Bug 55221 - firefox-esr: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.0-2-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2022-09-26 08:01 CEST by Quality Assurance
Modified: 2022-09-29 12:38 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Description Quality Assurance univentionstaff 2022-09-26 08:01:48 CEST
New Debian firefox-esr 102.3.0esr-1~deb10u1 fixes:
This update addresses the following issues:
102.3.0esr-1~deb10u1 (Fri, 23 Sep 2022 11:38:58 +0200)
* Backport to buster.
* Use internal libevent, the system one is too old.
102.2.0esr-1 (Wed, 24 Aug 2022 06:35:58 +0900)
* New upstream release.
* Fixes for mfsa2022-34, also known as: CVE-2022-38472, CVE-2022-38473, CVE-2022-38477, CVE-2022-38478.
* debian/rules, debian/control: Fix libavcodec recommends.
* debian/control*: Bump nss build dependency.
102.1.0esr-2 (Mon, 15 Aug 2022 15:46:49 +0900)
* debian/rules: Remove old and now unnecessary workarounds.
* intl/icu/source/common/unicode/std_string.h, intl/icu/source/common/utypeinfo.h, intl/icu/source/io/unicode/ustream.h: Remove workaround for old libstdc++ problem, which now causes problems with GCC 12 on arm.
* third_party/libwebrtc/moz.build: Add missing webrtc directory for ppc64el (bz#1775202).
102.1.0esr-1 (Sun, 14 Aug 2022 16:59:19 +0900)
* Fixes for mfsa2022-28, also known as: CVE-2022-36319, CVE-2022-36318, CVE-2022-36315, CVE-2022-36316, CVE-2022-36320, CVE-2022-2505.
* debian/rules:
  - Improve detection of known failing cases on armhf and mipsel.
  - Use thinLTO for rust on armhf, to stay in the memory budget with an armhf toolchain.
  - Use MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE=none instead of MACH_USE_SYSTEM_PYTHON=1.
* debian/rules, debian/watch, debian/watch.in: Generate debian/watch and fix it.
* third_party/libwebrtc/moz.build: Work around bz#1775202 to fix FTBFS on ppc64el.
* config/makefiles/rust.mk: Allow to override rust LTO flag.
102.0-1 (Wed, 29 Jun 2022 07:41:32 +0900)
* Fixes for mfsa2022-24, also known as: CVE-2022-34479, CVE-2022-34470, CVE-2022-34468, CVE-2022-34482, CVE-2022-34483, CVE-2022-34476, CVE-2022-34481, CVE-2022-34474, CVE-2022-34471, CVE-2022-34472, CVE-2022-2200, CVE-2022-34480, CVE-2022-34477, CVE-2022-34475, CVE-2022-34473, CVE-2022-34484, CVE-2022-34485.
* build/moz.configure/bindgen.configure, gfx/webrender_bindings/webrender_ffi.h: Work around build failure with newer cbindgen. bz#1773259
101.0.1-1 (Fri, 10 Jun 2022 06:24:01 +0900)
* build/moz.configure/rust.configure, debian/control*: Allow to build with cargo in unstable.
101.0-1 (Wed, 01 Jun 2022 06:07:37 +0900)
* Fixes for mfsa2022-20, also known as: CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31743, CVE-2022-31744, CVE-2022-31745, CVE-2022-1919, CVE-2022-31747, CVE-2022-31748.
* debian/rules: Fail the build early when building for armhf on armhf (only works on arm64), and when building for mipsel on mipsel.
* debian/control*: Bump rustc, cargo, cbindgen and nss build dependencies.
100.0.2-1 (Sat, 21 May 2022 07:32:04 +0900)
* Fixes for mfsa2022-19, also known as CVE-2022-1802 and CVE-2022-1529.
100.0-1 (Wed, 04 May 2022 08:48:41 +0900)
* Fixes for mfsa2022-16, also known as: CVE-2022-29914, CVE-2022-29909, CVE-2022-29916, CVE-2022-29911, CVE-2022-29912, CVE-2022-29915, CVE-2022-29917, CVE-2022-29918.
99.0-1 (Wed, 06 Apr 2022 09:04:22 +0900)
* Fixes for mfsa2022-13, also known as: CVE-2022-1097, CVE-2022-28281, CVE-2022-28282, CVE-2022-28283, CVE-2022-28284, CVE-2022-28285, CVE-2022-28286, CVE-2022-28287, CVE-2022-24713, CVE-2022-28289, CVE-2022-28288.
98.0-2 (Thu, 10 Mar 2022 09:09:43 +0900)
* debian/rules: Install crash reporter files on arm64.
* js/src/jit/GenerateAtomicOperations.py: Work around a GCC issue with generated atomics. bz#1756347.
98.0-1 (Wed, 09 Mar 2022 07:09:27 +0900)
* Fixes for mfsa2022-10, also known as: CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381, CVE-2022-26382, CVE-2022-26385, CVE-2022-0843.
* Fixes for mfsa2022-09, also known as: CVE-2022-26485, CVE-2022-26486.
* debian/control*:
  - Bump nss build dependency.
  - Downgrade rust dependency to 1.56, and cargo to 0.57.
* Cargo.lock, config/makefiles/rust.mk, python/mozboot/mozboot/util.py, servo/components/style/Cargo.toml, servo/components/style/build.rs, servo/components/style/lib.rs, servo/components/style/stylesheets/page_rule.rs, servo/components/style/stylist.rs, third_party/rust/audioipc2-client/.cargo-checksum.json, third_party/rust/audioipc2-client/Cargo.toml, third_party/rust/audioipc2-client/build.rs, third_party/rust/audioipc2-client/src/lib.rs, third_party/rust/wgpu-hal/.cargo-checksum.json, third_party/rust/wgpu-hal/src/gles/egl.rs: Relax minimum supported Rust version to 1.56.0.
97.0-1 (Wed, 09 Feb 2022 07:53:42 +0900)
* Fixes for mfsa2022-04, also known as: CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22764, CVE-2022-0511.
* debian/control*: Bump nss, rustc and cargo build dependencies.
* debian/browser.install.in: Install libipcclientcerts.so.
96.0.3-1 (Mon, 31 Jan 2022 06:21:31 +0900)
96.0.1-1 (Sat, 15 Jan 2022 07:41:14 +0900)
* modules/libpref/init/StaticPrefList.yaml: Disable cookie sameSite schemeful. bz#1750264.
* dom/media/webrtc/third_party_build/gn-configs/x64_*_arm_linux.json, dom/media/webrtc/third_party_build/gn-configs/x64_*_ppc64_linux.json, third_party/libwebrtc/**/moz.build: Add webrtc configs for arm and ppc64 linux. bz#1738845.
96.0-1 (Wed, 12 Jan 2022 08:03:30 +0900)
* Fixes for mfsa2022-01, also known as: CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740, CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748, CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751, CVE-2022-22752.
* debian/rules:
  - Adjust preprocessor command to upstream changes.
  - Set an objdir when using the preprocessor, and clean that up.
95.0.1-1 (Fri, 17 Dec 2021 07:05:23 +0900)
* debian/control.in: Build against rustc-mozilla/cargo-mozilla on relevant older releases.
* modules/fdlibm/src/math_private.h: Fix FTBFS on i386. bz#1729459.
95.0-1 (Wed, 08 Dec 2021 06:38:07 +0900)
* Fixes for mfsa2021-52, also known as: CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43540, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43544, CVE-2021-43545, CVE-2021-43546, MOZ-2021-0009.
* debian/browser.mozconfig.in: Explicitly disable wasm sandboxing. We don't have the necessary tools yet.
94.0.2-1 (Wed, 24 Nov 2021 06:57:55 +0900)
94.0-2 (Thu, 11 Nov 2021 16:32:50 +0900)
* debian/firefox.in: Use `command -v` instead of `which`. Does not affect this package, though.
* .cargo/config.in, Cargo.lock, Cargo.toml, third_party/rust/cc/.cargo-checksum.json, third_party/rust/cc/Cargo.toml, third_party/rust/cc/src/lib.rs, third_party/rust/cc/src/windows_registry.rs: Update cc crate to b2f6b146b75299c444e05bbde50d03705c7c4b6e, aka 1.0.71 + GCC-11 fix for armhf. bz#1739040.
* .cargo/config.in, Cargo.lock, third_party/rust/cubeb-pulse/.cargo-checksum.json, third_party/rust/cubeb-pulse/src/backend/stream.rs, toolkit/library/rust/shared/Cargo.toml: Upgrade cubeb-pulse to fix a race condition that can lead to shutdown deadlock. bz#1735905. (suspected to).
94.0-1 (Wed, 03 Nov 2021 08:20:50 +0900)
* Fixes for mfsa2021-48, also known as: CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, MOZ-2021-0004, CVE-2021-38509, MOZ-2021-0005, MOZ-2021-0006, MOZ-2021-0007. (MOZ-* pending CVE assignment)
* Cargo.toml, Cargo.lock, third_party/rust/naga/.cargo-checksum.json, third_party/rust/naga/Cargo.toml, third_party/rust/wgpu-core/.cargo-checksum.json, third_party/rust/wgpu-core/Cargo.toml, build/moz.configure/rust.configure: Remove workaround to build with an old cargo, now that Debian has a recent version.
93.0-1 (Wed, 06 Oct 2021 06:53:13 +0900)
* Fixes for mfsa2021-43, also known as: CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810, CVE-2021-38500, CVE-2021-38501, CVE-2021-38499.
* debian/rules: Set MOZBUILD_STATE_PATH.
* Cargo.toml, Cargo.lock, third_party/rust/naga/.cargo-checksum.json, third_party/rust/naga/Cargo.toml, third_party/rust/wgpu-core/.cargo-checksum.json, third_party/rust/wgpu-core/Cargo.toml: Work around the lack of resolver feature in unstable's cargo.
92.0-1 (Wed, 08 Sep 2021 07:57:38 +0900)
* Fixes for mfsa2021-38, also known as: CVE-2021-38491, CVE-2021-38493, CVE-2021-38494.
* debian/rules: Build against embedded nspr and nss on bullseye.
* debian/upstream.mk: Add bookworm and trixie.
Comment 1 Quality Assurance univentionstaff 2022-09-26 09:00:14 CEST
--- mirror/ftp/pool/main/f/firefox-esr/firefox-esr_91.13.0esr-1~deb10u1.dsc
+++ apt/ucs_5.0-0-errata5.0-2/source/firefox-esr_102.3.0esr-1~deb10u1.dsc
@@ -1,147 +1,273 @@
-91.13.0esr-1~deb10u1 [Wed, 24 Aug 2022 06:09:13 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-35, also known as:
-    CVE-2022-38472, CVE-2022-38473, CVE-2022-38478.
-
-91.12.0esr-1~deb10u1 [Wed, 27 Jul 2022 09:08:20 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-29, also known as:
-    CVE-2022-36319, CVE-2022-36318.
-
-91.11.0esr-1~deb10u1 [Wed, 29 Jun 2022 06:30:12 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-25, also known as:
-    CVE-2022-34479, CVE-2022-34470, CVE-2022-34468, CVE-2022-34481,
-    CVE-2022-31744, CVE-2022-34472, CVE-2022-2200, CVE-2022-34484.
+102.3.0esr-1~deb10u1 [Fri, 23 Sep 2022 11:38:58 +0200] Emilio Pozuelo Monfort <pochu@debian.org>:
+
+  * Backport to buster.
+  * Use internal libevent, the system one is too old.
+
+102.3.0esr-1 [Wed, 21 Sep 2022 06:58:15 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-41, also known as:
+    CVE-2022-40959, CVE-2022-40960, CVE-2022-40958, CVE-2022-40956,
+    CVE-2022-40957, CVE-2022-40962.
+
+102.2.0esr-1 [Wed, 24 Aug 2022 06:35:58 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-34, also known as:
+    CVE-2022-38472, CVE-2022-38473, CVE-2022-38477, CVE-2022-38478.
+
+  * debian/rules, debian/control: Fix libavcodec recommends. Closes: #1017782.
+  * debian/control*: Bump nss build dependency.
+
+102.1.0esr-2 [Mon, 15 Aug 2022 15:46:49 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/rules: Remove old and now unnecessary workarounds.
+
+  * intl/icu/source/common/unicode/std_string.h,
+    intl/icu/source/common/utypeinfo.h,
+    intl/icu/source/io/unicode/ustream.h: Remove workaround for old libstdc++
+    problem, which now causes problems with GCC 12 on arm.
+  * third_party/libwebrtc/moz.build: Add missing webrtc directory for ppc64el
+    (bz#1775202).
+
+102.1.0esr-1 [Sun, 14 Aug 2022 16:59:19 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-28, also known as:
+    CVE-2022-36319, CVE-2022-36318, CVE-2022-36315, CVE-2022-36316,
+    CVE-2022-36320, CVE-2022-2505.
+
+  * debian/rules:
+    - Improve detection of known failing cases on armhf and mipsel.
+    - Use thinLTO for rust on armhf, to stay in the memory budget with an
+      armhf toolchain.
+    - Use MACH_BUILD_PYTHON_NATIVE_PACKAGE_SOURCE=none instead of
+      MACH_USE_SYSTEM_PYTHON=1.
+  * debian/rules, debian/watch, debian/watch.in: Generate debian/watch and
+    fix it.
+
+  * third_party/libwebrtc/moz.build: Work around bz#1775202 to fix FTBFS on
+    ppc64el.
+  * config/makefiles/rust.mk: Allow to override rust LTO flag.
+
+102.0-1 [Wed, 29 Jun 2022 07:41:32 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-24, also known as:
+    CVE-2022-34479, CVE-2022-34470, CVE-2022-34468, CVE-2022-34482,
+    CVE-2022-34483, CVE-2022-34476, CVE-2022-34481, CVE-2022-34474,
+    CVE-2022-34471, CVE-2022-34472, CVE-2022-2200, CVE-2022-34480,
+    CVE-2022-34477, CVE-2022-34475, CVE-2022-34473, CVE-2022-34484,
+    CVE-2022-34485.
 
   * build/moz.configure/bindgen.configure,
     gfx/webrender_bindings/webrender_ffi.h: Work around build failure with
     newer cbindgen. bz#1773259
 
-91.10.0esr-1~deb10u1 [Wed, 01 Jun 2022 05:24:22 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-21, also known as:
+101.0.1-1 [Fri, 10 Jun 2022 06:24:01 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+  * build/moz.configure/rust.configure, debian/control*: Allow to build with
+    cargo in unstable.
+
+101.0-1 [Wed, 01 Jun 2022 06:07:37 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-20, also known as:
     CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740,
-    CVE-2022-31741, CVE-2022-31742, CVE-2022-31747.
-
-91.9.1esr-1~deb10u1 [Sat, 21 May 2022 06:22:04 +0900] Mike Hommey <glandium@debian.org>:
+    CVE-2022-31741, CVE-2022-31742, CVE-2022-31743, CVE-2022-31744,
+    CVE-2022-31745, CVE-2022-1919, CVE-2022-31747, CVE-2022-31748.
+
+  * debian/rules: Fail the build early when building for armhf on armhf
+    (only works on arm64), and when building for mipsel on mipsel.
+  * debian/control*: Bump rustc, cargo, cbindgen and nss build dependencies.
+
+100.0.2-1 [Sat, 21 May 2022 07:32:04 +0900] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
   * Fixes for mfsa2022-19, also known as CVE-2022-1802 and CVE-2022-1529.
 
-91.9.0esr-1~deb10u1 [Wed, 04 May 2022 06:43:23 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-17, also known as
+100.0-1 [Wed, 04 May 2022 08:48:41 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-16, also known as:
     CVE-2022-29914, CVE-2022-29909, CVE-2022-29916, CVE-2022-29911,
-    CVE-2022-29912, CVE-2022-29917.
-
-91.8.0esr-1~deb10u1 [Wed, 06 Apr 2022 08:13:44 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-14, also known as
-    CVE-2022-1097, CVE-2022-28281, CVE-2022-1196, CVE-2022-28282,
-    CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, CVE-2022-28289.
-
-91.7.0esr-1~deb10u1 [Wed, 09 Mar 2022 06:47:37 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-11, also known as
+    CVE-2022-29912, CVE-2022-29915, CVE-2022-29917, CVE-2022-29918.
+
+99.0-1 [Wed, 06 Apr 2022 09:04:22 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-13, also known as:
+    CVE-2022-1097, CVE-2022-28281, CVE-2022-28282, CVE-2022-28283,
+    CVE-2022-28284, CVE-2022-28285, CVE-2022-28286, CVE-2022-28287,
+    CVE-2022-24713, CVE-2022-28289, CVE-2022-28288.
+
+  * debian/control*: Bump nss build dependency.
+
+98.0-2 [Thu, 10 Mar 2022 09:09:43 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/rules: Install crash reporter files on arm64.
+
+  * js/src/jit/GenerateAtomicOperations.py: Work around a GCC issue with
+    generated atomics. bz#1756347.
+
+98.0-1 [Wed, 09 Mar 2022 07:09:27 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-10, also known as:
     CVE-2022-26383, CVE-2022-26384, CVE-2022-26387, CVE-2022-26381,
-    CVE-2022-26386.
-
-91.6.1esr-1~deb10u1 [Sun, 06 Mar 2022 07:31:23 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-09, also known as CVE-2022-26485, CVE-2022-26486.
-
-91.6.0esr-1~deb10u1 [Wed, 09 Feb 2022 07:37:27 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-05, also known as:
-    CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760,
-    CVE-2022-22761, CVE-2022-22763, CVE-2022-22764.
-
-  * netwerk/base/SimpleChannel.*, netwerk/base/nsBaseChannel.*,
-    netwerk/protocol/res/ExtensionProtocolHandler.cpp,
-    netwerk/protocol/res/PageThumbProtocolHandler.cpp,
-    toolkit/components/places/nsAnnoProtocolHandler.cpp,
-    dom/file/ipc/RemoteLazyInputStream.cpp: Apply upstream patches to fix
-    excessive CPU usage in web extensions. bz#1706594, bz#1735899.
-    Closes: #1002868.
-
-91.5.0esr-1~deb10u1 [Wed, 12 Jan 2022 06:58:53 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2022-02, also known as:
+    CVE-2022-26382, CVE-2022-26385, CVE-2022-0843.
+  * Fixes for mfsa2022-09, also known as: CVE-2022-26485, CVE-2022-26486.
+
+  * debian/control*:
+    - Bump nss build dependency.
+    - Downgrade rust dependency to 1.56, and cargo to 0.57.
+
+  * Cargo.lock, config/makefiles/rust.mk, python/mozboot/mozboot/util.py,
+    servo/components/style/Cargo.toml, servo/components/style/build.rs,
+    servo/components/style/lib.rs,
+    servo/components/style/stylesheets/page_rule.rs,
+    servo/components/style/stylist.rs,
+    third_party/rust/audioipc2-client/.cargo-checksum.json,
+    third_party/rust/audioipc2-client/Cargo.toml,
+    third_party/rust/audioipc2-client/build.rs,
+    third_party/rust/audioipc2-client/src/lib.rs,
+    third_party/rust/wgpu-hal/.cargo-checksum.json,
+    third_party/rust/wgpu-hal/src/gles/egl.rs: Relax minimum supported Rust
+    version to 1.56.0.
+
+97.0-1 [Wed, 09 Feb 2022 07:53:42 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-04, also known as:
+    CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22759,
+    CVE-2022-22760, CVE-2022-22761, CVE-2022-22764, CVE-2022-0511.
+
+  * debian/control*: Bump nss, rustc and cargo build dependencies.
+  * debian/browser.install.in: Install libipcclientcerts.so.
+
+96.0.3-1 [Mon, 31 Jan 2022 06:21:31 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+96.0.1-1 [Sat, 15 Jan 2022 07:41:14 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+  * modules/libpref/init/StaticPrefList.yaml: Disable cookie sameSite
+    schemeful. bz#1750264.
+  * dom/media/webrtc/third_party_build/gn-configs/x64_*_arm_linux.json,
+    dom/media/webrtc/third_party_build/gn-configs/x64_*_ppc64_linux.json,
+    third_party/libwebrtc/**/moz.build: Add webrtc configs for arm and
+    ppc64 linux. bz#1738845.
+
+96.0-1 [Wed, 12 Jan 2022 08:03:30 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2022-01, also known as:
     CVE-2022-22743, CVE-2022-22742, CVE-2022-22741, CVE-2022-22740,
     CVE-2022-22738, CVE-2022-22737, CVE-2021-4140, CVE-2022-22748,
-    CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751.
-
-91.4.1esr-1~deb10u1 [Sun, 19 Dec 2021 06:44:45 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-
-  * debian/rules: Build against embedded nspr and nss on bullseye.
-  * debian/control*: Build against rustc-mozilla/cargo-mozilla on relevant
-    older release.
-  * debian/upstream.mk: Add definitions for newer releases of Debian.
-
-91.4.0esr-1 [Wed, 08 Dec 2021 06:38:58 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes cubeb deadlock. Closes: #998679.
-  * Fixes for mfsa2021-53, also known as:
+    CVE-2022-22745, CVE-2022-22747, CVE-2022-22739, CVE-2022-22751,
+    CVE-2022-22752.
+
+  * debian/rules:
+    - Adjust preprocessor command to upstream changes.
+    - Set an objdir when using the preprocessor, and clean that up.
+  * debian/control*: Bump nss build dependency.
+
+95.0.1-1 [Fri, 17 Dec 2021 07:05:23 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+  * debian/control.in: Build against rustc-mozilla/cargo-mozilla on relevant
+    older releases.
+
+  * modules/fdlibm/src/math_private.h: Fix FTBFS on i386. bz#1729459.
+
+95.0-1 [Wed, 08 Dec 2021 06:38:07 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-52, also known as:
     CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539,
-    CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545,
-    CVE-2021-43546, MOZ-2021-0009.
-
-91.3.0esr-2 [Sat, 27 Nov 2021 06:50:56 +0900] Mike Hommey <glandium@debian.org>:
-
-  * debian/firefox.in: Use `command -v` instead of `which`. Closes: #996455.
-
-  * modules/fdlibm/src/math_private.h: Fix FTBFS on i386. bz#1729459.
+    CVE-2021-43540, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543,
+    CVE-2021-43544, CVE-2021-43545, CVE-2021-43546, MOZ-2021-0009.
+
+  * debian/browser.mozconfig.in: Explicitly disable wasm sandboxing. We don't
+    have the necessary tools yet.
+
+94.0.2-1 [Wed, 24 Nov 2021 06:57:55 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+94.0-2 [Thu, 11 Nov 2021 16:32:50 +0900] Mike Hommey <glandium@debian.org>:
+
+  * debian/firefox.in: Use `command -v` instead of `which`. Does not affect
+    this package, though.
+
   * .cargo/config.in, Cargo.lock, Cargo.toml,
     third_party/rust/cc/.cargo-checksum.json,
     third_party/rust/cc/Cargo.toml, third_party/rust/cc/src/lib.rs,
     third_party/rust/cc/src/windows_registry.rs: Update cc crate to
     b2f6b146b75299c444e05bbde50d03705c7c4b6e, aka 1.0.71 + GCC-11 fix for
     armhf. bz#1739040.
-
-91.3.0esr-1 [Wed, 03 Nov 2021 06:04:59 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-49, also known as:
+  * .cargo/config.in, Cargo.lock,
+    third_party/rust/cubeb-pulse/.cargo-checksum.json,
+    third_party/rust/cubeb-pulse/src/backend/stream.rs,
+    toolkit/library/rust/shared/Cargo.toml: Upgrade cubeb-pulse to fix a race
+    condition that can lead to shutdown deadlock. bz#1735905.
+    (suspected to) Closes: #998108.
+
+94.0-1 [Wed, 03 Nov 2021 08:20:50 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-48, also known as:
     CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507,
-    MOZ-2021-0008, CVE-2021-38508, CVE-2021-38509, MOZ-2021-0007.
+    CVE-2021-38508, MOZ-2021-0004, CVE-2021-38509, MOZ-2021-0005,
+    MOZ-2021-0006, MOZ-2021-0007.
     (MOZ-* pending CVE assignment)
 
-91.2.0esr-1 [Wed, 06 Oct 2021 06:29:51 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-45, also known as:
+  * debian/control*: Bump nss, rustc and cargo build dependencies.
+
+  * Cargo.toml, Cargo.lock, third_party/rust/naga/.cargo-checksum.json,
+    third_party/rust/naga/Cargo.toml,
+    third_party/rust/wgpu-core/.cargo-checksum.json,
+    third_party/rust/wgpu-core/Cargo.toml, build/moz.configure/rust.configure:
+    Remove workaround to build with an old cargo, now that Debian has a recent
+    version.
+
+93.0-1 [Wed, 06 Oct 2021 06:53:13 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-43, also known as:
     CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810,
-    CVE-2021-38500, CVE-2021-38501.
-
-91.1.0esr-1 [Wed, 08 Sep 2021 07:46:16 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
-  * Fixes for mfsa2021-40, also known as CVE-2021-38495.
-
-91.0.1esr-1 [Wed, 18 Aug 2021 10:28:37 +0900] Mike Hommey <glandium@debian.org>:
+    CVE-2021-38500, CVE-2021-38501, CVE-2021-38499.
+
+  * debian/control*: Bump nss build dependency.
+  * debian/rules: Set MOZBUILD_STATE_PATH.
+
+  * Cargo.toml, Cargo.lock, third_party/rust/naga/.cargo-checksum.json,
+    third_party/rust/naga/Cargo.toml,
+    third_party/rust/wgpu-core/.cargo-checksum.json,
+    third_party/rust/wgpu-core/Cargo.toml: Work around the lack of resolver
+    feature in unstable's cargo.
+
+92.0-1 [Wed, 08 Sep 2021 07:57:38 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2021-38, also known as:
+    CVE-2021-38491, CVE-2021-38493, CVE-2021-38494.
+
+  * debian/rules: Build against embedded nspr and nss on bullseye.
+  * debian/upstream.mk: Add bookworm and trixie.
+  * debian/control*: Bump nss build dependency.
+
+91.0.1-1 [Wed, 18 Aug 2021 10:28:35 +0900] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.
   * Fixes for mfsa2021-37, also known as CVE-2021-29991.
 
   * debian/import-tar.py, debian/repack.py: Fixed for python 3.9.
-
-91.0esr-1 [Wed, 11 Aug 2021 11:05:38 +0900] Mike Hommey <glandium@debian.org>:
-
-  * New upstream release.
 
 91.0-1 [Wed, 11 Aug 2021 07:18:22 +0900] Mike Hommey <glandium@debian.org>:
 

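Review bot: The 102.3.0esr-1 entry added near the top of this hunk brings in mfsa2022-41 (CVE-2022-40959, CVE-2022-40960, CVE-2022-40958, CVE-2022-40956, CVE-2022-40957, CVE-2022-40962), yet the summary in the bug description goes straight from 102.3.0esr-1~deb10u1 to 102.2.0esr-1 and names none of these six IDs. It is the only advisory among the added lines dated after the previously shipped 91.13.0esr-1~deb10u1, so the errata text should list it explicitly. Because the hunk swaps the 91 ESR changelog for the 102 one, the added lines also repeat IDs that the removed 91.x entries already covered (CVE-2022-38472 appears under both mfsa2022-35 and mfsa2022-34), while removed IDs such as CVE-2022-1196, CVE-2022-26386 and CVE-2022-22763 have no counterpart on the added side. I would build the errata CVE list by comparing against what was already announced rather than taking the added lines as they are.
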
<http://piuparts.knut.univention.de/5.0-2/#13437586994538044>
Comment 2 Philipp Hahn univentionstaff 2022-09-28 08:52:16 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-2] dd5fedd89c Bug #55221: firefox-esr 102.3.0esr-1~deb10u2
 doc/errata/staging/firefox-esr.yaml | 203 +++++++-----------------------------
 1 file changed, 37 insertions(+), 166 deletions(-)

[5.0-2] bb7c4d77c1 Bug #55221: firefox-esr 102.3.0esr-1~deb10u2
 doc/errata/staging/firefox-esr.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

[5.0-2] cd07d9b060 Bug #55221: firefox-esr 102.3.0esr-1~deb10u1
 doc/errata/staging/firefox-esr.yaml | 283 ++++++++++++++++++++++++++++++++++++
 1 file changed, 283 insertions(+)