Does Firefox 60.7.2 ESR contain the security fix detailed in "CVE-2019-11702: IE protocols can be used to open known local files"?
After looking through the security fixes for Firefox ESR, I don't see "CVE-2019-11702: IE protocols can be used to open known local files" addressed anywhere. This was fixed in Firefox non-ESR 67.0.2 (released 06/11/2019) under 2019-16.
ESR 60.7.2 released 06/20/2019 so I'm assuming that it'd include the 2019-16 security fix but the Mozilla site detailing security fixes does not show that. Is it possible to confirm if 60.7.2 patches out the known vulnerability?
Chosen solution
hi, firefox 60.0esr will not receive a fix for this particular vulnerability. the first version of the 68.0esr release train, which just got released today does contain a patch of it though.
according to https://www.mozilla.org/en-US/firefox/organizations/ mozilla is only committing to backporting fixes for high-risk/high-impact vulnerabilities to the extended support release - https://www.mozilla.org/en-US/security/advisories/mfsa2019-16/#CVE-2019-11702 in particular was only classified as moderate though...
Read this answer in context 👍 1All Replies (2)
Chosen Solution
hi, firefox 60.0esr will not receive a fix for this particular vulnerability. the first version of the 68.0esr release train, which just got released today does contain a patch of it though.
according to https://www.mozilla.org/en-US/firefox/organizations/ mozilla is only committing to backporting fixes for high-risk/high-impact vulnerabilities to the extended support release - https://www.mozilla.org/en-US/security/advisories/mfsa2019-16/#CVE-2019-11702 in particular was only classified as moderate though...
This is exactly what I needed to know. Thanks for the quick response!