Firefox and Debian Testing: Getting Security Updates?

a.list.address_at_gmail.com
Date: 08/17/05

    Date: Wed, 17 Aug 2005 01:01:20 -0500
    To: debian-users <debian-user@lists.debian.org>
    
    

    I'm a happy user of Testing, but I'm a bit concerned about getting
    updates to Firefox in a timely manner. The current version in Testing
    is 1.0.4-2, which has recently-announced vulnerabilities in it. The
    vulns (I don't like typing that word :) have been fixed in the version
    in Sarge, 1.0.4-2sarge1. They've been fixed in Unstable as well, in
    1.0.6-2.

    But when will this version come to Testing? A quick look at the
    changelog for the package shows that 1.0.5-1, which fixes some
    security issues, was uploaded to Unstable on July 16th with an urgency
    level of high, but four days later 1.0.6-1 was uploaded with an
    urgency of low. Ten days later, on July 30th, 1.0.6-2 was uploaded
    with an urgency of medium. But here it is over two weeks later, and
    Testing is still stuck on 1.0.4-2.

    I looked in the bug tracker, but I couldn't find any good bug to
    prevent these newer versions from moving to Testing.

    Now, I'm far from an expert, and I'm still fairly new to Debian (less
    than a year), but it seems like something needs to change. I don't
    want to run Unstable on my computer, but I don't want to be stuck with
    vulnerable browsers either.

    I could upgrade Firefox to the version that's in unstable, but there
    are two problems:

    1) This is a poor long-term solution, having to manually upgrade
       packages and their dependencies to fix security problems;

    2) I can't even do that in this case, because Firefox 1.0.6-2 depends
       on libxinerama1, which depends on libc6 >=2.3.5, but Testing is still
       on libc6 2.3.2.

    This is simply a mess. Actually, now that I think about it, I suppose
    the reason 1.0.6-2 hasn't moved into Testing is because of the
    dependency problem of libxinerama1 and libc6. But who knows when the
    new version of libc6 will get into Testing? It may be a very long
    time. In the meantime, are we Testing users supposed to keep using a
    vulnerable version of Firefox?

    I know Testing is not supported for security updates, but for
    high-profile packages like Firefox with high-profile vulns, don't we
    need a solution for this problem? And upgrading to Unstable is not a
    solution; there's a reason I and others use Testing instead of
    Unstable.

