From: Mark H Weaver
Subject: Re: Guix IceCat users have had early access to security fixes
Date: Sun, 15 Jan 2017 19:08:11 -0500
Message-ID: <87tw8zj28k.fsf@netris.org>
References: <87oa0e3t1r.fsf@netris.org>
In-Reply-To: (julien lepiller's message of "Thu, 15 Dec 2016 13:56:52 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: julien lepiller
Cc: guix-devel@gnu.org

Hi,

julien lepiller writes:

> On 2016-12-15 02:00, Mark H Weaver wrote:
>> Yesterday, Mozilla released Firefox ESR 45.6 and announced several CVEs
>> fixed by it:
>>
>>   https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/
>>
>> I'm pleased to announce that Guix users of IceCat have had early access
>> to all of these fixes.
>>
>> Since November 30 (commit 9689e71d2f2b5e766415a40d5f5ab267768d217d),
>> we've had fixes for CVE-2016-9897, CVE-2016-9898, CVE-2016-9899,
>> CVE-2016-9900, CVE-2016-9904, and 4 out of 11 patches for
>> CVE-2016-9893.
>>
>> Since December 3 (commit 5bdec7d634ce0058801cd212e9e4ea56e914ca0c),
>> we've had the fixes that were later announced as CVE-2016-9901,
>> CVE-2016-9902, CVE-2016-9905, and another patch for CVE-2016-9893.
>>
>> On December 10 (commit 56c394ee4397015d6144dab002ee43fc7e32a331), I
>> cherry-picked the remaining fixes from the not-yet-released Firefox
>> ESR 45.6: CVE-2016-9895, and the final six patches for CVE-2016-9893.
>>
>>      Mark
>
> Impressive, thank you!
>
> I'm a bit curious though, how did you get these patches? Were they
> already advertised as vulnerability fixes at the time you applied
> them? Were they already publicly-available?

I cherry-picked them from the mozilla-esr45 mercurial repository.  They
were not yet advertised as vulnerability fixes.  Often they are only
labeled with a mozilla bug number, and the relevant bug reports are not
publicly accessible.  However, in practice most of the bug fixes applied
to that branch are potentially exploitable.

     Mark
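The reply above describes the packager's situation: fixes land on the ESR branch labelled only with a Mozilla bug number, and one bug can be fixed by several separate patches (the "4 out of 11 patches for CVE-2016-9893" bookkeeping in the announcement). The following is an added example, not code from this thread or from Guix: a small Python tracker that parses `hg log` output from such a branch, groups commits by the bug numbers in their summaries, and reports which bugs are only partially backported by comparing against the upstream commit ids already carried locally. It assumes the log was produced with `hg log -r "BASE::tip" --template "{node|short}\t{desc|firstline}\n"` and that summaries follow the "Bug NNNNNNN - ..." convention; every hash and bug number in the sample is a constructed placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of
#   hg log -r "BASE::tip" --template "{node|short}\t{desc|firstline}\n"
# run on an ESR branch.  Hashes and bug numbers are placeholders only.
SAMPLE_HG_LOG = """\
0a1b2c3d4e5f\tBug 1000001 - Null-check the parent frame before reflow. r=reviewer, a=esr-approver
1b2c3d4e5f60\tBug 1000002 - Part 1: Bound the index before table lookup. r=reviewer
2c3d4e5f6071\tBug 1000002 - Part 2: Add regression test. r=reviewer
3d4e5f607182\tBumping versions for ESR release
4e5f60718293\tBug 1000003, Bug 1000004 - Guard against re-entrant destruction. r=reviewer a=esr
5f6071829304\tBug 1000005 - Update in-tree copy of a bundled library. r=reviewer
"""

# Upstream commit ids already cherry-picked into the local patch set
# (what a packager would keep beside the package's patch directory).
# Constructed to show a bug with only one of two parts applied.
APPLIED_NODES = ["0a1b2c3d4e5f", "1b2c3d4e5f60"]

BUG_RE = re.compile(r"\bBug\s+(\d+)", re.IGNORECASE)


@dataclass
class Commit:
    node: str
    summary: str
    bugs: frozenset = field(default_factory=frozenset)


def parse_hg_log(text):
    """Turn 'node<TAB>summary' lines into Commit records with their bug ids."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        node, _, summary = line.partition("\t")
        bugs = frozenset(int(b) for b in BUG_RE.findall(summary))
        commits.append(Commit(node=node, summary=summary, bugs=bugs))
    return commits


def backport_status(commits, applied_nodes):
    """Per bug: (applied_count, total_count, [missing upstream nodes]).

    Tracking by commit id rather than by bug number is what makes a
    multi-part fix show up as incomplete instead of silently 'done'.
    Commits without a bug reference (version bumps etc.) are not tracked.
    """
    applied = set(applied_nodes)
    status = {}
    for c in commits:
        for bug in c.bugs:
            done, total, missing = status.get(bug, (0, 0, []))
            if c.node in applied:
                done += 1
            else:
                missing = missing + [c.node]
            status[bug] = (done, total + 1, missing)
    return status


def incomplete_bugs(status):
    """Bug numbers for which at least one upstream patch is still missing."""
    return sorted(bug for bug, (done, total, _) in status.items() if done < total)


def unknown_applied(commits, applied_nodes):
    """Applied ids that do not appear in the log: a typo or a stale id
    would otherwise just make a patch count as not applied."""
    known = {c.node for c in commits}
    return sorted(set(applied_nodes) - known)


def format_report(status):
    lines = []
    for bug in sorted(status):
        done, total, missing = status[bug]
        state = "complete" if done == total else f"missing {', '.join(missing)}"
        lines.append(f"Bug {bug}: {done} of {total} patches applied ({state})")
    return "\n".join(lines)


if __name__ == "__main__":
    commits = parse_hg_log(SAMPLE_HG_LOG)
    status = backport_status(commits, APPLIED_NODES)
    print(format_report(status))
    print("incomplete:", incomplete_bugs(status))
    print("unknown applied ids:", unknown_applied(commits, APPLIED_NODES))
```

Once an advisory is published, the same per-bug table can be joined to the bug-to-CVE mapping in the advisory to state which CVEs a package build actually contains; until then, the bug number is the only handle available, which is exactly the situation the reply describes.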