Bug 54345 - firefox-esr: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
All Linux
P3 normal
UCS 5.0-1-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2022-01-17 08:21 CET by Quality Assurance
Modified: 2022-01-19 13:55 CET (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) NVD RedHat
Description Quality Assurance univentionstaff 2022-01-17 08:21:08 CET
New Debian firefox-esr 91.5.0esr-1~deb10u1 fixes:
This update addresses the following issues:
* Iframe sandbox bypass with XSLT (CVE-2021-4140)
* iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503)
* Use-after-free in file picker dialog (CVE-2021-38504)
* Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506)
* Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports (CVE-2021-38507)
* Permission Prompt could be overlaid, resulting in user confusion and potential spoofing (CVE-2021-38508)
* Javascript alert box could have been spoofed onto an arbitrary domain (CVE-2021-38509)
* Mozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-43534)
* A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.3, and Firefox ESR < 91.3. (CVE-2021-43535)
* URL leakage when navigating while executing asynchronous function (CVE-2021-43536)
* Heap buffer overflow when using structured clone (CVE-2021-43537)
* Missing fullscreen and pointer lock notification when requesting both (CVE-2021-43538)
* GC rooting failure when calling wasm instance methods (CVE-2021-43539)
* External protocol handler parameters were unescaped (CVE-2021-43541)
* XMLHttpRequest error codes could have leaked the existence of an external protocol handler (CVE-2021-43542)
* Bypass of CSP sandbox directive when embedding (CVE-2021-43543)
* Denial of Service when using the Location API in a loop (CVE-2021-43545)
* Cursor spoofing could overlay user interface when native cursor is zoomed (CVE-2021-43546)
* Race condition when playing audio files (CVE-2022-22737)
* Heap-buffer-overflow in blendGaussianBlur (CVE-2022-22738)
* Missing throttling on external protocol launch dialog (CVE-2022-22739)
* Use-after-free of ChannelEventQueue::mOwner (CVE-2022-22740)
* Browser window spoof using fullscreen mode (CVE-2022-22741)
* Out-of-bounds memory access when inserting text in edit mode (CVE-2022-22742)
* Browser window spoof using fullscreen mode (CVE-2022-22743)
* Leaking cross-origin URLs through securitypolicyviolation event (CVE-2022-22745)
* Crash when handling empty pkcs7 sequence (CVE-2022-22747)
* Spoofed origin on external protocol launch dialog (CVE-2022-22748)
* Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5 (CVE-2022-22751)
Comment 1 Quality Assurance univentionstaff 2022-01-17 09:00:58 CET
--- mirror/ftp/pool/main/f/firefox-esr/firefox-esr_78.15.0esr-1~deb10u1.dsc
+++ apt/ucs_5.0-0-errata5.0-1/source/firefox-esr_91.5.0esr-1~deb10u1.dsc
@@ -1,94 +1,243 @@
-78.15.0esr-1~deb10u1 [Wed, 06 Oct 2021 06:18:02 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-44, also known as CVE-2021-38496, CVE-2021-38500.
-
-78.14.0esr-1~deb10u1 [Wed, 08 Sep 2021 06:35:55 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-39, also known as CVE-2021-38493.
+91.5.0esr-1~deb10u1 [Wed, 12 Jan 2022 06:58:53 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-02, also known as:
+    CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740,
+    CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748,
+    CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751.
+
+  * debian/rules: Build against embedded nspr and nss on bullseye.
+  * debian/control*: Build against rustc-mozilla/cargo-mozilla on relevant
+    older release.
+  * debian/upstream.mk: Add definitions for newer releases of Debian.
+
+91.4.0esr-1 [Wed, 08 Dec 2021 06:38:58 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes cubeb deadlock. Closes: #998679.
+  * Fixes for mfsa2021-53, also known as:
+    CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539,
+    CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545,
+    CVE-2021-43546, MOZ-2021-0009.
+
+91.3.0esr-2 [Sat, 27 Nov 2021 06:50:56 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/firefox.in: Use `command -v` instead of `which`. Closes: #996455.
+
+  * modules/fdlibm/src/math_private.h: Fix FTBFS on i386. bz#1729459.
+  * .cargo/config.in, Cargo.lock, Cargo.toml,
+    third_party/rust/cc/.cargo-checksum.json,
+    third_party/rust/cc/Cargo.toml, third_party/rust/cc/src/lib.rs,
+    third_party/rust/cc/src/windows_registry.rs: Update cc crate to
+    b2f6b146b75299c444e05bbde50d03705c7c4b6e, aka 1.0.71 + GCC-11 fix for
+    armhf. bz#1739040.
+
+91.3.0esr-1 [Wed, 03 Nov 2021 06:04:59 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-49, also known as:
+    CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507,
+    MOZ-2021-0008, CVE-2021-38508, CVE-2021-38509, MOZ-2021-0007.
+    (MOZ-* pending CVE assignment)
+
+91.2.0esr-1 [Wed, 06 Oct 2021 06:29:51 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-45, also known as:
+    CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810,
+    CVE-2021-38500, CVE-2021-38501.
+
+91.1.0esr-1 [Wed, 08 Sep 2021 07:46:16 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-40, also known as CVE-2021-38495.
+
+91.0.1esr-1 [Wed, 18 Aug 2021 10:28:37 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-37, also known as CVE-2021-29991.
 
   * debian/import-tar.py, debian/repack.py: Fixed for python 3.9.
 
-78.13.0esr-1~deb10u1 [Wed, 11 Aug 2021 07:51:13 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-34, also known as:
-    CVE-2021-29986, CVE-2021-29988, CVE-2021-29984, CVE-2021-29980,
-    CVE-2021-29985, CVE-2021-29989.
-
-78.12.0esr-1~deb10u1 [Wed, 14 Jul 2021 05:58:36 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-29, also known as:
-    CVE-2021-29970, CVE-2021-30547, CVE-2021-29976.
-
-78.11.0esr-1~deb10u1 [Wed, 02 Jun 2021 05:18:07 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-24, also known as CVE-2021-29967.
-
-78.10.0esr-1~deb10u1 [Tue, 20 Apr 2021 06:36:15 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-15, also known as:
-    CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23961,
-    CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946.
-
-78.9.0esr-1~deb10u1 [Wed, 24 Mar 2021 05:46:46 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-11, also known as:
-    CVE-2021-23981, CVE-2021-23982, CVE-2021-23984, CVE-2021-23987.
-
-78.8.0esr-1~deb10u1 [Wed, 24 Feb 2021 06:29:25 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-08, also known as:
-    CVE-2021-23969, CVE-2021-23968, CVE-2021-23973, CVE-2021-23978.
-
-78.7.0esr-1~deb10u1 [Wed, 27 Jan 2021 08:57:31 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-04, also known as:
-    CVE-2021-23953, CVE-2021-23954, CVE-2020-26976, CVE-2021-23960,
-    CVE-2021-23964.
-
-78.6.1esr-1~deb10u1 [Thu, 07 Jan 2021 07:38:33 +0900] Mike Hommey <glandium@debian.org>:
+91.0esr-1 [Wed, 11 Aug 2021 11:05:38 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+91.0-1 [Wed, 11 Aug 2021 07:18:22 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-33, also known as:
+    CVE-2021-29986, CVE-2021-29981, CVE-2021-29988, CVE-2021-29984,
+    CVE-2021-29980, CVE-2021-29987, CVE-2021-29985, CVE-2021-29982,
+    CVE-2021-29989, CVE-2021-29990.
+
+  * debian/control*: Bump nspr, nss and rustc build dependencies.
+
+90.0-1 [Wed, 14 Jul 2021 06:07:27 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-28, also known as:
+    CVE-2021-29970, CVE-2021-29971, CVE-2021-29972, CVE-2021-29974,
+    CVE-2021-29975, CVE-2021-29976, CVE-2021-29977.
+
+  * debian/control*:
+    - Bump nss build dependency.
+    - Remove libgtk2 build dependency.
+  * debian/browser.install.in: Don't install gtk2/libmozgtk.so.
+
+  * widget/gtk/mozgtk/moz.build: Remove old workaround for bug #844357, which
+    was fixed in binutils a long time ago.
+
+89.0.2-1 [Thu, 24 Jun 2021 07:57:24 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+89.0.1-1 [Fri, 18 Jun 2021 06:03:11 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+89.0-1 [Wed, 02 Jun 2021 05:36:18 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-23, also known as:
+    CVE-2021-29960, CVE-2021-29961, CVE-2021-29959, CVE-2021-29967,
+    CVE-2021-29966.
+
+  * debian/control*: Bump nss and cbindgen build dependency.
+
+88.0.1-1 [Thu, 06 May 2021 07:01:54 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-20, also known as CVE-2021-29952.
+
+88.0-1 [Tue, 20 Apr 2021 07:54:02 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-16, also known as:
+    CVE-2021-23994, CVE-2021-23995, CVE-2021-23996, CVE-2021-23997,
+    CVE-2021-23998, CVE-2021-23999, CVE-2021-24000, CVE-2021-24001,
+    CVE-2021-24002, CVE-2021-29945, CVE-2021-29944, CVE-2021-29946,
+    CVE-2021-29947.
+
+  * debian/control*: Bump nss build dependency.
+
+87.0-2 [Wed, 31 Mar 2021 10:12:40 +0900] Mike Hommey <glandium@debian.org>:
+
+  * js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp,
+    js/src/jit/mips-shared/MacroAssembler-mips-shared*,
+    js/src/jit/mips*/MacroAssembler-mips*: Add missing JIT functions.
+  * js/src/jit/mips64/MacroAssembler-mips64.cpp: Fix register conflict
+    in ma_addPtrTestOverflow. bz#1685662.
+  * gfx/wr/swgl/src/blend.h, gfx/wr/swgl/src/gl.cc: Don't use always_inline
+    on large SWGL functions. bz#1700520.
+
+87.0-1 [Wed, 24 Mar 2021 06:06:10 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-10, also known as:
+    CVE-2021-23981, CVE-2021-23982, CVE-2021-23983, CVE-2021-23984,
+    CVE-2021-23985, CVE-2021-23986, CVE-2021-23987, CVE-2021-23988.
+
+  * debian/control*: Bump nss build dependency.
+
+86.0.1-1 [Fri, 12 Mar 2021 10:30:34 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+86.0-2 [Tue, 09 Mar 2021 07:24:46 +0900] Mike Hommey <glandium@debian.org>:
+
+  * gfx/qcms/src/iccread.rs: Fix startup crash with malformed ICC profiles.
+    bz#1694670.
+
+86.0-1 [Wed, 24 Feb 2021 06:57:42 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-07, also known as:
+    CVE-2021-23969, CVE-2021-23970, CVE-2021-23968, CVE-2021-23974,
+    CVE-2021-23971, CVE-2021-23972, CVE-2021-23975, CVE-2021-23973,
+    CVE-2021-23978, CVE-2021-23979.
+
+  * debian/control*: Bump nss and cbindgen build dependencies.
+
+85.0.1-1 [Sat, 06 Feb 2021 07:54:04 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+  * build/moz.configure/rust.configure, debian/control*: Allow to build with
+    cargo in unstable.
+
+85.0-1 [Wed, 27 Jan 2021 09:06:28 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-03, also known as:
+    CVE-2021-23953, CVE-2021-23954, CVE-2021-23955, CVE-2021-23956,
+    CVE-2021-23958, CVE-2021-23960, CVE-2021-23961, CVE-2021-23962,
+    CVE-2021-23963, CVE-2021-23964, CVE-2021-23965.
+
+  * debian/control*: Bump rustc, cargo and nss build dependencies.
+
+84.0.2-1 [Thu, 07 Jan 2021 07:27:55 +0900] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
   * Fixes for mfsa2021-01, also known as CVE-2020-16044.
 
-78.6.0esr-1~deb10u1 [Wed, 16 Dec 2020 05:57:15 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2020-55, also known as:
-    CVE-2020-16042, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974,
-    CVE-2020-26978, CVE-2020-35111, CVE-2020-35113.
-
-78.5.0esr-1~deb10u1 [Wed, 18 Nov 2020 06:23:03 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2020-51, also known as:
-    CVE-2020-26951, CVE-2020-16012, CVE-2020-26953, CVE-2020-26956,
-    CVE-2020-26958, CVE-2020-26959, CVE-2020-26960, CVE-2020-26961,
-    CVE-2020-26965, CVE-2020-26968.
-
-78.4.1esr-1~deb10u1 [Tue, 10 Nov 2020 07:27:07 +0900] Mike Hommey <glandium@debian.org>:
+  * debian/control*: Bump nss build dependency.
+
+84.0-3 [Fri, 18 Dec 2020 10:09:12 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/browser.install.in: s/aarch64/arm64/, facepalm.
+
+84.0-2 [Fri, 18 Dec 2020 05:59:54 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/browser.install.in: Install libmozsandbox.so on aarch64 and arm*.
+
+84.0-1 [Wed, 16 Dec 2020 06:30:02 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2020-54, also known as:
+    CVE-2020-16042, CVE-2020-26971, CVE-2020-26972, CVE-2020-26973,
+    CVE-2020-26974, CVE-2020-26976, CVE-2020-26978, CVE-2020-26979,
+    CVE-2020-35111, CVE-2020-35113, CVE-2020-35114.
+
+  * debian/control*: Bump nss build dependency.
+
+  * build/moz.configure/rust.configure, debian/control*: Revert changes from
+    79.0-1 allowing to build with cargo in unstable as of 2020-07-29 because
+    we have the right version now.
+  * intl/icu_sources_data.py: Revert changes from 72.0-1 to avoid building
+    ICU in parallel because we don't build ICU using this script anymore.
+
+83.0-1 [Wed, 18 Nov 2020 07:06:09 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2020-50, also known as:
+    CVE-2020-26951, CVE-2020-26952, CVE-2020-16012, CVE-2020-26953,
+    CVE-2020-26956, CVE-2020-26958, CVE-2020-26959, CVE-2020-26960,
+    CVE-2020-26961, CVE-2020-26962, CVE-2020-26963, CVE-2020-26965,
+    CVE-2020-26967, CVE-2020-26968, CVE-2020-26969.
+
+  * debian/control*: Bump nss and cbindgen build dependencies.
+
+82.0.3-1 [Tue, 10 Nov 2020 07:32:32 +0900] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
   * Fixes for mfsa2020-49, also known as CVE-2020-26950.
 
-78.4.0esr-1~deb10u2 [Wed, 21 Oct 2020 13:19:24 +0900] Mike Hommey <glandium@debian.org>:
-
-  * debian/rules: Restore parts of debian/rules that were removed by mistake
-    in 78.4.0esr-1~deb10u1, causing FTBFS on at least amd64.
-
-78.4.0esr-1~deb10u1 [Wed, 21 Oct 2020 06:35:35 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2020-46, also known as:
-    CVE-2020-15969, CVE-2020-15683.
+82.0.2-1 [Fri, 30 Oct 2020 06:03:59 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+  * debian/control*: Remove autoconf2.13 build dependency.
+
+  * config/external/icu/data/moz.build: Use the right data file for ICU on
+    big endians. bz#1673769.
+
+82.0-1 [Wed, 21 Oct 2020 11:53:39 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2020-45, also known as:
+    CVE-2020-15969, CVE-2020-15254, CVE-2020-15680, CVE-2020-15681,
+    CVE-2020-15682, CVE-2020-15683, CVE-2020-15684.
 
   [Emilio Pozuelo Monfort]
   * debian/browser.bug-presubj.in, debian/control.in, debian/rules,
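Review bot: The 91.3.0esr-1 and 91.4.0esr-1 entries in this hunk list MOZ-2021-0007, MOZ-2021-0008 and MOZ-2021-0009 instead of CVE IDs (91.3.0esr-1 marks them "MOZ-* pending CVE assignment"), while the description names CVE-2021-43534 and CVE-2021-43535, which appear nowhere in these changelog lines. Record in the erratum which MOZ-* placeholder each of those CVEs replaces, and say whether MOZ-2021-0009 has an assigned CVE that is missing from the list. The 91.0.1esr-1, 91.1.0esr-1 and 91.2.0esr-1 entries also add CVE-2021-29991, CVE-2021-38495, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810 and CVE-2021-38501, none of which are in the description or in the removed 78.x entries; confirm they never applied to the 78 ESR branch or add them.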
@@ -104,29 +253,61 @@
     - stretch: don't set NASM on !x86.
 
   [Mike Hommey]
-  * third-party/rust/authenticator/src/linux/ioctl_mips*.rs: Add missing
-    bindings for mips*.
-
-78.3.0esr-1~deb10u1 [Wed, 23 Sep 2020 12:53:29 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2020-43, also known as:
-    CVE-2020-15677, CVE-2020-15676, CVE-2020-15678, CVE-2020-15673.
-
-  * js/src/jit/mips-shared/CodeGenerator-mips-shared.cpp: Add
-    CodeGenerator::visitWasmRegisterResult function. bz#1649655.
+  * debian/control*: Bump nss build dependency.
+
+  * build/unix/elfhack/elf.cpp, build/unix/elfhack/elfxx.h: Fix elfhack
+    for files > 2GiB and < 4GiB. bz#1495733.
+
+81.0-2 [Thu, 24 Sep 2020 16:22:35 +0900] Mike Hommey <glandium@debian.org>:
+
+  * dom/media/AsyncLogger.h: Fix AsyncLogger::TracePayload's mName
+    size calculation. bz#1667007.
+
+81.0-1 [Wed, 23 Sep 2020 07:56:45 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2020-42, also known as:
+    CVE-2020-15675, CVE-2020-15677, CVE-2020-15676, CVE-2020-15678,
+    CVE-2020-15673, CVE-2020-15674.
+
+  * debian/control*: Bump nss build dependency.
+  * debian/rules: Change l10n build integration:
+    - it is not necessary to override LOCALE_MERGEDIR anymore
+    - it is not necessary to call compare-locales manually
+    - set MACH_USE_SYSTEM_PYTHON=1
+
   * js/src/jit/none/MacroAssembler-none.h: Bump CodeAlignment to 8.
     bz#1666646.
-  * third-party/rust/authenticator/src/linux/ioctl_mips*.rs: Add missing
-    bindings for mips*.
-
-78.2.0esr-1 [Thu, 03 Sep 2020 09:30:52 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2020-32 and mfsa2020-38, also known as:
+
+80.0.1-1 [Thu, 03 Sep 2020 09:36:06 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+80.0-1 [Wed, 26 Aug 2020 07:24:49 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2020-36, also known as:
+    CVE-2020-15664, CVE-2020-12401, CVE-2020-6829, CVE-2020-12400,
+    CVE-2020-15665, CVE-2020-15666, CVE-2020-15667, CVE-2020-15668,
+    CVE-2020-15670.
+
+  * debian/control*: Bump nss build dependency.
+
+79.0-1 [Wed, 29 Jul 2020 13:45:30 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2020-30, also known as:
     CVE-2020-15652, CVE-2020-6514, CVE-2020-15655, CVE-2020-15653,
     CVE-2020-6463, CVE-2020-15656, CVE-2020-15658, CVE-2020-15654,
-    CVE-2020-15659, CVE-2020-15664, CVE-2020-15670.
+    CVE-2020-15659.
+
+  * debian/control*: Bump cbindgen, rustc, cargo, nss and python3 build
+    dependencies.
+  * debian/rules: Add -Cembed-bitcode=yes to rust command lines when
+    using rustc >= 1.45.0.
+
+  * build/moz.configure/rust.configure, debian/control*: Allow to build with
+    cargo in unstable as of 2020-07-29.
 
 78.0.2-1 [Fri, 10 Jul 2020 09:37:04 +0900] Mike Hommey <glandium@debian.org>:
 

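Review bot: The added 79.0-1 to 81.0-2 entries are 2020 rapid-release history that shows up as new only because the source moved from the 78 ESR changelog to the 91 one, so the "+" lines in this hunk cannot be used as the list of issues fixed by this update. For example, the 80.0-1 and 81.0-1 entries add CVE-2020-12400, CVE-2020-12401, CVE-2020-6829 and CVE-2020-15674, which are in neither the removed 78.2.0esr-1 and 78.3.0esr-1 entries nor the description. State in the erratum that the CVE list is limited to the advisories since 78.15.0esr, or explain how these older IDs were handled for the 78 branch.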
<http://piuparts.knut.univention.de/5.0-1/#6429233904290217370>
Comment 2 Philipp Hahn univentionstaff 2022-01-18 11:17:29 CET
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
 new language packages szl(Silesian) sco(Scots)

[5.0-1] 3727861c7a Bug #54345: firefox-esr 91.5.0esr-1~deb10u1
 doc/errata/staging/firefox-esr.yaml | 42 +++++++++++++++++--------------------
 1 file changed, 19 insertions(+), 23 deletions(-)

[5.0-1] 26b64e43da Bug #54345: firefox-esr 91.5.0esr-1~deb10u1
 doc/errata/staging/firefox-esr.yaml | 87 +++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)