 | NixOS Security Discussions | 363 Members |
| Discussions around Security | Triaging happens in #security:nixos.org | 126 Servers |
| NixOS Security Discussions | 363 Members |
| Discussions around Security | Triaging happens in #security:nixos.org | 126 Servers |
| Sender | Message | Time |
|---|---|---|
| 13 Oct 2024 | ||
 emily | (though of course it's not written down anywhere) | 18:00:04 |
| emily | I just mean I wouldn't expect the situation to change in that regard. | 18:00:21 |
 aloisw | I'm not aware of any specific security fixes or knownVulnerabilities in Thunderbird, it's just a browser engine so it's probably better to assume every release is security-relevant. | 18:01:01 |
| emily | https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ | 18:01:35 |
| emily | there is admittedly a lot of "In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potential risks in browser or browser-like contexts." – I guess they don't do much assessment of what exposure they're actually subject to. | 18:02:07 |
| emily | certainly e.g. image decoding bugs seem like they would potentially be exploitable. | 18:02:24 |
| emily | there's also stuff like "CVE-2023-5388: NSS susceptible to timing attack against RSA decryption" | 18:02:42 |
| aloisw | In reply to @emilazy:matrix.orgLol this literally is every release, right? | 18:02:47 |
| emily | In reply to @emilazy:matrix.orgwhich is funny coming after this notice :) | 18:02:50 |
| emily | In reply to @aloisw:kde.orgyes, though like their notice says probably a lot of them are effectively irrelevant for a product that doesn't (or at least tries not to?) run untrusted JS | 18:03:08 |
| aloisw | I also assume they stop investigating what security issues have accidentally been fixed after a release that has since been superseded. | 18:03:39 |
| emily | here's a recent Thunderbird-specific one https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/ | 18:03:39 |
| emily | if it had happened slightly after 24.05, probably stable users would still be vulnerable | 18:03:59 |
| emily | anyway. my personal bottom line is that I think we have a handful too many Firefox/Chromium forks and that the security situation with a lot of them is worrying. I would agree that I don't think Betterbird is meeting reasonable expectations, and it doesn't seem like anything has changed since the last time it was discussed. | 18:04:59 |
 hexa | In reply to @aloisw:kde.orgbasically they track the esr cycle of firefox (up until now), which regularly comes with a security advisory attached | 18:05:47 |
| hexa | In reply to @aloisw:kde.orgyes. | 18:06:05 |
| hexa | In reply to @emilazy:matrix.orgyou can open a website in thunderbird fwiw | 18:06:22 |
| emily |
(April)
(June)
| 18:06:44 |
| emily | update eventually merged 3 weeks ago | 18:06:56 |
| hexa | yeah, not acceptable | 18:07:06 |
| emily | https://github.com/NixOS/nixpkgs/issues/251427
(August 2023) | 18:07:52 |
| emily | think it's fair to say that the situation is unlikely to change | 18:08:08 |
| hexa | https://github.com/NixOS/nixpkgs/pull/241560#issuecomment-1620795028 | 18:09:12 |
| hexa | do you remember this one, emily? | 18:09:18 |
| aloisw | On a cursory glance, upstream (if that's the correct word here given that it's a patched Thunderbird) maintainance looks kinda okay, but nixpkgs is lagging severely. | 18:09:19 |
| emily | upstream is some guy who was banned from Thunderbird development for constantly being uncivil IIRC | 18:10:07 |
| emily | but I agree that it seems to meet my basic expectations for backports of upstream browser engine security fixes | 18:10:20 |
| emily | so it's ahead of, like, most Firefox forks | 18:10:29 |
| emily | In reply to @hexa:lossy.networkright. this is what I was remembering re: stable backports | 18:10:47 |
| emily | the commitment is more than I remember, but it doesn't seem to have been fulfilled | 18:11:07 |