• Welcome to Support Forum: Get Support for Patch My PC Products and Services.
 

Issue with Firefox ESR's dual release cycles

Started by hstahl, September 27, 2023, 09:11:45 AM

Previous topic - Next topic

hstahl

From another thread on this board I understand that PatchMyPC's stance regarding Firefox ESR is that only the "older" ESR build will be deployed/patched (https://patchmypc.com/forum/index.php?topic=5891.msg14510#msg14510).  While I understand your rational, we are having an issue because Mozilla is not updating the older ESR in accordance to what they said they will do.  To clarify based on this site Mozilla says they will back port high security updates to the older build:

https://support.mozilla.org/en-US/kb/firefox-esr-release-cycle

However, they are not doing that.  In July a high (8.8) CVE (https://nvd.nist.gov/vuln/detail/CVE-2023-3600#range-9419430) was announced impacting all versions of Firefox.  To date they have only provided an update for the 115 build of ESR.  All of our installs are being reported as vulnerable to the CVE from Qualys despite being on the latest 102 build.

So is there any chance PMPC will start to support both the older and newer ESR deployment?  Our only other alternative here is to block/remove Firefox ESR from our environment as Mozilla's failure to update high security vulnerabilities isn't tenable.

Thanks

Omar (Patch My PC)

#1
Firefox ESR 102 has officially reached EOL and will not receive any more updates.
Firefox ESR 115 is now the only active ESR, And it was published yesterday in the home updater and the enterprise/catalog.