| 13 Oct 2024 |
 hexa | there were also no updates between 115.9.0 and 115.14.0 in nixpkgs https://github.com/NixOS/nixpkgs/pull/339019 | 16:59:50 |
 emily | i feel we ought to have a written policy on things that contain browser engines at this point | 17:03:33 |
| emily | wrt requiring both upstream and Nixpkgs maintainers to be responsive to security issues | 17:03:56 |
 tgerbet | Yeah I wanted to create a tracking issue so we can follow this more closely and see how it evolves over time but I did not get the time to do it | 17:46:20 |
| emily | IIRC stable branch security backports for betterbird were discussed in the past and the response was "meh, don't care about stable". | 17:57:10 |
| emily | indeed it looks like it hasn't received any backports this cycle | 17:57:57 |
 aloisw | This does not excuse the package being several months out of date on unstable as well. | 17:58:45 |
| emily | to be clear, I don't think it excuses it being out of date on stable | 17:59:23 |
| emily | * to be clear, I don't think it excuses it being out of date on stable either | 17:59:25 |
| emily | backporting security fixes or at least knownVulnerabilities is part of our basic expectations for maintainer responsibilities for highly-exposed applications IMO | 17:59:59 |
| emily | (though of course it's not written down anywhere) | 18:00:04 |
| emily | I just mean I wouldn't expect the situation to change in that regard. | 18:00:21 |
| aloisw | I'm not aware of any specific security fixes or knownVulnerabilities in Thunderbird, it's just a browser engine so it's probably better to assume every release is security-relevant. | 18:01:01 |
| emily | https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ | 18:01:35 |
| emily | there is admittedly a lot of "In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potential risks in browser or browser-like contexts." – I guess they don't do much assessment of what exposure they're actually subject to. | 18:02:07 |
| emily | certainly e.g. image decoding bugs seem like they would potentially be exploitable. | 18:02:24 |
| emily | there's also stuff like "CVE-2023-5388: NSS susceptible to timing attack against RSA decryption" | 18:02:42 |
| aloisw | In reply to @emilazy:matrix.org
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ Lol this literally is every release, right? | 18:02:47 |
| emily | In reply to @emilazy:matrix.org
there is admittedly a lot of "In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potential risks in browser or browser-like contexts." – I guess they don't do much assessment of what exposure they're actually subject to. which is funny coming after this notice :) | 18:02:50 |
| emily | In reply to @aloisw:kde.org
Lol this literally is every release, right? yes, though like their notice says probably a lot of them are effectively irrelevant for a product that doesn't (or at least tries not to?) run untrusted JS | 18:03:08 |
| aloisw | I also assume they stop investigating what security issues have accidentally been fixed after a release that has since been superseded. | 18:03:39 |
| emily | here's a recent Thunderbird-specific one https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/ | 18:03:39 |
| emily | if it had happened slightly after 24.05, probably stable users would still be vulnerable | 18:03:59 |
| emily | anyway. my personal bottom line is that I think we have a handful too many Firefox/Chromium forks and that the security situation with a lot of them is worrying. I would agree that I don't think Betterbird is meeting reasonable expectations, and it doesn't seem like anything has changed since the last time it was discussed. | 18:04:59 |
| hexa | In reply to @aloisw:kde.org
I'm not aware of any specific security fixes or knownVulnerabilities in Thunderbird, it's just a browser engine so it's probably better to assume every release is security-relevant. basically they track the esr cycle of firefox (up until now), which regularly comes with a security advisory attached | 18:05:47 |
| hexa | In reply to @aloisw:kde.org
Lol this literally is every release, right? yes. | 18:06:05 |
| hexa | In reply to @emilazy:matrix.org
yes, though like their notice says probably a lot of them are effectively irrelevant for a product that doesn't (or at least tries not to?) run untrusted JS you can open a website in thunderbird fwiw | 18:06:22 |
| emily |
Security Vulnerabilities fixed in Thunderbird 115.10
CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10
Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.
(April)
Update request: betterbird 115.9 → 115.12 #323169
(June)
Could you create a PR, please?
| 18:06:44 |
| emily | update eventually merged 3 weeks ago | 18:06:56 |
| hexa | yeah, not acceptable | 18:07:06 |
