XPost: alt.os.linux.debian
Moritz Muehlenhoff <jmm@debian.org> writes:
Debian Security Advisory DSA-4324-1
[...]
CVE ID : CVE-2018-12389 CVE-2018-12390 CVE-2018-12392
CVE-2018-12393 CVE-2018-12395 CVE-2018-12396
CVE-2018-12397
Multiple security issues have been found in the Mozilla Firefox web
browser, which could result in the execution of arbitrary code,
privilege escalation or information disclosure.
For the stable distribution (stretch), these problems have been fixed
in version 60.3.0esr-1~deb9u1.
[...]
... Or we can get a detailed look at [1].
I can't say I'm surprised that adopting a new, memory-safe
language as the basis for Firefox hasn't instantly resulted
in a bug-free ESR; IME, any new technology takes some time
stumbling around before its claimed benefits can truly show.
What I'm concerned about, however, is that the adoption of a
XUL-incompatible Firefox version by Debian stable left its users
without Debian packaged, XUL-only versions of NoScript and uBlock.
Frankly, at this point, I'm inclined to trust an unsupported ESR
plus NoScript /more/ than a supported ESR without one.
(Not to mention that I find Firefox UI without CTR barely usable.)
[1] http://security-tracker.debian.org/firefox-esr
[2] http://addons.mozilla.org/firefox/addon/classicthemerestorer/
--
FSF associate member #7257 np. Face Another Day -- Jogeir Liljedahl