Firefox 78 ESR reached its end of life on 2 November - five weeks ago - but the new version, Firefox 91 ESR has not arrived in Debian Stable (or indeed testing, which I am using now). That means that a number of issues that are fixed in 91 ESR will not be fixed in Firefox 78 ESR, leaving users exposed to vulnerabilities until 91 ESR arrives.
Although there are no reports of any of these vulnerabilities being exploited against users, being weeks overdue for security updates is not a good place to be.
If this makes you nervous, I will detail how to update to the latest version below.
The story has gone round the internet with an added dose of FUD. It is an example of how one web site runs a story it read on another web site, which read it on a blog somewhere, and nobody bothers to fact-check it.
The story first appeared on BaronHK's Rants, a blog by... somebody. techrights.org reprinted it, and then Phoronix and The Register covered it.
The story notes the open vulnerabilities (which is true), but the blog and the re-runs all claim that Debian won't be able to push Firefox 91 ESR to Stable because Stable isn't up to date enough. This claim comes from a bug report linked from the blog, where a post on 8 November says:
Firefox-ESR 91.3 doesn't use OpenGL GLX anymore. Instead it uses EGL by
default.
EGL requires at least mesa version 21.x.
Debian stable (bullseye) ships with mesa version 20.3.5
For the nvidia users the following bug report might be important...
Nobody at Phoronix or The Register thought to check the progress of the bug report before running the story. If they had, they would have noticed that the bug was closed on 7 December and that the problem had nothing to do with the above: it was in fact in cubeb (an audio component, apparently).
So, baseless FUD from a random blog gets spread around the internet.
Debian of course has to make sure that the new Firefox ESR release doesn't have bugs. If you are nervous about using Firefox 78 ESR in Debian, here is one way to get the latest version (there are other ways).
Add the Ubuntuzilla repository and key to your Debian sources, update and install either the latest ESR, or the latest Mozilla build, Firefox 95, which is what I did (I am running Testing after all).
Note that you will have to uninstall firefox-esr first (which will automatically install the Epiphany browser). You can then install from Ubuntuzilla. If you don't, you will get this error message:
dpkg-divert: error: 'diversion of /usr/bin/firefox to /usr/bin/firefox.ubuntu by firefox-mozilla-build' clashes with 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
dpkg: error processing archive /var/cache/apt/archives/firefox-mozilla-build_95.0-0ubuntu1_amd64.deb (--unpack):
 new firefox-mozilla-build package pre-installation script subprocess returned error exit status 2
dpkg-divert: error: mismatch on divert-to
  when removing 'diversion of /usr/bin/firefox to /usr/bin/firefox.ubuntu by firefox-mozilla-build'
  found 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
dpkg: error while cleaning up:
 new firefox-mozilla-build package post-removal script subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/firefox-mozilla-build_95.0-0ubuntu1_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
Installing anything from Ubuntu on Debian is normally a bad idea, as mixing distributions can pull in incompatible library versions and leave the system unstable, but in this case it is fine, because the repository carries only the binary builds Mozilla itself publishes, repackaged as .debs, so nothing else on the system is replaced. You are, however, now trusting a third party's signing key for your browser, so compare the key's fingerprint with the one published on the Ubuntuzilla project page before adding it.
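The Ubuntuzilla route above, written out as a script with the checks I would add before trusting a third-party repository: a dedicated keyring instead of the global apt trust store, an apt pin so the repository can never supply anything other than the Mozilla builds, and a test for the /usr/bin/firefox diversion clash that produced the dpkg error shown above. This is an added example, not code from the original post or from the Ubuntuzilla project. The repository line and the package names are assumptions taken from my reading of the Ubuntuzilla instructions and must be checked against them; the signing key ID is deliberately not hard-coded and has to be exported as UBUNTUZILLA_KEY_ID from the project page. The sample dpkg-divert line used in the comments is constructed from the error message above.

```shell
#!/bin/sh
# Added example (not from the original post or the Ubuntuzilla project).
# Assumptions: the repository line and package names below follow the
# Ubuntuzilla instructions and must be verified there; the key ID is supplied
# by the caller through UBUNTUZILLA_KEY_ID rather than hard-coded here.

UBUNTUZILLA_REPO="deb [signed-by=/usr/share/keyrings/ubuntuzilla.gpg] http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main"

# Return 0 when the `dpkg-divert --list` output in $1 shows /usr/bin/firefox
# diverted by a package other than the one about to be installed ($2).
# That is exactly the state that makes dpkg-divert abort with "clashes with".
# A line looks like (constructed from the error output above):
#   diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr
diversion_conflict() {
    divert_output=$1
    new_pkg=$2
    owner=$(printf '%s\n' "$divert_output" \
        | sed -n 's#^diversion of /usr/bin/firefox to [^ ]* by \(.*\)$#\1#p' \
        | head -n 1)
    if [ -n "$owner" ] && [ "$owner" != "$new_pkg" ]; then
        return 0
    fi
    return 1
}

# Print an apt preferences file that stops the third-party repository from
# ever supplying anything except the Mozilla builds we asked for.
# Priority 1 means "never install unless nothing else provides the package";
# 500 is the normal priority of a configured repository.
ubuntuzilla_pin() {
    cat <<'EOF'
Package: *
Pin: origin downloads.sourceforge.net
Pin-Priority: 1

Package: firefox-mozilla-build firefox-esr-mozilla-build
Pin: origin downloads.sourceforge.net
Pin-Priority: 500
EOF
}

# The full procedure; run as root. Not executed by the example itself.
install_from_ubuntuzilla() {
    new_pkg=${1:-firefox-mozilla-build}
    key_id=${UBUNTUZILLA_KEY_ID:?set to the key ID published on the Ubuntuzilla page}

    # Fetch the signing key into its own keyring (not the global apt trust
    # store) and print the fingerprint so it can be compared with the one the
    # project publishes before anything from the repository is installed.
    gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntuzilla.gpg \
        --keyserver keyserver.ubuntu.com --recv-keys "$key_id"
    gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntuzilla.gpg \
        --fingerprint "$key_id"

    printf '%s\n' "$UBUNTUZILLA_REPO" > /etc/apt/sources.list.d/ubuntuzilla.list
    ubuntuzilla_pin > /etc/apt/preferences.d/ubuntuzilla

    # firefox-esr and the Mozilla build both divert /usr/bin/firefox, so the
    # Debian package has to go first or dpkg aborts with the clash shown above.
    if diversion_conflict "$(dpkg-divert --list /usr/bin/firefox)" "$new_pkg"; then
        apt-get remove -y firefox-esr
    fi
    apt-get update
    apt-get install -y "$new_pkg"
}
```

Sourcing the script and calling `install_from_ubuntuzilla firefox-esr-mozilla-build` installs the ESR build instead of the current release; either way the pin file means an `apt-get upgrade` later can never pull an unrelated package from the third-party repository.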
Update: some information from a Debian developer about the delay.
Work on this is nearing completion.
Please note that Mozilla is constantly updating to newer rustc and LLVM
versions. That means that preparing a new major ESR release for Debian
requires not just the packaging of the firefox-esr and thunderbird
updates, but also some very complex toolchain components. Those
components are usually already in unstable/testing, but for stable,
oldstable, and LTS, the toolchain must be backported first.
Debian also supports additional hardware architectures and the toolchain
components sometimes require specific work in order to support those
additional architectures. In fact, that was the case with this current
update that is underway.
...
It is lamentable that it has taken this long, but that is not an
indication of a lack of effort on the part of the people in Debian
working on this.
lists.debian.org
From Piorunz on the mailing lists, here is an alternative method to update Firefox ESR, preserving the user profile until Firefox ESR is updated in Debian.
lists.debian.org
Piorunz also points out that Mesa is not the problem in a post on Phoronix:
Works perfectly fine with Debian Stable and Mesa 20.3.5, because Firefox 91 ESR detects the Mesa version and adjusts acceleration settings accordingly:
Code:
X11_EGL
available by default
blocklisted by env:
Blocklisted by gfxInfo
Phoronix