[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-gnuzilla] Unpatched security flaws in IceCat

From: David Hedlund
Subject: [Bug-gnuzilla] Unpatched security flaws in IceCat
Date: Thu, 12 Nov 2015 03:40:58 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.8.0

Have this been fixed in IceCat 38.3.0?

-------- Forwarded Message --------
Return-Path: <address@hidden>
Delivered-To: address@hidden
Received: from spool.mail.gandi.net (mspool1-d.mgt.gandi.net []) by nmboxes47-d.mgt.gandi.net (Postfix) with ESMTP id 71FD74077B for <address@hidden>; Wed, 12 Aug 2015 18:48:40 +0200 (CEST)
Received: from mfilter15-d.gandi.net (mfilter15-d.gandi.net []) by spool.mail.gandi.net (Postfix) with ESMTP id 6F9BE22649F for <address@hidden>; Wed, 12 Aug 2015 18:48:40 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mfilter15-d.gandi.net
Received: from spool.mail.gandi.net ([IPv6:::ffff:]) by mfilter15-d.gandi.net (mfilter15-d.gandi.net [::ffff:]) (amavisd-new, port 10024) with ESMTP id inhpW0-I8qEE for <address@hidden>; Wed, 12 Aug 2015 18:48:39 +0200 (CEST)
Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) by spool.mail.gandi.net (Postfix) with ESMTPS id E74FD2263A7 for <address@hidden>; Wed, 12 Aug 2015 18:48:38 +0200 (CEST)
Received: from localhost ([::1]:39527 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from <address@hidden>) id 1ZPZCf-0006Rv-Qk for address@hidden; Wed, 12 Aug 2015 12:48:37 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57523) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from <address@hidden>) id 1ZPZCT-0006Er-Ra for address@hidden; Wed, 12 Aug 2015 12:48:32 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from <address@hidden>) id 1ZPZCQ-0002nJ-3T for address@hidden; Wed, 12 Aug 2015 12:48:25 -0400
Received: from world.peace.net ([]:60378) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <address@hidden>) id 1ZPZCQ-0002n4-0s for address@hidden; Wed, 12 Aug 2015 12:48:22 -0400
Received: from [] (helo=jojen) by world.peace.net with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <address@hidden>) id 1ZPZCI-0007GG-NI; Wed, 12 Aug 2015 12:48:14 -0400
From: Mark H Weaver <address@hidden>
To: bug-gnuzilla <address@hidden>
References: <address@hidden>
Date: Wed, 12 Aug 2015 12:48:13 -0400
In-Reply-To: <address@hidden> ("Rubén Rodríguez"'s message of "Mon, 13 Jul 2015 23:09:09 -0500")
Message-ID: <address@hidden>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
Subject: [Bug-gnuzilla] Unpatched security flaws in IceCat
X-BeenThere: address@hidden
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "GNUzilla discussion and bug reports." <bug-gnuzilla.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnuzilla>, <mailto:address@hidden>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnuzilla>
List-Post: <mailto:address@hidden>
List-Help: <mailto:address@hidden>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnuzilla>, <mailto:address@hidden>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: address@hidden
Sender: address@hidden

Since the last GNU IceCat release, there have been 12 security
advisories from Mozilla addressing 18 CVEs and associated releases of
Firefox ESR 38.1.1 (on August 6) and ESR 38.2 (yesterday).


  CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4478,
  CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482,
  CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487,
  CVE-2015-4488, CVE-2015-4489, CVE-2015-4491, CVE-2015-4492,
  CVE-2015-4493, CVE-2015-4495

There have been no new releases on the ESR 31 branch, so I guess that
Mozilla is no longer supporting it, or at least not in a timely fashion.

We are therefore in urgent need of either:

  1. GNU IceCat 38.2.
  2. Backports of these fixes to GNU IceCat 31.8.

I've already backported the fix for CVE-2015-4495, which was included in
Firefox ESR 38.1.1, here:


Now I'm faced with the prospect of backporting a large pile of fixes,
several of which are labelled "critical", from Firefox 38 to 31, or else
running a browser with published remote execution vulnerabilities for
some unknown number of days.  This is not good.

So, when can we expect GNU IceCat 38.2 to be released?



reply via email to

[Prev in Thread] Current Thread [Next in Thread]