Mr. Volkerding, please don't forget about security updates

max.b · 11-15-2021, 08:30 PM

Mr. Volkerding,

100 vulnerabilities are discovered in Firefox every year:

https://cve.mitre.org/cgi-bin/cvekey...eyword=firefox

A typical one is not limited to an OS or recent versions.

Slackware released 0 updates to it in 2021.

Updates to other packages seem similarly sparse.

This is a friendly reminder to release them if you got them.

RadicalDreamer · 11-15-2021, 09:01 PM

Thank you for sharing. Have a nice day.

max.b · 11-15-2021, 09:46 PM

Quote:

Originally Posted by RadicalDreamer

Thank you for sharing. Have a nice day.

You are welcome. HAND.

cwizardone · 11-15-2021, 09:51 PM

Quote:

Originally Posted by max.b

.....Firefox....

Slackware released 0 updates to it in 2021.

On the off chance you are not a troll, but simply grossly misinformed, check the
change log for security updates.
http://slackware.oregonstate.edu/sla.../ChangeLog.txt

You do know how to use the search function in your browser?

RadicalDreamer · 11-15-2021, 10:13 PM

Quote:

Originally Posted by cwizardone

On the off chance you are not a troll, but simply grossly misinformed, check the
change log for security updates.
http://slackware.oregonstate.edu/sla.../ChangeLog.txt

You do know how to use the search function in your browser?

That isn't entirely correct.
http://slackware.oregonstate.edu/sla.../ChangeLog.txt

He snagged one, good catch!

Gerard Lally · 11-15-2021, 11:00 PM

Quote:

Originally Posted by max.b

Mr. Volkerding,

100 vulnerabilities are discovered in Firefox every year

In that case, shouldn't you be directing your sneer towards Mozilla instead?

Defective software is the responsibility of those who write it. As an aspiring professional programmer, you ought to know this. And, if certain FOSS businesses and organisations keep producing defective software, perhaps the solution is to stop shipping it, until they can come up with something that doesn't fall victim to two vulnerabilities every week of the year.

RadicalDreamer · 11-15-2021, 11:15 PM

I give up. People be handing out freebies like it is Epic Games Store. Time to bring out the popcorn!
https://www.youtube.com/watch?v=YfdLh0MHqKw

drgibbon · 11-15-2021, 11:22 PM

OP may be generally trolling around here, but in this case it's an absolutely solid point. According to packages.slackware.com, Slackware stable is still shipping Firefox 68.12.0, released August 25th 2020! If you care even a bit about security that is just not viable. For another example from stable see openssl-1.0.2u, which upstream hasn't supported for yonks: "All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used". It's been years since I considered Slackware stable to be an option, sad to see (especially when SBo remains tethered to it)!

max.b · 11-16-2021, 01:56 AM

Quote:

Originally Posted by Gerard Lally

In that case, shouldn't you be directing your sneer towards Mozilla instead?

Defective software is the responsibility of those who write it. As an aspiring professional programmer, you ought to know this. And, if certain FOSS businesses and organisations keep producing defective software, perhaps the solution is to stop shipping it, until they can come up with something that doesn't fall victim to two vulnerabilities every week of the year.

None of what you say is true.

The rule of thumb for widely used and well-tested software is 1 defect per 1kloc.

For browsers, servers, etc., many of these become vulnerabilities, if discovered. You do the math.

Lastly, no developer is required to fix outdated versions. That's an utterly delusional expectation.

marav · 11-16-2021, 02:02 AM

I still don't understand why a Debian user comes to post on a Slackware forum, with zero posts on the Debian forum...
Has the opposite ever happened?

Nobby6 · 11-16-2021, 02:14 AM

Quote:

Originally Posted by marav

I still don't understand why a Debian user comes to post on a Slackware forum, with zero posts on the Debian forum...
Has the opposite ever happened?

yeah, and coz like debian neevvvvvvveeeeeerrrrrrrrrrrrrrr uses old software

max.b · 11-16-2021, 02:26 AM

Quote:

Originally Posted by Gerard Lally

And, if certain FOSS businesses and organisations keep producing defective software, perhaps the solution is to stop shipping it, until they can come up with something that doesn't fall victim to two vulnerabilities every week of the year.

You will be using wget and then staring at the HTML in vim.

Because Chrome gets twice as many vulns discovered a year.

Not because it's worse though. See above.

max.b · 11-16-2021, 02:39 AM

Quote:

Originally Posted by Nobby6

yeah, and coz like debian neevvvvvvveeeeeerrrrrrrrrrrrrrr uses old software

I haven't found anything better, but it's far from flawless.

marav · 11-16-2021, 02:46 AM

Quote:

Originally Posted by max.b

I haven't found anything better, but it's far from flawless.

And this is true for all major distributions, which everyone uses

chrisretusn · 11-16-2021, 02:47 AM

Quote:

Originally Posted by max.b

Mr. Volkerding,

100 vulnerabilities are discovered in Firefox every year:

https://cve.mitre.org/cgi-bin/cvekey...eyword=firefox

A typical one is not limited to an OS or recent versions.

Slackware released 0 updates to it in 2021.

What are these then?

Code:

+--------------------------+
Thu Nov  4 04:43:31 UTC 2021
xap/mozilla-firefox-91.3.0esr-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.3.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2021-49/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38503
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38504
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38505
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38506
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38507
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38508
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38509
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38510
  (* Security fix *)
+--------------------------+
Wed Oct  6 00:02:15 UTC 2021
xap/mozilla-firefox-91.2.0esr-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.2.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2021-45/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38496
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38497
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38498
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32810
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38501
  (* Security fix *)
+--------------------------+
Mon Sep  6 18:55:54 UTC 2021
xap/mozilla-firefox-91.1.0esr-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.1.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2021-40/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38492
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38495
  (* Security fix *)
+--------------------------+
Tue Aug 17 20:08:40 UTC 2021
xap/mozilla-firefox-91.0.1-x86_64-1.txz: Upgraded.
       This release contains security fixes and improvements.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/91.0.1/releasenotes/
       https://www.mozilla.org/security/advisories/mfsa2021-37/
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29991
       (* Security fix *)

+--------------------------+
Mon Aug 16 05:28:16 UTC 2021
xap/mozilla-firefox-91.0-x86_64-1.txz: Upgraded.
       New ESR release :-)
       This release contains security fixes and improvements.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/91.0/releasenotes/
       https://www.mozilla.org/security/advisories/mfsa2021-33/
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29986
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29981
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29988
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29983
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29984
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29980
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29987
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29985
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29982
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29989
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29990
       (* Security fix *)
+--------------------------+
Mon Jul 12 19:17:02 UTC 2021
xap/mozilla-firefox-90.0-x86_64-1.txz: Upgraded.
       This release contains security fixes and improvements.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/90.0/releasenotes/
       (* Security fix *)
+--------------------------+
Wed Jun 16 01:06:18 UTC 2021
xap/mozilla-firefox-89.0.1-x86_64-1.txz: Upgraded.
       This release contains security fixes and improvements.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/89.0.1/releasenotes/
       (* Security fix *)
+--------------------------+
Wed May 5 19:56:53 UTC 2021
xap/mozilla-firefox-88.0.1-x86_64-1.txz: Upgraded.
       This release contains security fixes and improvements.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/88.0.1/releasenotes/
       https://www.mozilla.org/security/advisories/mfsa2021-20/
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29953
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29952
       (* Security fix *)
+--------------------------+
Mon Apr 19 21:40:04 UTC 2021
xap/mozilla-firefox-88.0-x86_64-1.txz: Upgraded.
       This release contains security fixes and improvements.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/88.0/releasenotes/
       https://www.mozilla.org/security/advisories/mfsa2021-16/
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23994
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23995
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23996
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23997
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23998
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23999
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24000
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24001
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24002
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29945
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29944
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29946
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29947
       (* Security fix *)
+--------------------------+
Wed Mar 24 04:29:15 UTC 2021
xap/mozilla-firefox-87.0-x86_64-1.txz: Upgraded.
       This release contains security fixes and improvements.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/87.0/releasenotes/
       https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23981
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23982
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23983
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23984
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23985
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23986
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23987
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23988
       (* Security fix *)
+--------------------------+
Mon Feb 22 20:58:01 UTC 2021
xap/mozilla-firefox-78.8.0esr-x86_64-1.txz: Upgraded.
       This release contains security fixes and improvements.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/78.8.0/releasenotes/
       (* Security fix *)
+--------------------------+
Fri Feb 5 21:18:59 UTC 2021
xap/mozilla-firefox-78.7.1esr-x86_64-1.txz: Upgraded.
       This release contains a security fix.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/78.7.1/releasenotes/
       https://www.mozilla.org/en-US/security/advisories/mfsa2021-06/#MOZ-2021-0001
       (* Security fix *)
+--------------------------+
Mon Jan 25 20:42:50 UTC 2021
xap/mozilla-firefox-78.7.0esr-x86_64-1.txz: Upgraded.
       This release contains security fixes and improvements.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/78.7.0/releasenotes/
       (* Security fix *)
+--------------------------+
Wed Jan 6 22:59:38 UTC 2021
xap/mozilla-firefox-78.6.1esr-x86_64-1.txz: Upgraded.
       This release contains a security fix:
       A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet
       in a way that potentially resulted in a use-after-free. We presume that with
       enough effort it could have been exploited to run arbitrary code.
       For more information, see:
       https://www.mozilla.org/en-US/firefox/78.6.1/releasenotes/
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16044
       (* Security fix *)