Wheezy update of firefox-esr?

Balint Reczey balint at balintreczey.hu
Sat Sep 24 13:34:14 UTC 2016 

Hi,

On 09/24/2016 12:51 AM, Mike Hommey wrote:
> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
>> Hi,
>>
>> 2016-09-20 23:43 GMT+02:00 Chris Lamb <lamby at debian.org>:
>>> Hello dear maintainer(s),
>>>
>>> the Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of firefox-esr:
>>> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>>>
>>> Would you like to take care of this yourself?
>>>
>>> If yes, please follow the workflow we have defined here:
>>> https://wiki.debian.org/LTS/Development
>>>
>>> If that workflow is a burden to you, feel free to just prepare an
>>> updated source package and send it to debian-lts at lists.debian.org
>>> (via a debdiff, or with an URL pointing to the source package,
>>> or even with a pointer to your packaging repository), and the members
>>> of the LTS team will take care of the rest. Indicate clearly whether you
>>> have tested the updated package or not.
>>>
>>> If you don't want to take care of this update, it's not a problem, we
>>> will do our best with your package. Just let us know whether you would
>>> like to review and/or test the updated package before it gets released.
>>>
>>> You can also opt-out from receiving future similar emails in your
>>> answer and then the LTS Team will take care of firefox-esr updates
>>> for the LTS releases. (In case we don't get any answer for months,
>>> we may also take it as an opt-out, too.)
>>
>> I think Mike would like the LTS Team to prepare the future updates:
>>
>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
>>>> Hello Mike,
>>>>
>>>> Thank you for preparing the security update of firefox-esr. I have just
>>>> sent a security announcement for your update in Wheezy to the
>>>> debian-lts-announce mailing list. If you want to take care of this next
>>>> time, please follow our guidelines which we have outlined at [1]. If
>>>> this is a burden for you, no problem, we will do our best and take care
>>>> of the rest. In this case we would like to ask you to send a short
>>>> reminder to debian-lts, so that we can prepare the announcement in a
>>>> timely manner.
>>>
>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
>>> that. That these updates go through the same security-master doesn't
>>> help making it obvious they are different.
>>>
>>> Anyways, I'd rather not have more work to do, so if can send
>>> announcements, that works for me. Or you can deal with the backport
>>> from back to back.
>> ...
>>
>> I have added firefox-esr to lts-do-not-call and started preparing the update.
> 
> Thanks.

I have prepared the update.

Please see the diff to jessie-security's version attached.

Changes:

 firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium
 .
   [ Mike Hommey ]
   * New upstream release.
   * Fixes for mfsa2016-86, also known as:
     CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274,
     CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281,
     CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257.
 .
   * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable
     on arm* because of crashes when building with GCC 6. (FTBFS)
   * debian/rules: Build with -fno-schedule-insns2 and
     -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles
     Firefox. Closes: #836533.
 .
   * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h:
     Don't include mozalloc.h from the cstdlib wrapper. bz#1245076,
bz#1259537.
     Closes: #822715.
   * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)


The binary packages for amd64 are also available for testing here:

 deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

I ran browser benchmarks to stress test the package and also visited a
few sites manually.

I plan uploading the package around 21:00 UTC.

Cheers,
Balint

-------------- next part --------------
A non-text attachment was scrubbed...
Name: firefox-esr_45.4.0esr-1~deb7u1.patch
Type: text/x-patch
Size: 2579 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20160924/6a02aa12/attachment.bin>

More information about the pkg-mozilla-maintainers mailing list