[Secure-testing-team] Bug#699758: iceweasel: browser will be unsupported causing security vulnerabilities.
Zack
bugreports1649 at riseup.net
Mon Feb 4 17:56:39 UTC 2013
Package: iceweasel
Version: 10.0.12esr-1
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
In wheezy the current version of iceweasel is 10.0.12 ESR. I know that
according to normal Debian policy this package should not receive updates other
than "security updates", however I believe that this could cause security
vulnerabilities. Firefox 10.X ESR will soon no longer be supported, and
17.X ESR will be supported instead. I know that the Debian security team can
backport security fixes to 10.X, but as Mozilla warn on their website about the
ESR version, it becomes harder to back-port security fixes as packages become
more out of date, and over three years from when 10.X is not supported to when
wheezy is not supported, there will almost certainly be some security fixes
that will not be possible to backdate - this is to some extent true even with
supported ESR (Mozilla only backport "high" and "critical" fixes).

By updating to iceweasel 17.X, you will have the advantage of support for a
longer time, and software that is one year newer, making it easier to backport
more fixes. There is also quite a long time still left of quality assurance
before the release date of wheezy to deal with bugs that would be caused by
this upgrade. I know there is often a tension between stability and security,
but I think this is a special case because browser security is so important,
and other components, such as the kernel, will be receiving long term support
for most of the lifespan of wheezy anyway.
-- Package-specific info:
-- Extensions information
Name: Adblock Plus
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled
Name: Default theme
Location: /usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: English (GB) Language Pack locale
Location: /usr/lib/iceweasel/extensions/langpack-en-GB@iceweasel.mozilla.org.xpi
Package: iceweasel-l10n-en-gb
Status: enabled
-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled
Name: Shockwave Flash
Location: /usr/lib/gnash/libgnashplugin.so
Package: browser-plugin-gnash
Status: enabled
Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled
-- Addons package information
ii browser-plugin 0.8.11~git20 amd64 GNU Shockwave Flash (SWF) player
ii gnome-shell 3.4.2-6 amd64 graphical shell for the GNOME des
ii iceweasel 10.0.12esr-1 amd64 Web browser based on Firefox
ii iceweasel-l10n 1:10.0.12esr all English (United Kingdom) language
ii rhythmbox-plug 2.97-2.1 amd64 plugins for rhythmbox music playe
ii xul-ext-adbloc 2.1-1 all Advertisement blocking extension
-- System Information:
Debian Release: 7.0
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iceweasel depends on:
ii debianutils 4.3.2
ii fontconfig 2.9.0-7.1
ii libc6 2.13-37
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libglib2.0-0 2.33.12+really2.32.4-3
ii libgtk2.0-0 2.24.10-2
ii libnspr4 2:4.9.2-1
ii libnspr4-0d 2:4.9.2-1
ii libsqlite3-0 3.7.13-1
ii libstdc++6 4.7.2-5
ii procps 1:3.3.3-2
ii xulrunner-10.0 10.0.12esr-1
iceweasel recommends no packages.
Versions of packages iceweasel suggests:
ii fonts-stix [otf-stix] 1.1.0-1
ii libgssapi-krb5-2 1.10.1+dfsg-3
pn mozplugger <none>
Versions of packages xulrunner-10.0 depends on:
ii libasound2 1.0.25-4
ii libatk1.0-0 2.4.0-2
ii libbz2-1.0 1.0.6-4
ii libc6 2.13-37
ii libcairo2 1.12.2-2
ii libdbus-1-3 1.6.8-1
ii libdbus-glib-1-2 0.100-1
ii libevent-2.0-5 2.0.19-stable-3
ii libfontconfig1 2.9.0-7.1
ii libfreetype6 2.4.9-1.1
ii libgcc1 1:4.7.2-5
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libglib2.0-0 2.33.12+really2.32.4-3
ii libgtk2.0-0 2.24.10-2
ii libhunspell-1.3-0 1.3.2-4
ii libjpeg8 8d-1
ii libmozjs10d 10.0.12esr-1
ii libnotify4 0.7.5-1
ii libnspr4-0d 2:4.9.2-1
ii libnss3-1d 2:3.13.6-2
ii libpango1.0-0 1.30.0-1
ii libpixman-1-0 0.26.0-3
ii libreadline6 6.2+dfsg-0.1
ii libsqlite3-0 3.7.13-1
ii libstartup-notification0 0.12-1
ii libstdc++6 4.7.2-5
ii libvpx1 1.1.0-1
ii libx11-6 2:1.5.0-1
ii libxext6 2:1.3.1-2
ii libxrender1 1:0.9.7-1
ii libxt6 1:1.1.3-1
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages xulrunner-10.0 suggests:
ii libcanberra0 0.28-6
ii libgnomeui-0 2.24.5-2
-- no debconf information