bug-gnuzilla

Re: [Bug-gnuzilla] IceCat distribution delay and the NSA


From: Mark H Weaver
Subject: Re: [Bug-gnuzilla] IceCat distribution delay and the NSA
Date: Tue, 14 Mar 2017 01:53:07 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

David Hedlund <address@hidden> writes:

> I got icecat-45.7.0 too in Trisquel 7.
>
> But it doesn't really matter because the latest Firefox ESR is 52.0.

IceCat 45.8.0 would also be fine for now, if it existed.  Firefox ESR
45.8.0 was released at about the same time as 52.0, and includes fixes
for the same security flaws that were addressed in 52.0.  However, if
the recent pattern holds, 45.8.0 will be the last 45.x release, so we'll
have urgent need of IceCat 52.1 as soon as Firefox ESR 52.1 is released.
Ideally, that work would begin before 52.1 comes out.

IceCat 45.7.0 includes several published security flaws that are
believed to allow remote code execution, and is therefore no longer safe
to use unless you use the version packaged in GNU Guix, which includes
security fixes cherry-picked from upstream Firefox ESR 45.8.0.  The only
fix I left out was a fix to the bundled copy of Cairo, since we don't
use the bundled Cairo in Guix, and our system Cairo already has the fix.

As far as I know, Guix is the only distro that promptly cherry-picks
upstream fixes for IceCat.  However, it's unlikely that I'll be able to
backport all fixes from 52.x to 45.x, so when 52.1 is released, even
Guix users will be in trouble until IceCat 52.x appears.

       Mark


