Processed: Re: Bug#928509: Firefox insecure because of missing extensions

2019-05-06 Thread Debian Bug Tracking System
Processing control commands:

> severity 928509 normal
Bug #928509 [firefox-esr] Firefox insecure because of missing extensions
Severity set to 'normal' from 'grave'

-- 
928509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#928509: Firefox insecure because of missing extensions

2019-05-06 Thread Antoine Beaupré
Control: severity 928509 normal

On 2019-05-06 15:04:09, Karsten wrote:
> Package: firefox-esr
> Version: 60.6.1esr-1~deb8u1
> Justification: user security hole
> Severity: grave
> Tags: security
>
> Hello Debian-Team,
>
> this security bug shall show that Firefox is going to be more and more 
> unusable to be secure in the internet.
>
> Today one of the most vulnerable things has happened, because all the 
> addons/extensions have gone,
> and there is no No-Script and Ublock or other Tracking-Protection any more.
> It is not possible to reinstall them!
>
> There are several articles about this out there like
> * https://www.tenforums.com/browsers-email/131965-firefox-has-deleted-all-extensions-wont-reload-them.html
> * https://discourse.mozilla.org/t/fixed-certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047/12
>
> When there is no fix for the used Firefox-Version, then a new browser 
> solution is needed for Debian.

I am not sure I understand the problem you're trying to outline here.

The package you filed this bug against (Firefox) does not ship with
uMatrix or uBlock or Noscript. It's true that those extensions, when
installed from the Mozilla add-ons site, got disabled due to the bug
described in #928415, but not the actual extensions (including uBlock)
shipped from Debian packages.

I would therefore argue that this effect is not necessarily a security
hole in itself and affects only "third-party" code not shipped in
Debian.

I'm therefore lowering the severity of this bug report, as it actually
keeps the *fixed* version of Firefox from migrating into Buster, making
this problem actually worse than it should be.

I would otherwise be curious to hear more about which problem you
specifically think 60.6.1 (the fixed version) actually still has that
needs to be addressed and, ideally, how that should be addressed.

Thank you for the bug report!

a.
-- 
Real democracy is defined first and foremost by the
massive participation of citizens in managing the affairs of the city.
It is direct and participatory. It finds its most
authentic expression in the popular assembly and the ongoing dialogue on
the organization of life in common.  - De la servitude moderne



Bug#928509: Firefox insecure because of missing extensions

2019-05-06 Thread Hideki Yamane
Hi,

On Mon, 6 May 2019 15:04:09 +0200 Karsten wrote:
> Package: firefox-esr
> Version: 60.6.1esr-1~deb8u1

 It was already done in unstable and stable-proposed-updates, and
 reporter asks about oldstable, so CC:ed to lts mailing list.
 
 LTS maintainers, could you build it for oldstable, please?


> When there is no fix for the used Firefox-Version, then a new browser 
> solution is needed for Debian.

 No, you can migrate to Debian9 at least...


-- 
Regards,

 Hideki Yamane henrich @ debian.org/iijmio-mail.jp



Bug#928509: Firefox insecure because of missing extensions

2019-05-06 Thread Karsten
Package: firefox-esr
Version: 60.6.1esr-1~deb8u1
Justification: user security hole
Severity: grave
Tags: security

Hello Debian-Team,

this security bug shall show that Firefox is going to be more and more unusable 
to be secure in the internet.

Today one of the most vulnerable things has happened, because all the 
addons/extensions have gone,
and there is no No-Script and Ublock or other Tracking-Protection any more.
It is not possible to reinstall them!

There are several articles about this out there like
* https://www.tenforums.com/browsers-email/131965-firefox-has-deleted-all-extensions-wont-reload-them.html
* https://discourse.mozilla.org/t/fixed-certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047/12

When there is no fix for the used Firefox-Version, then a new browser solution 
is needed for Debian.
From my point of view it's really a pity with the Mozilla Foundation.

Cheers
karsten


-- System Information:
Debian Release: 8.11
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)