Firefox ESR 128 has reached its EOL, which means no more security fixes. The new version (140) has only just gone into Unstable, so there will be a period of testing as 140 moves from Unstable to Testing, then to Trixie (the current stable release of Debian), and to the older still-supported releases.
There are currently seven security issues affecting Firefox ESR 128.
Just to be utterly sensationalist, I looked for anything scary about these vulnerabilities. Well, this is pretty scary:
A remote code execution vulnerability has been identified in Firefox versions below 143 and Firefox Extended Support Release (ESR) below 140.3. This vulnerability allows attackers to execute arbitrary code on affected installations, which could lead to unauthorized access and manipulation of user systems. It is crucial for Firefox users to update to the latest version to mitigate potential exploitation risks.
The reason for the "(again)" in the title is that this is not the first time this has happened. See this post from 2021.
I have no idea why Debian does not begin the process of switching to the new ESR version before EOL. If anybody does, please let me know in the comments.
Debian users concerned about the security vulnerabilities present in Firefox ESR 128 can use an alternative browser like Chromium, or install Firefox directly from Mozilla.