Re: Security Vulnerability
The Fx version is in: mozilla\browser\config\version.txt

Be aware that SeaMonkey is built from the THUNDERBIRD_52_VERBRANCH which is not bleeding edge but contains OSX and some other mailnews fixes. If you want bleeding edge you need to merge default to it.

FRG

Richmond wrote:
> Frank-Rainer Grahl writes:
>
>> 2.49.1 is based on the latest 52.4 so the CVE is in it.
>
> OK thanks but how can I tell that is the case without asking here? Or to put it another way, how do I know when to recompile and what version of firefox ESR the code I check out will be based on? (Maybe there is no way).
>
> (I am checking out from comm-esr52).

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
Re: Security Vulnerability
Frank-Rainer Grahl writes:

> 2.49.1 is based on the latest 52.4 so the CVE is in it.

OK thanks but how can I tell that is the case without asking here? Or to put it another way, how do I know when to recompile and what version of firefox ESR the code I check out will be based on? (Maybe there is no way).

(I am checking out from comm-esr52).
Re: Security Vulnerability
2.49.1 is based on the latest 52.4 so the CVE is in it.

Richmond wrote:
> How do I tell if, for example, CVE-2017-7810 has been addressed in Seamonkey? I see it is fixed in Firefox ESR 52.4. So if I recompile will it be in Seamonkey comm-esr52?
>
> I have been looking here:
>
> https://hg.mozilla.org/releases/comm-esr52/log
>
> But cannot see anything corresponding to CVE numbers.
>
> (I have used CVE-2017-7810 as an example)
>
> (My previous post subject 2.49.2 was meant to be a test. I posted it in the wrong place.)
Re: Security Vulnerability
On 03/11/2017 16:26, Richmond wrote:
> How do I tell if, for example, CVE-2017-7810 has been addressed in Seamonkey? I see it is fixed in Firefox ESR 52.4. So if I recompile will it be in Seamonkey comm-esr52?

https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7810

Mozilla developers and community members Christoph Diehl, Jan de Mooij, Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian Hengst reported memory safety bugs present in Firefox 55 and Firefox ESR 52.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

References: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1386787%2C1389974%2C1371657%2C1360334%2C1390550%2C1380824%2C1387918%2C1395598

NONE of these bugs are public, despite the CVE entry being created over 6 months ago, and the fix being announced a month ago. I don't know who's running the show at moz org, but someone needs to give them a good kick in the bottom, if you ask me.

Regards.
Security Vulnerability
How do I tell if, for example, CVE-2017-7810 has been addressed in Seamonkey? I see it is fixed in Firefox ESR 52.4. So if I recompile will it be in Seamonkey comm-esr52?

I have been looking here:

https://hg.mozilla.org/releases/comm-esr52/log

But cannot see anything corresponding to CVE numbers.

(I have used CVE-2017-7810 as an example)

(My previous post subject 2.49.2 was meant to be a test. I posted it in the wrong place.)
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
seemonkey wrote:
> But it would close the vulnerability in nss. If one would release a seamonkey let's say 2.40.1 only with the change of nss 3.21.1 the result would be the same as i described. I didn't mention any bug in the base product. The whole topic was started with nss and not bugs/sec vuln. in seamonkey. So keeping SM 2.40 official release without replacing the nss is the worst one can do at the moment. If you trust an unofficial build (2.46) then install it. Or copy the dlls as i described.

The worst thing you could do is assume you are covered. It would close one vulnerability in nss not all. Current nss is 3.28 beta and 3.26.2 in the next Firefox release. I am quite sure there are some security fixes in the latest version too. Your best protection is still a script and an Ad blocker when browsing the web.

A 2.40.1 can not be released because the l10n part of the build system is broken. If it weren't so we would have 2.46 already. Adrian's unofficial builds are ok. You can trust them. And if you run en-US there are now candidate builds for every platform available too. They are not final but this only means that the build process stopped with an error when it came to building the l10n versions. Building en-US was mostly finished at this stage.

That said ewong is still busy building and I hope we will see the final 2.46 soon.

FRG
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
On Tuesday, October 18, 2016 at 10:10:15 PM UTC+2, Frank-Rainer Grahl wrote:
> I wouldn't start hacking together a version with different binaries. Might work might not. And this won't close any bugs in the base product which could be exploited if you are so concerned about security.
>
> Better check if the latest en-US candidate 2.46 test builds works for you or use Adrians latest 2.46 build. They are both build from the same sources and updating to the next official build whenever it arrives will be possible just by downloading it. Adrians is gtk3 and the candidate gtk2 for Linux users. Windows VS2015 but Adrians should be a little faster because he used -O2 for compiling.
>
> If you use a hacked together build do not open bug reports against it.
>
> There will be no 2.40.x builds. The next one will be 2.46 if the l10n build bug can be fixed in time.
>
> FRG
>
> On Sun, 16 Oct 2016 21:59:19 +0200, Ray_Net wrote:
>
> >>Lee wrote on 16/10/2016 17:45:
> >>> On 10/16/16, Ray_Net wrote:
> >>>> seemonkey wrote on 13/10/2016 08:06:
> >>>>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
> >>>>>
> >>>>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
> >>>>>
> >>>>> So my question is why seamonkey uses still this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
> >>>>>
> >>>>> As a workaround i can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this end i can start seamonkey with newer NSS library because they're compatible.
> >>>> "As a workaround i can copy the nss libraries from firefox esr to seamonkey "
> >>>>
> >>>> Could you tell us what we need (in details) to do ?
> >>>> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
> >>> Upgrade.
> >>>
> >>> The current version of Firefox is 49.0.1
> >>> about:support / Library Versions says the NSS* expected & in use version is 3.25
> >>>
> >>> The 'current' version of SeaMonkey is 2.40 and is missing a lot of security patches. Upgrading requires that you download & install a new version of SM instead of waiting for it to upgrade automatically. **where** to download the new version from is a bit of a question tho :( I'm guessing the safest bet is
> >>> https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
> >>> if only because akalla had to pick _this_ particular build to make available for downloading. SeaMonkey 2.46 has the same 3.25 about:support / Library Versions for NSS* as FF.
> >>>
> >>> Regards,
> >>> Lee
> >>You don't understand.
> >>- I hate to install a not released SM.
> >>- I stay with FireFox 46.0.1 because I am able with it to do "View Selection Source" using my version of Firefox, because my SM 2.40 cannot do it.
> >>- He said " It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/" and because my version of Firefox is greater (46.0.1) I can use nss from this version to put into SM because it should be > 3.21.1.
> >>So the question is still open:
> >>How, in details, can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?
>
> Regards
> Frank-Rainer Grahl

But it would close the vulnerability in nss. If one would release a seamonkey let's say 2.40.1 only with the change of nss 3.21.1 the result would be the same as i described. I didn't mention any bug in the base product. The whole topic was started with nss and not bugs/sec vuln. in seamonkey.

So keeping SM 2.40 official release without replacing the nss is the worst one can do at the moment. If you trust an unofficial build (2.46) then install it. Or copy the dlls as i described.
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
Frank-Rainer Grahl wrote on 18/10/2016 22:03:
> I wouldn't start hacking together a version with different binaries. Might work might not. And this won't close any bugs in the base product which could be exploited if you are so concerned about security.

Ok, I will stay with my official SM 2.40 without introducing some possible problem.

Thanks for all answering.
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
I wouldn't start hacking together a version with different binaries. Might work might not. And this won't close any bugs in the base product which could be exploited if you are so concerned about security.

Better check if the latest en-US candidate 2.46 test builds work for you or use Adrian's latest 2.46 build. They are both built from the same sources and updating to the next official build whenever it arrives will be possible just by downloading it. Adrian's is gtk3 and the candidate gtk2 for Linux users. Windows VS2015 but Adrian's should be a little faster because he used -O2 for compiling.

If you use a hacked together build do not open bug reports against it.

There will be no 2.40.x builds. The next one will be 2.46 if the l10n build bug can be fixed in time.

FRG

On Sun, 16 Oct 2016 21:59:19 +0200, Ray_Net wrote:

>>Lee wrote on 16/10/2016 17:45:
>>> On 10/16/16, Ray_Net <tbrraymond.schmit...@tbrscarlet.be> wrote:
>>>> seemonkey12...@gmail.com wrote on 13/10/2016 08:06:
>>>>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>>>>>
>>>>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>>>>>
>>>>> So my question is why seamonkey uses still this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>>>>>
>>>>> As a workaround i can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this end i can start seamonkey with newer NSS library because they're compatible.
>>>> "As a workaround i can copy the nss libraries from firefox esr to seamonkey "
>>>>
>>>> Could you tell us what we need (in details) to do ?
>>>> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
>>> Upgrade.
>>>
>>> The current version of Firefox is 49.0.1
>>> about:support / Library Versions says the NSS* expected & in use version is 3.25
>>>
>>> The 'current' version of SeaMonkey is 2.40 and is missing a lot of security patches. Upgrading requires that you download & install a new version of SM instead of waiting for it to upgrade automatically. **where** to download the new version from is a bit of a question tho :( I'm guessing the safest bet is
>>> https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
>>> if only because akalla had to pick _this_ particular build to make available for downloading. SeaMonkey 2.46 has the same 3.25 about:support / Library Versions for NSS* as FF.
>>>
>>> Regards,
>>> Lee
>>You don't understand.
>>- I hate to install a not released SM.
>>- I stay with FireFox 46.0.1 because I am able with it to do "View Selection Source" using my version of Firefox, because my SM 2.40 cannot do it.
>>- He said " It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/" and because my version of Firefox is greater (46.0.1) I can use nss from this version to put into SM because it should be > 3.21.1.
>>So the question is still open:
>>How, in details, can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?

Regards
Frank-Rainer Grahl
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
On Sunday, October 16, 2016 at 9:59:26 PM UTC+2, Ray_Net wrote:
> Lee wrote on 16/10/2016 17:45:
> > On 10/16/16, Ray_Net wrote:
> >> seemonkey wrote on 13/10/2016 08:06:
> >>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
> >>>
> >>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
> >>>
> >>> So my question is why seamonkey uses still this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
> >>>
> >>> As a workaround i can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this end i can start seamonkey with newer NSS library because they're compatible.
> >> "As a workaround i can copy the nss libraries from firefox esr to seamonkey "
> >>
> >> Could you tell us what we need (in details) to do ?
> >> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
> > Upgrade.
> >
> > The current version of Firefox is 49.0.1
> > about:support / Library Versions says the NSS* expected & in use version is 3.25
> >
> > The 'current' version of SeaMonkey is 2.40 and is missing a lot of security patches. Upgrading requires that you download & install a new version of SM instead of waiting for it to upgrade automatically. **where** to download the new version from is a bit of a question tho :( I'm guessing the safest bet is
> > https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
> > if only because akalla had to pick _this_ particular build to make available for downloading. SeaMonkey 2.46 has the same 3.25 about:support / Library Versions for NSS* as FF.
> >
> > Regards,
> > Lee
> You don't understand.
> - I hate to install a not released SM.
> - I stay with FireFox 46.0.1 because I am able with it to do "View Selection Source" using my version of Firefox, because my SM 2.40 cannot do it.
> - He said " It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/" and because my version of Firefox is greater (46.0.1) I can use nss from this version to put into SM because it should be > 3.21.1.
> So the question is still open:
> How, in details, can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?

I understand you. In detail you must do the following. Copy these files from firefox into seamonkey overwriting the existing files (you have *.dll instead of *.so):

libfreebl3.chk
libfreebl3.so
libnspr4.so
libnss3.so
libnssckbi.so
libnssdbm3.chk
libnssdbm3.so
libnssutil3.so
libplc4.so
libplds4.so
libsmime3.so
libsoftokn3.chk
libsoftokn3.so
libssl3.so

I did it on linux, on windows it should be the same, please check it! I hope you have chk files too. However i have firefox 45.4.0 (esr) not the 46.
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
On Sun, 16 Oct 2016 21:59:19 +0200, Ray_Net <tbrraymond.schmit...@tbrscarlet.be> wrote:

>Lee wrote on 16/10/2016 17:45:
>> On 10/16/16, Ray_Net <tbrraymond.schmit...@tbrscarlet.be> wrote:
>>> seemonkey12...@gmail.com wrote on 13/10/2016 08:06:
>>>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>>>>
>>>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>>>>
>>>> So my question is why seamonkey uses still this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>>>>
>>>> As a workaround i can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this end i can start seamonkey with newer NSS library because they're compatible.
>>> "As a workaround i can copy the nss libraries from firefox esr to seamonkey "
>>>
>>> Could you tell us what we need (in details) to do ?
>>> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
>> Upgrade.
>>
>> The current version of Firefox is 49.0.1
>> about:support / Library Versions says the NSS* expected & in use version is 3.25
>>
>> The 'current' version of SeaMonkey is 2.40 and is missing a lot of security patches. Upgrading requires that you download & install a new version of SM instead of waiting for it to upgrade automatically. **where** to download the new version from is a bit of a question tho :( I'm guessing the safest bet is
>> https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
>> if only because akalla had to pick _this_ particular build to make available for downloading. SeaMonkey 2.46 has the same 3.25 about:support / Library Versions for NSS* as FF.
>>
>> Regards,
>> Lee
>You don't understand.
>- I hate to install a not released SM.
>- I stay with FireFox 46.0.1 because I am able with it to do "View Selection Source" using my version of Firefox, because my SM 2.40 cannot do it.
>- He said " It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/" and because my version of Firefox is greater (46.0.1) I can use nss from this version to put into SM because it should be > 3.21.1.
>So the question is still open:
>How, in details, can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?

The SM 2.46 builds are being made by Adrian Kalla on a personal machine and are stable even though not published on the official Mozilla site and usual download places. They are built from stable code but because the build environment has been busted for so long, it's not working on Mozilla proper. I just updated to the SM 2.47 beta build he made today and it has NSS 3.26.2. I didn't realize 3.27/3.27.1 went final until I just looked.

So, IMHOO, you have nothing to lose by trying the stable build Adrian has made. You can always kick the tires here: http://goo.gl/9R2c0i

Stable, in terms of software, is relative to how many bugs haven't been found yet.

As for grafting DLLs, back up nss3.dll, nssckbi.dll, nssdbm3.chk, nssdbm3.dll and mozglue.dll somewhere. Close SM. Copy the NSS DLLs from Firefox and overwrite the ones in the SM directory. 99% of the time you won't need mozglue.dll. Start SM. If it complains about mozglue.dll, close SM and overwrite mozglue.dll. Start SM again. If it won't start, copy back the backed up DLLs.

Hope that helps.
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
Lee wrote on 16/10/2016 17:45:
> On 10/16/16, Ray_Net <tbrraymond.schmit...@tbrscarlet.be> wrote:
>> seemonkey12...@gmail.com wrote on 13/10/2016 08:06:
>>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>>>
>>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>>>
>>> So my question is why seamonkey uses still this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>>>
>>> As a workaround i can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this end i can start seamonkey with newer NSS library because they're compatible.
>> "As a workaround i can copy the nss libraries from firefox esr to seamonkey "
>>
>> Could you tell us what we need (in details) to do ?
>> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
> Upgrade.
>
> The current version of Firefox is 49.0.1
> about:support / Library Versions says the NSS* expected & in use version is 3.25
>
> The 'current' version of SeaMonkey is 2.40 and is missing a lot of security patches. Upgrading requires that you download & install a new version of SM instead of waiting for it to upgrade automatically. **where** to download the new version from is a bit of a question tho :( I'm guessing the safest bet is
> https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
> if only because akalla had to pick _this_ particular build to make available for downloading. SeaMonkey 2.46 has the same 3.25 about:support / Library Versions for NSS* as FF.
>
> Regards,
> Lee

You don't understand.
- I hate to install a not released SM.
- I stay with FireFox 46.0.1 because I am able with it to do "View Selection Source" using my version of Firefox, because my SM 2.40 cannot do it.
- He said " It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/" and because my version of Firefox is greater (46.0.1) I can use nss from this version to put into SM because it should be > 3.21.1.

So the question is still open:
How, in details, can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
On 10/16/16, Ray_Net <tbrraymond.schmit...@tbrscarlet.be> wrote:
> seemonkey12...@gmail.com wrote on 13/10/2016 08:06:
>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>>
>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>>
>> So my question is why seamonkey uses still this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>>
>> As a workaround i can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this end i can start seamonkey with newer NSS library because they're compatible.
>
> "As a workaround i can copy the nss libraries from firefox esr to seamonkey "
>
> Could you tell us what we need (in details) to do ?
> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.

Upgrade.

The current version of Firefox is 49.0.1
about:support / Library Versions says the NSS* expected & in use version is 3.25

The 'current' version of SeaMonkey is 2.40 and is missing a lot of security patches. Upgrading requires that you download & install a new version of SM instead of waiting for it to upgrade automatically. **where** to download the new version from is a bit of a question tho :( I'm guessing the safest bet is
https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
if only because akalla had to pick _this_ particular build to make available for downloading. SeaMonkey 2.46 has the same 3.25 about:support / Library Versions for NSS* as FF.

Regards,
Lee
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
seemonkey12...@gmail.com wrote on 13/10/2016 08:06:
> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>
> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>
> So my question is why seamonkey uses still this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>
> As a workaround i can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this end i can start seamonkey with newer NSS library because they're compatible.

"As a workaround i can copy the nss libraries from firefox esr to seamonkey "

Could you tell us what we need (in details) to do ?
I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
WaltS48 wrote:
> On 10/14/2016 08:49 PM, Edward wrote:
>> TCW wrote:
>>> On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey12...@gmail.com wrote:
>>>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>>>>
>>>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>>>>
>>>> So my question is why seamonkey uses still this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>>>>
>>>> As a workaround i can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this end i can start seamonkey with newer NSS library because they're compatible.
>>>
>>> You can graft the NSS dlls, sure. I have done that in the past with success. But, there is a build of 2.46 that's stable enough to use if you want to test.
>>
>> Just curious... Does the Linux version of SeaMonkey use the nss package that is included with the Linux distribution being used? The currently installed version here is 3.23.0-1 (Fedora 24).
>>
>> Thanks in advance.
>
> Users can enter about:support in the address bar and scroll down to the Library Versions section of the Troubleshooting Information page to see what their version of SeaMonkey, Firefox or Thunderbird is using.
>
> If you prefer Help > Troubleshooting Information also gets you there.

Thanks for that tip. It looks like nss was just updated. That screen shows the Expected Minimum Version as 3.25, with 3.27 as the Version in use.
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
On 10/14/2016 08:49 PM, Edward wrote:
> TCW wrote:
>> On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey12...@gmail.com wrote:
>>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>>>
>>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>>>
>>> So my question is why seamonkey uses still this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>>>
>>> As a workaround i can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this end i can start seamonkey with newer NSS library because they're compatible.
>>
>> You can graft the NSS dlls, sure. I have done that in the past with success. But, there is a build of 2.46 that's stable enough to use if you want to test.
>
> Just curious... Does the Linux version of SeaMonkey use the nss package that is included with the Linux distribution being used? The currently installed version here is 3.23.0-1 (Fedora 24).
>
> Thanks in advance.

Users can enter about:support in the address bar and scroll down to the Library Versions section of the Troubleshooting Information page to see what their version of SeaMonkey, Firefox or Thunderbird is using.

If you prefer Help > Troubleshooting Information also gets you there.

--
Visit Pittsburgh <http://www.visitpittsburgh.com/>
Coexist <https://www.coexist.org/>
Ubuntu 16.04LTS
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
On Saturday, October 15, 2016 at 2:49:48 AM UTC+2, Edward wrote: > TCW wrote: > > On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey > > wrote: > > > >> There's at least one security vulnerability that is missing from this NSS > >> version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950 > >> > >> There was a bugfix in NSS > >> https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue > >> but unfortunately it seems that this bugfix is not in 3.20.x according to > >> the developer entries. I didn't check the code yet if the bugfix is really > >> missing! > >> > >> So my question is why seamonkey uses still this outdated NSS version? It > >> should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and > >> also in latest thunderbird /45.4.0/) > >> > >> As a workaround i can copy the nss libraries from firefox esr to seamonkey > >> until a security release of seamonkey let's say 2.40.1 arrives. I tried > >> this end i can start seamonkey with newer NSS library because they're > >> compatible. > > > > You can graft the NSS dlls, sure. I have done that in the past with > > success. But, there is a build of 2.46 that's stable enough to use if > > you want to test. > > Just curious... Does the Linux version of SeaMonkey use the nss package > that is included with the Linux distribution being used? The currently > installed version here is 3.23.0-1 (Fedora 24). > > Thanks in advance. No, seamonkey/firefox/thunderbird look for their .so ONLY in their own directory ignoring to search in /usr/lib. That why it is not enough to install a separate nss package but one need to place symbolic links into each mozilla product. You can check with strace which .so is loaded on startup of seamonkey. If the one from nss lib 3.23.0-1 then you are lucky and don't have to do anything. I just wanted to point out that we immediately need a seemonkey update. 
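The check described in the reply above (which copy of the NSS libraries a running SeaMonkey actually mapped), as an added example that is not part of the original thread. It reads `/proc/<pid>/maps` instead of strace output; the install directory `/opt/seamonkey` and the sample map lines are constructed assumptions, and 3.21.1 is the minimum version named in the original post.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.
# Excerpt in /proc/<pid>/maps format; /opt/seamonkey is an assumed install dir.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1f2000 r-xp 00000000 08:01 1315 /opt/seamonkey/libnss3.so
7f3a1c1f2000-7f3a1c3f1000 ---p 001f2000 08:01 1315 /opt/seamonkey/libnss3.so
7f3a1d000000-7f3a1d02a000 r-xp 00000000 08:01 2200 /usr/lib64/libnssutil3.so
7f3a1e000000-7f3a1e1b0000 r-xp 00000000 08:01 901 /usr/lib64/libc-2.23.so'

# Read maps text on stdin and print one line per mapped NSS library:
# "bundled <path>" if it lives under APPDIR ($1), otherwise "system <path>".
nss_libs_from_maps() {
    awk -v app="${1%/}/" '
        $6 ~ /\/lib(nss3|nssutil3|smime3|ssl3|softokn3|freebl3)\.so/ && !seen[$6]++ {
            origin = (index($6, app) == 1) ? "bundled" : "system"
            print origin, $6
        }'
}

# Succeed if dotted version HAVE ($1) is >= MIN ($2); missing fields count as 0.
version_at_least() {
    awk -v have="$1" -v min="$2" 'BEGIN {
        nh = split(have, h, "."); nm = split(min, m, ".")
        n = (nh > nm) ? nh : nm
        for (i = 1; i <= n; i++) {
            a = h[i] + 0; b = m[i] + 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# Demo on the constructed sample. For a live process use:
#   nss_libs_from_maps /opt/seamonkey < /proc/<pid>/maps
printf '%s\n' "$SAMPLE_MAPS" | nss_libs_from_maps /opt/seamonkey
version_at_least 3.20.1 3.21.1 || echo "NSS 3.20.1 is older than 3.21.1"
```

A "bundled" line means the process is still running the copy shipped in the application directory; the version string to compare can be read from the Library Versions section of about:support.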
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
On Thursday, October 13, 2016 at 3:10:42 PM UTC+2, TCW wrote:
> On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey
>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>>
>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>>
>> So my question is why seamonkey still uses this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>>
>> As a workaround I can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this and I can start seamonkey with newer NSS library because they're compatible.
>
> You can graft the NSS dlls, sure. I have done that in the past with success. But, there is a build of 2.46 that's stable enough to use if you want to test.

I tried with firefox's/thunderbird's 3.21.1 and it works. I trust this version of nss (at the moment)
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
TCW wrote:
> On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey12...@gmail.com wrote:
>> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>>
>> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>>
>> So my question is why seamonkey still uses this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>>
>> As a workaround I can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this and I can start seamonkey with newer NSS library because they're compatible.
>
> You can graft the NSS dlls, sure. I have done that in the past with success. But, there is a build of 2.46 that's stable enough to use if you want to test.

Just curious... Does the Linux version of SeaMonkey use the nss package that is included with the Linux distribution being used? The currently installed version here is 3.23.0-1 (Fedora 24).

Thanks in advance.
Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey12...@gmail.com wrote:
> There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>
> There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!
>
> So my question is why seamonkey still uses this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)
>
> As a workaround I can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this and I can start seamonkey with newer NSS library because they're compatible.

You can graft the NSS dlls, sure. I have done that in the past with success. But, there is a build of 2.46 that's stable enough to use if you want to test.
Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability
There's at least one security vulnerability that is missing from this NSS version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950

There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but unfortunately it seems that this bugfix is not in 3.20.x according to the developer entries. I didn't check the code yet if the bugfix is really missing!

So my question is why seamonkey still uses this outdated NSS version? It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest thunderbird /45.4.0/)

As a workaround I can copy the nss libraries from firefox esr to seamonkey until a security release of seamonkey let's say 2.40.1 arrives. I tried this and I can start seamonkey with newer NSS library because they're compatible.
Re: Security Vulnerability
This sounds more like a SeaMonkey support issue than a general security issue. Adding support-seamonkey@lists.mozilla.org to address this issue.

--
Curtis Koenig
Mozilla Corp.
Security Program Manager

On 2012-02-16 14:23 PM, L Davis wrote:
> Hi,
>
> Even though I have updated to the latest version of SeaMonkey, when I Open in a New Tab, the older version of SeaMonkey comes up, advising me to upgrade. The original page reflects the updated version.
>
> Thank you for your help.
>
> Laura
Re: Security vulnerability in FF3.*
Stéphane Grégoire wrote:
> Hi,
>
> Is Seamonkey 2.0.9 or Seamonkey 2.1b1 affected by this bug :
> http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/

I don't know for sure, but this may give some calm to SM users, at least those on newer Windows users?

However, for some reason or another the cybercriminal behind this attack has chosen to limit the scope of the vulnerability. Using browser headers, the exploit checks both the Firefox version and the operating system used. According to Mozilla, the underlying flaw is present in both Firefox 3.5 and 3.6, but only recent versions of 3.6 were targeted by JS_NINDYA.A. In addition, if the user is running newer versions of Windows (such as Vista, Windows 7, Server 2008, and Server 2008 R2), the exploit will not be triggered either.

Read more: http://blog.trendmicro.com/firefox-zero-day-found-in-compromised-nobel-peace-prize-website/

--
/Arne
Security vulnerability in FF3.*
Hi,

Is Seamonkey 2.0.9 or Seamonkey 2.1b1 affected by this bug :
http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/

--
Stéphane
http://pasdenom.info
Re: Security vulnerability in FF3.*
Stéphane Grégoire wrote:
> Is Seamonkey 2.0.9 or Seamonkey 2.1b1 affected by this bug :
> http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/

The 2.0 branch is affected for sure; it uses the same back-end as Firefox 3.5. SeaMonkey 2.0.10 will be released soon (about the same time as the next Firefox minor releases).

I don't know about SeaMonkey 2.1 Beta 1, but if it's affected you'd either have to switch to using trunk nightly builds, wait for 2.1 Beta 2 (which will take some time, though), disable JavaScript, or install NoScript.

HTH

Jens

--
Jens Hatlak http://jens.hatlak.de/
SeaMonkey Trunk Tracker http://smtt.blogspot.com/
Re: Security vulnerability in FF3.*
Stéphane Grégoire wrote:
> Is Seamonkey 2.0.9 or Seamonkey 2.1b1 affected by this bug :
> http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/

SeaMonkey 2.0.9 is affected and we are working on 2.0.10 right now to fix it.

SeaMonkey 2.1 Beta 1 is at least not affected when it comes to HTML, as the new HTML5 parser works differently and doesn't run into the problem, but we will put some parts of the patch in future 2.1 versions as well (as I understand it) to ensure this cannot regress.

Find 2.0.10 candidate build with the fix on FTP, as I just posted.

Robert Kaiser
Re: Firefox 3.6 security vulnerability -- shared by SM?
Paul B. Gallagher wrote:
> http://www.computerworld.com/s/article/9173698/Mozilla_confirms_critical_Firefox_bug
>
> Any experts care to comment?

This problem only exists in Gecko 1.9.2 and higher, but SeaMonkey 2.0.x uses 1.9.1.x, so our security update for a few other things stays targeted for March 30, just as Firefox 3.5.9, which is also Gecko 1.9.1-based.

Robert Kaiser
Re: Firefox 3.6 security vulnerability -- shared by SM?
Sun, 21 Mar 2010 17:33:35 -0700, /NoOp/:
> On 03/21/2010 03:03 PM, Paul B. Gallagher wrote:
>> http://www.computerworld.com/s/article/9173698/Mozilla_confirms_critical_Firefox_bug
>>
>> Any experts care to comment?
>
> Not an expert... but I suspect that the 2.0.4 testing request from kairo:
>
> quote
> If no problems come up in testing those builds, they will go live as the official 2.0.4 on Tuesday, March 30, in sync with Firefox and Thunderbird updates that will fix the same set of security issues.
> /quote
>
> is probably related meant to take care of this.

http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
linked from the given Computerworld article:

*Update:* To clarify, as originally claimed this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected.

--
Stanimir
Re: Firefox 3.6 security vulnerability -- shared by SM?
Stanimir Stamenkov wrote:
> http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
> linked from the given Computerworld article:
>
> *Update:* To clarify, as originally claimed this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected.

Whew! Thanks.

--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher
Re: Firefox 3.6 security vulnerability -- shared by SM?
On 3/22/2010 6:57 AM PT, Paul B. Gallagher typed:
>> http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
>> linked from the given Computerworld article:
>>
>> *Update:* To clarify, as originally claimed this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected.
>
> Whew! Thanks.

Cool. Don't need to wait for that fix then. :)

--
..., you ready for a little dumpster diving? Um... okay. You know I don't mind getting my hands dirty. I mean, maggots, wet trash, I am the first one in. Okay, so what are you waiting for? Ants. (Chuckles) Ants? Yes, I have got a problem with ants. They are sneaky, and they are mobile, and when they get on you, even if you get them off... Okay, Calleigh, chill. --CSI: Miami (Wannabe episode; #218)
   /\___/\
  / /\ /\ \      Phil./Ant @ http://antfarm.ma.cx (Personal Web Site)
 | |o   o| |     Ant's Quality Foraged Links: http://aqfl.net
    \ _ /        Nuke ANT from e-mail address: phi...@earthlink.netant
     ( )         or ant...@zimage.com
Ant is currently not listening to any songs on his home computer.
Firefox 3.6 security vulnerability -- shared by SM?
http://www.computerworld.com/s/article/9173698/Mozilla_confirms_critical_Firefox_bug

Any experts care to comment?

--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher
Re: Firefox 3.6 security vulnerability -- shared by SM?
On 03/21/2010 03:03 PM, Paul B. Gallagher wrote:
> http://www.computerworld.com/s/article/9173698/Mozilla_confirms_critical_Firefox_bug
>
> Any experts care to comment?

Not an expert... but I suspect that the 2.0.4 testing request from kairo:

quote
If no problems come up in testing those builds, they will go live as the official 2.0.4 on Tuesday, March 30, in sync with Firefox and Thunderbird updates that will fix the same set of security issues.
/quote

is probably related meant to take care of this.