Version 128.8.0esr-1 of firefox-esr is marked for autoremoval from testing on Sun 13 Apr 2025. It is affected by #1099130. The removal of firefox-esr will also cause the removal of (transitive) reverse dependencies: debianbuttons, firefox-esr-mobile-config, gnome-kiosk, libfirefox-marionette-perl, pybrowsers. You should try to prevent the removal by fixing these RC bugs.
CVE-2024-11704:
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
CVE-2024-11704:
A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
Lintian reports
5 errors
and
5 warnings
about this package. You should make the package lintian clean getting rid of them.
Standards version of the package is outdated.
high
The package is severely out of date with respect to the Debian Policy.The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.7.2 instead of
3.9.8.0).
debian/patches: 20 patches to forward upstream
low
Among the 20 debian patches
available in version 128.8.0esr-1 of the package,
we noticed the following issues:
20 patches
where the metadata indicates that the patch has not yet been forwarded
upstream. You should either forward the patch upstream or update the
metadata to document its real status.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/f/firefox-esr.png){kind=link}