
#1 2017-11-30 07:29:15

windy
Member
Registered: 2013-11-10
Posts: 58

Current security issues with Thunderbird

At the moment there are some critical security issues in the version of Thunderbird provided by Arch (52.4):

https://www.mozilla.org/en-US/security/ … sa2017-26/

The package has been flagged out of date two days ago, but there is not even a new version in the testing repo. Also the CVEs are not listed on the security detail page.


#2 2017-11-30 09:32:45

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 15,065

Re: Current security issues with Thunderbird

I think the security team follows cve.mitre.org and several security-related mailing lists.

https://cve.mitre.org/cgi-bin/cvekey.cg … hunderbird
No entries for Thunderbird in 2017.

I've looked up the 3 CVE numbers in that advisory, and they're all listed as reserved without any details.
How are the Arch security team / devs supposed to learn about these issues if Mozilla doesn't give details through proper channels?

I suggest you email the Arch Thunderbird maintainer directly.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough?
Try clean chroot manager by graysky


#3 2017-11-30 10:48:02

windy
Member
Registered: 2013-11-10
Posts: 58

Re: Current security issues with Thunderbird

Lone_Wolf wrote:

I suggest you email the Arch Thunderbird maintainer directly.

Okay, I did that just now. Thank you for the input.


#4 2017-11-30 12:31:58

anthraxx
Developer
Registered: 2013-08-17
Posts: 1

Re: Current security issues with Thunderbird

Yes we scan :P
If in doubt, the best way to notify the security team is by dropping a line in IRC freenode/#archlinux-security. We make sure to track the issues and get patches and new versions out.


#5 2017-11-30 18:58:47

loqs
Member
Registered: 2014-03-06
Posts: 18,894

Re: Current security issues with Thunderbird

@anthraxx is there any way other than IRC to contact you to discuss security issues such as https://security.archlinux.org/CVE-2017-14954?
Edit:
As an example of the issues with CVE-2017-14954: https://security.archlinux.org/AVG-431 notes 4.9.56-1 as vulnerable, but the 4.9 series never contained the vulnerable code.
It was introduced in 4.13 and was never backported to 4.9. This can be seen by examination of the original bug and the relevant code in 4.9.56, or
by noting that the commit logs for 4.9.y do not reference ce72a16fa705f960ca2352e95a7c5f4801475e75 as being backported.
Please note the proof of concept contains a line that could cause confusion:

		printf("Leak size=%d bytes\n", sizeof(rusage));

which will lead to output such as the following, simply because sizeof(rusage), calculated at compile time, is for instance 144 bytes:

Leak size=144 bytes

Last edited by loqs (2017-11-30 21:34:01)

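The post above makes a point that is easy to get wrong when reading a tracker entry: a package version sorting below the fixed version does not mean it is affected, because an older stable branch may never have received the vulnerable code at all. The following added example (not code from the thread, the Arch security tracker or pacman) shows the difference. It implements a simplified version comparison modelled on pacman's vercmp (epoch, version, pkgrel; numeric segments compared numerically, alpha segments lexically) and compares a naive "older than the fix" test with one that also honours the upstream version in which the bug was introduced. The AVG and CVE identifiers are taken from the post; the introduced-in version follows the post's statement that the code appeared in 4.13; the fixed version "4.13.5-1" is a constructed placeholder, not a claim about the real advisory.

```python
import re
from dataclasses import dataclass

# Split a version string into alternating numeric and alphabetic segments,
# discarding separators such as '.', '_' and '+', as rpmvercmp does.
_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def _rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:                       # numeric vs numeric: compare as ints
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:                      # numeric segments sort after alpha ones
            return 1 if xd else -1
        elif x != y:                        # alpha vs alpha: plain string order
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # One side has segments left over. A remaining numeric segment wins
    # ("4.13.1" > "4.13"); a remaining alpha segment loses ("1.0rc1" < "1.0").
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0].isdigit():
        return 1 if a_longer else -1
    return -1 if a_longer else 1


def _split(full: str):
    """Split 'epoch:version-pkgrel' into (epoch, version, pkgrel or None)."""
    epoch = 0
    if ":" in full:
        e, full = full.split(":", 1)
        epoch = int(e)
    rel = None
    if "-" in full:
        full, rel = full.rsplit("-", 1)
    return epoch, full, rel


def vercmp(a: str, b: str) -> int:
    """Compare two Arch-style package versions (simplified pacman vercmp)."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _rpmvercmp(va, vb)
    if r == 0 and ra is not None and rb is not None:
        r = _rpmvercmp(ra, rb)
    return r


@dataclass
class Advisory:
    avg: str
    cve: str
    package: str
    introduced_in: str   # first upstream version that contains the vulnerable code
    fixed: str           # first packaged version carrying the fix (placeholder here)


# Constructed record; identifiers from the post, fixed version is a placeholder.
EXAMPLE = Advisory(avg="AVG-431", cve="CVE-2017-14954", package="linux",
                   introduced_in="4.13", fixed="4.13.5-1")


def naive_affected(installed: str, adv: Advisory) -> bool:
    """'Anything older than the fix is vulnerable' - the reasoning the post disputes."""
    return vercmp(installed, adv.fixed) < 0


def is_affected(installed: str, adv: Advisory) -> bool:
    """Vulnerable only if the installed version already contains the bug and lacks the fix."""
    return (vercmp(installed, adv.introduced_in) >= 0
            and vercmp(installed, adv.fixed) < 0)


if __name__ == "__main__":
    for v in ("4.9.56-1", "4.13.4-1", "4.13.5-1"):
        print(f"{v:10} naive={naive_affected(v, EXAMPLE)!s:5} introduced-aware={is_affected(v, EXAMPLE)}")
```

Run as a script it reports 4.9.56-1 as affected under the naive test and as not affected once the introduced-in version is taken into account, while 4.13.4-1 is affected under both and 4.13.5-1 under neither. A stable branch that later does receive a backport of the vulnerable code would need its own introduced-in entry; the comparison cannot infer that from version strings alone, which is exactly why the post checks the 4.9.y commit log.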
