LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

April 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS April 2016

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Firefox and Thunderbird unpatched question
From:	Andrew C Aitchison <[log in to unmask]>
Reply To:	Andrew C Aitchison <[log in to unmask]>
Date:	Mon, 25 Apr 2016 21:15:43 +0100
Content-Type:	text/plain
Parts/Attachments:	text/plain (67 lines)

On Mon, 25 Apr 2016, Jarek Polok wrote:

> On 04/25/2016 02:32 AM, ToddAndMargo wrote:
>>  Hi All,
>>
>>  Seems like SL7 is not keeping up with Firefox and Thunderbird
>>  updates anymore.  EL Linux is suppose to keep up with security updates
>>  but Red Hat obviously picks and chooses: Firefox and Thunderbird
>>  are typically left unpatched.
>
> That is incorrect, see:
>
> # rpm -q firefox --changelog
>
> shows:
>
> * Thu Mar 03 2016 Jan Horak <[log in to unmask]> - 38.7.0-1
> - Update to 38.7.0 ESR

We are in an awkward edge case at the moment.
We are in the overlap when there are two versions of Firefox ESR
supported by Mozilla: 45 and 38.

As to which minor versions are current, it may be about to get simpler as
[log in to unmask]" target="_blank">https:[log in to unmask]
suggests that we should see 38.8 esr and 45.1 esr from Mozilla tomorrow 
(Tuesday 26th April).

As things stand on Monday, the *source* of almost any mozilla web page
includes (near the very top) the line:
 		<html class="windows x86 no-js" lang="en" dir="ltr"
 				data-latest-firefox="45.0.2"
 				data-esr-versions="38.7.1 45.0.2">

https://www.mozilla.org/firefox/38.7.1/releasenotes/

   Version 38.7.1, first offered to ESR channel users on March 16, 2016

   Fixed
     Loading from history can show the wrong url in the location bar (Bug 1256194)

   Changed
     Disabled Graphite font shaping library

As I understand it, neither of these fix known security issues.
38.7.0 does fix a security issue in graphite, the change in 38.7.1
is to disable graphite in case there are more issues.
I am not clear whether graphite is installed on Red Hat systems.

So, Red Hat and SL are not shipping the latest version of Firefox ESR 38.7
but the missing patches do not cause known security issues.

In my experience of previous Firefox ESR major releases,
Red Hat stay with the older supported version as long as possible,
ie until a security update is released for the new version,
but not for the old version.
I'd expect Red Hat to stay with Firefox ESR 38 until mainline 47.0.1 is 
released.

*** Thunderbird isn't as actively developed as Firefox,
*** so doesn't have the "release early, release often" mainline releases
*** and releases work differently from Firefox.

-- 
Andrew C Aitchison

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV