From: Jan Beich
To: "Thomas Mueller"
Subject: Re: www/seamonkey 2.32.1 vulnerable?
Date: Thu, 05 Mar 2015 15:55:43 +0100
In-Reply-To: <901146.90545.bm@smtp112.sbc.mail.ne1.yahoo.com> (Thomas Mueller's message of "Thu, 5 Mar 2015 03:01:43 -0800 (PST)")
Cc: freebsd-ports@freebsd.org
List-Id: Porting software to FreeBSD

"Thomas Mueller" writes:

> A massive portmaster upgrade resulting from png last December 25,
> delayed by other snags, stopped quickly because www/seamonkey was said
> to be vulnerable.
>
> But this is the newest version of Seamonkey either on FreeBSD ports or
> upstream (www.seamonkey-project.org where there was no mention of
> vulnerability in current version).

Mozilla vulnerabilities are often generic to the engine/core. While many
cannot be exploited in Thunderbird due to scripting being disabled, the
same cannot be said about SeaMonkey, which includes a browser.

After looking through the past MFSAs, it appears upstream only marks
SeaMonkey vulnerable after there's a corresponding release with
vulnerabilities fixed. In a situation where such a release is delayed
(like 2.33) or even canceled (2.27, 2.28), there's a window for attackers
to take action on the disclosure.

Do you have a better suggestion? I'm in favor of populating VuXML first
instead of pretending using 2.32.1 is safe at this point.

--
SeaMonkey 2.33 status can be tracked in bug 1137028 or via hg tags:
https://bugzilla.mozilla.org/show_bug.cgi?id=1137028
https://hg.mozilla.org/releases/comm-release/