Re: CVE-2023-5217 unimportant for firefox?
On Sat, 30 Sep 2023 17:28:29 +0200 Klaus Singvogel wrote:
> hede wrote:
> > Hi,
> >
> > does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as
> > an "open unimportant issue" for firefox-esr? Currently it is not fixed in
> > bookworm and newer [1]. Mozilla itself rates it as "critical" [2].
>
> That's fixed in Debian Bullseye.
> If I look into /usr/share/doc/firefox-esr/changelog.Debian.gz, I find this
> entry on top:
>
> -
> firefox-esr (115.3.1esr-1~deb11u1) bullseye-security; urgency=medium
>
>   * New upstream release.
>   * Fix for mfsa2023-44, also known as CVE-2023-5217.
> -

Yeah, fixed in Bullseye and not in Bookworm and newer, that's what I criticised. But the Wanderer and Lee already had an explanation: Firefox in Bookworm and newer uses the system library (libvpx), which has the fixes applied.

hede
Re: CVE-2023-5217 unimportant for firefox?
On Sat, 30 Sep 2023 07:37:04 -0400 The Wanderer wrote:
> When I follow the link to [3], and look at the bottom of the page, I see
> what looks to me like an explanation

Ah, I get it. That's indeed a good explanation. Then the state of "vulnerable" is simply wrong, because it's actually "not applicable". Someone should fix the Debian security tracker. ;-)

Thank you Wanderer,
hede
Re: CVE-2023-5217 unimportant for firefox?
hede wrote:
> Hi,
>
> does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an
> "open unimportant issue" for firefox-esr? Currently it is not fixed in
> bookworm and newer [1]. Mozilla itself rates it as "critical" [2].

That's fixed in Debian Bullseye.

If I look into /usr/share/doc/firefox-esr/changelog.Debian.gz, I find this
entry on top:

-
firefox-esr (115.3.1esr-1~deb11u1) bullseye-security; urgency=medium

  * New upstream release.
  * Fix for mfsa2023-44, also known as CVE-2023-5217.
-

Best regards,
Klaus.

--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D 1994-06-27
Re: CVE-2023-5217 unimportant for firefox?
On 9/30/23, hede wrote:
> Hi,
>
> does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an
> "open unimportant issue" for firefox-esr? Currently it is not fixed in
> bookworm and newer [1]. Mozilla itself rates it as "critical" [2].

At the bottom of the page of your [1] is the note

  src:firefox, src:firefox-esr and src:thunderbird use the system libvpx
  starting in bookworm and above. For older releases still needs the fixes
  in src:firefox-esr and src:thunderbird.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053182#22

  Date: Fri, 29 Sep 2023 14:58:43 +
  We believe that the bug you reported is fixed in the latest version of
  libvpx, which is due to be installed in the Debian FTP archive.

But I'm just guessing that the firefox security tracker page hasn't been
updated yet.

Regards
Lee

> [1] https://security-tracker.debian.org/tracker/source-package/firefox-esr
> [2] https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
>
> hede
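The note Lee quotes means the tracker entry for src:firefox-esr answers a different question depending on the release: on bullseye the fix has to be in the firefox-esr changelog, on bookworm and newer it has to be in src:libvpx. The script below is an added example (not from this thread or from Debian) that makes that distinction mechanically on a given host: it inspects whether libxul.so resolves libvpx.so.N from the distro library directory, and if not, which firefox-esr changelog stanza names the CVE. The libxul.so path, the changelog path and the libvpx soname pattern are assumptions about Debian's packaging; the ldd and changelog samples embedded at the bottom are constructed so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether the src:firefox-esr
# tracker entry for CVE-2023-5217 applies to this host.
#   (a) libxul.so links the distro's shared libvpx (bookworm and newer)
#       -> the fix is src:libvpx's business, firefox-esr is "not applicable";
#   (b) libxul.so has no libvpx.so.N dependency (bullseye: bundled copy)
#       -> look for the fix in the firefox-esr changelog.
# Paths and the soname pattern are assumptions about Debian's packaging;
# the samples at the bottom are constructed, not captured from a real host.

CVE=CVE-2023-5217

# True when an ldd listing resolves libvpx.so.N to a distro library dir.
uses_system_libvpx() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*libvpx\.so\.[0-9]+ => /(usr/)?lib'
}

# Print the version of the newest Debian changelog stanza mentioning $2
# (a CVE id); print nothing when no stanza mentions it.
fixed_in_version() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^[a-z0-9.+-]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver) }
        ver != "" && index($0, cve) { print ver; exit }
    '
}

# One verdict line; exit status 1 means a bundled decoder with no
# changelog entry claiming the fix.
verdict() {  # $1: ldd output of libxul.so, $2: firefox-esr changelog text
    if uses_system_libvpx "$1"; then
        echo "system libvpx: track src:libvpx, not src:firefox-esr"
        return 0
    fi
    v=$(fixed_in_version "$2" "$CVE")
    if [ -n "$v" ]; then
        echo "bundled libvpx: $CVE fixed in firefox-esr $v"
        return 0
    fi
    echo "bundled libvpx: no firefox-esr changelog entry for $CVE"
    return 1
}

# Same logic against the real host (assumed Debian firefox-esr paths).
check_host() {
    xul=/usr/lib/firefox-esr/libxul.so
    log=/usr/share/doc/firefox-esr/changelog.Debian.gz
    [ -r "$xul" ] || { echo "no $xul; firefox-esr not installed?" >&2; return 2; }
    verdict "$(ldd "$xul")" "$(gzip -dc "$log" 2>/dev/null)"
}

# Constructed samples: a bookworm-style listing with the shared libvpx,
# a bullseye-style listing without it, and a changelog whose newest
# stanza is the one quoted in the thread (trailer lines are placeholders).
SYSTEM_LDD_SAMPLE='    linux-vdso.so.1 (0x00007ffc00000000)
    libvpx.so.7 => /lib/x86_64-linux-gnu/libvpx.so.7 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000100000)'
BUNDLED_LDD_SAMPLE='    linux-vdso.so.1 (0x00007ffc00000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000100000)'
CHANGELOG_SAMPLE='firefox-esr (115.3.1esr-1~deb11u1) bullseye-security; urgency=medium

  * New upstream release.
  * Fix for mfsa2023-44, also known as CVE-2023-5217.

 -- (trailer omitted in this constructed sample)

firefox-esr (115.3.0esr-1~deb11u1) bullseye-security; urgency=medium

  * New upstream release.

 -- (trailer omitted in this constructed sample)'

if [ "${1-}" = "--host" ]; then
    check_host
else
    verdict "$SYSTEM_LDD_SAMPLE"  "$CHANGELOG_SAMPLE"
    verdict "$BUNDLED_LDD_SAMPLE" "$CHANGELOG_SAMPLE"
fi
```

Run it without arguments to see both verdicts on the constructed samples; run it with `--host` on a Debian machine with firefox-esr installed to check the real binary. A "system libvpx" verdict means the package to watch is libvpx (bug 1053182 in the thread), and the tracker's firefox-esr line carries no information about exposure on that host.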
Re: CVE-2023-5217 unimportant for firefox?
On 2023-09-30 at 07:20, hede wrote:
> Hi,
>
> does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an
> "open unimportant issue" for firefox-esr? Currently it is not fixed in
> bookworm and newer [1]. Mozilla itself rates it as "critical" [2].
>
> [1] https://security-tracker.debian.org/tracker/source-package/firefox-esr

When I follow the link to [3], and look at the bottom of the page, I see
what looks to me like an explanation:

>> src:firefox, src:firefox-esr and src:thunderbird use the system
>> libvpx starting in bookworm and above. For older releases still
>> needs the fixes in src:firefox-esr and src:thunderbird.

[3] https://security-tracker.debian.org/tracker/CVE-2023-5217

--
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
CVE-2023-5217 unimportant for firefox?
Hi,

does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an
"open unimportant issue" for firefox-esr? Currently it is not fixed in
bookworm and newer [1]. Mozilla itself rates it as "critical" [2].

[1] https://security-tracker.debian.org/tracker/source-package/firefox-esr
[2] https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/

hede