Bug 58723 - firefox-esr: Multiple issues (5.2)
Summary: firefox-esr: Multiple issues (5.2)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.2
Hardware: All Linux
: P3 normal
Target Milestone: UCS 5.2-3-errata
Assignee: Quality Assurance
QA Contact: Iván.Delgado
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-10-20 07:49 CEST by Quality Assurance
Modified: 2025-10-22 13:38 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) NVD

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2025-10-20 07:49:36 CEST 
New Debian firefox-esr 140.4.0esr-1~deb12u1 fixes:
This update addresses the following issues:
140.3.1esr-1~deb12u1 (Sat, 27 Sep 2025 09:57:32 +0900)
* New upstream release.
* media/libyuv/libyuv/libyuv.gyp: Disable SVE parts of libyuv when the SVE  flags are not supported. Fixes FTBFS on arm64 on bookworm.
* config/system-headers.mozbuild: Add a system header wrapper for  sys/platform/ppc.h.: Fixes FTBFS on pc64el on bookworm.
* debian/upstream.mk, debian/control: Stop handling testing/unstable as  trixie, meaning embedded NSS is not built anymore.
* debian/rules: - Avoid running dwz on platforms where we disable debug info.  - Stop setting _LEAKTEST_FILES, it hasn't been used since version 32.0. -  Disable rust LTO on s390x, hoping to fix FTBFS.
140.4.0esr-1~deb12u1 (Wed, 15 Oct 2025 08:55:29 +0900)
* Fixes for mfsa2025-83, also known as: CVE-2025-11708, CVE-2025-11709,  CVE-2025-11710, CVE-2025-11711, CVE-2025-11712, CVE-2025-11714,  CVE-2025-11715.
* debian/watch: Refreshed. Somehow it was not refreshed for ESR.
* debian/dh: Properly handle multiple DEB_BUILD_OPTIONS.
Comment 1 Quality Assurance univentionstaff 2025-10-20 08:00:09 CEST 
--- mirror/ftp/pool/main/f/firefox-esr/firefox-esr_140.3.0esr-1~deb12u1.dsc
+++ apt/ucs_5.2-0-errata5.2-3/source/firefox-esr_140.4.0esr-1~deb12u1.dsc
@@ -1,3 +1,30 @@
+140.4.0esr-1~deb12u1 [Wed, 15 Oct 2025 08:55:29 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+  * Fixes for mfsa2025-83, also known as:
+    CVE-2025-11708, CVE-2025-11709, CVE-2025-11710, CVE-2025-11711,
+    CVE-2025-11712, CVE-2025-11714, CVE-2025-11715.
+
+  * debian/watch: Refreshed. Somehow it was not refreshed for ESR.
+  * debian/dh: Properly handle multiple DEB_BUILD_OPTIONS.
+
+140.3.1esr-1~deb12u1 [Sat, 27 Sep 2025 09:57:32 +0900] Mike Hommey <glandium@debian.org>:
+
+  * New upstream release.
+
+  * media/libyuv/libyuv/libyuv.gyp: Disable SVE parts of libyuv when the
+    SVE flags are not supported. Fixes FTBFS on arm64 on bookworm.
+  * config/system-headers.mozbuild: Add a system header wrapper for
+    sys/platform/ppc.h.: Fixes FTBFS on pc64el on bookworm.
+
+  * debian/upstream.mk, debian/control: Stop handling testing/unstable
+    as trixie, meaning embedded NSS is not built anymore.
+  * debian/rules:
+    - Avoid running dwz on platforms where we disable debug info.
+      Closes: #1115490
+    - Stop setting _LEAKTEST_FILES, it hasn't been used since version 32.0.
+    - Disable rust LTO on s390x, hoping to fix FTBFS.
+
 140.3.0esr-1~deb12u1 [Wed, 17 Sep 2025 08:35:15 +0900] Mike Hommey <glandium@debian.org>:
 
   * New upstream release.

<http://piuparts.knut.univention.de/5.2-3/#2744698841158852027>
Comment 2 Iván.Delgado univentionstaff 2025-10-21 10:47:59 CEST 
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.2-3] 48dece0653 Bug #58723: firefox-esr 140.4.0esr-1~deb12u1
 doc/errata/staging/firefox-esr.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
Comment 3 Iván.Delgado univentionstaff 2025-10-22 13:38:52 CEST 
<https://errata.software-univention.de/#/?erratum=5.2x264>