help-gnuzilla

Re: bug#39766: Security-Problems, probably known


From: address@hidden
Subject: Re: bug#39766: Security-Problems, probably known
Date: Mon, 6 Apr 2020 11:37:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0

Two new zero-days have hit Firefox
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6819 &
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6820 see
https://mspoweruser.com/mozilla-update-firefox-zero-day-vulnerabilities/
for details. Are we still going to intentionally distribute a release
version knowing it is vulnerable to all these exploits without even
addressing it on the icecat webpage?

I quote from the article "Since these vulnerabilities are being
exploited in the wild, users are urged to download and install the patch
immediately to avoid being hacked"

Kind regards,
Corne

On 3/10/20 7:35 PM, Gary Driggs wrote:
> Not enough devs on the project. Also, the fork & build process has not been 
> documented well enough to make it easy enough for most folks to contribute.
> 
> q.v. https://savannah.gnu.org/projects/gnuzilla
> 
> 
>> On Mar 10, 2020, at 11:04 AM, Antonio Trande <> wrote:
>>
>> @Mark,
>>
>> do you know why the binary releases are not spread?
>>
>>> On 10/03/20 18:31, info wrote:
>>> Current binary release is 60.7.0 which is vulnerable and that is the
>>> problem, see: https://ftp.gnu.org/gnu/gnuzilla/?C=M;O=D
>>>
>>>> On 3/10/20 6:24 PM, Antonio Trande wrote:
>>>> These issues have been fixed with Firefox ESR 68.4.1; current IceCat
>>>> release on 68 branch is the 68.6.0. So, what's the problem?
>>>>
>>>> On 10/03/20 10:29, info wrote:
>>>>> Hello,
>>>>>
>>>>> It seems no one has replied to this. I think IceCat should no longer be
>>>>> recommended to users until this issue is resolved especially since
>>>>> IceCat is advertised as a browser with "Privacy protection features".
>>>>> Suffice to say such protection features are no good if the browser
>>>>> itself is vulnerable to the types of vulnerabilities as alluded to before.
>>>>>
>>>>> I understand that there aren't sufficient developers to maintain IceCat
>>>>> but that does not mean the GNU website should offer the browser without
>>>>> at least clearly addressing its potential vulnerabilities on the
>>>>> appropriate webpages.
>>>>>
>>>>> As of now, users might download, install and subsequently use IceCat
>>>>> with the understanding that they have downloaded a browser with enhanced
>>>>> privacy protection features while not being aware that it is potentially
>>>>> susceptible to recently discovered vulnerabilities.
>>>>>
>>>>> This is precisely the sort of situation that free software, and free and
>>>>> open information should prevent.
>>>>>
>>>>> I hope we can resolve this quickly.
>>>>>
>>>>> Kind regards,
>>>>> Corne
>>>>>
>>>>> On 2/24/20 7:05 PM, info wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I was also really wondering about this as the current version of IceCat
>>>>>> is a version of Firefox that was affected.
>>>>>>
>>>>>> On 24-02-2020 12:09, Arne Wichmann wrote:
>>>>>>> Good day to you!
>>>>>>>
>>>>>>> I see here some security problems referenced for Firefox, which are
>>>>>>> probably applicable to Icecat, too:
>>>>>>>
>>>>>>> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
>>>>>>>  FallibleStoreElement
>>>>>>> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
>>>>>>>
>>>>>>> More less critical ones are referenced, too.
>>>>>>>
>>>>>>> Are there plans to address these?
>>>>>>>
>>>>>>> cu
>>>>>>>
>>>>>>> AW
>>>>>>>
>>>>
>>>>
>>
>> -- 
>> ---
>> Antonio Trande
>> Fedora Project
>> mailto 'sagitter at example dot org'
>> GPG key: 0x7B30EE04E576AA84
>> GPG key server: https://keys.openpgp.org/
>>
> 


