| 13 Oct 2024 |
 emily | currently unfixed on stable that don't look JS-specific:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1888333
- https://bugzilla.mozilla.org/show_bug.cgi?id=1893340
- https://bugzilla.mozilla.org/show_bug.cgi?id=1878199
- https://bugzilla.mozilla.org/show_bug.cgi?id=1193389
- https://bugzilla.mozilla.org/show_bug.cgi?id=1896555 (maybe? "By manipulating the text in an
<input> tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash." – bug is not public still, lol)
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1862809%2C1889355%2C1893388%2C1895123 (also not accesible)
- uhh more NSS stuff… actually this is too tedious, there's like 3 more point releases left
| 18:15:36 |
| emily | I think we need to set knownVulnerabilities on 24.05 for sure. removal before the 24.11 freeze also seems like a reasonable course of action to me, or we will inevitably end up shipping vulnerable versions to users again within the next 6 months unless someone else wants to be responsible for the package. | 18:16:14 |
| emily | actually the NSS stuff might be fine if we have a separate NSS package | 18:16:44 |
| emily | and of course it may be hard to impossible to construct an exploit chain for some or all of them without JS | 18:16:55 |
| emily | but that is certainly not wholly obvious to me for some of them | 18:17:16 |
 Tristan Ross | In reply to @emilazy:matrix.org
you'd want to talk to ris Idk who that is | 18:19:08 |
 hexa | risicle | 18:19:13 |
| hexa | ris_ in this room | 18:19:23 |
| emily | also lib.maintainers.ris | 18:19:39 |
| Tristan Ross | Oh | 18:19:43 |
| hexa | In reply to @emilazy:matrix.org
actually the NSS stuff might be fine if we have a separate NSS package hm? I maintain nss | 18:21:02 |
| Tristan Ross | Time to find the issue I was pinged in relating to what I'm doing lol | 18:21:09 |
| emily | I meant that one of the vulns I linked was NSS-related | 18:21:13 |
| emily | so it may not apply to us assuming we have a split NSS package that actually gets updates | 18:21:23 |
| hexa | nss is always recent | 18:21:28 |
| emily | oh, is 115 just EOL in general now? | 18:21:29 |
| hexa | yes | 18:21:35 |
| emily | then that seems like an especially good argument for removing Betterbird | 18:21:43 |
| hexa | 115.16.0esr was the last release | 18:21:45 |
| hexa | https://github.com/NixOS/nixpkgs/pull/348318 | 18:21:50 |
| emily | given that they don't have a release based on anything else | 18:21:51 |
| emily | well, ok, they have a "Future version" "Preview" | 18:22:18 |
| emily | with "Note that Thunderbird 128 and hence Betterbird 128 is shipping with a broken backend, causing IMAP folder corruption under some circumstances. Currently, we do not recommend version 128 for productive use." | 18:22:22 |
| hexa |
Future version: Betterbird 128 ESR "Preview" (128.3.1esr-bb12, 11 October 2024)
| 18:22:23 |
| emily | between dropping it and shipping a version they call "future" "preview" and tell you not to use, I think I'd pick the former, given the history here | 18:22:45 |
| hexa | sure | 18:23:01 |
| hexa | I'm using 128 esr with chonky imap folders | 18:23:15 |
| emily | well, this gets back to the Betterbird guy having beef with Thunderbird upstream, I think. | 18:23:40 |
| emily | the site is all about how Thunderbird is broken and they fix things that Thunderbird won't let people fix. | 18:23:51 |
| * hexa nods | 18:23:59 |
