Bug 109094 - mail-client/mozilla-thunderbird{-bin}: does 1.0.7 fixes vulnerabilities ?
Bug#: 109094 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: WORKSFORME Assigned To: security@gentoo.org Reported By: koon@gentoo.org
Component: Vulnerabilities
URL:  http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird
Summary: mail-client/mozilla-thunderbird{-bin}: does 1.0.7 fixes vulnerabilities ?
Keywords:  
Status Whiteboard: A2? [noglsa] koon
Opened: 2005-10-13 00:56 0000
Description:   Opened: 2005-10-13 00:56 0000 
Thunderbird might be vulnerable to more than just the Mozilla Foundation says
(it might be vuylnerable to much of the recent Firefox issues). At least
Madriva, RedHat and Ubuntu are quite convinced of this.

I asked for details, opening a bug do keep track of the issue.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-10-13 01:05:36 0000 ------- 
Testing and marking those stable preventively might be a good idea :

mozilla-thunderbird Target KEYWORDS="alpha amd64 ia64 ppc sparc x86"
mozilla-thunderbird-bin Target KEYWORDS="amd64 x86"

------- Comment #2 From Gustavo Zacarias (RETIRED) 2005-10-13 11:21:15 0000 ------- 
sparc stable.

------- Comment #3 From Paul Varner 2005-10-13 14:46:49 0000 ------- 
Stable on x86

------- Comment #4 From Homer Parker 2005-10-13 18:58:03 0000 ------- 
mozilla-thunderbird ok on amd64

------- Comment #5 From Michael Sawczuk 2005-10-13 23:04:36 0000 ------- 
(In reply to comment #4)
> mozilla-thunderbird ok on amd64

Shouldn't thunderbird-bin also be marked stable on AMD64?

------- Comment #6 From Thierry Carrez (RETIRED) 2005-10-14 00:31:49 0000 ------- 
(In reply to comment #5)
> 
> Shouldn't thunderbird-bin also be marked stable on AMD64?

Yes it should.

------- Comment #7 From Simon Stelling (RETIRED) 2005-10-14 01:40:19 0000 ------- 
-bin stable too on amd64

------- Comment #8 From Jose Luis Rivero (yoswink) 2005-10-15 06:44:11 0000 ------- 
Alpha Stable ( 1.0.7 )

BTW, ia64 seems to be done and keyworded by agriffis (please Aron, CC'ed ia64
again if needed).

------- Comment #9 From Joe Jezak 2005-10-15 13:19:08 0000 ------- 
Marked ppc stable.

------- Comment #10 From Thierry Carrez (RETIRED) 2005-10-16 02:02:07 0000 ------- 
Ready for GLSA, waiting for more information about vulnerability of TB.

------- Comment #11 From Thierry Carrez (RETIRED) 2005-10-18 05:38:05 0000 ------- 
Here is the results of our ivestigation, thanks to Josh Bressers of RedHat :

- The XBM image decoder issue does not affect Thunderbird.
- The zero-width non-joiner sequences can just be used to crash TB
- The other flaws need Javascript (off in Thunderbird)

So I'll close this one as WORKSFORME. Feel free to reopen if you disagree.