From mboxrd@z Thu Jan 1 00:00:00 1970 From: julien lepiller Subject: Re: Guix IceCat users have had early access to security fixes Date: Thu, 15 Dec 2016 13:56:52 +0100 Message-ID: References: <87oa0e3t1r.fsf@netris.org> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:56295) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cHVaq-0005xS-H7 for guix-devel@gnu.org; Thu, 15 Dec 2016 07:57:05 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cHVan-0004sr-FT for guix-devel@gnu.org; Thu, 15 Dec 2016 07:57:04 -0500 Received: from dau94-h03-89-91-205-84.dsl.sta.abo.bbox.fr ([89.91.205.84]:35681 helo=skaro.lepiller.eu) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cHVan-0004r5-3Z for guix-devel@gnu.org; Thu, 15 Dec 2016 07:57:01 -0500 Received: from localhost (localhost [127.0.0.1]) by skaro.lepiller.eu (Postfix) with ESMTP id 38C9780B7A for ; Thu, 15 Dec 2016 13:56:57 +0100 (CET) Received: from skaro.lepiller.eu ([127.0.0.1]) by localhost (lepiller.eu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2e9BIbOgPwVb for ; Thu, 15 Dec 2016 13:56:53 +0100 (CET) Received: from webmail.lepiller.eu (localhost [127.0.0.1]) by skaro.lepiller.eu (Postfix) with ESMTPA id 8FE847F8FC for ; Thu, 15 Dec 2016 13:56:52 +0100 (CET) In-Reply-To: <87oa0e3t1r.fsf@netris.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org Le 2016-12-15 02:00, Mark H Weaver a =C3=A9crit=C2=A0: > Yesterday, Mozilla released Firefox ESR 45.6 and announced several CVEs > fixed by it: >=20 > https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/ >=20 > I'm pleased to announce that Guix users of IceCat have had early access > all of these fixes. >=20 > Since November 30 (commit 9689e71d2f2b5e766415a40d5f5ab267768d217d), > we've had fixes for CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, > CVE-2016-9900, CVE-2016-9904, and 4 out of 11 patches for=20 > CVE-2016-9893. >=20 > Since December 3 (commit 5bdec7d634ce0058801cd212e9e4ea56e914ca0c), > we've had the fixes that were later announced as CVE-2016-9901, > CVE-2016-9902, CVE-2016-9905, and another patch for CVE-2016-9893. >=20 > On December 10 (commit 56c394ee4397015d6144dab002ee43fc7e32a331), I > cherry-picked the remaining fixes from the not-yet-released Firefox > ESR 45.6: CVE-2016-9895, and the final six patches for CVE-2016-9893. >=20 > Mark Impressive, thank you! I'm a bit curious though, how did you get these patches? Were they=20 already advertised as vulnerability fixes at the time you applied them?=20 Were they already publicly-available?