Adrian Bunk
2017-06-03 14:20:03 UTC
Package: release-notes
Severity: important
5.2.1. Security status of web browsers
Debian 9 includes several browser engines which are affected by a steady
stream of security vulnerabilities. The high rate of vulnerabilities and
partial lack of upstream support in the form of long term branches make
it very difficult to support these browsers with backported security
fixes. Additionally, library interdependencies make it impossible to
update to newer upstream releases. Therefore, browsers built upon the
webkit, qtwebkit and khtml engines are included in Stretch, but not
covered by security support. These browsers should not be used against
untrusted websites.
For general web browser use we recommend Firefox or Chromium.
Chromium - while built upon the Webkit codebase - is a leaf package,
which will be kept up-to-date by rebuilding the current Chromium
releases for stable. Firefox and Thunderbird will also be kept
up-to-date by rebuilding the current ESR releases for stable.
Note how from the headline to the sugested mitigation everything
talks about web *browsers*.
These browser engines are used in many places other than web browsers,
and the documentation should cover the problem properly.
As an example, Evolution in jessie (installed as part of GNOME)
renders HTML emails with a browser engine with around 100 unfixed CVEs.
The problem is not limited to this specific browser engine,
there are several others and their reverse dependencies where
users of Debian jessie or stretch are vulnerable to known CVEs.
I do not know how to word that both technicall correct
and without stating "do not run Debian on a desktop".
Severity: important
5.2.1. Security status of web browsers
Debian 9 includes several browser engines which are affected by a steady
stream of security vulnerabilities. The high rate of vulnerabilities and
partial lack of upstream support in the form of long term branches make
it very difficult to support these browsers with backported security
fixes. Additionally, library interdependencies make it impossible to
update to newer upstream releases. Therefore, browsers built upon the
webkit, qtwebkit and khtml engines are included in Stretch, but not
covered by security support. These browsers should not be used against
untrusted websites.
For general web browser use we recommend Firefox or Chromium.
Chromium - while built upon the Webkit codebase - is a leaf package,
which will be kept up-to-date by rebuilding the current Chromium
releases for stable. Firefox and Thunderbird will also be kept
up-to-date by rebuilding the current ESR releases for stable.
Note how from the headline to the sugested mitigation everything
talks about web *browsers*.
These browser engines are used in many places other than web browsers,
and the documentation should cover the problem properly.
As an example, Evolution in jessie (installed as part of GNOME)
renders HTML emails with a browser engine with around 100 unfixed CVEs.
The problem is not limited to this specific browser engine,
there are several others and their reverse dependencies where
users of Debian jessie or stretch are vulnerable to known CVEs.
I do not know how to word that both technicall correct
and without stating "do not run Debian on a desktop".