On Tuesday, October 18, 2016 at 10:10:15 PM UTC+2, Frank-Rainer Grahl wrote: > I wouldn't start hacking together a version with different binaries. Might > work > might not. And this won't close any bugs in the base product which could be > exploited if you are so concerned about security. > > Better check if the latest en-US candidate 2.46 test builds works for you or > use > Adrians latest 2.46 build. They are both build from the same sources and > updating > to the next official build whenever it arrives will be possible just by > downloading it. Adrians is gtk3 and the candidate gtk2 for Linux users. > Windows > VS2015 but Adrians should be a little faster because he used -O2 for > compiling. > > If you use a hacked together build do not open bug reports against it. > > There will be no 2.40.x builds. The next one will be 2.46 if the l10n build > bug > can be fixed in time. > > FRG > > On Sun, 16 Oct 2016 21:59:19 +0200, Ray_Net wrote: > > >>Lee wrote on 16/10/2016 17:45: > >>> On 10/16/16, Ray_Net wrote: > >>>> seemonkey wrote on 13/10/2016 08:06: > >>>>> There's at least one security vulnerability that is missing from this > >>>>> NSS > >>>>> version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950 > >>>>> > >>>>> There was a bugfix in NSS > >>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue > >>>>> but unfortunately it seems that this bugfix is not in 3.20.x according > >>>>> to > >>>>> the developer entries. I didn't check the code yet if the bugfix is > >>>>> really > >>>>> missing! > >>>>> > >>>>> So my question is why seamonkey uses still this outdated NSS version? It > >>>>> should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and > >>>>> also in latest thunderbird /45.4.0/) > >>>>> > >>>>> As a workaround i can copy the nss libraries from firefox esr to > >>>>> seamonkey > >>>>> until a security release of seamonkey let's say 2.40.1 arrives. I tried > >>>>> this end i can start seamonkey with newer NSS library because they're > >>>>> compatible. > >>>> "As a workaround i can copy the nss libraries from firefox esr to > >>>> seamonkey " > >>>> > >>>> Could you tell us what we need (in details) to do ? > >>>> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc. > >>> Upgrade. > >>> > >>> The current version of Firefox is 49.0.1 > >>> about:support / Library Versions says the NSS* expected & in use version > >>> is > 3.25 > >>> > >>> The 'current' version of SeaMonkey is 2.40 and is missing a lot of > >>> security patches. Upgrading requires that you download & install a > >>> new version of SM instead of waiting for it to upgrade automatically. > >>> **where** to download the new version from is a bit of a question tho > >>> :( I'm guessing the safest bet is > >>> > https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-com > m-release-windows32/ > >>> if only because akalla had to pick _this_ particular build to make > >>> available for downloading. SeaMonkey 2.46 has the same 3.25 > >>> about:support / Library Versions for NSS* as FF. > >>> > >>> Regards, > >>> Lee > >>You don't understand. > >>- I hate to install a not released SM. > >>- I stay with FireFox 46.0.1 because I am able with it to do "View > >>Selection Source" using my version of Firefox, because my SM 2.40 cannot > >>do it. > >>- He said " It should use at least 3.21.1 (that is in latest firefox esr > >>/45.4.0/" and because my version of Firefox is greater (46.0.1) I can > >>use nss from this version to put into SM because it should be > 3.21.1. > >>So the question is still open: > >>How, in details, can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ? > > > Regards > Frank-Rainer Grahl
But it would close the vulnerability in nss. If one would release a seamonkey let's say 2.40.1 only with the change of nss 3.21.1 the result would be the same as i described. I didn't mention any bug in the base product. The whole topic was started with nss and not bugs/sec vuln. in seamonkey. So keeping SM 2.40 official release without replacing the nss is the worst one can do at the moment. If you trust an unofficial build (2.46) then install it. Or copy the dlls as i described. _______________________________________________ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
