>>>>> Moritz Muehlenhoff <j...@debian.org> writes:
> Debian Security Advisory DSA-4324-1
[...]
> CVE ID : CVE-2018-12389 CVE-2018-12390 CVE-2018-12392
> CVE-2018-12393 CVE-2018-12395 CVE-2018-12396
> CVE-2018-12397
> Multiple security issues have been found in the Mozilla Firefox web
> browser, which could result in the execution of arbitrary code,
> privilege escalation or information disclosure.
> For the stable distribution (stretch), these problems have been fixed
> in version 60.3.0esr-1~deb9u1.
[...]
... Or we can get a detailed look at [1].
I can't say I'm surprised that adopting a new, memory-safe
language as the basis for Firefox hasn't instantly resulted
in a bug-free ESR; IME, any new technology takes some time
stumbling around before its claimed benefits can truly show.
What I'm concerned about, however, is that the adoption of a
XUL-incompatible Firefox version by Debian stable left its users
without Debian-packaged, XUL-only versions of NoScript and uBlock.
Frankly, at this point, I'm inclined to trust an unsupported ESR
plus NoScript /more/ than a supported ESR without one.
(Not to mention that I find Firefox UI without CTR barely usable.)
[1] http://security-tracker.debian.org/firefox-esr
[2] http://addons.mozilla.org/firefox/addon/classicthemerestorer/
--
FSF associate member #7257 np. Face Another Day -- Jogeir Liljedahl