Author Topic:  when to update iceweasel?  (Read 10786 times)

Offline cas

  • User
  • Posts: 401
when to update iceweasel?
« on: 2015/08/07, 19:17:12 »
firefox/iceweasel users are strongly advised to update to 39.03 / ESR 38.1.1
http://www.zdnet.com/article/mozilla-urges-users-to-update-firefox-with-file-stealing-exploit-in-wild/

When I try, many other packages would be updated, probably related to the gcc transition.

So,  what are we supposed to do?
Is it wise to wait until the transition is over?

Thnx, C

Offline ayla

  • User
  • Posts: 1.744
Re: when to update iceweasel?
« Reply #1 on: 2015/08/07, 19:35:34 »
Can't answer your question, but as we have a strong warning about the ongoing transition, I would like to add one:

Would it help to switch off the pdf preview in iceweasel, using okular instead?

Offline der_bud

  • User
  • Posts: 1.072
  • member
Re: when to update iceweasel?
« Reply #2 on: 2015/08/07, 20:06:25 »
...Would it help to switch off the pdf preview in iceweasel, using okular instead?

I asked that question in a comment at the blog of a mozilla representative (waiting for moderation atm). There is more info about this security issue:
Quote from: SoerenHentzschel
Update: Mozilla has published a detailed announcement. According to it, the vulnerability exists on Windows, OS X and Linux, but exploitation is known only on Windows and Linux. Anyone using Windows or Linux should change all passwords and keys stored in the following files:

    "On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts."

__
edit: following the links above I can find Firefox as affected by this. Does anybody know if Iceweasel is concerned?
« Last Edit: 2015/08/07, 20:10:49 by der_bud »
You're laughing? Why are you laughing? That's often how it goes: people laugh first and then they're dead.
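
An inventory of the Linux items named in the quoted Mozilla notice, to decide which passwords and keys to change (an added example, not part of the original posts). The application config directories and the `-maxdepth 3` limit are assumptions; the script prints paths only and never reads file contents.

```shell
#!/bin/sh
# Added example: list which files from the quoted notice exist under a home
# directory, so the matching passwords and keys can be changed.

exposure_inventory() {   # usage: exposure_inventory [home-dir]
    home=${1:-$HOME}
    [ -d "$home" ] || return 1
    (
        cd "$home" || exit 1
        # Shell and database client histories named in the notice.
        for f in .bash_history .mysql_history .pgsql_history; do
            if [ -f "$f" ]; then printf 'history: %s\n' "$f"; fi
        done
        # SSH configuration files and keys.
        if [ -d .ssh ]; then
            find .ssh -type f | sort | sed 's|^|ssh: |'
        fi
        # Remmina, Filezilla and Psi+ configuration (assumed default locations).
        for d in .remmina .config/remmina .filezilla .config/filezilla .config/psi+; do
            if [ -d "$d" ]; then printf 'appconfig: %s\n' "$d"; fi
        done
        # Text files with "pass" or "access" in the name, and shell scripts.
        find . -maxdepth 3 -type f \( -iname '*pass*.txt' -o -iname '*access*.txt' \) \
            | sort | sed 's|^\./|textfile: |'
        find . -maxdepth 3 -type f -name '*.sh' | sort | sed 's|^\./|script: |'
    )
}
```

Every `ssh:` line is a key or host list to review, and every `history:`, `textfile:` or `script:` hit is a file to check for embedded credentials.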

Offline vilde

  • User
  • Posts: 708
Re: when to update iceweasel?
« Reply #3 on: 2015/08/07, 20:11:41 »
One way to get the newest "iceweasel" is to download firefox and run it from a folder in your user directory, no installation needed and it will use all your settings/bookmarks from iceweasel. This could then be used until we can do a proper d-u.

But I have no idea if above method is recommended and/or if it will help for this issue.

Maybe someone who understands more about this can suggest if this will be ok?

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: when to update iceweasel?
« Reply #4 on: 2015/08/07, 20:14:54 »
@vilde - one way would be: use your brain and read the changelog
@cas: apt-get install iceweasel should do the trick

@all:
Code:
iceweasel (38.1.1esr-1) unstable; urgency=high

  * New upstream release.
  * Fixes for mfsa2015-78, also known as CVE-2015-4495.

  * debian/source.filter: Remove the source tarball filtering of search plugin
    icons. See 20150715221703.GD19084@glandium.org.

 -- Mike Hommey <glandium@debian.org>  Fri, 07 Aug 2015 08:34:19 +0900

Code:
iceweasel (39.0.3-1~bpo70+1) UNRELEASED; urgency=medium

  * Rebuild for wheezy-backports.

 -- Mike Hommey <glandium@debian.org>  Fri, 07 Aug 2015 09:07:54 +0900

iceweasel (39.0.3-1) experimental; urgency=medium

  * New upstream release.
  * Fixes for mfsa2015-78, also known as CVE-2015-4495.

  * debian/source.filter: Remove the source tarball filtering of search plugin
    icons. See 20150715221703.GD19084@glandium.org.

 -- Mike Hommey <glandium@debian.org>  Fri, 07 Aug 2015 08:52:52 +0900
« Last Edit: 2015/08/07, 20:27:56 by melmarker »
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlons razor)

Offline der_bud

  • User
  • Posts: 1.072
  • member
Re: when to update iceweasel?
« Reply #5 on: 2015/08/07, 20:49:49 »
... @cas: apt-get install iceweasel should do the trick ...
Looks here like
Code:
LANG=C apt-get install iceweasel iceweasel-l10n-de
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  cpp-5 gcc-5 gcc-5-base gcc-5-base:i386 libasan2 libatomic1 libcc1-0 libcilkrts5 libgcc-5-dev libgcc1 libgcc1:i386 libgfortran3 libgomp1
  libitm1 liblsan0 libmpx0 libquadmath0 libstdc++6 libstdc++6:i386 libtsan0 libubsan0
Suggested packages:
  gcc-5-locales gcc-5-multilib gcc-5-doc libgcc1-dbg libgomp1-dbg libitm1-dbg libatomic1-dbg libasan2-dbg liblsan0-dbg libtsan0-dbg
  libubsan0-dbg libcilkrts5-dbg libmpx0-dbg libquadmath0-dbg fonts-stix otf-stix fonts-oflb-asana-math fonts-mathjax mozplugger libgnomeui-0
The following packages will be REMOVED:
  digikam digikam-private-libs kipi-plugins libdap17 libdapclient6 libdapserver7 libgdal1h powertop qlandkartegt
The following packages will be upgraded:
  cpp-5 gcc-5 gcc-5-base gcc-5-base:i386 iceweasel iceweasel-l10n-de libasan2 libatomic1 libcc1-0 libcilkrts5 libgcc-5-dev libgcc1
  libgcc1:i386 libgfortran3 libgomp1 libitm1 liblsan0 libmpx0 libquadmath0 libstdc++6 libstdc++6:i386 libtsan0 libubsan0
23 upgraded, 0 newly installed, 9 to remove and 284 not upgraded.
Need to get 95.0 MB of archives.
After this operation, 55.8 MB disk space will be freed.
Do you want to continue? [Y/n]
For some days I could do without digikam and qlandkarte, don't know what other people's systems do

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: when to update iceweasel?
« Reply #6 on: 2015/08/07, 21:18:34 »
nobody claims that the biggest transition since years is pure fun - but nice to cleanup the own system, get familiar with not so often used features of the package management and so on :)

Offline cas

  • User
  • Posts: 401
Re: when to update iceweasel?
« Reply #7 on: 2015/08/07, 21:21:57 »
@vilde Thnx, nice answer

@melmarker Does the trick? Seems too clever. Not only libreoffice is removed. I wonder whether there are further problems lurking that I cannot see because of the half-baked transition. That's the reason I asked the question.
 
Code:
   apt-get install -s iceweasel
HINWEIS: Dies ist nur eine Simulation!
         apt-get benötigt root-Privilegien für die reale Ausführung.
         Behalten Sie ebenfalls in Hinterkopf, dass die Sperren deaktiviert
         sind, verlassen Sie sich also bezüglich des reellen aktuellen
         Status der Sperre nicht darauf!
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.       
Statusinformationen werden eingelesen.... Fertig
Die folgenden zusätzlichen Pakete werden installiert:
  cpp-5 gcc-5 gcc-5-base iceweasel-l10n-de libasan2 libatomic1 libcc1-0 libcilkrts5
  libgcc-5-dev libgcc1 libgfortran3 libgomp1 libitm1 libmpx0 libquadmath0
  libreoffice-common libstdc++6 libubsan0
Vorgeschlagene Pakete:
  gcc-5-locales gcc-5-multilib gcc-5-doc libgcc1-dbg libgomp1-dbg libitm1-dbg
  libatomic1-dbg libasan2-dbg liblsan0-dbg libtsan0-dbg libubsan0-dbg libcilkrts5-dbg
  libmpx0-dbg libquadmath0-dbg fonts-stix otf-stix fonts-oflb-asana-math fonts-mathjax
  mozplugger libreoffice-style-crystal libreoffice-style-hicontrast
  libreoffice-style-oxygen libreoffice-style-sifr libreoffice-style-tango
Empfohlene Pakete:
  gstreamer1.0-libav xfonts-mathml python3-uno
Die folgenden Pakete werden ENTFERNT:
  libboost-date-time1.54.0 libboost-date-time1.55.0 libcmis-0.3-3 libcmis-0.4-4
  libcmis-0.5-5 libreoffice-base-core libreoffice-calc libreoffice-core libreoffice-draw
  libreoffice-help-de libreoffice-impress libreoffice-writer
Die folgenden Pakete werden aktualisiert (Upgrade):
  cpp-5 gcc-5 gcc-5-base iceweasel iceweasel-l10n-de libasan2 libatomic1 libcc1-0
  libcilkrts5 libgcc-5-dev libgcc1 libgfortran3 libgomp1 libitm1 libmpx0 libquadmath0
  libreoffice-common libstdc++6 libubsan0
19 aktualisiert, 0 neu installiert, 12 zu entfernen und 242 nicht aktualisiert.
Remv libcmis-0.3-3 [0.3.1-5]
Remv libboost-date-time1.54.0 [1.54.0+dfsg-7]
Remv libreoffice-calc [1:4.4.4-1]
Remv libreoffice-help-de [1:4.4.4-1]
Remv libreoffice-writer [1:4.4.4-1]
Remv libreoffice-base-core [1:4.4.4-1]
Remv libreoffice-core [1:4.4.4-1] [libreoffice-impress:i386 libreoffice-draw:i386 ]
Remv libcmis-0.4-4 [0.4.1-7] [libreoffice-impress:i386 libreoffice-draw:i386 ]
Remv libboost-date-time1.55.0 [1.55.0+dfsg-4] [libreoffice-impress:i386 libcmis-0.5-5:i386
libreoffice-draw:i386 ]
Remv libcmis-0.5-5 [0.5.0-2] [libreoffice-impress:i386 libreoffice-draw:i386 ]
Remv libreoffice-impress [1:4.4.4-1] [libreoffice-draw:i386 ]
Remv libreoffice-draw [1:4.4.4-1]
Inst libitm1 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) []
Inst gcc-5-base [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libcc1-0:i386 libmpx0:i386 cp
p-5:i386 libquadmath0:i386 libatomic1:i386 libstdc++6:i386 libasan2:i386 libgomp1:i386 libg
fortran3:i386 libcilkrts5:i386 libgcc1:i386 libubsan0:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Conf gcc-5-base (5.2.1-14 Debian:unstable [i386]) [libcc1-0:i386 libmpx0:i386 cpp-5:i386 li
bquadmath0:i386 libatomic1:i386 libstdc++6:i386 libasan2:i386 libgomp1:i386 libgfortran3:i3
86 libcilkrts5:i386 libgcc1:i386 libubsan0:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Inst libstdc++6 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libcc1-0:i386 libmpx0:i386 cp
p-5:i386 libquadmath0:i386 libatomic1:i386 libasan2:i386 libgomp1:i386 libgfortran3:i386 li
bcilkrts5:i386 libgcc1:i386 libubsan0:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Conf libstdc++6 (5.2.1-14 Debian:unstable [i386]) [libcc1-0:i386 libmpx0:i386 cpp-5:i386 li
bquadmath0:i386 libatomic1:i386 libasan2:i386 libgomp1:i386 libgfortran3:i386 libcilkrts5:i
386 libgcc1:i386 libubsan0:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Inst libcc1-0 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libmpx0:i386 cpp-5:i386 libquad
math0:i386 libatomic1:i386 libasan2:i386 libgomp1:i386 libgfortran3:i386 libcilkrts5:i386 l
ibgcc1:i386 libubsan0:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Inst libgomp1 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libmpx0:i386 cpp-5:i386 libquad
math0:i386 libatomic1:i386 libasan2:i386 libgfortran3:i386 libcilkrts5:i386 libgcc1:i386 li
bubsan0:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Inst libatomic1 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libmpx0:i386 cpp-5:i386 libqu
admath0:i386 libasan2:i386 libgfortran3:i386 libcilkrts5:i386 libgcc1:i386 libubsan0:i386 g
cc-5:i386 libgcc-5-dev:i386 ]
Inst libasan2 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libmpx0:i386 cpp-5:i386 libquad
math0:i386 libgfortran3:i386 libcilkrts5:i386 libgcc1:i386 libubsan0:i386 gcc-5:i386 libgcc
-5-dev:i386 ]
Inst libubsan0 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libmpx0:i386 cpp-5:i386 libqua
dmath0:i386 libgfortran3:i386 libcilkrts5:i386 libgcc1:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Inst libcilkrts5 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libmpx0:i386 cpp-5:i386 libq
uadmath0:i386 libgfortran3:i386 libgcc1:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Inst libmpx0 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [cpp-5:i386 libquadmath0:i386 lib
gfortran3:i386 libgcc1:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Inst libquadmath0 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [cpp-5:i386 libgfortran3:i38
6 libgcc1:i386 gcc-5:i386 libgcc-5-dev:i386 ]
Inst libgcc-5-dev [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [cpp-5:i386 libgfortran3:i38
6 libgcc1:i386 gcc-5:i386 ]
Inst gcc-5 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [cpp-5:i386 libgfortran3:i386 libgc
c1:i386 ]
Inst cpp-5 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libgfortran3:i386 libgcc1:i386 ]
Inst libgfortran3 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libgcc1:i386 ]
Inst libgcc1 [1:5.1.1-14] (1:5.2.1-14 Debian:unstable [i386])
Conf libgcc1 (1:5.2.1-14 Debian:unstable [i386])
Inst libreoffice-common [1:4.4.4-1] (1:4.4.5-2 Debian:unstable [all])
Inst iceweasel-l10n-de [1:38.1.0esr-3] (1:38.1.1esr-1 Debian:unstable [all]) []
Inst iceweasel [38.1.0esr-3] (38.1.1esr-1 Debian:unstable [i386])
Conf libitm1 (5.2.1-14 Debian:unstable [i386])
Conf libcc1-0 (5.2.1-14 Debian:unstable [i386])
Conf libgomp1 (5.2.1-14 Debian:unstable [i386])
Conf libatomic1 (5.2.1-14 Debian:unstable [i386])
Conf libasan2 (5.2.1-14 Debian:unstable [i386])
Conf libubsan0 (5.2.1-14 Debian:unstable [i386])
Conf libcilkrts5 (5.2.1-14 Debian:unstable [i386])
Conf libmpx0 (5.2.1-14 Debian:unstable [i386])
Conf libquadmath0 (5.2.1-14 Debian:unstable [i386])
Conf libgcc-5-dev (5.2.1-14 Debian:unstable [i386])
Conf cpp-5 (5.2.1-14 Debian:unstable [i386])
Conf gcc-5 (5.2.1-14 Debian:unstable [i386])
Conf libgfortran3 (5.2.1-14 Debian:unstable [i386])
Conf libreoffice-common (1:4.4.5-2 Debian:unstable [all])
Conf iceweasel (38.1.1esr-1 Debian:unstable [i386])
Conf iceweasel-l10n-de (1:38.1.1esr-1 Debian:unstable [all])
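
A way to check such a simulation before applying the partial upgrade (an added example, not part of the original posts). It reads only the `Inst`/`Remv` action lines, which apt prints untranslated, as the German-locale output above shows; the function names and the shortened sample are constructed here.

```shell
#!/bin/sh
# Added example: summarise `apt-get install -s <pkg>` output and refuse the
# transaction if it would remove a package the user wants to keep.
# Real use: apt-get install -s iceweasel | safe_to_apply iceweasel libreoffice-writer

# Constructed sample, shortened from the simulation output posted above.
sample_simulation() {
cat <<'EOF'
Remv libreoffice-calc [1:4.4.4-1]
Remv libreoffice-core [1:4.4.4-1] [libreoffice-impress:i386 libreoffice-draw:i386 ]
Inst libstdc++6 [5.1.1-14] (5.2.1-14 Debian:unstable [i386]) [libcc1-0:i386 ]
Inst iceweasel [38.1.0esr-3] (38.1.1esr-1 Debian:unstable [i386])
Conf iceweasel (38.1.1esr-1 Debian:unstable [i386])
EOF
}

# Packages the transaction would remove, one per line.
removed_packages() { awk '$1 == "Remv" { print $2 }'; }

# "package old-version new-version" for every upgrade in the transaction.
upgraded_packages() {
    awk '$1 == "Inst" && $3 ~ /^\[/ {
        old = $3; new = $4
        gsub(/[][]/, "", old); sub(/^\(/, "", new)
        print $2, old, new
    }'
}

# Exit 0 if the target is upgraded and no keep-listed package is removed,
# 1 if a keep-listed package would be removed, 2 if the target is not upgraded.
safe_to_apply() {   # usage: safe_to_apply target [keep ...] < simulation
    target=$1; shift
    sim=$(cat)
    printf '%s\n' "$sim" | upgraded_packages \
        | awk -v t="$target" '$1 == t { found = 1 } END { exit !found }' || return 2
    for keep in "$@"; do
        if printf '%s\n' "$sim" | removed_packages | grep -qxF -- "$keep"; then
            return 1
        fi
    done
    return 0
}
```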

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: when to update iceweasel?
« Reply #8 on: 2015/08/07, 21:47:19 »
@cas - libreoffice from the document foundation works without flaws, kano also has mirrored packages - unfortunately the experimental version of LO (thought as a fix for the new dependencies was built against libboost-$foo1.55, current and working is 1.5.8) so i would let it go and use current packages from the document foundation.

Second solution - use a different browser or wait

Offline michaa7

  • User
  • Posts: 2.295
Re: when to update iceweasel?
« Reply #9 on: 2015/08/07, 23:01:50 »
...
So,  what are we supposed to do?
Is it wise to wait until the transition is over?


If you don't like to fumble around with substitute packages from various non Debian sources just abstain from using IW for the time being. As a temporary fallback you probably (worked here) may install or update chromium without dependencies to other packages (you may import your bookmarks to it).
Ok, you can't code, but you still might be able to write a bug report for Debian's sake

Offline vilde

  • User
  • Posts: 708
Re: when to update iceweasel?
« Reply #10 on: 2015/08/07, 23:20:17 »
@ melmarker, I don't like your tone, you don't have to be rude. I'm just a user here no developer, I don't read changelogs because I normally don't understand anything in them. And the first thing I did was to try to update iceweasel but it wants to remove a lot of packages of which I don't know anything or what they belong to so I didn't.


@vilde - one way would be: use your brain and read the changelog
@cas: apt-get install iceweasel should do the trick


Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: when to update iceweasel?
« Reply #11 on: 2015/08/07, 23:22:04 »
sorry - couldn't test any of the frosted animals - i use the original for years now - if one want to use firefox or thunderbird not systemwide, local installations (in the userdir) might be sufficient

Offline vilde

  • User
  • Posts: 708
Re: when to update iceweasel?
« Reply #12 on: 2015/08/07, 23:28:02 »
thanks ;)

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: when to update iceweasel?
« Reply #13 on: 2015/08/07, 23:33:22 »
@vilde: sorry for being rude

All of us should have in mind that we are in the biggest transition in debian ever - so a lot of packages will break. This is not a problem for the debian developers nor should it be for us. The solution for most of the problems is doing nothing, some problems (security wise) can be solved with partial upgrades as described in the gcc fallout thread http://forum.siduction.org/index.php?topic=5719.0. And at some point one has to decide what is his most important goal - a full working system, current packages, security upgrades. If doing nothing is not an option one will have to let some packages go. Fortunately for Libre Office there is the workaround with the project packages.

I suggest to get familiar with these options and workarounds - the transition will last longer than we think (devil bets on 3-4 weeks iirc, i would bet on the double or triple time)

Offline clubex

  • User
  • Posts: 265
Re: when to update iceweasel?
« Reply #14 on: 2015/08/08, 00:58:06 »
While this gcc transition is occurring I've switched to a stable distro. A step backward but fewer problems. I'll return to siduction as my everyday system when unstable has settled down.