Firefox security update not showing for EE

bin
Posts: 37
Joined: 13 Dec 2013 15:31

Firefox security update not showing for EE

Postby bin » 20 Jun 2019 06:14

Using Firefox ESR 60.7.0

Just puzzled - the latest Firefox fix for an active zero-day vuln is not showing up in the EE repo yet.

ilu
Posts: 2420
Joined: 09 Oct 2013 12:45

Re: Firefox security update not showing for EE

Postby ilu » 20 Jun 2019 14:29

Firefox ESR is provided by Debian, nothing we can do about that. Actually it's fixed in all supported versions but not in buster - because buster is testing and still not stable (so security updates are not a priority). That's Debian policy. If you want to get all security updates ASAP use stable (or maybe sid). See here https://security-tracker.debian.org/tra ... irefox-esr.

We are providing Firefox non-ESR and Waterfox, and on both the security update is there.

kurotsugi
Posts: 2214
Joined: 09 Jan 2014 00:17

Re: Firefox security update not showing for EE

Postby kurotsugi » 20 Jun 2019 18:22

That's not Debian's policy. I'm not sure where you got that impression, but security patches always get prioritized in Debian. Normal packages have a 10-day delay on sid, while security patches, depending on the severity, have 1, 3, or 5 days. You can use tracker.debian.org to check the situation of certain packages. As we can see here https://tracker.debian.org/pkg/firefox-esr, firefox-esr got a 5-day delay and it is only one day old.

Please remember that buster is in the final step of the freeze period. Under normal circumstances no package is allowed to migrate from sid. A 5-day delay means it's a normal security patch, so the severity is not high. It would be better to wait until it arrives in buster.

ilu
Posts: 2420
Joined: 09 Oct 2013 12:45

Re: Firefox security update not showing for EE

Postby ilu » 20 Jun 2019 23:55

Security issues in stable and old-stable get fixed as soon as possible, with a minimal waiting period, as you can see in the security tracker - CVE-2019-11707 is fixed on both. There is certainly no 5-day delay for stable. Stable got the fix on Tuesday, old-stable on Thursday, and testing/buster is still waiting 5 days for the fix coming in from sid. You can see that on the tracker page you linked.
Relaying security patches into stable immediately and without waiting longer than absolutely necessary is Debian policy. But buster is testing and not meant for production systems. So, what I said is: If you want security fixes as soon as possible, don't use testing but use stable.

In the meantime CVE-2019-11708 arrived, which is fixed only on sid, which got the fix yesterday. That's why I said if your priority is quick security fixes (and, obviously, if you feel very adventurous!) you might decide to use sid - but never testing.

And the priority of both CVEs is not just high but critical.

kurotsugi
Posts: 2214
Joined: 09 Jan 2014 00:17

Re: Firefox security update not showing for EE

Postby kurotsugi » 21 Jun 2019 02:57

All security patches, compared to common patches, will be flagged as critical. That would be the "normal security patch"; there are two more levels above this level, which will have 1- or 3-day delays. 1 is super high, 3 is high, 5 is for a normal security patch.

Well... you were saying
<snip>...(so security updates are not a priority). That's Debian policy. <snip>
This might cause misunderstanding. I just want to stress that Debian always puts security as a priority, regardless of stable, testing, or unstable.

bin
Posts: 37
Joined: 13 Dec 2013 15:31

Re: Firefox security update not showing for EE

Postby bin » 21 Jun 2019 04:41

Hmmm... it does seem to me that Debian has adopted a somewhat incoherent policy in that case.

However, I've swapped over to Waterfox as suggested - despite the adverse comments on various sites about it being slow to fix, that is obviously not the case this time.

I always preferred SeaMonkey, so it's a pleasure to use. What is more interesting is that it also renders a number of sites that cause trouble with stock FF.

Thanks for the advice about Debian policy - I'll try to remember in future :D
