On Sun, Sep 25, 2016 at 01:08:55AM +0200, Bálint Réczey wrote: > Hi, > > 2016-09-24 15:34 GMT+02:00 Balint Reczey <bal...@balintreczey.hu>: > > Hi, > > > > On 09/24/2016 12:51 AM, Mike Hommey wrote: > >> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote: > >>> Hi, > >>> > >>> 2016-09-20 23:43 GMT+02:00 Chris Lamb <la...@debian.org>: > >>>> Hello dear maintainer(s), > >>>> > >>>> the Debian LTS team would like to fix the security issues which are > >>>> currently open in the Wheezy version of firefox-esr: > >>>> https://security-tracker.debian.org/tracker/source-package/firefox-esr > >>>> > >>>> Would you like to take care of this yourself? > >>>> > >>>> If yes, please follow the workflow we have defined here: > >>>> https://wiki.debian.org/LTS/Development > >>>> > >>>> If that workflow is a burden to you, feel free to just prepare an > >>>> updated source package and send it to debian-lts@lists.debian.org > >>>> (via a debdiff, or with an URL pointing to the source package, > >>>> or even with a pointer to your packaging repository), and the members > >>>> of the LTS team will take care of the rest. Indicate clearly whether you > >>>> have tested the updated package or not. > >>>> > >>>> If you don't want to take care of this update, it's not a problem, we > >>>> will do our best with your package. Just let us know whether you would > >>>> like to review and/or test the updated package before it gets released. > >>>> > >>>> You can also opt-out from receiving future similar emails in your > >>>> answer and then the LTS Team will take care of firefox-esr updates > >>>> for the LTS releases. (In case we don't get any answer for months, > >>>> we may also take it as an opt-out, too.) > >>> > >>> I think Mike would like the LTS Team to prepare the future updates: > >>> > >>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote: > >>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote: > >>>>> Hello Mike, > >>>>> > >>>>> Thank you for preparing the security update of firefox-esr. I have just > >>>>> sent a security announcement for your update in Wheezy to the > >>>>> debian-lts-announce mailing list. If you want to take care of this next > >>>>> time, please follow our guidelines which we have outlined at [1]. If > >>>>> this is a burden for you, no problem, we will do our best and take care > >>>>> of the rest. In this case we would like to ask you to send a short > >>>>> reminder to debian-lts, so that we can prepare the announcement in a > >>>>> timely manner. > >>>> > >>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about > >>>> that. That these updates go through the same security-master doesn't > >>>> help making it obvious they are different. > >>>> > >>>> Anyways, I'd rather not have more work to do, so if can send > >>>> announcements, that works for me. Or you can deal with the backport > >>>> from back to back. > >>> ... > >>> > >>> I have added firefox-esr to lts-do-not-call and started preparing the > >>> update. > >> > >> Thanks. > > > > I have prepared the update. > > > > Please see the diff to jessie-security's version attached. > > > > Changes: > > > > firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium > > . > > [ Mike Hommey ] > > * New upstream release. > > * Fixes for mfsa2016-86, also known as: > > CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274, > > CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281, > > CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257. > > . > > * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable > > on arm* because of crashes when building with GCC 6. (FTBFS) > > * debian/rules: Build with -fno-schedule-insns2 and > > -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles > > Firefox. Closes: #836533. > > . > > * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h: > > Don't include mozalloc.h from the cstdlib wrapper. bz#1245076, > > bz#1259537. > > Closes: #822715. > > * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS) > > > > > > The binary packages for amd64 are also available for testing here: > > > > deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/ > > > > I ran browser benchmarks to stress test the package and also visited a > > few sites manually. > > > > I plan uploading the package around 21:00 UTC. > > ARM builds are failing for the package due to looking for gcc-5 . :-( > > I'm fixing that shortly.
That was fixed in 45.4.0esr-1~deb8u2. Mike