Re: [Bug-gnuzilla] Up-to-date IceCat source tarballs now available via GNU Guix

[address@hidden]

Hello everyone,

This is my first message on this ml so bare with me. It has been a few
weeks since the Firefox CVE was detailed and a fix was released,
however, the binary and source distributions for Icecat have not been
updated. Effectively a very large portion of the Icecat users will be
vulnerable to this CVE and I see little movement towards fixing this.

I find that combined with that there is no information online addressing
the vulnerability of the current Icecat release concerning.

Looking forward to hearing what you think about this.

Kind regards,
Corne Lukken (Dantali0n)

On 6/25/19 10:50 AM, Mark H Weaver wrote:
> Antonio Trande <address@hidden> writes:
>> Where the source is hosted?
> 
> I'm not able to make it available for direct download at this time.
> For now, all I can offer is the ability to build it using Guix.
> 
>       Mark
> 
> 
>> On 24/06/19 18:34, Mark H Weaver wrote:
>>> GNU Guix is now capable of producing up-to-date source tarballs for
>>> IceCat that should hopefully build on any system that IceCat supports.
>>>
>>> For example, GNU Guix has icecat-60.7.2-guix1, which includes fixes for
>>> CVE-2019-11707 and CVE-2019-11708, which are apparently quite serious
>>> flaws that are being actively exploited in the wild.
>>>
>>> The IceCat source tarballs produced by GNU Guix are almost identical to
>>> the official IceCat tarballs, except that the timestamps and file
>>> ordering in the tarball are canonicalized, and a few manifest files
>>> within the tarball are sorted differently.
>>>
>>> After installing Guix <https://gnu.org/s/guix>, the command to produce
>>> the IceCat tarball is:
>>>
>>>   guix build --source icecat
>>>
>>>       Mark
>>>
>>> --
>>> http://gnuzilla.gnu.org
>>>
> 
> --
> http://gnuzilla.gnu.org
>