From: Chris Marusich
Subject: Re: Guix IceCat users have had early access to security fixes
Date: Thu, 15 Dec 2016 02:35:46 -0800
To: Mark H Weaver
Cc: guix-devel@gnu.org

Mark H Weaver writes:

> Yesterday, Mozilla released Firefox ESR 45.6 and announced several CVEs
> fixed by it:
>
>   https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/
>
> I'm pleased to announce that Guix users of IceCat have had early access
> to all of these fixes.
>
> Since November 30 (commit 9689e71d2f2b5e766415a40d5f5ab267768d217d),
> we've had fixes for CVE-2016-9897, CVE-2016-9898, CVE-2016-9899,
> CVE-2016-9900, CVE-2016-9904, and 4 out of 11 patches for CVE-2016-9893.
>
> Since December 3 (commit 5bdec7d634ce0058801cd212e9e4ea56e914ca0c),
> we've had the fixes that were later announced as CVE-2016-9901,
> CVE-2016-9902, CVE-2016-9905, and another patch for CVE-2016-9893.
>
> On December 10 (commit 56c394ee4397015d6144dab002ee43fc7e32a331), I
> cherry-picked the remaining fixes from the not-yet-released Firefox
> ESR 45.6: CVE-2016-9895, and the final six patches for CVE-2016-9893.
>
>       Mark

That's really awesome!  Thank you for keeping track of this.

By the way, I'm curious: I see that those changes (e.g.,
9689e71d2f2b5e766415a40d5f5ab267768d217d) added patches.  Do those
patches result in grafts, or is grafting a totally unrelated thing?

-- 
Chris