
Re: [Bug-gnuzilla] Unpatched security flaws in IceCat


From: Mark H Weaver
Subject: Re: [Bug-gnuzilla] Unpatched security flaws in IceCat
Date: Wed, 23 Sep 2015 18:07:08 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

FYI, it has now been over six weeks since I posted the message below.
For over six weeks, anyone running GNU IceCat has been vulnerable to
widely known security flaws that are believed to allow remote code
execution.

     Mark


Mark H Weaver <address@hidden> writes:

> Since the last GNU IceCat release, there have been 12 security
> advisories from Mozilla addressing 18 CVEs and associated releases of
> Firefox ESR 38.1.1 (on August 6) and ESR 38.2 (yesterday).
>
>   https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
>
>   CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4478,
>   CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482,
>   CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487,
>   CVE-2015-4488, CVE-2015-4489, CVE-2015-4491, CVE-2015-4492,
>   CVE-2015-4493, CVE-2015-4495
>
> There have been no new releases on the ESR 31 branch, so I guess that
> Mozilla is no longer supporting it, or at least not in a timely fashion.
>
> We are therefore in urgent need of either:
>
>   1. GNU IceCat 38.2.
>   2. Backports of these fixes to GNU IceCat 31.8.
>
> I've already backported the fix for CVE-2015-4495, which was included in
> Firefox ESR 38.1.1, here:
>
>   http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/patches/icecat-CVE-2015-4495.patch
>
> Now I'm faced with the prospect of backporting a large pile of fixes,
> several of which are labelled "critical", from Firefox 38 to 31, or else
> running a browser with published remote execution vulnerabilities for
> some unknown number of days.  This is not good.
>
> So, when can we expect GNU IceCat 38.2 to be released?
>
>      Mark


