firefox: CVE-2024-29943 / CVE-2024-29944 critical bugs, fixed in FF 124.0.1

Related Vulnerabilities: CVE-2024-29943, CVE-2024-29944

Debian Bug report logs - #1067523

Reported by: Vincent Lefevre <vincent@vinc17.net>

Date: Fri, 22 Mar 2024 22:57:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version firefox/124.0-1

Fixed in version 124.0.1-1

Done: Mike Hommey <mh@glandium.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>:
Bug#1067523; Package firefox. (Fri, 22 Mar 2024 22:57:03 GMT).


Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>. (Fri, 22 Mar 2024 22:57:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: firefox: CVE-2024-29943 / CVE-2024-29944 critical bugs, fixed in FF 124.0.1
Date: Fri, 22 Mar 2024 23:53:06 +0100
Package: firefox
Version: 124.0-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Firefox 124.0.1 is available upstream, which fixes 2 critical bugs:
  https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/

-- Package-specific info:


-- Addons package information

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox depends on:
ii  debianutils          5.17
ii  fontconfig           2.15.0-1.1
ii  libasound2t64        1.2.11-1+b1
ii  libatk1.0-0t64       2.51.90-4
ii  libc6                2.37-15.1
ii  libcairo-gobject2    1.18.0-1+local1
ii  libcairo2            1.18.0-1+local1
ii  libdbus-1-3          1.14.10-4+b1
ii  libevent-2.1-7t64    2.1.12-stable-8.1+b1
ii  libffi8              3.4.6-1
ii  libfontconfig1       2.15.0-1.1
ii  libfreetype6         2.13.2+dfsg-1+b2
ii  libgcc-s1            14-20240315-1
ii  libgdk-pixbuf-2.0-0  2.42.10+dfsg-3+b2
ii  libglib2.0-0t64      2.78.4-5
ii  libgtk-3-0t64        3.24.41-3
ii  libnspr4             2:4.35-1.1+b1
ii  libnss3              2:3.99-1
ii  libpango-1.0-0       1.51.0+ds-4
ii  libstdc++6           14-20240315-1
ii  libvpx8              1.13.1-2
ii  libx11-6             2:1.8.7-1
ii  libx11-xcb1          2:1.8.7-1
ii  libxcb-shm0          1.15-1
ii  libxcb1              1.15-1
ii  libxcomposite1       1:0.4.5-1
ii  libxdamage1          1:1.1.6-1
ii  libxext6             2:1.3.4-1+b1
ii  libxfixes3           1:6.0.0-2
ii  libxrandr2           2:1.5.4-1
ii  procps               2:4.0.4-4
ii  zlib1g               1:1.3.dfsg-3.1

Versions of packages firefox recommends:
ii  libavcodec60  7:6.1.1-3

Versions of packages firefox suggests:
ii  fonts-lmodern                   2.005-1
ii  fonts-stix [otf-stix]           1.1.1-5
ii  libcanberra0t64 [libcanberra0]  0.30-12.2
ii  libgssapi-krb5-2                1.20.1-6
ii  pulseaudio                      16.1+dfsg1-3+b1

-- no debconf information

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Reply sent to Mike Hommey <mh@glandium.org>:
You have taken responsibility. (Sat, 23 Mar 2024 01:00:31 GMT).


Notification sent to Vincent Lefevre <vincent@vinc17.net>:
Bug acknowledged by developer. (Sat, 23 Mar 2024 01:00:31 GMT).


Message #10 received at 1067523-done@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: 1067523-done@bugs.debian.org
Subject: Re: Bug#1067523: firefox: CVE-2024-29943 / CVE-2024-29944 critical bugs, fixed in FF 124.0.1
Date: Sat, 23 Mar 2024 09:56:22 +0900
Version: 124.0.1-1

$ grep firefox_124.0.1-1 /srv/ftp-master.debian.org/log/2024-03
20240322231510|process-upload|dak|Processing changes file|firefox_124.0.1-1_source.changes

On Fri, Mar 22, 2024 at 11:53:06PM +0100, Vincent Lefevre wrote:
> Package: firefox
> Version: 124.0-1
> Severity: grave
> Tags: security upstream fixed-upstream
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> 
> Firefox 124.0.1 is available upstream, which fixes 2 critical bugs:
>   https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/
> 
> -- Package-specific info:
> 
> 
> -- Addons package information
> 
> -- System Information:
> Debian Release: trixie/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 6.6.15-amd64 (SMP w/12 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages firefox depends on:
> ii  debianutils          5.17
> ii  fontconfig           2.15.0-1.1
> ii  libasound2t64        1.2.11-1+b1
> ii  libatk1.0-0t64       2.51.90-4
> ii  libc6                2.37-15.1
> ii  libcairo-gobject2    1.18.0-1+local1
> ii  libcairo2            1.18.0-1+local1
> ii  libdbus-1-3          1.14.10-4+b1
> ii  libevent-2.1-7t64    2.1.12-stable-8.1+b1
> ii  libffi8              3.4.6-1
> ii  libfontconfig1       2.15.0-1.1
> ii  libfreetype6         2.13.2+dfsg-1+b2
> ii  libgcc-s1            14-20240315-1
> ii  libgdk-pixbuf-2.0-0  2.42.10+dfsg-3+b2
> ii  libglib2.0-0t64      2.78.4-5
> ii  libgtk-3-0t64        3.24.41-3
> ii  libnspr4             2:4.35-1.1+b1
> ii  libnss3              2:3.99-1
> ii  libpango-1.0-0       1.51.0+ds-4
> ii  libstdc++6           14-20240315-1
> ii  libvpx8              1.13.1-2
> ii  libx11-6             2:1.8.7-1
> ii  libx11-xcb1          2:1.8.7-1
> ii  libxcb-shm0          1.15-1
> ii  libxcb1              1.15-1
> ii  libxcomposite1       1:0.4.5-1
> ii  libxdamage1          1:1.1.6-1
> ii  libxext6             2:1.3.4-1+b1
> ii  libxfixes3           1:6.0.0-2
> ii  libxrandr2           2:1.5.4-1
> ii  procps               2:4.0.4-4
> ii  zlib1g               1:1.3.dfsg-3.1
> 
> Versions of packages firefox recommends:
> ii  libavcodec60  7:6.1.1-3
> 
> Versions of packages firefox suggests:
> ii  fonts-lmodern                   2.005-1
> ii  fonts-stix [otf-stix]           1.1.1-5
> ii  libcanberra0t64 [libcanberra0]  0.30-12.2
> ii  libgssapi-krb5-2                1.20.1-6
> ii  pulseaudio                      16.1+dfsg1-3+b1
> 
> -- no debconf information
> 
> -- 
> Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
> 





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 23 11:51:58 2024; Machine Name: bembo
