
Re: Transition of Icedove 24.2.0 to testing



Hello,

On Sun, Feb 09, 2014 at 02:11:21AM -0500, Filipus Klutiero wrote:
> There is no particular issue with migrating icedove to testing. Are
> you saying you intend to upload icedove 24 to wheezy?

Not directly to wheezy; we'll use stable-security to push icedove 24 to
wheezy. This is the same way we do with icedove 17.

> The question is whether icedove 24.2.0-1 is better than 17.0.10-1.
> What security issues in 17.0.10 does 24.2.0 fix? If the team considers
> that 24.2.0 is better than 17.0.10, you can request the release team
> to force it by filing a ticket against release.debian.org.

Icedove 17 is EOL (same as Icedove 10 shortly after the release of wheezy)
and Mozilla is only providing updates for Icedove 24. Almost all fixed
bugs are in libxul and it's too hard to backport the security fixes from
there (same problem with iceweasel).

Icedove 17.0.11 ships almost the same security fixes as icedove 24.1.
But from there on we 'missed' the following:

 MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
 MFSA 2013-108 Use-after-free in event listeners
 MFSA 2013-109 Use-after-free during Table Editing
 MFSA 2013-111 Segmentation violation when replacing ordered list elements
 MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
 MFSA 2013-114 Use-after-free in synthetic mouse movement
 MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
 MFSA 2013-116 JPEG information leak
 MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
 MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
 MFSA 2014-02 Clone protected content with XBL scopes
 MFSA 2014-04 Incorrect use of discarded images by RasterImage
 MFSA 2014-08 Use-after-free with imgRequestProxy and image proccessing
 MFSA 2014-09 Cross-origin information leak through web workers
 MFSA 2014-12 NSS ticket handling issues
 MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects

Most of these security problems are probably in icedove 17.

Cheers,
Christoph
