unofficial mirror of guix-devel@gnu.org 
From: Mark H Weaver <mhw@netris.org>
To: julien lepiller <julien@lepiller.eu>
Cc: guix-devel@gnu.org
Subject: Re: Guix IceCat users have had early access to security fixes
Date: Sun, 15 Jan 2017 19:08:11 -0500
Message-ID: <87tw8zj28k.fsf@netris.org>
In-Reply-To: <f43050fa7235dc0ad2882f0a6ef3220a@lepiller.eu> (julien lepiller's message of "Thu, 15 Dec 2016 13:56:52 +0100")

Hi,

julien lepiller <julien@lepiller.eu> writes:

> On 2016-12-15 02:00, Mark H Weaver wrote:
>> Yesterday, Mozilla released Firefox ESR 45.6 and announced several CVEs
>> fixed by it:
>>
>>   https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/
>>
>> I'm pleased to announce that Guix users of IceCat have had early access
>> to all of these fixes.
>>
>> Since November 30 (commit 9689e71d2f2b5e766415a40d5f5ab267768d217d),
>> we've had fixes for CVE-2016-9897, CVE-2016-9898, CVE-2016-9899,
>> CVE-2016-9900, CVE-2016-9904, and 4 out of 11 patches for
>> CVE-2016-9893.
>>
>> Since December 3 (commit 5bdec7d634ce0058801cd212e9e4ea56e914ca0c),
>> we've had the fixes that were later announced as CVE-2016-9901,
>> CVE-2016-9902, CVE-2016-9905, and another patch for CVE-2016-9893.
>>
>> On December 10 (commit 56c394ee4397015d6144dab002ee43fc7e32a331), I
>> cherry-picked the remaining fixes from the not-yet-released Firefox
>> ESR 45.6: CVE-2016-9895, and the final six patches for CVE-2016-9893.
>>
>>       Mark
>
> Impressive, thank you!
>
> I'm a bit curious though, how did you get these patches? Were they
> already advertised as vulnerability fixes at the time you applied
> them? Were they already publicly available?

I cherry-picked them from the mozilla-esr45 mercurial repository.  They
were not yet advertised as vulnerability fixes.  Often they are only
labeled with a mozilla bug number, and the relevant bug reports are not
publicly accessible.  However, in practice most of the bug fixes applied
to that branch are potentially exploitable.

     Mark
