• Firefox' new ESR

    From Ivan Shmakov@21:1/5 to All on Sun Oct 28 08:07:48 2018
    XPost: alt.os.linux.debian

    Moritz Muehlenhoff <jmm@debian.org> writes:

    Debian Security Advisory DSA-4324-1


    CVE ID : CVE-2018-12389 CVE-2018-12390 CVE-2018-12392
    CVE-2018-12393 CVE-2018-12395 CVE-2018-12396

    Multiple security issues have been found in the Mozilla Firefox web
    browser, which could result in the execution of arbitrary code,
    privilege escalation or information disclosure.

    For the stable distribution (stretch), these problems have been fixed
    in version 60.3.0esr-1~deb9u1.


    ... Or we can get a detailed look at [1].

    I can't say I'm surprised that adopting a new, memory-safe
    language as the basis for Firefox hasn't instantly resulted
    in a bug-free ESR; IME, any new technology takes some time
    stumbling around before its claimed benefits can truly show.

    What I'm concerned about, however, is that the adoption of a
    XUL-incompatible Firefox version by Debian stable left its users
    without Debian-packaged, XUL-only versions of NoScript and uBlock.

    Frankly, at this point, I'm inclined to trust an unsupported ESR
    plus NoScript /more/ than a supported ESR without one.

    (Not to mention that I find Firefox UI without CTR barely usable.)

    [1] http://security-tracker.debian.org/firefox-esr
    [2] http://addons.mozilla.org/firefox/addon/classicthemerestorer/

    FSF associate member #7257 np. Face Another Day -- Jogeir Liljedahl

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)