Bug 52266 - firefox-esr: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-6-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2020-10-27 12:19 CET by Quality Assurance
Modified: 2020-10-28 12:49 CET
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2020-10-27 12:19:18 CET
New Debian firefox-esr 78.4.0esr-1~deb9u1 fixes:
This update addresses the following issues:
* Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4 (CVE-2020-15683)
* Use after free in WebRTC (CVE-2020-15969)
Comment 1 Quality Assurance univentionstaff 2020-10-27 13:00:31 CET
--- mirror/ftp/4.4/unmaintained/component/4.4-6-errata/source/firefox-esr_78.3.0esr-1~deb9u2.dsc
+++ apt/ucs_4.4-0-errata4.4-6/source/firefox-esr_78.4.0esr-1~deb9u1.dsc
@@ -1,14 +1,32 @@
-78.3.0esr-1~deb9u2 [Tue, 29 Sep 2020 10:01:59 +0200] Emilio Pozuelo Monfort <pochu@debian.org>:
+78.4.0esr-1~deb9u1 [Wed, 21 Oct 2020 10:07:45 +0200] Emilio Pozuelo Monfort <pochu@debian.org>:
 
-  * Don't set NASM on non-x86.
+  * Backport to stretch.
+  * Re-add debian-hacks/build-with-libstdc++-7.patch.
+  * debian/rules: add missing LDFLAGS, accidentally removed in 78.4.0esr-1.
 
-78.3.0esr-1~deb9u1 [Wed, 23 Sep 2020 11:03:28 +0200] Emilio Pozuelo Monfort <pochu@debian.org>:
+78.4.0esr-1 [Wed, 21 Oct 2020 06:35:35 +0900] Mike Hommey <glandium@debian.org>:
 
-  * Non-maintainer upload.
-  * Backport to stretch.
-  * debian/l10n/gen: open iso-codes files as unicode.
-  * Build with LLVM 7, 4.0 doesn't support -std=gnu++17.
-  * Build with GCC 7 from gcc-mozilla.
+  * New upstream release.
+  * Fixes for mfsa2020-46, also known as:
+    CVE-2020-15969, CVE-2020-15683.
+
+  [Emilio Pozuelo Monfort]
+  * debian/browser.bug-presubj.in, debian/control.in, debian/rules,
+    debian/symbols.mk, debian/upstream.mk: Remove support for jessie.
+  * debian/control.in, debian/rules: stretch: build with LLVM 7, 4.0 doesn't
+    support -std=gnu++17.
+  * debian/rules:
+    - stretch: build with GCC 7 from gcc-mozilla.
+    - Call python with -B when regenerating the control files, so as to not
+      generate bytecode files.
+    - Call debian/l10n/gen with C.UTF-8 as the locale, otherwise it fails
+    in stretch when opening the iso-codes files.
+    - stretch: don't set NASM on !x86.
+
+78.3.0esr-2 [Wed, 23 Sep 2020 12:53:29 +0900] Mike Hommey <glandium@debian.org>:
+
+  * third-party/rust/authenticator/src/linux/ioctl_mips*.rs: Add missing
+    bindings for mips*.
 
 78.3.0esr-1 [Wed, 23 Sep 2020 07:25:27 +0900] Mike Hommey <glandium@debian.org>:
 
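Review bot: In the 78.4.0esr-1~deb9u1 entry, "debian/rules: add missing LDFLAGS, accidentally removed in 78.4.0esr-1" does not say which flags were lost or what they affect. Since the entry states they were removed in 78.4.0esr-1 itself, please name the flags in the changelog and confirm on the stretch build that the linked binaries carry them again. Minor: "Re-add debian-hacks/build-with-libstdc++-7.patch" gives no reason for the re-add, and the continuation line "in stretch when opening the iso-codes files." is indented less than the sub-bullet it belongs to.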

<http://10.200.17.11/4.4-6/#462842615476549>
Comment 2 Philipp Hahn univentionstaff 2020-10-27 19:48:33 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-6] 65fcc579a2 Bug #52266: firefox-esr 78.4.0esr-1~deb9u1
 doc/errata/staging/firefox-esr.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)