Does Firefox 60.7.2 ESR contain the security fix detailed in "CVE-2019-11702: IE protocols can be used to open known local files"?
After looking through the security fixes for Firefox ESR, I don't see "CVE-2019-11702: IE protocols can be used to open known local files" addressed anywhere. This was fixed in Firefox non-ESR 67.0.2 (released 06/11/2019) under 2019-16.
ESR 60.7.2 was released 06/20/2019, so I'm assuming that it'd include the 2019-16 security fix, but the Mozilla site detailing security fixes does not show that. Is it possible to confirm if 60.7.2 patches out the known vulnerability?
Chosen solution
Hi, Firefox 60.0esr will not receive a fix for this particular vulnerability. The first version of the 68.0esr release train, which just got released today, does contain a patch for it though.
According to https://www.mozilla.org/en-US/firefox/organizations/ Mozilla is only committing to backporting fixes for high-risk/high-impact vulnerabilities to the extended support release - https://www.mozilla.org/en-US/security/advisories/mfsa2019-16/#CVE-2019-11702 in particular was only classified as moderate though...
All Replies (2)
This is exactly what I needed to know. Thanks for the quick response!