
ESR Security Risk
I was browsing this Mozilla wiki: https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal#Risks
and stumbled upon this statement:
Over time the ESR will be less secure than the regular release of Firefox, as new functionality will not be added at the same pace as Firefox, and only high-risk/impact security patches will be backported. It is important that organizations deploying this software understand and accept this.
Can someone elaborate on why ESR versions would be less secure? It was my understanding that ESR versions would get the same security fixes as non-ESR. If someone could clarify that statement for me, it would be appreciated.
Thanks.
Chosen solution
Mozilla classifies each security vulnerability as either critical, high, moderate or low. They choose the classification based on the severity of the issue and the number of users that it impacts.
Only patches classified as critical or high are passed into the Firefox ESR. Patches that are classified as moderate or low are not added to the Firefox ESR.
Because you are not receiving all updates when using the Firefox ESR, it may be less secure than the release version.
ESR versions of any software are generally slightly less secure than the release versions. This is because security patches for the ESR version have to be specially developed for these versions, since the ESR may not be functionally the same as the release version.
As time goes forward, the ESR has been available longer and longer, potentially giving hackers more time to develop exploits. Also, as time moves on, the development team will have made many major functional and security changes to the release version. This means that the ESR may be less secure than the release channel.
Firefox ESR is intended for businesses, so that the IT staff doesn't have to worry about major updates that may break software that they are running on Firefox. Firefox ESR is not ideal for most personal users.
Wesley Branton said
ESR versions of any software are generally slightly less secure than the release versions. This is because security patches for the ESR version have to be specially developed for these versions, since the ESR may not be functionally the same as the release version. As time goes forward, the ESR has been available longer and longer, potentially giving hackers more time to develop exploits. Also, as time moves on, the development team will have made many major functional and security changes to the release version. This means that the ESR may be less secure than the release channel. Firefox ESR is intended for businesses, so that the IT staff doesn't have to worry about major updates that may break software that they are running on Firefox. Firefox ESR is not ideal for most personal users.
But, for any major vulnerability during an ESR lifecycle, a dot version of that ESR will be released, correct?