Security advisory, update Firefox and Thunderbird


  • This topic has 22 replies, 7 voices, and was last updated Sep 26-5:48 pm by Robin.
Viewing 15 posts - 1 through 15 (of 23 total)
  • #89458
    Member
    ModdIt

    From Heise Security. Users are advised to update.
    A number of problems with Mozilla products were announced. Users are advised to
    update to Firefox 105, Firefox ESR 102.3, Thunderbird 91.13.1 or the latest
    Thunderbird 102.2.1, which have the fixes incorporated.
    Users are advised to install the updates as soon as they are available.

    I was able to download from Mozilla and install FF105 yesterday.

    Why anyone should want JavaScript active in Thunderbird is beyond my understanding,
    unless to use it nefariously.

    It can be switched on in extended settings. Interesting together with the possibility
    of remote settings changes by…

    As yet I have no info on whether LibreWolf is affected. At this time I do not see an
    update availability. In general the project follows firefox latest as quickly
    as possible so I will check the project site frequently.

    • This topic was modified 1 week, 2 days ago by ModdIt.
    #89495
    Member
    Robin

    “Houston, we have a problem.”

    …on antiX 19:

    $ apt-cache policy firefox-esr
    firefox-esr:
      Installed: 78.15.0esr-1~deb10u1
      Candidate: 78.15.0esr-1~deb10u1
      Version table:
     *** 78.15.0esr-1~deb10u1 500
            500 http://ftp.de.debian.org/debian buster/main i386 Packages
            500 http://security.debian.org buster/updates/main i386 Packages
            100 /var/lib/dpkg/status

    Well then?

    Windows is like a submarine. Open a window and serious problems will start.

    #89497
    Member
    stevesr0

    Hi Robin,

    I am running Sid and apt show firefox-esr gives the version Moddit mentioned. I thought it would be the same ESR version for all types of Debian-based distros (unstable, testing, stable and maybe oldstable) unless there are some dependencies that block it.

    I am assuming that you regularly “sudo apt update”.

    I don’t have my antiX-21 stable machine on right now. I will report back unless other posters clear this up.

    stevesr0

    #89501
    Member
    Robin

    Hi stevesr0,
    I assure you, I’ve apt updated the very minute before…

    But please compare:
    https://packages.debian.org/sid/firefox-esr
    https://packages.debian.org/bullseye/firefox-esr
    https://packages.debian.org/buster/firefox-esr

    Only on sid the recent update is available.
    What puzzles me a bit is the fact that on antiX 19 I still see only the 78.x version from above, nothing more recent at all, while on antiX 21 there seems to be at least a 91.x version present…

    I’d be fine with 78.x if I could be sure the security patches have been applied to it.


    #89507
    Member
    ModdIt

    Hi Robin,
    Updated ESR was downloadable for sid this morning. It usually
    takes a day or days for updates to move to stable.

    For buster and bullseye 64 bit I see firefox-esr 91.13.0esr-1~deb10u1.
    Newer versions are not available for 32 bit.

    On the debian security pages I see only 64 bit ESR fox support.
    Unsure if the older versions get patched.

    https://lists.debian.org/debian-lts-changes/2022/09/threads.html
    nothing about firefox, not yet anyway.

    Reading about the vulnerabilities, if JavaScript is off (Thunderbird) or effectively
    blocked by NoScript in Fox and the user is careful, it looks like there should
    be minimal risks.

    In thunderbird setting to show mails in simple html or
    plain text is a complete protection.

    • This reply was modified 1 week, 2 days ago by ModdIt.
    #89510
    Member
    sybok

    Hi Robin, why not download the latest binary from e.g. https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr .
    See also the following post/topic https://www.antixforum.com/forums/topic/split-firefox-getting-newer-versions/#post-78908

    #89522
    Member
    Robin

    Hi ModdIt and Sybok,
    Many thanks for all the suggestions.

    why not download the latest binary from

    Many thanks for this hint. Actually there IS a most recent 32 bit firefox esr available: 32bit Firefox ESR 102.3.0

    On the debian security pages I see only 64 bit ESR fox support.

    Obviously this is Debian business policy only.

    Btw, there seems to be a package available for non-esr version on 32bit antiX 19 from the repos:

    $ apt-cache policy firefox
    firefox:
      Installed: (none)
      Candidate: 104.0.1~mozillabinaries-1mx19+1
      Version table:
         104.0.1~mozillabinaries-1mx19+1 500
            500 https://mirror.eu.oneandone.net/linux/distributions/mx/packages/antix/buster buster/main i386 Packages

    But this isn’t the 105 from your security advisory either.

    So I’ll give the manually downloaded 102.3.0esr package a try first.

    Three questions left:
    — After unboxing it comes as a bunch of files and folders. Am I expected now to guess for each of them in which place in system they belong and distribute them manually to all the system folders (which is done by the installer when using apt usually)?
    — Will it conflict with the existing apt installation of firefox, e.g. overwrite some important settings files or system libraries or whatever, when starting a test run? Or do I need to uninstall/purge the old installation before starting this manually downloaded version? And can it live without systemd?
    — And how to start it at all? Is it enough already to type /bin/bash /<path to>/firefox-102.3.0esr/firefox/firefox.bin on console?


    #89540
    Member
    Robin

    Update:

    Most recent Firefox ESR 32bit running flawlessly on antiX 19

    As you can see, this package actually works. The two foxes even run in parallel at the same time, without conflicting. Will have to find out where the new one puts all the settings the old one has stored in the /home/<username>/.mozilla folder. But at first glance it looks good, no extensive system load from the new version, even with its default settings, as far as I can see.

    For starting it is enough to enter the full path to the »firefox« executable file found in the extracted package into console window.

    Any Ideas where to copy this bunch of files and folders properly now? Obviously no need to distribute them throughout the system, a single location seems to be fine. But which is the proper place to store this complete program folder in antiX?

    /opt
    /usr/bin
    /usr/local/bin
    /usr/share
    /usr/local/share
    /usr/lib
    /usr/local/lib

    or even another place?

    And in which places do I need to manually change the path to the firefox executable so it will come up instead of the outdated one installed from the repo by apt? Is there an “alternative” configured for this in antiX I could simply switch (or add the new executable to existing ones and switch then)?


    #89543
    Member
    blur13

    Whenever I install Firefox directly from mozilla I extract to /opt. sudo tar xvjf firefox-xxxx.tar.bz2 -C /opt. Check the instructions here:

    https://wiki.debian.org/Firefox

    #89547
    Member
    Robin

    Many thanks, blur13. Your link also describes the classic way of setting up the alternatives. The keyword x-www-browser is what I was looking for.
    antiX control center also allows you to modify the alternatives. But in its respective window (meant to manage this task in the GUI) I see two entry fields expecting a path. What actually is meant here? Which of these paths has to point to what? No explanation, no information:
    antiX 19 Control Center → Alternatives → Add Alternative

    @anticapitalista: Please note, This UI needs to inform users about what the two path entries are meant for. One of them should probably point to the new executable, but which one? And what is the second one good for? If possible this piece of information should be added in a future version of antiX CC.

    So I’ll use now the classic (and familiar) way via console command.

    The other question is already solved: The new Firefox also uses the /home/<username>/.mozilla/firefox folder but creates its own private profile subfolder. You can decide which profile gets used by which installation simply by editing the two files installs.ini and profiles.ini (or by running the profile manager of Firefox). But be careful, this can easily result in a version mismatch if an older version tries to start from a recent profile. The other way around the profile simply gets updated, and is not usable any longer by the old version thereafter. So keep a backup copy before messing around in this place.

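The install route blur13 and Robin describe above (unpack the Mozilla tarball under /opt, then register it as the x-www-browser alternative) as an added shell example; this is not code from the thread or from the Debian wiki. It adds the check a practitioner wants before trusting a hand-downloaded browser: the archive's SHA-256 is compared against the SHA256SUMS file Mozilla publishes next to each release. Assumptions not stated on the page: SHA256SUMS is in the two-column `sha256sum` format with a relative path in its second column, and the alternative priority 200 is an arbitrary value picked to outrank the entry the packaged firefox-esr registers.

```shell
#!/bin/sh
# Added example (not from the forum thread): install a Firefox tarball from
# Mozilla under /opt only after its checksum verifies, then register it as
# the x-www-browser alternative so desktop launchers pick it up.

# verify_sha256 FILE SUMSFILE
# Succeeds when FILE's SHA-256 equals the SUMSFILE entry whose basename
# matches FILE's basename. Directories and a leading '*' in the second
# column are ignored (assumption: Mozilla's SHA256SUMS uses `sha256sum`
# format, e.g. "<hash>  linux-i686/en-US/firefox-102.3.0esr.tar.bz2").
verify_sha256() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ p = $2; sub(/^\*/, "", p); sub(/^.*\//, "", p);
                                  if (p == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# extract_firefox TARBALL DESTDIR
# Unpacks the archive (tar -xf autodetects bz2/xz/gz) into a scratch
# directory first, checks that it really contains the firefox/firefox
# launcher, and only then swaps it into DESTDIR/firefox, keeping the
# previous copy as DESTDIR/firefox.old for rollback.
extract_firefox() {
    tarball=$1
    dest=$2
    tmp=$(mktemp -d "$dest/.firefox-unpack.XXXXXX") || return 1
    if ! tar -xf "$tarball" -C "$tmp" || [ ! -x "$tmp/firefox/firefox" ]; then
        echo "$tarball does not unpack to a firefox/firefox launcher" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$dest/firefox.old"
    if [ -d "$dest/firefox" ]; then
        mv "$dest/firefox" "$dest/firefox.old"
    fi
    mv "$tmp/firefox" "$dest/firefox"
    rmdir "$tmp"
}

# register_browser DESTDIR   (run as root)
# Adds DESTDIR/firefox/firefox as an x-www-browser alternative and selects
# it. The apt-installed firefox-esr keeps its own command; only the generic
# x-www-browser link (used by desktop launchers) now points at the new build.
# Priority 200 is an assumption chosen to outrank the packaged entry.
register_browser() {
    update-alternatives --install /usr/bin/x-www-browser x-www-browser "$1/firefox/firefox" 200 &&
    update-alternatives --set x-www-browser "$1/firefox/firefox"
}

# Typical run as root, with the tarball and SHA256SUMS already fetched over
# HTTPS from ftp.mozilla.org into the current directory:
#   verify_sha256 firefox-102.3.0esr.tar.bz2 SHA256SUMS &&
#   extract_firefox firefox-102.3.0esr.tar.bz2 /opt &&
#   register_browser /opt
```

Running the install as root leaves /opt/firefox owned by root, so the browser's built-in updater cannot rewrite its own binaries from an ordinary user session; updates then go through the same verify-and-swap step, and firefox.old gives you a way back if a new ESR misbehaves with your profile.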

    #89560
    Member
    stevesr0

    Hi All,

    I thought I was safe since I was using Sid, but I have been running the new version rather than the ESR, and as noted in this case, the ESR is patched but not the current newest Firefox in the Sid repos.

    So I just installed the ESR version available in Sid and now I am “safe” again — until the next weakness is discovered at least.

    Thanks for the heads up!

    stevesr0

    #89563
    Moderator
    Brian Masinick

    Whenever I install Firefox directly from mozilla I extract to /opt. sudo tar xvjf firefox-xxxx.tar.bz2 -C /opt. Check the instructions here:

    https://wiki.debian.org/Firefox

    As a consistent, reasonably well-supported way to run Firefox, I accept the general mechanisms they suggest for running their software.

    For me, however, I frequently run, and personally maintain, my own personal copies of Firefox. I download the archives from their Website and then unpack them directly from my home directory, that is, /home/masinick. Therefore, each download, once unpacked, would reside in
    /home/masinick/firefox. In order to maintain three versions, I’d rename the release version as /home/masinick/firefox-release, the test version as
    /home/masinick/firefox-beta, and the other one /home/masinick/firefox-nightly. I’ve since grabbed the developer’s edition, which is roughly equivalent to the Beta version, so instead I rename the directory as /home/masinick/firefox-developer.

    To run them, I invoke /home/masinick/firefox-release/firefox to run the released version, /home/masinick/firefox-developer/firefox to run the developer’s edition, and /home/masinick/firefox-nightly/firefox to run the nightly version. By running all three, I can keep tabs on the work; if it goes “sideways” and has regressions that affect my preferred user experience, I can (and have a few times) report defects, what I was running, what pages I was accessing, and the undesired behavior found. By promptly reporting matters that concern me, I get a user experience that meets my own needs and therefore I’ve enjoyed a positive browsing environment for a very long time.

    To each our own; some people detest Mozilla, Google, and others; they are free to make their own decisions and preferences. Mine are clear; I’ve run this stuff for a long time. While I do try out and use other browsers from time to time, I enjoy the ones that started out in the Netscape/Mozilla heritage; maybe it’s because I used them very early in their history and again as they were redesigned, so I grew familiar with and came to prefer the way they work.

    Brian Masinick

    #89581
    Member
    seriousness

    Finally, Firefox ESR 102.3 arrived in stable repo. No need to do anything but update.

    #89584
    Member
    Robin

    Finally, Firefox ESR 102.3 arrived in stable repo. No need to do anything but update.

    Unfortunately antiX 19 is Oldstable, which means that even then no recent updates are available in the Debian repos:

    $ apt-cache policy firefox-esr
    firefox-esr:
      Installed: 78.15.0esr-1~deb10u1
      Candidate: 78.15.0esr-1~deb10u1
      Version table:
     *** 78.15.0esr-1~deb10u1 500
            500 http://ftp.de.debian.org/debian buster/main i386 Packages
            500 http://security.debian.org buster/updates/main i386 Packages
            100 /var/lib/dpkg/status
    
    $ apt-cache policy firefox    
    firefox:
      Installed: (none)
      Candidate: 104.0.1~mozillabinaries-1mx19+1
      Version table:
         104.0.1~mozillabinaries-1mx19+1 500
            500 https://mirror.eu.oneandone.net/linux/distributions/mx/packages/antix/buster buster/main i386 Packages

    And packages.debian.org also tells us that firefox-esr 91.13.0esr-1~deb11u1 is their most recent version for "bullseye", and 78.15.0esr-1~deb10u1 the most recent version for "buster", while even Oldoldstable "stretch" comes with 91.11.0esr-1~deb9u1.

    Does anybody know for certain whether the security patches from the new versions are applied by Debian to these old versions they distribute, or does Debian provide completely insecure software packages here without any warning to the user following the default update path? I mean, antiX uses Debian LTS versions, and until now I have thought security is kept this way when always making sure the system is up to date from the repos by apt-get update && apt-get upgrade. If not, we should tell users to abstain from installing Firefox via the repo at all, and only and always download directly from the Mozilla packages. This would render proper desktop integration a bit difficult… Any comments?

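The manual comparison Robin does above (read `apt-cache policy`, compare the Installed version with the version the advisory names as fixed) as an added shell example; this is not code from the thread. The policy text embedded below is constructed to match the antiX 19 output shown in the post; on a live system you would feed it `$(apt-cache policy firefox-esr)` instead. It uses `dpkg --compare-versions` when present, because Debian version ordering (epochs, `~` sorting before the empty string) is not what `sort -V` implements, and falls back to `sort -V` otherwise. Caveat a practitioner should keep in mind, and the one the post is really asking about: a version number lower than the advisory's only proves the package is older, not that it is unpatched, since a distribution may backport a fix under the old version number; the package changelog or the DSA/DLA for that package is the place to settle that.

```shell
#!/bin/sh
# Added example (not from the forum thread): decide from `apt-cache policy`
# output whether the installed firefox-esr is older than the version an
# advisory names as fixed.

# Constructed sample, matching the antiX 19 output quoted in the post.
SAMPLE_POLICY='firefox-esr:
  Installed: 78.15.0esr-1~deb10u1
  Candidate: 78.15.0esr-1~deb10u1
  Version table:
 *** 78.15.0esr-1~deb10u1 500
        500 http://ftp.de.debian.org/debian buster/main i386 Packages
        500 http://security.debian.org buster/updates/main i386 Packages
        100 /var/lib/dpkg/status'

# policy_field FIELD  (reads policy text on stdin)
# Prints the value of the "Installed:" or "Candidate:" line.
policy_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# version_lt A B
# Succeeds if Debian version A sorts before B. dpkg implements the real
# rules; sort -V is only a fallback for hosts without dpkg and does not
# understand epochs or the special ordering of '~'.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# upstream_version DEBVER
# Strips the Debian revision: 78.15.0esr-1~deb10u1 -> 78.15.0esr
upstream_version() {
    printf '%s\n' "${1%-*}"
}

# needs_update POLICY_TEXT FIXED_UPSTREAM
# 0 if the installed upstream version is below FIXED_UPSTREAM, 1 if it is
# equal or newer, 2 if the package is not installed. A 0 here means "older
# than the advisory's fix", not "definitely unpatched": Debian may backport
# the fix under the old version number, so check the changelog or DSA/DLA.
needs_update() {
    installed=$(printf '%s\n' "$1" | policy_field Installed)
    if [ -z "$installed" ] || [ "$installed" = "(none)" ]; then
        echo "package not installed" >&2
        return 2
    fi
    version_lt "$(upstream_version "$installed")" "$2"
}

# Live usage: needs_update "$(apt-cache policy firefox-esr)" 102.3.0esr
if needs_update "$SAMPLE_POLICY" 102.3.0esr; then
    echo "installed firefox-esr is below the fixed version 102.3.0esr"
fi
```

For the "is this package still security-supported at all" half of the question, blur13's pointer to the debian-security-support package is the right tool: its check-support-status command reports installed packages that have been dropped from or limited in LTS support, which is a different signal from the version comparison above.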

    #89588
    Member
    blur13

    My understanding is that LTS is security support, but limited in architectures and packages. amd64 and i386 are supported. Almost all common packages are supported. Install the package debian-security-support to get notified if you have unsupported packages installed. Last time I checked, firefox was supported.
