Opened 5 years ago

Closed 4 years ago

#12615 closed enhancement (fixed)

Move firefox to the esr releases

Reported by: ken@…
Owned by: Bruce Dubbs
Priority: normal
Milestone: 9.1
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

Almost a week ago I suggested moving to the -esr version of firefox.

Details in http://lists.linuxfromscratch.org/pipermail/blfs-dev/2019-September/036880.html

This will pick up new security fixes in the 68 series, whilst ignoring churn (e.g. firefox-69.0.2, which appears at this point to only affect 69, and the move to a newer rust for firefox-70).

Whether or not we do this, the next expected releases (68.2.0, 70.0) will require either a new profile, OR invoking firefox for the first time after the change with 'MOZ_ALLOW_DOWNGRADE=1 firefox' (optionally add -P if you already have multiple profiles and don't want to create another).

So far, nobody has commented on the list so I intend to act on this when the next security release arrives. Unless in the meantime someone can point out what is likely to be lost by staying behind the curve in BLFS.

Change History (5)

comment:1 by ken@…, 4 years ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

The (sole) candidate for 68.2.0esr has been available for several days; expected release is on Tuesday in American time zones.

comment:2 by ken@…, 4 years ago

To confirm the security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/

At least one issue is critical: Mozilla developers and community members Bob Clary, Jason Kratzer, Aaron Klotz, Iain Ireland, Tyson Smith, Christian Holler, Steve Fink, Honza Bambas, Byron Campen, and Cristian Brindusan reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.

Therefore, people should either follow the book and upgrade to 68.2.0, or upgrade to 70.0 (some details of dependencies are in the wiki).

comment:3 by ken@…, 4 years ago

Owner: changed from ken@… to Bruce Dubbs
Status: assigned → new

I've updated the book in r22284.

Bruce, could you take a look at the relevant php script, please (wherever it is - I can't see anything for chapter40). I've labelled the package as 68.2.0 because that matches the tarball's directory name and the release notes, but the source is in 68.2.0esr/ and we'll want to pick up 68 versions for the next few months.

comment:4 by Bruce Dubbs, 4 years ago

I made the fix to the currency script but got it in too late for tonight's run. Let's just wait until tomorrow night to check it. I'll close it then if it checks out.

Note that the chapter numbers in the script are out of sync with the book. FF is in blfs-chapter43.php. There is also an obsolete reference to FF in blfs-chapter25.php that I'll remove in my next script update.

comment:5 by Bruce Dubbs, 4 years ago

Resolution: fixed
Status: new → closed

Currency is OK. Closing.
