"Thomas Mueller" <mueller6...@bellsouth.net> writes: > A massive portmaster upgrade resulting from png last December 25, > delayed by other snags, stopped quickly because www/seamonkey was said > to be vulnerable. > > But this is the newest version of Seamonkey either on FreeBSD ports or > upstream (www.seamonkey-project.org where there was no mention of > vulnerability in current version).
Mozilla vulnerabilities are often generic to the engine/core. While many cannot be exploited in Thunderbird due to scripting being disabled, the same cannot be said about SeaMonkey, which includes a browser. After looking through the past MFSAs, it appears upstream only marks SeaMonkey vulnerable after there's a corresponding release with vulnerabilities fixed. In a situation where such a release is delayed (like 2.33) or even canceled (2.27, 2.28), there's a window for attackers to take action on the disclosure.

Do you have a better suggestion? I'm in favor of populating VuXML first instead of pretending using 2.32.1 is safe at this point.

-- 
SeaMonkey 2.33 status can be tracked in bug 1137028 or via hg tags:
https://bugzilla.mozilla.org/show_bug.cgi?id=1137028
https://hg.mozilla.org/releases/comm-release/