Re: [Bug-gnuzilla] Unpatched security flaws in IceCat
From: mhw
Subject: Re: [Bug-gnuzilla] Unpatched security flaws in IceCat
Date: Thu, 13 Aug 2015 15:30:21 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Rubén Rodríguez <address@hidden> writes:
>> 1. GNU IceCat 38.2.
>
> I'm working on that, I have a mostly usable version already and it needs
> some final polishing. I wanted to delay the release until I could bring
> a series of new features in, but given how security patching is being
> handled upstream I'll just release with no newer features and add them
> in the future.

Yes, I think it's important to release ASAP.

> I'll make a test build and post it to the list so volunteers can help
> list the things to be polished.

Sounds good, thanks!

>> 2. Backports of these fixes to GNU IceCat 31.8.
>>
>> I've already backported the fix for CVE-2015-4495, which was included in
>> Firefox ESR 38.1.1, here:
>>
>>
>> http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/patches/icecat-CVE-2015-4495.patch
>
> Since I understand this is the most important security bug in the list,
> I'll make a 31.8.0-gnu2 release with this patch.

If you're going to do that, you might as well also include the other
fixes I was able to backport:

http://git.savannah.gnu.org/cgit/guix.git/commit/?id=c037a0f7ce79d8d67e08694ae20e407b1280d84e

Note that the above commit did not add the fix for CVE-2015-4495, since
I had already done that in an earlier commit. It also doesn't include
fixes for the bundled libvpx, since in GNU Guix we use a newer external
copy of libvpx instead.

Thank you!

Mark