Re: [SECURITY] [DSA 2911-1] icedove security update
Hi,
On Thu, Apr 24, 2014 at 11:36:49AM -0400, charlie derr wrote:
> On 04/24/2014 11:21 AM, Salvatore Bonaccorso wrote:
> > This indeed seems to be a typo in the DSA-2911-1. The fixed version
> > for the unstable distribution for the given CVEs is
> > icedove/24.4.0-1.
> >
> > For reference see also [1].
> >
> > [1] https://security-tracker.debian.org/tracker/DSA-2911-1
> >
> > Hope that helps,
> >
> > Regards, Salvatore
>
>
> Thank you very much, that does help some, but still doesn't really
> completely explain the mystery to me.
>
> In searching through my /var/log/apt/history files, I see that my
> current version of icedove (24.4.0-1) was installed on 2014-03-26.
>
> Was all of this really patched in the sid version of the icedove
> package a full month before the official announcement of these
> vulnerabilities? This timing is confusing to me (though I suppose
> there may be a reasonable explanation for it).
>
> Any further information that might help me understand would be very
> welcome.

Apologies for the late reply. Yes, it is true, the sid version was
uploaded not long after the thunderbird 24.4 release, which happened
on 2014-03-18. The corresponding issues are listed in [1].

[1] https://www.mozilla.org/security/announce/

Note: The official announcement of these vulnerabilities in
thunderbird was at [1], so already in March. DSA-2911-1 fixes these
issues for icedove in wheezy (additionally, if already known, it
also mentions the fixed version for testing and sid).

Hope this clarifies your questions a bit,

Salvatore