Debian Bug report logs - #948452
firefox: Please update to 72.0.1 (and firefox-esr to 68.4.1) because of CVE-2019-17026
Reported by: jim_p <pitsiorisj@gmail.com>
Date: Wed, 8 Jan 2020 19:51:01 UTC
Severity: grave
Tags: security, upstream
Found in version firefox/72.0-1
Fixed in version firefox/72.0.1-1
Done: Mike Hommey <mh@glandium.org>
Report forwarded to debian-bugs-dist@lists.debian.org, pitsiorisj@gmail.com, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>: Bug#948452; Package firefox. (Wed, 08 Jan 2020 19:51:03 GMT)
Acknowledgement sent to jim_p <pitsiorisj@gmail.com>: New Bug report received and forwarded. Copy sent to pitsiorisj@gmail.com, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>. (Wed, 08 Jan 2020 19:51:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: firefox
Version: 72.0-1
Severity: important
Tags: upstream
Dear Maintainer,
As I mention in the title, firefox was updated to 72.0.1 today, just 1 day
after the release of 72.0, in order to close CVE-2019-17026.
Here is the relevant post from Mozilla:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
-- Package-specific info:
-- Extensions information
Name: Amazon.com
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled
Name: Bing
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled
Name: Dark theme
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: user-disabled
Name: Default theme
Location: /usr/lib/firefox/omni.ja
Package: firefox
Status: enabled
Name: DoH Roll-Out
Location: /usr/lib/firefox/browser/features/doh-rollout@mozilla.org.xpi
Package: firefox
Status: enabled
Name: DuckDuckGo
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled
Name: Firefox Screenshots
Location: /usr/lib/firefox/browser/features/screenshots@mozilla.org.xpi
Package: firefox
Status: enabled
Name: Form Autofill
Location: /usr/lib/firefox/browser/features/formautofill@mozilla.org.xpi
Package: firefox
Status: enabled
Name: Google
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled
Name: Light theme
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: user-disabled
Name: PlayThis
Location: ${PROFILE_EXTENSIONS}/playthis@anxdpanic.xpi
Status: enabled
Name: Twitter
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled
Name: uBlock Origin
Location: ${PROFILE_EXTENSIONS}/uBlock0@raymondhill.net.xpi
Status: enabled
Name: Video DownloadHelper
Location: ${PROFILE_EXTENSIONS}/{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
Status: enabled
Name: Web Compat
Location: /usr/lib/firefox/browser/features/webcompat@mozilla.org.xpi
Package: firefox
Status: enabled
Name: WebCompat Reporter
Location: /usr/lib/firefox/browser/features/webcompat-reporter@mozilla.org.xpi
Package: firefox
Status: user-disabled
Name: Wikipedia (en)
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled
-- Plugins information
Name: Shockwave Flash (32.0.0.293)
Location: /usr/lib/flashplayer-mozilla/libflashplayer.so
Package: flashplayer-mozilla
Status: disabled
-- Addons package information
ii firefox 72.0-1 amd64 Mozilla Firefox web browser
ii flashplayer-mozilla 3:32.0.0.293-dmo1 amd64 Adobe Flash Player
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages firefox depends on:
ii debianutils 4.9.1
ii fontconfig 2.13.1-2+b1
ii libatk1.0-0 2.34.1-1
ii libc6 2.29-7
ii libcairo-gobject2 1.16.0-4
ii libcairo2 1.16.0-4
ii libdbus-1-3 1.12.16-2
ii libdbus-glib-1-2 0.110-5
ii libevent-2.1-7 2.1.11-stable-1
ii libffi6 3.2.1-9
ii libfontconfig1 2.13.1-2+b1
ii libfreetype6 2.10.1-2
ii libgcc1 1:9.2.1-22
ii libgdk-pixbuf2.0-0 2.40.0+dfsg-2
ii libglib2.0-0 2.62.4-1
ii libgtk-3-0 3.24.13-1
ii libnspr4 2:4.24-1
ii libnss3 2:3.48-1
ii libpango-1.0-0 1.42.4-7
ii libsqlite3-0 3.30.1+fossil191229-1
ii libstartup-notification0 0.12-6
ii libstdc++6 9.2.1-22
ii libx11-6 2:1.6.8-1
ii libx11-xcb1 2:1.6.8-1
ii libxcb-shm0 1.13.1-2
ii libxcb1 1.13.1-2
ii libxcomposite1 1:0.4.4-2
ii libxdamage1 1:1.1.5-1
ii libxext6 2:1.3.3-1+b2
ii libxfixes3 1:5.0.3-1
ii libxrender1 1:0.9.10-1
ii libxt6 1:1.1.5-1+b3
ii procps 2:3.3.15-2+b1
ii zlib1g 1:1.2.11.dfsg-1+b1
Versions of packages firefox recommends:
ii libavcodec58 10:4.2.2-dmo1
Versions of packages firefox suggests:
pn fonts-lmodern <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-7
ii libgssapi-krb5-2 1.17-6
ii libgtk2.0-0 2.24.32-4
pn pulseaudio <none>
-- no debconf information
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 Jan 2020 20:15:08 GMT)
Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 Jan 2020 20:15:09 GMT)
Reply sent to Mike Hommey <mh@glandium.org>: You have taken responsibility. (Thu, 09 Jan 2020 01:06:03 GMT)
Notification sent to jim_p <pitsiorisj@gmail.com>: Bug acknowledged by developer. (Thu, 09 Jan 2020 01:06:04 GMT)
Message #14 received at 948452-done@bugs.debian.org:
Version: 72.0.1-1
On Wed, Jan 08, 2020 at 09:49:07PM +0200, jim_p wrote:
> Package: firefox
> Version: 72.0-1
> Severity: important
> Tags: upstream
>
> Dear Maintainer,
>
> As I mention in the title, firefox was updated to 72.0.1 today, just 1 day
> after the release of 72.0, in order to close CVE-2019-17026.
> Here is the relevant post from Mozilla:
> https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
Marked as fixed in versions firefox/72.0.1-1; no longer marked as fixed in versions 72.0.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 Jan 2020 05:51:09 GMT)
Message sent on to jim_p <pitsiorisj@gmail.com>: Bug#948452. (Thu, 09 Jan 2020 05:51:12 GMT)
Message #19 received at 948452-submitter@bugs.debian.org:
close 948452 72.0.1-1
thanks
Last modified: Thu Jan 9 09:24:44 2020