firefox: Please update to 72.0.1 (and firefox-esr to 68.4.1) because of CVE-2019-17026

Related Vulnerabilities: CVE-2019-17026

Debian Bug report logs - #948452

Reported by: jim_p <pitsiorisj@gmail.com>

Date: Wed, 8 Jan 2020 19:51:01 UTC

Severity: grave

Tags: security, upstream

Found in version firefox/72.0-1

Fixed in version firefox/72.0.1-1

Done: Mike Hommey <mh@glandium.org>



Report forwarded to debian-bugs-dist@lists.debian.org, pitsiorisj@gmail.com, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>:
Bug#948452; Package firefox. (Wed, 08 Jan 2020 19:51:03 GMT).


Acknowledgement sent to jim_p <pitsiorisj@gmail.com>:
New Bug report received and forwarded. Copy sent to pitsiorisj@gmail.com, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>. (Wed, 08 Jan 2020 19:51:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: jim_p <pitsiorisj@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: firefox: Please update to 72.0.1 (and firefox-esr to 68.4.1) because of CVE-2019-17026
Date: Wed, 08 Jan 2020 21:49:07 +0200
Package: firefox
Version: 72.0-1
Severity: important
Tags: upstream

Dear Maintainer,

As I mention in the title, firefox was updated to 72.0.1 today, just 1 day
after the release of 72.0, in order to close cve-2019-17026.
Here is the relevant post from mozilla
https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/



-- Package-specific info:

-- Extensions information
Name: Amazon.com
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: Bing
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: Dark theme
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: user-disabled

Name: Default theme
Location: /usr/lib/firefox/omni.ja
Package: firefox
Status: enabled

Name: DoH Roll-Out
Location: /usr/lib/firefox/browser/features/doh-rollout@mozilla.org.xpi
Package: firefox
Status: enabled

Name: DuckDuckGo
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: Firefox Screenshots
Location: /usr/lib/firefox/browser/features/screenshots@mozilla.org.xpi
Package: firefox
Status: enabled

Name: Form Autofill
Location: /usr/lib/firefox/browser/features/formautofill@mozilla.org.xpi
Package: firefox
Status: enabled

Name: Google
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: Light theme
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: user-disabled

Name: PlayThis
Location: ${PROFILE_EXTENSIONS}/playthis@anxdpanic.xpi
Status: enabled

Name: Twitter
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

Name: uBlock Origin
Location: ${PROFILE_EXTENSIONS}/uBlock0@raymondhill.net.xpi
Status: enabled

Name: Video DownloadHelper
Location: ${PROFILE_EXTENSIONS}/{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
Status: enabled

Name: Web Compat
Location: /usr/lib/firefox/browser/features/webcompat@mozilla.org.xpi
Package: firefox
Status: enabled

Name: WebCompat Reporter
Location: /usr/lib/firefox/browser/features/webcompat-reporter@mozilla.org.xpi
Package: firefox
Status: user-disabled

Name: Wikipedia (en)
Location: /usr/lib/firefox/browser/omni.ja
Package: firefox
Status: enabled

-- Plugins information
Name: Shockwave Flash (32.0.0.293)
Location: /usr/lib/flashplayer-mozilla/libflashplayer.so
Package: flashplayer-mozilla
Status: disabled


-- Addons package information
ii  firefox             72.0-1            amd64        Mozilla Firefox web browser
ii  flashplayer-mozilla 3:32.0.0.293-dmo1 amd64        Adobe Flash Player

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox depends on:
ii  debianutils               4.9.1
ii  fontconfig                2.13.1-2+b1
ii  libatk1.0-0               2.34.1-1
ii  libc6                     2.29-7
ii  libcairo-gobject2         1.16.0-4
ii  libcairo2                 1.16.0-4
ii  libdbus-1-3               1.12.16-2
ii  libdbus-glib-1-2          0.110-5
ii  libevent-2.1-7            2.1.11-stable-1
ii  libffi6                   3.2.1-9
ii  libfontconfig1            2.13.1-2+b1
ii  libfreetype6              2.10.1-2
ii  libgcc1                   1:9.2.1-22
ii  libgdk-pixbuf2.0-0        2.40.0+dfsg-2
ii  libglib2.0-0              2.62.4-1
ii  libgtk-3-0                3.24.13-1
ii  libnspr4                  2:4.24-1
ii  libnss3                   2:3.48-1
ii  libpango-1.0-0            1.42.4-7
ii  libsqlite3-0              3.30.1+fossil191229-1
ii  libstartup-notification0  0.12-6
ii  libstdc++6                9.2.1-22
ii  libx11-6                  2:1.6.8-1
ii  libx11-xcb1               2:1.6.8-1
ii  libxcb-shm0               1.13.1-2
ii  libxcb1                   1.13.1-2
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.5-1
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1+b3
ii  procps                    2:3.3.15-2+b1
ii  zlib1g                    1:1.2.11.dfsg-1+b1

Versions of packages firefox recommends:
ii  libavcodec58  10:4.2.2-dmo1

Versions of packages firefox suggests:
pn  fonts-lmodern          <none>
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-7
ii  libgssapi-krb5-2       1.17-6
ii  libgtk2.0-0            2.24.32-4
pn  pulseaudio             <none>

-- no debconf information



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 Jan 2020 20:15:08 GMT).


Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 Jan 2020 20:15:09 GMT).


Reply sent to Mike Hommey <mh@glandium.org>:
You have taken responsibility. (Thu, 09 Jan 2020 01:06:03 GMT).


Notification sent to jim_p <pitsiorisj@gmail.com>:
Bug acknowledged by developer. (Thu, 09 Jan 2020 01:06:04 GMT).


Message #14 received at 948452-done@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: 948452-done@bugs.debian.org
Subject: Re: Bug#948452: firefox: Please update to 72.0.1 (and firefox-esr to 68.4.1) because of CVE-2019-17026
Date: Thu, 9 Jan 2020 09:26:57 +0900
Version: 72.0.1-1

On Wed, Jan 08, 2020 at 09:49:07PM +0200, jim_p wrote:
> Package: firefox
> Version: 72.0-1
> Severity: important
> Tags: upstream
> 
> Dear Maintainer,
> 
> As I mention in the title, firefox was updated to 72.0.1 today, just 1 day
> after the release of 72.0, in order to close cve-2019-17026.
> Here is the relevant post from mozilla
> https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
> 



Marked as fixed in versions firefox/72.0.1-1; no longer marked as fixed in versions 72.0.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 Jan 2020 05:51:09 GMT).


Message sent on to jim_p <pitsiorisj@gmail.com>:
Bug#948452. (Thu, 09 Jan 2020 05:51:12 GMT).


Message #19 received at 948452-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 948452-submitter@bugs.debian.org
Subject: closing 948452
Date: Thu, 09 Jan 2020 06:50:52 +0100
close 948452 72.0.1-1
thanks






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 9 09:24:44 2020; Machine Name: buxtehude
