- This topic has 22 replies, 7 voices, and was last updated Sep 26-5:48 pm by Robin.
September 21, 2022 at 4:02 pm #89458MemberModdIt
From Heise Security. Users are advised to update
A number of problems with Mozilla products were announced. Users are advised to
update to Firefox 105, Firefox ESR 102.3, Thunderbird 91.13.1 or latest
Thunderbird 102.2.1 which have fixes incorporated.
Users are advised to install updates as soon as available.
I was able to download from Mozilla and install FF105 yesterday.
Why anyone should want JavaScript active in thunderbird is beyond my understanding,
unless to use it nefariously.
It can be switched on in extended settings. Interesting together with the possibility
of remote settings changes by…
As yet I have no info on whether LibreWolf is affected. At this time I do not see an
update availability. In general the project follows firefox latest as quickly
as possible so I will check the project site frequently.
September 21, 2022 at 9:45 pm #89495MemberRobin::
“Houston, we have a problem.”
…on antiX 19:
$ apt-cache policy firefox-esr
firefox-esr:
  Installed: 78.15.0esr-1~deb10u1
  Candidate: 78.15.0esr-1~deb10u1
  Version table:
 *** 78.15.0esr-1~deb10u1 500
        500 http://ftp.de.debian.org/debian buster/main i386 Packages
        500 http://security.debian.org buster/updates/main i386 Packages
        100 /var/lib/dpkg/status
Windows is like a submarine. Open a window and serious problems will start.
September 21, 2022 at 10:22 pm #89497Memberstevesr0::
I am running Sid and apt show firefox-esr gives the version Moddit mentioned. I thought it would be the same ESR version for all types of Debian-based distros (unstable, testing, stable and maybe oldstable) unless there are some dependencies that block it.
I am assuming that you regularly “sudo apt update”.
I don’t have my antiX-21 stable machine on right now. I will report back unless other posters clear this up.
stevesr0
September 21, 2022 at 10:47 pm #89501MemberRobin::
I assure you, I’ve apt updated the very minute before…
Only on sid the recent update is available.
What puzzles me a bit is the fact, that on antiX 19 I still see the 78.x version from above only, nothing more recent at all, while on antiX 21 there seems to be at least a 91.x version present…
I’d be fine with 78.x if I could be sure the security patches have been applied to it.
Windows is like a submarine. Open a window and serious problems will start.
September 22, 2022 at 6:55 am #89507MemberModdIt::
Updated ESR was downloadable for sid this morning. It usually
takes a day or days for updates to move to stable.
For buster and bullseye 64 bit I see firefox-esr (91.13.0esr-1~deb10u1).
Newer versions are not available for 32 bit.
On the debian security pages I see only 64 bit ESR fox support.
Unsure if the older versions get patched.
nothing about firefox, not yet anyway.
Reading about the vulnerabilities, if java is off (thunderbird) or effectively
blocked by no script in fox and the user is careful it looks like there should
be minimal risks.
In thunderbird setting to show mails in simple html or
plain text is a complete protection.
September 22, 2022 at 7:18 am #89510Membersybok::
Hi Robin, why not download the latest binary from e.g. https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr .
See also the following post/topic https://www.antixforum.com/forums/topic/split-firefox-getting-newer-versions/#post-78908
September 22, 2022 at 11:25 am #89522MemberRobin::
Hi ModdIt and Sybok,
Many thanks for all the suggestions.
why not download the latest binary from
Many thanks for this hint. Actually there IS a most recent 32 bit firefox esr available: 32bit Firefox ESR 102.3.0
On the debian security pages I see only 64 bit ESR fox support.
Obviously this is debian business policy only.
Btw, there seems to be a package available for non-esr version on 32bit antiX 19 from the repos:
$ apt-cache policy firefox
firefox:
  Installed: (none)
  Candidate: 104.0.1~mozillabinaries-1mx19+1
  Version table:
     104.0.1~mozillabinaries-1mx19+1 500
        500 https://mirror.eu.oneandone.net/linux/distributions/mx/packages/antix/buster buster/main i386 Packages
But this isn’t the 105 from your security advisory by now also.
So I’ll give the manually downloaded 102.3.0esr package a try first.
Three questions left:
— After unboxing it comes as a bunch of files and folders. Am I expected now to guess for each of them in which place in system they belong and distribute them manually to all the system folders (which is done by the installer when using apt usually)?
— Will it conflict with the existing apt installation of firefox, e.g. overwrite some important settings files or system libraries or whatever, when starting a test run? Or do I need to uninstall/purge the old installation before starting this manually downloaded version? And can it live without systemd?
— And how to start it at all? Is it enough already to type /bin/bash /<path to>/firefox-102.3.0esr/firefox/firefox.bin on console?
Windows is like a submarine. Open a window and serious problems will start.
September 22, 2022 at 3:56 pm #89540MemberRobin::
Most recent firefox ESR 32bit running flawlessly on antiX 19
As you can see, this package actually works. The two foxes even run parallel the same time, without conflicting. Will have to find out where the new one puts all his settings the old one has stored in /home/<username>/.mozilla folder. But at first glance it looks good, no extensive system load from the new version, even with its default settings, as far I can see.
For starting it is enough to enter the full path to the »firefox« executable file found in the extracted package into console window.
Any Ideas where to copy this bunch of files and folders properly now? Obviously no need to distribute them throughout the system, a single location seems to be fine. But which is the proper place to store this complete program folder in antiX?
/opt /usr/bin /usr/local/bin /usr/share /usr/local/share /usr/lib /usr/local/lib
or even another place?
And in which places do I need to manually change the path to the firefox executable so it will come up instead of the outdated one installed from the repo by apt? Is there an “alternative” configured for this in antiX I could simply switch (or add the new executable to existing ones and switch then)?
Windows is like a submarine. Open a window and serious problems will start.
September 22, 2022 at 4:19 pm #89543Memberblur13
September 22, 2022 at 5:01 pm #89547MemberRobin::
Many thanks, blur13. In your link is described also the classic way setting up the alternatives. The keyword x-www-browser is what I was looking for.
antiX control center also allows to modify the alternatives. But in its respective window (meant to manage this task in GUI) I see two times an entry field expecting a path. What actually is meant here? Which of these paths has to point to what? No explanation, no information:
antiX 19 Control Center → Alternatives → Add Alternative
@anticapitalista: Please note, This UI needs to inform users about what the two path entries are meant for. One of them should probably point to the new executable, but which one? And what is the second one good for? If possible this piece of information should be added in a future version of antiX CC.
So I’ll use now the classic (and familiar) way via console command.
The other question is already solved: The new firefox uses also the /home/<username>/.mozilla/firefox folder but creates its private profile subfolder. You can decide which profile gets used by which installation simply by editing the two files installs.ini and profiles.ini (or by running the profile manager of firefox). But be careful, this can easily result in version mismatch, if an older version tries to start from a recent profile. The other way around the profile gets updated simply, and is not usable any longer by the old version thereafter. So keep a backup copy before messing around in this place.
Windows is like a submarine. Open a window and serious problems will start.
September 22, 2022 at 9:34 pm #89560Memberstevesr0::
I thought I was safe since I was using Sid, but I have been running the new version rather than the ESR, and as noted in this case, the ESR is patched but not the current newest Firefox in the Sid repos.
So I just installed the ESR version available in Sid and now I am “safe” again — until the next weakness is discovered at least.
Thanks for the heads up!
stevesr0
September 22, 2022 at 11:29 pm #89563ModeratorBrian Masinick::
Whenever I install Firefox directly from mozilla I extract to /opt. sudo tar xvjf firefox-xxxx.tar.bz2 -C /opt. Check the instructions here:
As a consistent, reasonably well-supported way to run Firefox, I accept the general mechanisms they suggest for running their software.
For me, however, I frequently run, and personally maintain, my own personal copies of Firefox. I download the archives from their Website and then unpack them directly from my home directory, that is, /home/masinick. Therefore, each download, once unpacked, would reside in
/home/masinick/firefox. In order to maintain three versions, I’d rename the release version as /home/masinick/firefox-release, the test version as
/home/masinick/firefox-beta, and the other one /home/masinick/firefox-nightly. I’ve since grabbed the developer’s edition, which is roughly equivalent to the Beta version, so instead I rename the directory as /home/masinick/firefox-developer.
To run them, I invoke /home/masinick/firefox-release/firefox to run the released version, /home/masinick/firefox-developer/firefox to run the developer’s edition, and /home/masinick/firefox-nightly/firefox to run the nightly version. By running all three, I can keep tabs on the work; if it goes “sideways” and has regressions that affect my preferred user experience, I can (and have a few times) report defects, what I was running, what pages I was accessing, and the undesired behavior found. By promptly reporting matters that concern me, I get a user experience that meets my own needs and therefore I’ve enjoyed a positive browsing environment for a very long time.
To each our own; some people detest Mozilla, Google, and others; they are free to make their own decisions and preferences. Mine are clear; I’ve run this stuff for a long time. While I do try out and use other browsers from time to time, I enjoy the ones that started out in the Netscape/Mozilla heritage; maybe it’s because I used them very early in their history and again as they were redesigned, so I grew both familiar and preferred the way they work.
Brian Masinick
September 23, 2022 at 9:39 am #89581Memberseriousness::
Finally, Firefox ESR 102.3 arrived in stable repo. No need to do anything but update.
September 23, 2022 at 1:09 pm #89584MemberRobin::
Finally, Firefox ESR 102.3 arrived in stable repo. No need to do anything but update.
Unfortunately antiX 19 is Oldstable, which means even then no recent updates are available in the debian repos:
$ apt-cache policy firefox-esr
firefox-esr:
  Installed: 78.15.0esr-1~deb10u1
  Candidate: 78.15.0esr-1~deb10u1
  Version table:
 *** 78.15.0esr-1~deb10u1 500
        500 http://ftp.de.debian.org/debian buster/main i386 Packages
        500 http://security.debian.org buster/updates/main i386 Packages
        100 /var/lib/dpkg/status
$ apt-cache policy firefox
firefox:
  Installed: (none)
  Candidate: 104.0.1~mozillabinaries-1mx19+1
  Version table:
     104.0.1~mozillabinaries-1mx19+1 500
        500 https://mirror.eu.oneandone.net/linux/distributions/mx/packages/antix/buster buster/main i386 Packages
And also packages.debian.org tells us that firefox-esr 91.13.0esr-1~deb11u1 is their most recent version for „bullseye”, and 78.15.0esr-1~deb10u1 the most recent version for „buster”, while even Oldoldstable „Stretch” comes with 91.11.0esr-1~deb9u1 also.
Does anybody know definitely the security patches from the new versions are applied by debian to these old versions they distribute, or does Debian provide completely insecure software packages here without any warning to the user following the default update path? I mean, antiX uses Debian LTS versions, and until now I have thought the security is kept this way when always making sure the system is up to date from the repos by apt-get update && apt-get upgrade. If not, we should tell users to abstain from installing firefox via repo at all, but only and always directly download from the mozilla packages. This would render proper desktop integration a bit difficult… Any comments?
Windows is like a submarine. Open a window and serious problems will start.
September 23, 2022 at 2:05 pm #89588Memberblur13::
My understanding is that LTS is security support, but limited in architectures and packages. Amd64 and i386 are supported. Almost all common packages are supported. Install package debian-security-support to get notified if you have unsupported packages installed. Last time I checked firefox was supported.
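Added example, not part of any post in this thread: a small POSIX shell check that reads `apt-cache policy` output and reports whether the installed or candidate package reaches the fixed release named in the advisory (ESR 102.3, Firefox 105). It compares upstream version numbers only, so it assumes fixes arrive as a new upstream release rather than as a backport under the old number; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): compare apt's installed/candidate
# version of a Firefox package with the fixed release from the advisory.

# Print the Installed or Candidate value from `apt-cache policy` text on stdin.
policy_field() { sed -n "s/^ *$1: *//p" | head -n 1; }

# Debian version -> upstream dotted number (78.15.0esr-1~deb10u1 -> 78.15.0).
upstream() { printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[^0-9.].*$//'; }

# version_lt A B: succeeds when dotted version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# assess PACKAGE FIXED_VERSION, policy text on stdin; prints one verdict line.
assess() {
    pkg=$1; fixed=$2; policy=$(cat)
    inst=$(printf '%s\n' "$policy" | policy_field Installed)
    cand=$(printf '%s\n' "$policy" | policy_field Candidate)
    iu=$(upstream "$inst"); cu=$(upstream "$cand")
    if [ -z "$iu" ]; then
        echo "$pkg: not installed (candidate $cand)"
    elif ! version_lt "$iu" "$fixed"; then
        echo "$pkg: OK, $inst is at or above $fixed"
    elif [ -n "$cu" ] && ! version_lt "$cu" "$fixed"; then
        echo "$pkg: UPGRADE available, $inst -> $cand"
    else
        echo "$pkg: STUCK at $inst, repository offers nothing >= $fixed"
    fi
}

# Sample input: the antiX 19 (buster, i386) values reported in this thread.
sample_esr() {
    cat <<'EOF'
firefox-esr:
  Installed: 78.15.0esr-1~deb10u1
  Candidate: 78.15.0esr-1~deb10u1
EOF
}

sample_esr | assess firefox-esr 102.3
# On a live system: apt-cache policy firefox-esr | assess firefox-esr 102.3
```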