Date: 2021-11-26

Yesterday, Debian released the 11.2 update.

Notably missing is Firefox 91.x ESR, which replaced Firefox 78 ESR upstream months ago. It’s available, but masked. I had to use a special command to bring it in.

```
sudo apt-get -t=bullseye install firefox-esr
```

At this point, the security situation has gone from bad to seriously bad.

There are now 17 unpatched CVEs (some of which have multiple actual defects attached to them) which affect Debian 11’s Firefox 78.15 ESR, which has been unmaintained for over 2.5 months.

If anyone is still using this, they need to move over to a browser which is current with its security patches. Debian has been bumping WebKitGTK, so GNOME Web is safe to use (or you can install it from Flatpak), and Brave bumps their browser to be in line with Chromium’s latest updates.

The fact is that this is mostly Mozilla’s fault because they chose to depend on an entirely new version of Mesa out of nowhere in the middle of an ESR series. Firefox ESR 91.2 would have built on Debian 11, but Firefox 91.3+ needs new system packages.

But the fact remains that Debian _chose_ to depend on Firefox, they _chose_ to make it their default browser even though Mozilla has gone insane and nothing they release is stable, so Debian owns this mess.