Hacker News
by palata 621 days ago
> The vulnerability impacts the latest Firefox (standard release) and the extended support releases (ESR).

Does that mean it impacts Firefox 131.0.+, Firefox ESR 115.16.+ and Firefox ESR 128.3.+?

I.e. Firefox 130.0.+ or Firefox ESR 114.+.+ are fine? It's not clear to me when the vulnerability was introduced...

2 comments

> This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, and Firefox ESR < 115.16.1.

https://nvd.nist.gov/vuln/detail/CVE-2024-9680

CVE affected range is always far too wide. It obviously can't affect anything before ~75 or so because Firefox didn't have the timeline API before then. It's annoying that they don't distinguish an unknown lower bound.

Well, I think their thinking is that:

* we don’t want users to run 75

* 75 is so riddled with CVEs by now, who cares if there is one more

But I agree it appears lazy because it would have been easy to determine in that case, if I understood you correctly. Someone would have had to test it though, at the very least.

Got my update on Ubuntu this morning, but not seeing any updates for Firefox Android in Google Play yet.