www/seamonkey 2.32.1 vulnerable?

Jan Beich jbeich at FreeBSD.org
Thu Mar 5 15:23:16 UTC 2015


"Thomas Mueller" <mueller6724 at bellsouth.net> writes:

> A massive portmaster upgrade resulting from png last December 25,
> delayed by other snags, stopped quickly because www/seamonkey was said
> to be vulnerable.
>
> But this is the newest version of Seamonkey either on FreeBSD ports or
> upstream (www.seamonkey-project.org where there was no mention of
> vulnerability in current version).

Mozilla vulnerabilities are often generic to the engine/core. While many
cannot be exploited in Thunderbird due to scripting being disabled, the
same cannot be said about SeaMonkey, which includes a browser.

After looking through the past MFSAs, it appears upstream only marks
SeaMonkey vulnerable after there's a corresponding release with
vulnerabilities fixed. In a situation where such a release is delayed
(like 2.33) or even canceled (2.27, 2.28), there's a window for attackers
to take action on the disclosure.

Do you have a better suggestion? I'm in favor of populating VuXML first
instead of pretending using 2.32.1 is safe at this point.

--
SeaMonkey 2.33 status can be tracked in bug 1137028 or via hg tags:

https://bugzilla.mozilla.org/show_bug.cgi?id=1137028
https://hg.mozilla.org/releases/comm-release/