www/seamonkey 2.32.1 vulnerable?

Jan Beich jbeich at FreeBSD.org
Thu Mar 5 15:23:16 UTC 2015

"Thomas Mueller" <mueller6724 at bellsouth.net> writes:

> A massive portmaster upgrade resulting from png last December 25,
> delayed by other snags, stopped quickly because www/seamonkey was said
> to be vulnerable.
> But this is the newest version of Seamonkey either on FreeBSD ports or
> upstream (www.seamonkey-project.org where there was no mention of
> vulnerability in current version).

Mozilla vulnerabilities are often generic to the engine/core. While many
cannot be exploited in Thunderbird due to scripting disabled the same
cannot be said about SeaMonkey which includes a browser.

After looking through the past MFSAs it appears upstream only marks
SeaMonkey vulnerable after there's a corresponding release with
vulnerabilities fixed. In a situation where such release is delayed
(like 2.33) or even canceled (2.27, 2.28) there's a window for attackers
to take action on the disclosure.

Do you have a better suggestion? I'm in favor of populating VuXML first
instead of pretending using 2.32.1 is safe at this point.

SeaMonkey 2.33 status can be tracked in bug 1137028 or via hg tags:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 602 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20150305/a60b393e/attachment.sig>

More information about the freebsd-ports mailing list