Discussion:
[blfs-support] Browser vulnerabilities
Ken Moffat
2018-06-11 22:12:54 UTC
For those who don't read -dev :

Firefox had one 'high' CVE (code execution possible via crafted SCG
file) which has been fixed in 60.0.0.2 - patches and instructions
for 60.0.0.1 apply, new version will be in the next rendering of the
book.

Also fixed in 60.0.2ESR and 52.8.1 if anyone is using ESR versions.

Following some links from the Arch report which brought this to my
attention, I found that it was originally raised against chromium,
and that has a lot more vulnerabilities - I've bumped the chromium
ticket, with details of where to get a .tar.gz on github, but I have
no experience building chromium, and no time at the moment.

Meanwhile, qtwebengine has had (backports of) several chromium CVE
fixes - but I can't find the actual code (git just shows submodule
hashes changed, the instructions at qt don't seem to work - or maybe
only work if you clone the whole of Qt, which seems excessive).
Maybe fixes will have to wait for qt-5.11.1 (due on 19th).

This is not a happy place.

ĸen
--
Keyboard not found, Press F1 to continue
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the abov
Paul Rogers
2018-06-13 00:27:35 UTC
Post by Ken Moffat
Also fixed in 60.0.2ESR and 52.8.1 if anyone is using ESR versions.
This is not a happy place.
I'm trying to use 52.8.[01] but it keeps crashing (segfaults in libxul), at virtually every website that does anything fancy. I rebuilt with crash-reporter and have reported several to Moz. No resolution yet.
--
Paul Rogers
***@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)