A host of CVEs have been fixed in Debian's firefox-esr package: https://metadata.ftp-master.debian.org/changelogs//main/f/firefox-esr/firefox-esr_60.6.2esr-1_changelog
If we could pull in the latest firefox-esr from Debian, we can then make sure that our version is addressing the CVEs.
It might be good to describe the process of updating packages in Laniakea so we can distribute responsibility for this type of work.
For the "pull in the latest firefox-esr from Debian" part, it was prepared earlier today¹ and uploading (but failing and failing) now².
¹ as soon as Debian git-tracked source was available - see http://bugs.debian.org/927279
² several upload attempts failed with a timeout - upload is 1GB because source-only uploads are mysteriously no longer working for me - see T744
firefox-esr (a.k.a. PureBrowser) 60.6.2esr-1pureos1 was confirmed accepted 25 minuts ago.
What should happen next is recompilation for arm64 after which it enters landing.
Then after due testing time (unless blocked) it enters green.
$ apt-cache policy purebrowser purebrowser:
Installed: 60.6.2esr-1pureos1 Candidate: 60.6.2esr-1pureos1 Version table:
*** 60.6.2esr-1pureos1 500
500 https://repo.puri.sm/pureos green/main amd64 Packages
100 /var/lib/dpkg/status