[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Guix IceCat users have had early access to security fixes

From: Mark H Weaver
Subject: Re: Guix IceCat users have had early access to security fixes
Date: Sun, 15 Jan 2017 19:08:11 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)


julien lepiller <address@hidden> writes:

> Le 2016-12-15 02:00, Mark H Weaver a écrit :
>> Yesterday, Mozilla released Firefox ESR 45.6 and announced several CVEs
>> fixed by it:
>> I'm pleased to announce that Guix users of IceCat have had early access
>> all of these fixes.
>> Since November 30 (commit 9689e71d2f2b5e766415a40d5f5ab267768d217d),
>> we've had fixes for CVE-2016-9897, CVE-2016-9898, CVE-2016-9899,
>> CVE-2016-9900, CVE-2016-9904, and 4 out of 11 patches for
>> CVE-2016-9893.
>> Since December 3 (commit 5bdec7d634ce0058801cd212e9e4ea56e914ca0c),
>> we've had the fixes that were later announced as CVE-2016-9901,
>> CVE-2016-9902, CVE-2016-9905, and another patch for CVE-2016-9893.
>> On December 10 (commit 56c394ee4397015d6144dab002ee43fc7e32a331), I
>> cherry-picked the remaining fixes from the not-yet-released Firefox
>> ESR 45.6: CVE-2016-9895, and the final six patches for CVE-2016-9893.
>>       Mark
> Impressive, thank you!
> I'm a bit curious though, how did you get these patches? Were they
> already advertised as vulnerability fixes at the time you applied
> them? Were they already publicly-available?

I cherry-picked them from the mozilla-esr45 mercurial repository.  They
were not yet advertised as vulnerability fixes.  Often they are only
labeled with a mozilla bug number, and the relevant bug reports are not
publicly accessible.  However, in practice most of the bug fixes applied
to that branch are potentially exploitable.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]