Firefox zeroday patch

I’ve been curious about the status of a patch for PureBrowser in Amber; I know it’s currently based on Firefox ESR 60.9, which reached end-of-life in November. Is it affected by the vulnerability? If so, is a patch possible given upstream end of support?

Given the amount of work and divergence from upstream Firefox we’re no longer going to support Purebrowser. My first recommendation is to use a different browser, like Epiphany, or to download Firefox directly from Mozilla.

My second recommendation is to ensure that you have an updated package repository for your system. You can ensure you have up-to-date package repositories by following these instructions to add amber-updates and amber-security if you do not yet have them: https://tracker.pureos.net/w/pureos/software_center/software_sources/

1 Like
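One way to check the repository advice above, as an added example that is not part of the original thread: a shell function that reports which of the `amber-updates` and `amber-security` suites have no active `deb` line in a one-line-format APT sources file. The function name, the sample file and its `repo.example.invalid` host are constructed for illustration; deb822-style `.sources` files are not handled.

```shell
# Added example, not from the thread. Suite names are the ones named above.
REQUIRED_SUITES="amber-updates amber-security"

# missing_suites FILE...
# Prints every required suite that has no active "deb" entry in the given
# one-line-format sources files (hypothetical helper name).
missing_suites() {
    for suite in $REQUIRED_SUITES; do
        if ! awk -v want="$suite" '
            /^[[:space:]]*#/ { next }   # commented-out entry is not active
            $1 != "deb"      { next }   # skip deb-src lines and blank lines
            {
                i = 2
                # skip an optional [opt=val ...] block, which may span fields
                if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
                # field i is the URI, field i+1 is the suite
                if ($(i + 1) == want) found = 1
            }
            END { exit !found }
        ' "$@"; then
            printf '%s\n' "$suite"
        fi
    done
}

# Constructed sample with a placeholder host, not a real PureOS sources.list:
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb https://repo.example.invalid/pureos amber main
# deb https://repo.example.invalid/pureos amber-updates main
deb [arch=amd64] https://repo.example.invalid/pureos amber-security main
EOF
missing_suites "$sample"   # prints: amber-updates
rm -f "$sample"
```

An empty result means both suites are enabled; a commented-out entry, as in the sample, counts as missing.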

Is it affected by the vulnerability?

This requires investigation to determine because we remove portions of Firefox and Debian (our upstream) does the same.

If so, is a patch possible given upstream end of support?

Likely no, it is best practice to use the browser directly from the source. In the case of Firefox, that is Mozilla. We’ve tried to work with Mozilla to maintain Purebrowser in PureOS but they don’t share our goals at this point in time.

1 Like

Amber is the “stable” PureOS distribution. It receives updates but it does not receive new software. It does receive backported security updates. Byzantium is the “rolling release” of PureOS, it receives lots and lots of updates and new software. It is inherently more unstable however.

1 Like

Thanks Jeremiah. How do I find the address of the Byzantium repo? Just Google it?

Maybe follow hints here: Pureos rolling release

However I think you will also want to comment out “Amber” if changing over.

As to whether one or the other is “approved”, I think that depends on your goals.

  • Get work done with the minimum of disruption - Amber
  • Always have the latest and greatest - Byzantium

My 2c.

1 Like

Thanks again for the quick reply (that was fast). I found the Byzantium info on a prior post from last November. Thanks again

you could also dual-boot both Amber and Byzantium or have one or both in a VM …

1 Like

That reminds me, I should write up a quick HowTo on creating a PureOS Byzantium VM.

3 Likes

Thanks for the clarification, Jeremiah. Have you thought about updating the Amber ISO to remove PureBrowser, replacing it with Epiphany in the default install? Technically it goes against the concept of a stable release, I know, but it may be a good safeguard to prevent new users from using an unsupported and potentially unsecure browser.

1 Like

Yes, this is something we’ve thought about. However, there is still a large installed base that is not addressed by these actions and we need to help those folks. This is why our current focus is on updating Purebrowser through our amber-update or amber-security channel.

Does that mean Purebrowser is or isn’t going to receive future security updates? It sounded like it isn’t from now on, which would mean we should all stop using it ASAP and move on to an alternative? Or perhaps I interpreted your last statement incorrectly and it would only stop receiving security updates if Debian doesn’t provide any more ESR updates?

Okay, I may have screwed something up. Any help would be greatly appreciated. I added the Byzantium repos to PureOS Software & Updates. I updated 59 applications and they look great. I then downloaded the latest version of Firefox and could/can only launch Firefox via CLI when I typed in ~/firefox/firefox. Firefox does not show up as an application on the GUI or on my favorites bar. I double clicked on the Software & Updates application and it did not launch. I restarted my laptop and tried to launch Software & Updates again, but no response. I uninstalled Software & Updates (with the intention of re-installing it) but now I don’t have the Software or Software & Updates application on my GUI at all. My questions are:

  1. How do I get the “Software” and “Software & Updates” applications re-installed on my GUI?
  2. What step(s) am I missing with Firefox? How come Firefox does not show up on my GUI’s applications list or the favorites bar? How do I get them there?

I realize it’s Saturday but if anyone knows what I am missing can you clue me in after the weekend? Thanks

have you tried to start firefox from the CLI ? then when it pops up look in the launch-toolbar and see if it’s there then > right click > add to favorites (that’s how it should be on Gnome DE)

to search for packages :

  1. elevate your privileges with sudo or su
  2. apt search "at-least-part-of-the-name-of-the-package-you-want"
  3. make a note in your mind or in the clipboard or copy/yank the name of the package you want from the list

to install :

  1. elevate your privileges with sudo or su
  2. apt install "exact-name-of-the-package"
    or
    apt install "at-least-part-of-the-name-of-the-package-you-want"
  3. confirm

in your case it’s > apt install gnome-software
just make sure you have the privileges to install …

wait what ? are you from the future ? where i am it’s Thursday morning jan 16 2020 … back to the future now i guess …

1 Like

Or from the past?

When I added Firefox from Mozilla, I had to add a firefox.desktop entry. Others have described how to do that in this forum, e.g. here. I put mine in /usr/share/applications, however. That added Firefox to the Applications menu and everything was fine.

Maybe one does not have to do that anymore, but I thought I would chime in.

1 Like

Thanks for the help. I will try the CL input. I think that should help. Oddly, right clicking the tool bar to add to favorites is the way I usually do it but, in this case, does work. Thanks again.

1 Like

Oops, I drive 18 hours from Illinois to Arizona and posted my question right before I went to sleep. Yeah, it’s Thursday.

2 Likes

Jeremiah, you were saying: “My first recommendation is to use a different browser, like Epiphany”
Are you needing to do anything to “Epiphany” in regards to Privacy & Security? Or is it accepted that it is all OK in that respect?