2 memory corruption bugs introduced to Firefox by Debian patches:
bugzilla.mozilla.org/show_bug.cgi?i
bugzilla.mozilla.org/show_bug.cgi?i
Freezing versions of most software for years, backporting a small subset of security fixes and applying broken / strange distribution-specific changes isn't great.
A lot of distributions have these kinds of problems with their packaging but Debian remains the best example.
It's painful working with Debian due to all the distribution-specific broken extensions, hacks, meta-configuration and scripts. It's awful as an upstream maintainer too.
A lot of times people don't realize a ton of the scripts, configuration and odd bugs/extensions are something added downstream. It's also pretty awful having tons of people using ancient versions of your software. Even if you provide supported LTS branches, they won't ship it...
They partially gave in for web browsers, but they still pretend fixing a tiny subset of security issues is adequate for other things. Most security bugs don't get a CVE and they only fix a subset of those, eventually. It's certainly not limited to Debian.
Android seems to have finally realized they need to ship the kernel.org LTS releases at a much quicker pace as part of the monthly updates.
At least they were shipping a larger subset of CVE fixes monthly and the LTS versions via both quarterly and yearly releases.
