[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-gnuzilla] Unpatched security flaws in IceCat

From: Mark H Weaver
Subject: [Bug-gnuzilla] Unpatched security flaws in IceCat
Date: Wed, 12 Aug 2015 12:48:13 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Since the last GNU IceCat release, there have been 12 security
advisories from Mozilla addressing 18 CVEs and associated releases of
Firefox ESR 38.1.1 (on August 6) and ESR 38.2 (yesterday).


  CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4478,
  CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482,
  CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487,
  CVE-2015-4488, CVE-2015-4489, CVE-2015-4491, CVE-2015-4492,
  CVE-2015-4493, CVE-2015-4495

There have been no new releases on the ESR 31 branch, so I guess that
Mozilla is no longer supporting it, or at least not in a timely fashion.

We are therefore in urgent need of either:

  1. GNU IceCat 38.2.
  2. Backports of these fixes to GNU IceCat 31.8.

I've already backported the fix for CVE-2015-4495, which was included in
Firefox ESR 38.1.1, here:


Now I'm faced with the prospect of backporting a large pile of fixes,
several of which are labelled "critical", from Firefox 38 to 31, or else
running a browser with published remote execution vulnerabilities for
some unknown number of days.  This is not good.

So, when can we expect GNU IceCat 38.2 to be released?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]