The Mozilla Firefox ESR 128.1.0 installation on Windows does not indicate that it is the ESR version in the firefox.exe properties

[Amila Goonawardana]

 The Mozilla Firefox ESR 128.1.0 installation on Windows does not indicate that it is the ESR version in the firefox.exe properties. As a result, the Tenable Nessus scanner detects it as the regular Firefox version 128.1.0, which has known CVEs.  

[Mike Kaply]

There is no regular Firefox 128.1, it is only the ESR.

Except for when the versions are the same (128), the ESR versions can easily be distinguished, as regular Firefox updates have a zero in the second position.

You can see this here:

https://www.mozilla.org/en-US/firefox/releases/

ESRs have a number > 0 in the 2nd position.

It would be up to the vendor to understand how this versioning works.

Mike

On Wed, Aug 28, 2024 at 7:17 AM Amila Goonawardana <hotf...@gmail.com> wrote:

 The Mozilla Firefox ESR 128.1.0 installation on Windows does not indicate that it is the ESR version in the firefox.exe properties. As a result, the Tenable Nessus scanner detects it as the regular Firefox version 128.1.0, which has known CVEs.  

--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/1a822447-da64-46d0-845e-5c48b5a7fa35n%40mozilla.org.

[Amila Goonawardana]

Thanks for the clarrification Mike.

Will share with Tenable.

Amila

[Ryan VanderMeulen]

We actually did ship a change in versioning for 128 that allows detection of ESR vs. Release even for the .0 release by utilizing the fourth digit of the version number (i.e. 128.1.0.2306) as detailed in https://bugzilla.mozilla.org/show_bug.cgi?id=1872242. The logic is documented in the comment here: https://hg.mozilla.org/mozilla-central/file/9cc387be4b6c5814ad2609473f770e6495c4a99e/config/create_rc.py#l104.

And as shown in the version number above, dividing 2306 by 4 yields a remainder of 2, indicating that it's an ESR build.

Hope that helps,

Ryan VanderMeulen

Firefox Release Manager

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/99b63826-75a8-4ae7-bcc7-a592e4431931n%40mozilla.org.

[Dylan Romero]

Hi Amila,

Did you ever hear anything back from Tenable?  I'm still seeing 128.2.0 being flagged for Mozilla Firefox < 130.0.

Thanks,

Dylan

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/99b63826-75a8-4ae7-bcc7-a592e4431931n%40mozilla.org.

[Amila Goonawardena]

Hi Dylan ,

Yes, we created the case with Tenable few weeks ago. Tenable hasn’t addressed the issue yet. We also escalated the case through account manager during the training early this week.

Hope Tenable address the case soon and resolve the issue. 

Amila

Get Outlook for iOS

---

From: enter...@mozilla.org <enter...@mozilla.org> on behalf of Dylan Romero <dylan....@gmail.com>
Sent: Thursday, September 19, 2024 4:45:42 PM
To: Amila Goonawardana <hotf...@gmail.com>
Cc: enter...@mozilla.org <enter...@mozilla.org>; Mike Kaply <mka...@mozilla.com>
Subject: Re: [Mozilla Enterprise] The Mozilla Firefox ESR 128.1.0 installation on Windows does not indicate that it is the ESR version in the firefox.exe properties

 

* This email originates from a sender outside of CUNY. Verify the sender before replying or clicking on links and attachments. *

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/CAG%3DFbBW93ckdqFF%2BVadan0XLEhX8Zx%3D2KmMfPjx2xMGNm9B-3Q%40mail.gmail.com.

[Dylan Romero]

Hi Amila,

I just ran a new scan and it cleared.  The plugins might have updated. I'm running on a second system to verify. 

Thanks,

Dylan