Firefox update availability time

A Firefox security update was released on December 9th (140.6.0), which is not available yet for Leap 16 (it’s an update from a Slackware system that made me aware of this); should we be concerned about it?

@seb_fr_62 Don’t use Firefox? Are you affected?
Security Vulnerabilities fixed in Firefox ESR 140.6 — Mozilla

I might indeed not be affected, and I could also use another internet browser.
But I’m surprised by the delay in addressing it, and that’s what concerns me more.

It is completely normal that packaging, QA and deployment take some days.

ok, thanks

Well, yes… I appreciate QA and that stuff. Making use of QA could be a reason to rely on the standard repositories and not on Mozilla OBS.

But often it takes up to 1 week, not seldom even 2!

And for Thunderbird (ESR) some ESR update releases are completely missing.

I don’t like this situation! I don’t always view the release notes and security notes to check if I could be affected. It is like this: Leap ships with ESR releases of Firefox and Thunderbird. And almost every ESR update includes security fixes: well, yes, actually not every single update release — but really almost all of them. And 1 up to 2 weeks is a really long time for security concerns (whatever they may be in detail)!

You need to voice your concerns at the right places then.

You can speed up the build process by being the one who provides the patch via the GitHub workflow the second the upstream release notes appear. But QA and deployment can hardly be accelerated.

Well, I had a certain conversation with the likes such as

Some things are as they are (*)… Some could be improved — but not by me. And some points I just didn’t understand.

(*):

Specifically why I cannot participate in coding: I cannot code. I am a mathematician — but sadly I cannot code. I have tried it several times, and I have tried learning it several times: but I just cannot.

I participate in some way in OSS projects: I submit (detailed) bug reports (not just FRs…!) and I help support a database for a certain project: that might be boring somehow, but it must be done to really benefit from the project/software.

@C7NhtpnK, You do realize that you could head over and purchase one (or more even) SLES 16.0 subscriptions, then add the Desktop Extension module, then create a support ticket?

But, also consider that now it’s getting close to holiday times, or is it your expectation that maintenance on a particular web browser should continue, considering there are alternatives, for example other browsers, tarballs, flatpaks, if you are that concerned?

Overall, not bad for a free product… :person_shrugging:

This made me look at SUSE Linux Enterprise Desktop at least at last. I expected it to be more expensive… I think it IS expensive for a common private user: € 139,23 … per year?! (€ 374,85 for 3 years) I would pay the € 150 for all 16.x life long — not for one year. I am not a company or freelancer, I am a retired private person.

It is NOT about the holiday season! I have noticed this for a long time. And I have had some conversations with some of the people mentioned above every now and then. (The conversations have been friendly…)

Well, personally, I actually use Mozilla Firefox and Thunderbird wherever I can: on my devices, at my family/friends, on Linux, on Windows, on macOS, on Android, and on iPhone (where possible).

Tarballs? Flatpaks? Really? — I do use Flatpaks, Snaps, AppImages, direct binaries … — for specific “special” purpose, but I expect an OS with a reliable repository system.

Your opinion.

I like openSUSE (Leap, Tumbleweed, Slowroll) as a free product in general. But yes, I am not fully satisfied. There are other distributions with faster update support (at least, for “important” packages). And it is not just about rolling release <> fixed release.

I did some quick research. Of 10 distributions which use FF ESR, only 2 have the latest version 140.6 (Slackware and Oracle Linux). So?

SLED is only available for 15 SP7, no more after that, SLES 16.0 is all that is available now.

Again, many packages are maintained on the SUSE side and not by openSUSE, AFAIK MozillaFirefox is one of them, so no one on the openSUSE Project can do anything.

You do realize that Leap Micro, MicroOS, Aeon and Kalpa expect you to only use flatpaks, distrobox and podman in userspace…

No, as a helper here and in many other places and also a Package (mainly Leaf ones) Maintainer, I do stuff when I can, not beholden to anyone else or their time schedules.

You may want to use the Mozilla repo, for the time being, which has Firefox-esr 140.6.0 as well as Firefox 146.0 for Leap 16: https://download.opensuse.org/repositories/mozilla/16.0/
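As an added example (not part of this reply and not the openSUSE project's own tooling), a small POSIX shell check that tells a user whether the package on their system is still older than the version an advisory names as fixed, for instance Firefox ESR 140.6.0 from the link in the first post. The package name MozillaFirefox is the one mentioned in this thread; the rpm query format and the script's argument layout are assumptions, and the version comparison assumes dotted, purely numeric version strings.

```shell
#!/bin/sh
# Added example: compare an installed package version against the version an
# advisory names as fixed, e.g. "./check.sh MozillaFirefox 140.6.0".

# version_lt A B: exit 0 when A is strictly older than B.
# Works field by field on dotted numeric versions (140.5.0 < 140.6.0);
# a trailing dot is appended so "cut" never falls back to the whole line.
version_lt() {
    i=1
    while :; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i")
        y=$(printf '%s.' "$2" | cut -d. -f"$i")
        # both strings exhausted: versions are equal, so not "less than"
        [ -z "$x" ] && [ -z "$y" ] && return 1
        x=${x:-0}; y=${y:-0}        # missing trailing field counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# fix_status INSTALLED FIXED: print "vulnerable" or "fixed" for easy scripting.
fix_status() {
    if version_lt "$1" "$2"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# installed_version PKG: query rpm for the installed version of PKG
# (assumed package name, e.g. MozillaFirefox on openSUSE).
# Fails when rpm is unavailable or the package is not installed.
installed_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}' "$1" 2>/dev/null
}

# Command-line use: PKG FIXED_VERSION (skipped when sourced without arguments).
if [ "$#" -eq 2 ]; then
    cur=$(installed_version "$1") || {
        echo "cannot query $1 (rpm missing or package not installed)" >&2
        exit 2
    }
    printf '%s installed=%s fixed=%s status=%s\n' \
        "$1" "$cur" "$2" "$(fix_status "$cur" "$2")"
fi
```

The comparison is deliberately done in plain shell rather than with `rpm --eval` or `zypper`, so the same function can be reused in a cron job that only has the version strings at hand; adding the Mozilla repo itself is still the `zypper ar` step described in the reply above.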

So?! My first try: Debian -- Package Search Results -- firefox

Even worse. What should I do with SLES (rather than SLED)?

This is why I talked to

for example.

This is what the maintainers of the Mozilla OBS also told and suggested to me: and they actually do it just this way. Obviously without any (major) problems.

I do think about it: adding the Mozilla OBS to my list of repositories. Again. — I had it some time ago. Then I was experiencing one issue and community told me better not to do so, rely just on standard repositories. So?

@C7NhtpnK If those other distributions suit your needs, then it’s your call to go use them; it’s not like anyone is stopping you?

If you think you’re vulnerable, then it’s up to you to use/not use?

Great point! Really? Should I answer something like “it’s not like anyone is stopping me pointing to this” or even “it’s not like anyone is stopping me complaining about this”? Really?

I just don’t know!

But there are many ESR release updates with security fixes. Personally, I don’t know about them in detail.

I don’t evaluate them in detail. I just read the notes. This is actually more than many, many other people do (I even know people in the IT industry that don’t (on their private systems)).

And again:

So, I also cannot evaluate them in detail. Can you? Do you? If so, who else? Do you expect this from ordinary common users?

@C7NhtpnK I provided a link to the update and CVEs; sure, that’s for you, as you put it a “common” user, to investigate and decide.

You do realize that many packages have one person maintaining them; in most cases CVEs have an embargo period for distributions to update, in openSUSE that’s Bugzilla and Security Incidents, so you have been using a product that was likely impacted way before this thread even started…

You can see here the status once the embargo has been lifted and the security incident made public:

For example, all the details: https://www.suse.com/security/cve/CVE-2025-14333.html — this will give you an idea as to the impact for you.

@malcolmlewis Thank you!

But does this not hold for Show mozilla - openSUSE Build Service like Show mozilla / firefox140esr - openSUSE Build Service and Show mozilla / thunderbird140esr - openSUSE Build Service?

I don’t get it…

And why do maintainers do all the work in Show mozilla - openSUSE Build Service when the “official” packages in Leap derive from SLE and thus Mozilla OBS obviously could be unnecessary?

Maybe I miss a specific point, I don’t get it, I am naive… I don’t know.

Sorry for any inconvenience. My postings in this thread are not meant to be offensive. I am just (really) concerned. And I am a user, a common ordinary user. And I just noticed something like

(already several times before…!).

The openSUSE Build Service development projects are focused on Tumbleweed, many publish other product releases as courtesy/testing and for pushing (or pulling) to SUSE for further integration in Leap.

At a point in time Leap 16.1 alpha will cherry pick from those development repos for inclusion into the next release.

This means they do it mainly (sometimes originally meant “solely”) for Tumbleweed? And as a gratis bonus also for Leap… because it is possible, and actually easily possible (namely just like that)?

Well, nice! Very nice! Where do I get info like this?