
Upgrade firefox-esr (Purebrowser) to bring in recent CVE fixes.
Closed, Resolved, Public

Description

A host of CVEs have been fixed in Debian's firefox-esr package: https://metadata.ftp-master.debian.org/changelogs//main/f/firefox-esr/firefox-esr_60.6.2esr-1_changelog

If we could pull in the latest firefox-esr from Debian, we can then make sure that our version is addressing the CVEs.

It might be good to describe the process of updating packages in Laniakea so we can distribute responsibility for this type of work.

Event Timeline

jonas.smedegaard added a comment. Edited May 7 2019, 09:12

For the "pull in the latest firefox-esr from Debian" part, it was prepared earlier today¹ and uploading (but failing and failing) now².

¹ as soon as Debian git-tracked source was available - see http://bugs.debian.org/927279

² several upload attempts failed with a timeout - upload is 1GB because source-only uploads are mysteriously no longer working for me - see T744

The plot thickens

firefox-esr (a.k.a. PureBrowser) 60.6.2esr-1pureos1 was confirmed accepted 25 minutes ago.

What should happen next is recompilation for arm64 after which it enters landing.

Then after due testing time (unless blocked) it enters green.

$ apt-cache policy purebrowser
purebrowser:
  Installed: 60.6.2esr-1pureos1
  Candidate: 60.6.2esr-1pureos1
  Version table:
 *** 60.6.2esr-1pureos1 500
        500 https://repo.puri.sm/pureos green/main amd64 Packages
        100 /var/lib/dpkg/status

jeremiah.foster closed this task as Resolved. May 9 2019, 07:54