[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of icedove?

On Fri, Oct 20, 2017 at 01:10:56PM +0200, Moritz Muehlenhoff wrote:
> On Fri, Oct 20, 2017 at 01:06:09PM +0200, Guido Günther wrote:
> > Thanks. Looks good here on Wheezy. Any idea when the versions for Jessie
> > and Stretch will be done? Wheezy was a straight rebuild of your work so
> > Jessie and Stretch should be the same. I'd like to avoid having a newer
> > version in Wheezy for too long. Since there's not even a MFSA for
> > Thunderbird yet I assume there are no really critical issues.
> There is https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/

Missed that one - only saw the one fore Firefox ESR 52.4, thanks.

> But I fail to see how CVE-2017-7793 can be critical for Thunderbird.

Me too but the MFSA has:

| In general, these flaws cannot be exploited through email in the
| Thunderbird product because scripting is disabled when reading mail, but
| are potentially risks in browser or browser-like contexts.

The last ones seemed to be verbatim copies of the Firefox ones with
Thunderbird specific CVEs added - but there weren't any since TB
specific ones since quiet some time.
CVE-2017-7805 and CVE-2017-7810 are likely more serious for thunderbird.
 -- Guido

Reply to: