Is SeaMonkey v1.1.9 affected by Firefox v2.0.0.14's fix too?

http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.14
http://www.mozilla.org/security/announce/2008/mfsa2008-20.html

Fixed in Firefox 2.0.0.14
MFSA 2008-20 Crash in JavaScript garbage collector

Is SeaMonkey affected too? If so, then is a new version coming out soon?
-- 
"The foreign policy aim of ants can be summed up as follows: restless 
aggression, territorial conquest, and genocidal annihilation of 
neighboring colonies whenever possible. If ants had nuclear weapons, 
they would probably end the world in a week." --Journey to the Ants, 
page 59. Bert Holldobler & Edward O. Wilson
    /\___/\
   / /\ /\ \  Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
  | |o   o| |        Ant's Quality Foraged Links (AQFL): http://aqfl.net
     \ _ /       Remove ANT from e-mail address: philpi@earthlink.netANT
      ( )                                           or ANTant@zimage.com
Ant is currently not listening to any songs on his home computer.
0
Ant
4/17/2008 4:28:30 AM
mozilla.support.seamonkey

Ant wrote:
> http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.14
> http://www.mozilla.org/security/announce/2008/mfsa2008-20.html
> 
> Fixed in Firefox 2.0.0.14
> MFSA 2008-20 Crash in JavaScript garbage collector
> 
> Is SeaMonkey affected too? If so, then is a new version coming out soon?

I read today on chatzilla that yes, when KaiRo returns there should be a
SM update.

Rinaldi
-- 
Accuracy, n.:
	The vice of being right
0
Rinaldi
4/17/2008 4:33:59 AM
On 4/16/2008 9:33 PM PT, Rinaldi J. Montessi typed:

>> http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.14
>> http://www.mozilla.org/security/announce/2008/mfsa2008-20.html
>>
>> Fixed in Firefox 2.0.0.14
>> MFSA 2008-20 Crash in JavaScript garbage collector
>>
>> Is SeaMonkey affected too? If so, then is a new version coming out soon?
> 
> I read today on chatzilla that yes, when KaiRo returns there should be a
> SM update.

Thanks for the update. :)
-- 
"Is this stuff any good for ants?" "No, it kills them." --unknown
    /\___/\
   / /\ /\ \  Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
  | |o   o| |        Ant's Quality Foraged Links (AQFL): http://aqfl.net
     \ _ /       Remove ANT from e-mail address: philpi@earthlink.netANT
      ( )                                           or ANTant@zimage.com
Ant is currently not listening to any songs on his home computer.
0
Ant
4/17/2008 5:29:51 AM
Rinaldi J. Montessi wrote:
> Ant wrote:
>> http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.14
>> http://www.mozilla.org/security/announce/2008/mfsa2008-20.html
>>
>> Fixed in Firefox 2.0.0.14
>> MFSA 2008-20 Crash in JavaScript garbage collector
>>
>> Is SeaMonkey affected too? If so, then is a new version coming out soon?
> 
> I read today on chatzilla that yes, when KaiRo returns there should be a
> SM update.
> 
> Rinaldi

Who let KaiRo go on leave?? Didn't they know we would need him??

(Just joking)

Daniel
0
Daniel
4/21/2008 12:06:43 AM
Rinaldi J. Montessi wrote:
> Ant wrote:
>> http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.14
>> http://www.mozilla.org/security/announce/2008/mfsa2008-20.html
>>
>> Fixed in Firefox 2.0.0.14
>> MFSA 2008-20 Crash in JavaScript garbage collector
>>
>> Is SeaMonkey affected too? If so, then is a new version coming out soon?
> 
> I read today on chatzilla that yes, when KaiRo returns there should be a
> SM update.

Last I spoke to KaiRo in more of a /msg (today as well) it was not that 
certain there would be a SM update to match 2.0.0.14's changes.

The issue here does affect SeaMonkey, though it is unlikely it can be 
exploited. KaiRo and the SeaMonkey team will investigate over the next 
few days at most on if a 1.1.10 (based on 2.0.0.14) is needed.

Though, regardless of that decision, the next SeaMonkey 
security/stability update (based on 2.0.0.15 presumably) would include 
these fixes anyway (more than one bug was fixed, though the security 
advisory page only listed one).

-- 
~Justin Wood (Callek)
0
Justin
4/21/2008 5:56:02 AM
Justin Wood (Callek) wrote:
> The issue here does affect SeaMonkey, though it is unlikely it can be
> exploited. KaiRo and the SeaMonkey team will investigate over the next
> few days at most on if a 1.1.10 (based on 2.0.0.14) is needed.
>
> Though, regardless of that decision, the next SeaMonkey
> security/stability update (based on 2.0.0.15 presumably) would include
> these fixes anyway (more than one bug was fixed, though the security
> advisory page only listed one).

Exactly. Thanks for posting this, Callek (I'm still working the backlog 
of those 2 weeks of being away).

Of course, we will do a 1.1.10 some time, but I'm not yet sure if we'll 
base it on Gecko 1.8.1.14 or 1.8.1.15 (the former is what FF 2.0.0.14 
uses and the latter what a future FF 2.0.0.15 will be based upon).

I currently think that we might wait for .15 as I didn't hear of many 
reports about crashing in 1.1.9 and it's not clear if the crash poses an 
exploitable security risk, but doing a SeaMonkey release consumes 
resources that we may be able to better use for bringing a SeaMonkey 2 
alpha forward.

Robert Kaiser
0
Robert
4/22/2008 3:38:00 PM
On 04/22/2008 08:38 AM, Robert Kaiser wrote:
> Justin Wood (Callek) wrote:
>> The issue here does affect SeaMonkey, though it is unlikely it can be
>> exploited. KaiRo and the SeaMonkey team will investigate over the next
>> few days at most on if a 1.1.10 (based on 2.0.0.14) is needed.
>>
>> Though, regardless of that decision, the next SeaMonkey
>> security/stability update (based on 2.0.0.15 presumably) would include
>> these fixes anyway (more than one bug was fixed, though the security
>> advisory page only listed one).
> 
> Exactly. Thanks for posting this, Callek (I'm still working the backlog 
> of those 2 weeks of being away).
> 
> Of course, we will do a 1.1.10 some time, but I'm not yet sure if we'll 
> base it on Gecko 1.8.1.14 or 1.8.1.15 (the former is what FF 2.0.0.14 
> uses and the latter what a future FF 2.0.0.15 will be based upon).
> 
> I currently think that we might wait for .15 as I didn't hear of many 
> reports about crashing in 1.1.9 and it's not clear if the crash poses an 
> exploitable security risk, but doing a SeaMonkey release consumes 
> resources that we may be able to better use for bringing a SeaMonkey 2 
> alpha forward.
> 
> Robert Kaiser

Huh? Your response is akin to saying "screw SM 1.1.x and its thousands
of users - we will look at fixing the security hole sometime later".

http://www.mozilla.org/security/announce/2008/mfsa2008-20.html

<quote>
Workaround

Disable JavaScript until a version containing these fixes can be installed.
</quote>

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380

So you recommend the "Workaround" of disabling JavaScript in SM 1.1.9?

Interesting:
http://www.kb.cert.org/vuls/id/441529
<quote>
III. Solution
Upgrade

Users are encouraged to update to Firefox 2.0.0.14, Thunderbird
2.0.0.14, or SeaMonkey 1.1.10.
</quote>

I don't know where the SM resources are currently assigned, but wherever
they are, they are (IMO) better assigned in immediately fixing *any*
published & identified security issue in the *existing* SM 1.1.x product.

One might tend to forget that there are thousands of SM 1.1.x installs
out there; most based on the good faith of users that still support
SeaMonkey vs a FF/TB.

Either fix the security issue, or issue a statement, and proof, that it
does not affect SM 1.1.9.


0
NoOp
4/23/2008 1:48:57 AM
On Tue, 22 Apr 2008 18:48:57 -0700, NoOp wrote:

> Huh? Your response is akin to saying "screw SM 1.1.x and its thousands
> of users - we will look at fixing the security hole sometime later".

> http://www.mozilla.org/security/announce/2008/mfsa2008-20.html

Doing a build and release takes a significant amount of resources,
including manpower resources. SeaMonkey is an all volunteer effort and
unlike Firefox, does not have any paid employees. Previously CTho was
the SeaMonkey release engineer but he GAFIAted from SeaMonkey some time
ago. So currently KaiRo has to deal with releases on top of everything
else he's supposed to be doing. Incidentally this is one of the things
that led to KaiRo being overworked and burning out, and thence needing
to take a few weeks off playing tourist in California to recover.

We certainly don't want KaiRo to burnout again, so I think if you or
someone else were to step forward and volunteer to help build and drive
releases, you would be welcomed with opened arms by the SeaMonkey community.

Phil (Volunteers please form a line on the right, thank you)

-- 
Philip Chee <philip@aleytys.pc.my>, <philip.chee@gmail.com>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.
[ ]I shave with Occam's Razor.
* TagZilla 0.066.6

0
Philip
4/23/2008 4:17:09 AM
NoOp wrote:
> Huh? Your response is akin to saying "screw SM 1.1.x and its thousands
> of users - we will look at fixing the security hole sometime later".

I think calling it a security hole is rather inaccurate.  There's an 
unreliable crash that could (in theory) be exploited.

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380

.... which exists as a denial of service entry.  Meaning an evil server 
could put the relevant html / javascript in a page and crash SeaMonkey 
when you visit it.  Practically speaking, that would be kinda dumb 
because bugzilla has other simpler, more reliable and unpatched (in any 
product) ways to cause crashes.  Some of those are also (in theory) 
exploitable.

The primary reason Firefox released 2.0.0.14 with the patch is not 
because of security implications but because many people were crashing.

> So you recommend the "Workaround" of disabling JavaScript in SM 1.1.9?

If you want a workaround, I'd recommend you grab a branch nightly:

http://ftp.mozilla.org/pub/mozilla.org/seamonkey/nightly/latest-mozilla1.8/

> I don't know where the SM resources are currently assigned, but wherever

Primarily, we're focused on getting the trunk prepared for alpha release 
of SeaMonkey 2.0.

> they are, they are (IMO) better assigned in immediately fixing *any*
> published & identified security issue in the *existing* SM 1.1.x product.

Again "identified security issue" is not really accurate unless you're 
putting denial of service under the security umbrella.

-- 
Andrew Schultz
ajschult@verizon.net
http://www.sens.buffalo.edu/~ajs42/
0
Andrew
4/23/2008 4:25:09 AM
On 04/22/2008 09:17 PM, Philip Chee wrote:
> On Tue, 22 Apr 2008 18:48:57 -0700, NoOp wrote:
> 
>> Huh? Your response is akin to saying "screw SM 1.1.x and its
>> thousands of users - we will look at fixing the security hole
>> sometime later".
> 
>> http://www.mozilla.org/security/announce/2008/mfsa2008-20.html
> 
> Doing a build and release takes a significant amount of resources, 
> including manpower resources. SeaMonkey is an all volunteer effort
> and unlike Firefox, does not have any paid employees. Previously CTho
> was the SeaMonkey release engineer but he GAFIAted from SeaMonkey
> some time ago. So currently KaiRo has to deal with releases on top of
> everything else he's supposed to be doing. Incidentally this is one
> of the things that led to KaiRo being overworked and burning out, and
> thence needing to take a few weeks off playing tourist in California
> to recover.
> 
> We certainly don't want KaiRo to burnout again, so I think if you or 
> someone else were to step forward and volunteer to help build and
> drive releases, you would be welcomed with opened arms by the
> SeaMonkey community.
> 
> Phil (Volunteers please form a line on the right, thank you)
> 

Total nonsense. But thanks for confirming that SeaMonkey is for
hobbyists from your POV. I suggest that in the future you consider that
SeaMonkey is used in both commercial and personal environments.

Security in commercial, and personal, environments is a serious issue.
If there is an outstanding security issue with SM, then that issue needs
to be addressed first and foremost.
  In my case I have SM installed in over 30 commercial sites. If the
fate of SM hangs on the thread of KaiRo becoming burnt out, then I'll
simply convert those customers over to FF/TB and be done with it.

Andrew provides a reasonable, but still questionable response (thanks
Andrew) in his post. However his suggested workaround for existing
customer and personal installations of:

> If you want a workaround, I'd recommend you grab a branch nightly:
> http://ftp.mozilla.org/pub/mozilla.org/seamonkey/nightly/latest-mozilla1.8/

simply isn't reasonable.

So is SM feasible in a commercial environment with regards to security
issues?:

One recommendation suggests just turning off JavaScript (good idea in my
POV but isn't likely to happen), Andrew suggests loading up SM
2.0(alpha) from a nightly build (again isn't going to happen), another
(CERT) is to upgrade to 1.1.10 which isn't available (and isn't likely
to be available anytime soon according to KaiRo), Philip Chee provides
an emotional response regarding SM and KaiRo being overworked.

In the end I'm left wondering if this issue can/will affect my customers
and what to do about it. I'd like to keep them with SM, but if responses
to SM security issues are indicative of those of Robert/KaiRo, Philip,
and Andrew then perhaps it's time to just move all of my customers over
to FF/TB and be done with it.


0
NoOp
4/23/2008 5:25:59 AM
NoOp wrote:
> Either fix the security issue, or issue a statement, and proof, that it
> does not affect SM 1.1.9.
>
Wow, isn't it fun telling others what to do?

If you really want to cure any bad feelings you may have about SM 
management, then get involved and help out. This is volunteer work, 
you're welcome on board 8-)

/PM
0
larspeemm
4/23/2008 5:38:53 AM
Philip Chee wrote:
> Doing a build and release takes a significant amount of resources,
> including manpower resources. SeaMonkey is an all volunteer effort and
> unlike Firefox, does not have any paid employees. Previously CTho was
> the SeaMonkey release engineer but he GAFIAted from SeaMonkey some time
> ago. So currently KaiRo has to deal with releases on top of everything
> else he's supposed to be doing. Incidentally this is one of the things
> that led to KaiRo being overworked and burning out, and thence needing
> to take a few weeks off playing tourist in California to recover.
> 
> We certainly don't want KaiRo to burnout again, so I think if you or
> someone else were to step forward and volunteer to help build and drive
> releases, you would be welcomed with opened arms by the SeaMonkey community.
> 
> Phil (Volunteers please form a line on the right, thank you)

then I'd like to make a suggestion to KaiRo.  Why don't you 
put on the seamonkey page a volunteer wanted page? Here you 
could list things you need help with, and delegate that to 
someone who could help. You might have to show that person 
what to do and how to do it, but once they know, then they 
can do it.

I know, I know, you'll point me to this: 
http://www.seamonkey-project.org/dev/get-involved, but I had 
to hunt around for that, and for the average person, they 
wouldn't click on development, because they're not into 
developing SM.  That is far too confusing, IMO.  I think it 
should have its own subject like Volunteers Wanted, and not 
underneath another subject.

-- 
*IMPORTANT*: Sorry folks, but I cannot provide email 
help!!!! Emails to me may become public

Notice: This posting is protected under the Free Speech 
Laws, which applies everywhere, except for some strange 
reason, not to the mozilla.org newsgroup servers, where you 
may get banned.

Peter Potamus & His Magic Flying Balloon:
http://www.toonopedia.com/potamus.htm
0
Peter
4/23/2008 5:44:43 AM
On 04/22/2008 10:38 PM, larspeemm wrote:
> NoOp wrote:
>> Either fix the security issue, or issue a statement, and proof, that it
>> does not affect SM 1.1.9.
>>
> Wow, isn't it fun telling others what to do?
> 
> If you really want to cure any bad feelings you may have about SM 
> management, then get involved and help out. This is volunteer work, 
> you're welcome on board 8-)
> 
> /PM

You, as a first time poster, apparently are not intelligent enough to
view the archives of this group regarding my posts, and my support of
SeaMonkey.

*My* volunteer work has involved hundreds of postings to this group, most
of which are directed towards helping other SM users. *My* volunteer
work has also involved installing several hundreds of SM installations
into both commercial and private systems. *My* volunteer work has been
to install any new pre-release and test in both a commercial and private
environment. *My* volunteer work has supported and promoted SeaMonkey
since its inception... and you?

Wow, isn't it fun telling others about "volunteer work" when all you've
done is make a one-time post in this group?






0
NoOp
4/23/2008 6:19:31 AM
On 04/22/2008 10:25 PM, NoOp wrote:
> Andrew suggests loading up SM
> 2.0(alpha) from a nightly build (again isn't going to happen), 

sorry, should have read:

Andrew suggests loading up SM 1.1.10 from a nightly build...
0
NoOp
4/23/2008 6:25:30 AM
NoOp wrote:
> You, as a first time poster, apparently are not intelligent enough to
> view the archives of this group regarding my posts, and my support of
> SeaMonkey.
>
> *My* volunteer work has involved hundreds of postings to this group, most
> of which are directed towards helping other SM users. *My* volunteer
> work has also involved installing several hundreds of SM installations
> into both commercial and private systems. *My* volunteer work has been
> to install any new pre-release and test in both a commercial and private
> environment. *My* volunteer work has supported and promoted SeaMonkey
> since its inception... and you?
>
> Wow, isn't it fun telling others about "volunteer work" when all you've
> done is make a one-time post in this group?
>

OK, you're alright :-) We'll be around.

/PM
0
larspeemm
4/23/2008 7:06:52 AM
Peter Potamus the Purple Hippo wrote:
> I know, I know, you'll point me to this:
> http://www.seamonkey-project.org/dev/get-involved, but I had to hunt
> around for that, and for the average person, they wouldn't click on
> development, because they're not into developing SM. That is far too
> confusing, IMO. I think it should have its own subject like Volunteers
> Wanted, and not underneath another subject.

Everyone not clicking on development is surely not able to handle the 
release process, sorry.

Robert Kaiser
0
Robert
4/23/2008 2:06:38 PM
NoOp wrote:
> Total nonsense. But thanks for confirming that SeaMonkey is for
> hobbyists from your POV. I suggest that in the future you consider that
> SeaMonkey is used in both commercial and personal environments.

So, can you tell me the real threat to *anyone* by not shipping a fix 
for this specific bug for the time being? I can't see any threat 
whatsoever right now, so I don't see the need for investing my time into 
a release that contains nothing else but a fix for this one bug.

Robert Kaiser
0
Robert
4/23/2008 2:08:22 PM
NoOp wrote:
> Huh? Your response is akin to saying "screw SM 1.1.x and its thousands
> of users - we will look at fixing the security hole sometime later".
>
> http://www.mozilla.org/security/announce/2008/mfsa2008-20.html
>
> <quote>
> Workaround
>
> Disable JavaScript until a version containing these fixes can be installed.
> </quote>

<quote>
Fixes for security problems in the JavaScript engine described in MFSA 
2008-15 (CVE-2008-1237) introduced a stability problem, where some users 
experienced crashes during JavaScript garbage collection. This is being 
fixed primarily to address stability concerns. We have no demonstration 
that this particular crash is exploitable [...]
</quote>

So where exactly is the immediate need for a rushed release, taking 
about a full day of my work, probably an afternoon or even full day in 
QA time of volunteers, and probably at least another 2-3 days worth of 
localizers creating and testing new builds?

Robert Kaiser
0
Robert
4/23/2008 2:12:07 PM
On 23.04.2008 01:19, NoOp wrote:

 --- Original Message ---

> You, as a first time poster, apparently are not intelligent enough to
> view the archives of this group regarding my posts, and my support of
> SeaMonkey.

LOL, Lars has been around for a VERY long time and a very respectable
member of the community here and elsewhere, probably moreso than you (in
time, nothing else). Take your own advice and view the archives. You'll
have to use your sense of imagination tho because he's posted under some
different usernames but all recognizable as Lars. :-)

-- 
Jay Garcia Netscape Champion
UFAQ - http://www.UFAQ.org
0
Jay
4/23/2008 2:29:44 PM
On 23.04.2008 09:06, Robert Kaiser wrote:

 --- Original Message ---

> Peter Potamus the Purple Hippo wrote:
>> I know, I know, you'll point me to this:
>> http://www.seamonkey-project.org/dev/get-involved, but I had to hunt
>> around for that, and for the average person, they wouldn't click on
>> development, because they're not into developing SM. That is far too
>> confusing, IMO. I think it should have its own subject like Volunteers
>> Wanted, and not underneath another subject.
> 
> Everyone not clicking on development is surely not able to handle the 
> release process, sorry.
> 
> Robert Kaiser

C'mon  now, even volunteers/programmers have to be shown the way to the
water trough sometimes. :-)

-- 
Jay Garcia Netscape Champion
UFAQ - http://www.UFAQ.org
0
Jay
4/23/2008 2:31:35 PM
Robert Kaiser wrote:
> <quote>
> Fixes for security problems in the JavaScript engine described in MFSA
> 2008-15 (CVE-2008-1237) introduced a stability problem, where some users
> experienced crashes during JavaScript garbage collection. This is being
> fixed primarily to address stability concerns. We have no demonstration
> that this particular crash is exploitable [...]
> </quote>
>
> So where exactly is the immediate need for a rushed release, taking
> about a full day of my work, probably an afternoon or even full day in
> QA time of volunteers, and probably at least another 2-3 days worth of
> localizers creating and testing new builds?
>
> Robert Kaiser

True, let's focus on the alpha. A SM2 alpha 1 before Summer would be 
great. You can count on the Swedish locale from day 1 :-)

/PM
0
larspeemm
4/23/2008 2:35:44 PM
NoOp <glgxg@sbcglobal.net.invalid> wrote:

> In the end I'm left wondering if this issue can/will affect my
> customers and what to do about it.

Their browsers might crash, though it's unlikely.  I'd tell them to
restart their browsers if that happens.
0
ISO
4/23/2008 4:21:30 PM
«Q» wrote:
> NoOp <glgxg@sbcglobal.net.invalid> wrote:
> 
>> In the end I'm left wondering if this issue can/will affect my
>> customers and what to do about it.
> 
> Their browsers might crash, though it's unlikely.  I'd tell them to
> restart their browsers if that happens.

AFAIK there is not even a testcase for reproducing the crash.
The bug should be fixed, but not in a hurry.

-- 
Uli Link
0
Uli
4/23/2008 5:01:42 PM
NoOp wrote:
> On 04/22/2008 09:17 PM, Philip Chee wrote:
>> On Tue, 22 Apr 2008 18:48:57 -0700, NoOp wrote:
>>
>>> Huh? Your response is akin to saying "screw SM 1.1.x and its
>>> thousands of users - we will look at fixing the security hole
>>> sometime later".
>>> http://www.mozilla.org/security/announce/2008/mfsa2008-20.html
>> Doing a build and release takes a significant amount of resources, 
>> including manpower resources. SeaMonkey is an all volunteer effort
>> and unlike Firefox, does not have any paid employees. Previously CTho
>> was the SeaMonkey release engineer but he GAFIAted from SeaMonkey
>> some time ago. So currently KaiRo has to deal with releases on top of
>> everything else he's supposed to be doing. Incidentally this is one
>> of the things that led to KaiRo being overworked and burning out, and
>> thence needing to take a few weeks off playing tourist in California
>> to recover.
>>
>> We certainly don't want KaiRo to burnout again, so I think if you or 
>> someone else were to step forward and volunteer to help build and
>> drive releases, you would be welcomed with opened arms by the
>> SeaMonkey community.
>>
>> Phil (Volunteers please form a line on the right, thank you)
>>
> 
> Total nonsense. But thanks for confirming that SeaMonkey is for
> hobbyists from your POV. I suggest that in the future you consider that
> SeaMonkey is used in both commercial and personal environments.
> 
> Security in commercial, and personal, environments is a serious issue.
> If there is an outstanding security issue with SM, then that issue needs
> to be addressed first and foremost.
>   In my case I have SM installed in over 30 commercial sites. If the
> fate of SM hangs on the thread of KaiRo becoming burnt out, then I'll
> simply convert those customers over to FF/TB and be done with it.
> 
> Andrew provides a reasonable, but still questionable response (thanks
> Andrew) in his post. However his suggested workaround for existing
> customer and personal installations of:
> 
>> If you want a workaround, I'd recommend you grab a branch nightly:
>> http://ftp.mozilla.org/pub/mozilla.org/seamonkey/nightly/latest-mozilla1.8/
> 
> simply isn't reasonable.
> 
> So is SM feasible in a commercial environment with regards to security
> issues?:
> 
> One recommendation suggests just turning off JavaScript (good idea in my
> POV but isn't likely to happen), Andrew suggests loading up SM
> 2.0(alpha) from a nightly build (again isn't going to happen), another
> (CERT) is to upgrade to 1.1.10 which isn't available (and isn't likely
> to be available anytime soon according to KaiRo), Philip Chee provides
> an emotional response regarding SM and KaiRo being overworked.
> 
> In the end I'm left wondering if this issue can/will affect my customers
> and what to do about it. I'd like to keep them with SM, but if responses
> to SM security issues are indicative of those of Robert/KaiRo, Philip,
> and Andrew then perhaps it's time to just move all of my customers over
> to FF/TB and be done with it.
> 
> 

Let's just say, the decision came about by a simple crasher bug, that was 
not even deemed exploitable (to anyone's knowledge) by the Firefox team.

The fact that it *is* a crasher has far far more numbers it will affect 
in Firefox, vs. SeaMonkey.

It will be fixed, just a matter of when the next security release, in 
Firefox's current case I'd say it is a stability release.

I'd put all my own effort toward anything and everything I can help with 
in the release process if I am convinced not fixing this one bug *now* 
will hurt people.

-- 
~Justin Wood (Callek)
0
Justin
4/24/2008 4:06:23 AM
Jay Garcia wrote:
> On 23.04.2008 09:06, Robert Kaiser wrote:
>> Everyone not clicking on development is surely not able to handle the
>> release process, sorry.
>
> C'mon  now, even volunteers/programmers have to be shown the way to the
> water trough sometimes. :-)

Sure, but once they get far enough that they can handle the release 
process we have, they don't fear clicking "development" any more ;-)

Robert Kaiser
0
Robert
4/24/2008 11:15:22 AM
larspeemm wrote:
> True, let's focus on the alpha. A SM2 alpha 1 before Summer would be
> great. You can count on the Swedish locale from day 1 :-)

Thanks for that!
And yes, I also hope we can move to an alpha soon.

Robert Kaiser
0
Robert
4/24/2008 11:16:47 AM
On 24/04/08 13:15, Robert Kaiser wrote:
> Jay Garcia wrote:
>> On 23.04.2008 09:06, Robert Kaiser wrote:
>>> Everyone not clicking on development is surely not able to handle the
>>> release process, sorry.
>>
>> C'mon now, even volunteers/programmers have to be shown the way to the
>> water trough sometimes. :-)
>
> Sure, but once they get far enough that they can handle the release
> process we have, they don't fear clicking "development" any more ;-)
>
> Robert Kaiser

Anyway, SeaMonkey needs all kinds of volunteers: from plain testers who 
might perhaps not even have a CANCONFIRM permission on bugs, to release 
administrators, project leaders, and everything in between. Of course 
there are some people already doing some of these tasks, but there is 
ample room for more. No task too big, no task too small, apply at the 
front office or puzzle your way in. ;-)

Best regards,
Tony.
-- 
It's not the valleys in life I dread so much as the dips.
		-- Garfield
0
Tony
4/24/2008 12:25:45 PM
Tony Mechelynck wrote:
> Anyway, SeaMonkey needs all kinds of volunteers: from plain testers who
> might perhaps not even have a CANCONFIRM permission on bugs, to release
> administrators, project leaders, and everything in between. Of course
> there are some people already doing some of these tasks, but there is
> ample room for more. No task too big, no task too small, apply at the
> front office or puzzle your way in. ;-)

True. FULL ACK.

Robert Kaiser
0
Robert
4/24/2008 2:42:26 PM
Robert Kaiser wrote:
> Jay Garcia wrote:
>> On 23.04.2008 09:06, Robert Kaiser wrote:
>>> Everyone not clicking on development is surely not able to handle the
>>> release process, sorry.
>> C'mon  now, even volunteers/programmers have to be shown the way to the
>> water trough sometimes. :-)
> 
> Sure, but once they get far enough that they can handle the release 
> process we have, they don't fear clicking "development" any more ;-)
> 
> Robert Kaiser

it would be better to have a separate volunteer wanted page, 
and a listing of it to the left.

-- 
*IMPORTANT*: Sorry folks, but I cannot provide email 
help!!!! Emails to me may become public

Notice: This posting is protected under the Free Speech 
Laws, which applies everywhere, except for some strange 
reason, not to the mozilla.org newsgroup servers, where you 
may get banned.

Peter Potamus & His Magic Flying Balloon:
http://www.toonopedia.com/potamus.htm
0
Peter
4/24/2008 5:31:51 PM
On Thu, 24 Apr 2008 10:31:51 -0700, Peter Potamus the Purple Hippo wrote:
> Robert Kaiser wrote:
>> Jay Garcia wrote:
>>> On 23.04.2008 09:06, Robert Kaiser wrote:
>>>> Everyone not clicking on development is surely not able to handle the
>>>> release process, sorry.
>>> C'mon  now, even volunteers/programmers have to be shown the way to the
>>> water trough sometimes. :-)
>> 
>> Sure, but once they get far enough that they can handle the release 
>> process we have, they don't fear clicking "development" any more ;-)
>
> it would be better to have a separate volunteer wanted page, 
> and a listing of it to the left.

True. Come to think about it, the release process also involves QA, so
even if you don't know how to code a single line of javascript, you can
still help to do the smoketests on the release candidates, especially if
you are on a lesser used platform like OSX or Nokia 810 (just joking on
the latter).

Phil

-- 
Philip Chee <philip@aleytys.pc.my>, <philip.chee@gmail.com>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.
[ ]If plugging it in doesn't help, turn it on.
* TagZilla 0.066.6

0
Philip
4/25/2008 3:19:46 AM
On 04/22/2008 09:25 PM, Andrew Schultz wrote:

> 
> If you want a workaround, I'd recommend you grab a branch nightly:
> 
> http://ftp.mozilla.org/pub/mozilla.org/seamonkey/nightly/latest-mozilla1.8/

OK. So I now have:

SeaMonkey 1.1.10pre (as you'll see from the headers on this message).

installed and running on several linux machines (private and commercial).

The question at this point would be: given the remarks from Robert
Kaiser, yourself, & others, what now?

- does this version address the supposed (I say supposed as Kairo etc
state that it is not an issue) security issue?

There are no release notes that I can find that state that this
1.1.10pre addresses anything. BTW: where *are* the release notes for this?

- given the other statements in this thread, does 1.1.10pre need to be
smoketested, verified by a commoner (like myself :-), or is it just a
waste of time at this point as the limited SM resources are now solely
focused on SM2.0?



0
NoOp
4/26/2008 4:21:51 AM
NoOp wrote:
> OK. So I now have:
>
> SeaMonkey 1.1.10pre (as you'll see from the headers on this message).
>
> installed and running on several linux machines (private and commercial).

excellent.

> The question at this point would be: given the remarks from Robert
> Kaiser, yourself, & others, what now?

You have a working build that has the fixes included in Firefox 
2.0.0.14, including the theoretically exploitable crash bug.  And (I 
hope) you don't see any regressions due to other fixes that have also 
landed.

> - does this version address the supposed (I say supposed as Kairo etc
> state that it is not an issue) security issue?

yes.

> There are no release notes that I can find that state that this
> 1.1.10pre addresses anything. BTW: where *are* the release notes for this?

It's not a release, so there are no release notes.  :)

The bugs-fixed-in-this-release are generally compiled from the bonsai 
checkin list (bonsai.mozilla.org), but that might be a bit terse.  We 
aren't aware of any new problems in 1.1.10pre builds.

If you see problems, your best bet is to check in 
mozilla.dev.apps.seamonkey to see if someone else has posted a message 
about similar problems and if not

a) post a message to mozilla.dev.apps.seamonkey
and/or
b) file a bug

But, chances are good you won't encounter anything out of the ordinary, 
and in that case, you can ignore all that.  :)

> - given the other statements in this thread, does 1.1.10pre need to be
> smoketested, verified by a commoner (like myself :-), or is it just a
> waste of time at this point as the limited SM resources are now solely
> focused on SM2.0?

Yes, and no.  We're still taking patches that would go into what will be 
released as 1.1.10, so we haven't started formal testing of the builds. 
  But we would very much appreciate hearing about anything you notice 
that looks like it might be a bug so we can get it fixed now (fixing now 
is much easier than fixing after we start up the release process).

-- 
Andrew Schultz
ajschult@verizon.net
http://www.sens.buffalo.edu/~ajs42/
0
Andrew
4/26/2008 5:10:23 AM
> Sure, but once they get far enough that they can handle the release 
> process we have, they don't fear clicking "development" any more ;-)

Developers don't click "development", they already know the ropes. And 
if there's something they must know they ask on IRC.
0
Benoit
4/26/2008 9:50:04 AM
On 04/25/2008 10:10 PM, Andrew Schultz wrote:

> 
> The bugs-fixed-in-this-release are generally compiled from the bonsai 
> checkin list (bonsai.mozilla.org), but that might be a bit terse.  We 
> aren't aware of any new problems in 1.1.10pre builds.
> 
> If you see problems, your best bet is to check in 
> mozilla.dev.apps.seamonkey to see if someone else has posted a message 
> about similar problems and if not
> 
> a) post a message to mozilla.dev.apps.seamonkey
> and/or
> b) file a bug
> 
> But, chances are good you won't encounter anything out of the ordinary, 
> and in that case, you can ignore all that.  :)
> 
>> - given the other statements in this thread, does 1.1.10pre need to be
>> smoketested, verified by a commoner (like myself :-), or is it just a
>> waste of time at this point as the limited SM resources are now solely
>> focused on SM2.0?
> 
> Yes, and no.  We're still taking patches that would go into what will be 
> released as 1.1.10, so we haven't started formal testing of the builds. 
>   But we would very much appreciate hearing about anything you notice 
> that looks like it might be a bug so we can get it fixed now (fixing now 
> is much easier than fixing after we start up the release process).
> 

Thanks Andrew. So far I've experienced no 1.1.10pre problems at all on:

- Linux (Ubuntu 7.10 Gutsy and 8.04 Hardy)
- 4 private machines (including my primary work machine), 5 commercial
- Windows: I'll try this weekend on WinXP

Of that:

- 2 fresh installs on Ubuntu 8.04; no issues/problems at all
- remainder of installs were over 1.1.9; no issues/problems at all so far




0
NoOp
4/27/2008 1:31:18 AM
On 04/23/2008 07:29 AM, Jay Garcia wrote:
> On 23.04.2008 01:19, NoOp wrote:
> 
>  --- Original Message ---
> 
>> You, as a first time poster, apparently are not intelligent enough to
>> view the archives of this group regarding my posts, and support my of
>> SeaMonkey.
> 
> LOL, Lars has been around for a VERY long time and a very respectable
> member of the community here and elsewhere, probably moreso than you (in
> time, nothing else). Take your own advice and view the archives. You'll
> have to use your sense of imagination tho because he's posted under some
> different usernames but all recognizable as Lars. :-)
> 

OK. Apology to Lars... I'd looked before my now somewhat embarrassing
blaster and didn't see any previous posts from that address. I see now
that I've purged all except the 2008 posts.

0
NoOp
4/27/2008 4:51:55 AM
NoOp skriver:
> On 04/23/2008 07:29 AM, Jay Garcia wrote:
>> On 23.04.2008 01:19, NoOp wrote:
>>
>>   --- Original Message ---
>>
>>> You, as a first time poster, apparently are not intelligent enough to
>>> view the archives of this group regarding my posts, and support my of
>>> SeaMonkey.
>> LOL, Lars has been around for a VERY long time and a very respectable
>> member of the community here and elsewhere, probably moreso than you (in
>> time, nothing else). Take your own advice and view the archives. You'll
>> have to use your sense of imagination tho because he's posted under some
>> different usernames but all recognizable as Lars. :-)
>>
>
> OK. Apology to Lars... I'd looked before my now somewhat embarrassing
> blaster and didn't see any previous posts from that address. I see now
> that I've purged all except the 2008 posts.
>
No problem :-D

My most active posting period has expired. Think it was around 2003-04 
in the Andkon era. Years go by.

/PM
0
larspeemm
4/27/2008 9:19:17 AM
On 04/23/2008 07:08 AM, Robert Kaiser wrote:
> NoOp wrote:
>> Total nonsense. But thanks for confirming that SeaMonkey is for
>> hobbyists from your POV. I suggest that in the future you consider that
>> SeaMonkey is used in both commercial and personal environments.
> 
> So, can you tell me the real threat to *anyone* by not shipping a fix 
> for this specific bug for the time being? I can't see any threat 
> whatsoever right now, so I don't see the need for investing my time into 
> a release that contains nothing else but a fix for this one bug.
> 
> Robert Kaiser


So can you tell me there is not?

I think that you totally miss(ed) the issue/perspective from a user
point of view:

===========================================
Mozilla Foundation Security Advisory 2008-20

Title: Crash in JavaScript garbage collector
Impact: Critical
Announced: April 16, 2008
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 2.0.0.14
  Thunderbird 2.0.0.14
  SeaMonkey 1.1.10
=============================================

It is a Security Advisory, it is marked *Impact: Critical*, and it shows:

Fixed in: Firefox 2.0.0.14
  Thunderbird 2.0.0.14
  SeaMonkey 1.1.10

What do you tell your customers (or relatives/friends/enemies) when they
call up and ask when they will receive an update as they did for their
Firefox and Thunderbird applications?  Should we just blow them off and
tell them "not to worry, that SA is just BS and Kairo/SM say not to
worry about it and that the SM folks are too busy working on SM 2.0"?

Be sensible here. If the SA is incorrect, change it to reflect that SM
is not at risk, and that there is no 1.1.10 imminent. SA's and CVE's, to
include such reports as:

http://secunia.com/advisories/29860/
http://www.kb.cert.org/vuls/id/441529

are taken *very* seriously in commercial/production environments.

If you/SM ever expect SM to be used, and promoted in a
commercial/production environment, then _you_ and the SM Council et al,
need to take these announcements just as seriously.

One would hope that SM is past the hobbyist stage. So *please* allocate
resources to 1.1.10 if that resolves the issue, or send out a correction
to the SA/CVE stating that it is *not* an issue.

And yes, _I_ do understand the:

Per Mozilla Foundation Security Advisory 2008-20:

      Fixes for security problems in the JavaScript engine described in
MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some
users experienced crashes during JavaScript garbage collection. This is
being fixed primarily to address stability concerns. We have no
demonstration that this particular crash is exploitable but are issuing
this advisory because some crashes of this type have been shown to be
exploitable in the past.

part. But my customers tend to only look at the first part:

Title: Crash in JavaScript garbage collector
Impact: Critical
Announced: April 16, 2008
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 2.0.0.14
  Thunderbird 2.0.0.14
  SeaMonkey 1.1.10

so they ask: where is SeaMonkey 1.1.0? I tell them not to worry, and
they respond: well I received updates to FF and TB, so where is
SeaMonkey 1.1.0...








0
NoOp
4/29/2008 2:13:29 AM
NoOp wrote:
> so they ask: where is SeaMonkey 1.1.0?

A few weeks away, not more than two months.

There is no proof whatsoever that this _is_ an exploitable problem and 
therefore there is no immediate danger to any user.

(As a note, by reacting to a probably non-exploitable issue within two 
months, we are much faster than some competitors who are market leaders 
and known to not have fixed heavily exploitable vulnerabilities for half 
a year in multiple cases.)

Robert Kaiser
0
Robert
4/29/2008 12:03:55 PM
On 29/04/08 14:03, Robert Kaiser wrote:
> NoOp wrote:
>> so they ask: where is SeaMonkey 1.1.0?
>
> A few weeks away, not more than two months.
>
> There is no proof whatsoever that this _is_ an exploitable problem and
> therefore there is no immediate danger to any user.
>
> (As a note, by reacting to a probably non-exploitable issue within two
> months, we are much faster than some competitors who are market leaders
> and known to not have fixed heavily exploitable vulnerabilities for half
> a year in multiple cases.)
>
> Robert Kaiser

Robert, I love the way you are "not naming" them, carefully talking 
around the name but describing them in such a way that one will be 
fooled. :-D :-D :-D

Best regards,
Tony.
-- 
BEDEVERE: Look!  It's the old man from scene 24 - what's he Doing here?
ARTHUR:   He is the keeper of the Bridge.  He asks each traveler five
           questions ...
GALAHAD:  Three questions.
                  "Monty Python and the Holy Grail" PYTHON (MONTY) 
PICTURES LTD
0
Tony
4/29/2008 1:28:32 PM
On Tue, 22 Apr 2008 22:25:59 -0700, NoOp wrote:
> In the end I'm left wondering if this issue can/will affect my customers
> and what to do about it. I'd like to keep them with SM, but if responses
>  to SM security issues are indicative of those of Robert/KaiRo, Phillip,
> and Andrew then perhaps it's time to just move all of my customers over
> to FF/TB and be done with it.

<http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/>
<https://bugzilla.mozilla.org/show_bug.cgi?id=431819>

Aren't you all glad now that SeaMonkey didn't rush out a security
release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D

Phil

-- 
Philip Chee <philip@aleytys.pc.my>, <philip.chee@gmail.com>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.
[ ]File Not Found: (A)bort, (R)etry, (F)ake It?
* TagZilla 0.066.6

0
Philip
5/13/2008 2:39:40 AM
On 5/12/2008 7:39 PM PT, Philip Chee typed:

>> In the end I'm left wondering if this issue can/will affect my customers
>> and what to do about it. I'd like to keep them with SM, but if responses
>>  to SM security issues are indicative of those of Robert/KaiRo, Phillip,
>> and Andrew then perhaps it's time to just move all of my customers over
>> to FF/TB and be done with it.
> 
> <http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/>
> <https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
> 
> Aren't you all glad now that SeaMonkey didn't rush out a security
> release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D

Heh. I don't use IMAP. :)
-- 
"The ants sought personal revenge for my having sprayed them the day 
before." --Oliver Smith
    /\___/\
   / /\ /\ \  Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
  | |o   o| |        Ant's Quality Foraged Links (AQFL): http://aqfl.net
     \ _ /       Remove ANT from e-mail address: philpi@earthlink.netANT
      ( )                                           or ANTant@zimage.com
Ant is currently not listening to any songs on his home computer.
0
Ant
5/13/2008 4:02:10 AM
On approximately 5/12/2008 9:02 PM, came the following characters from 
the keyboard of Ant:
> On 5/12/2008 7:39 PM PT, Philip Chee typed:
> 
>>> In the end I'm left wondering if this issue can/will affect my customers
>>> and what to do about it. I'd like to keep them with SM, but if responses
>>>  to SM security issues are indicative of those of Robert/KaiRo, Phillip,
>>> and Andrew then perhaps it's time to just move all of my customers over
>>> to FF/TB and be done with it.
>>
>> <http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/> 
>>
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
>>
>> Aren't you all glad now that SeaMonkey didn't rush out a security
>> release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D
> 
> Heh. I don't use IMAP. :)


That sounds like a personal problem.  But it is orthogonal to this 
issue: this issue is if you use SSL, whether via IMAP, POP, SMTP, LDAP, 
or whatever protocol.

-- 
Glenn -- http://nevcal.com/
===========================
A protocol is complete when there is nothing left to remove.
-- Stuart Cheshire, Apple Computer, regarding Zero Configuration Networking
0
Glenn
5/13/2008 5:15:09 AM
On 13/05/08 06:02, Ant wrote:
> On 5/12/2008 7:39 PM PT, Philip Chee typed:
>
>>> In the end I'm left wondering if this issue can/will affect my customers
>>> and what to do about it. I'd like to keep them with SM, but if responses
>>> to SM security issues are indicative of those of Robert/KaiRo, Phillip,
>>> and Andrew then perhaps it's time to just move all of my customers over
>>> to FF/TB and be done with it.
>>
>> <http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/>
>>
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
>>
>> Aren't you all glad now that SeaMonkey didn't rush out a security
>> release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D
>
> Heh. I don't use IMAP. :)

It's also on POP and SMTP whenever you use SSL.

Best regards,
Tony.
-- 
panic: can't find /
0
Tony
5/13/2008 5:26:01 AM
Philip Chee wrote:

>On Tue, 22 Apr 2008 22:25:59 -0700, NoOp wrote:
>  
>
>>In the end I'm left wondering if this issue can/will affect my customers and what to do about it. I'd like to keep them with SM, but if responses to SM security issues are indicative of those of Robert/KaiRo, Phillip, and Andrew then perhaps it's time to just move all of my customers over to FF/TB and be done with it.
>>    
>>
><http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/>
><https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
>
>Aren't you all glad now that SeaMonkey didn't rush out a security release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D
>  
>
Hey, at least we still have real UI we can relnote if necessary ;-)

-- 
Warning: May contain traces of nuts.
0
Neil
5/13/2008 10:06:02 AM
On 5/12/2008 10:15 PM PT, Glenn typed:

> On approximately 5/12/2008 9:02 PM, came the following characters from 
> the keyboard of Ant:
>> On 5/12/2008 7:39 PM PT, Philip Chee typed:
>>
>>>> In the end I'm left wondering if this issue can/will affect my 
>>>> customers
>>>> and what to do about it. I'd like to keep them with SM, but if 
>>>> responses
>>>>  to SM security issues are indicative of those of Robert/KaiRo, 
>>>> Phillip,
>>>> and Andrew then perhaps it's time to just move all of my customers over
>>>> to FF/TB and be done with it.
>>>
>>> <http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/> 
>>>
>>> <https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
>>>
>>> Aren't you all glad now that SeaMonkey didn't rush out a security
>>> release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D
>>
>> Heh. I don't use IMAP. :)
> 
> 
> That sounds like a personal problem.  But it is orthogonal to this 
> issue: this issue is if you use SSL, whether via IMAP, POP, SMTP, LDAP, 
> or whatever protocol.

Oh. OK, that's a problem if I am using POP3 and SMTP with SSL. My bad. :)
-- 
"I once heard the survivors of a colony of ants that had been partially 
obliterated by a cow's foot seriously debating the intention of the gods 
towards their civilization" --Archy the Cockroach from Don Marquis' 
"Archy and Mehitabel" book ("Certain Maxims of Archy" poem)
    /\___/\
   / /\ /\ \  Phil/Ant @ http://antfarm.home.dhs.org (Personal Web Site)
  | |o   o| |        Ant's Quality Foraged Links (AQFL): http://aqfl.net
     \ _ /       Remove ANT from e-mail address: philpi@earthlink.netANT
      ( )                                           or ANTant@zimage.com
Ant is currently not listening to any songs on his home computer.
0
Ant
5/13/2008 12:46:26 PM
Philip Chee wrote:
> <http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/>
> <https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
>
> Aren't you all glad now that SeaMonkey didn't rush out a security
> release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D

Actually, the backend fix was part of 1.8.1.13 and we shipped it with 
1.1.9.  TB skipped 2.0.0.13.

-- 
Andrew Schultz
ajschult@verizon.net
http://www.sens.buffalo.edu/~ajs42/
0
Andrew
5/13/2008 1:39:30 PM
Andrew Schultz wrote:
> Philip Chee wrote:
>> <http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/>
>>
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
>>
>> Aren't you all glad now that SeaMonkey didn't rush out a security
>> release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D
>
> Actually, the backend fix was part of 1.8.1.13 and we shipped it with
> 1.1.9. TB skipped 2.0.0.13.

Hmm, and I actually wonder why we haven't got complaints about it. Is 
our UI enough to solve the problem for people?

Robert Kaiser
0
Robert
5/14/2008 2:07:24 AM
Robert Kaiser wrote:
> Andrew Schultz wrote:
>> Philip Chee wrote:
>>> <http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/> 
>>>
>>>
>>> <https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
>>>
>>> Aren't you all glad now that SeaMonkey didn't rush out a security
>>> release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D
>>
>> Actually, the backend fix was part of 1.8.1.13 and we shipped it with
>> 1.1.9. TB skipped 2.0.0.13.
> 
> Hmm, and I actually wonder why we haven't got complaints about it. Is 
> our UI enough to solve the problem for people?
> 

The way I read TB's bug, our problem is two-fold.  We can't set the pref 
to act this way only for web content, and not for mail.  While TB 
primarily handles mail, and we *want* this enabled for web content.

The user base affected by this setting in mail is relatively small even 
by TB standards. And we actually have UI to change/modify this setting, 
it appears TB does not.

So our risk here is minimal.
-- 
~Justin Wood (Callek)
0
Justin
5/14/2008 4:23:20 AM
On 05/12/2008 07:39 PM, Philip Chee wrote:
> On Tue, 22 Apr 2008 22:25:59 -0700, NoOp wrote:
>> In the end I'm left wondering if this issue can/will affect my customers
>> and what to do about it. I'd like to keep them with SM, but if responses
>>  to SM security issues are indicative of those of Robert/KaiRo, Phillip,
>> and Andrew then perhaps it's time to just move all of my customers over
>> to FF/TB and be done with it.
> 
> <http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/>
> <https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
> 
> Aren't you all glad now that SeaMonkey didn't rush out a security
> release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D
> 
> Phil
> 

I suppose, but then again I wouldn't have experienced the problem as I
don't use ssl-certs to receive or send email w/Thunderbird. And to be
quite honest, even now I only use FF/TB on occasion & mostly for
testing. I have about 5 customers that use them regularly, but I've not
received any problem reports so far regarding this issue/bug.

0
NoOp
5/14/2008 4:38:56 AM
Tony Mechelynck wrote, On 2008-05-12 22:26:
> On 13/05/08 06:02, Ant wrote:
>> On 5/12/2008 7:39 PM PT, Philip Chee typed:
>>
>>>> In the end I'm left wondering if this issue can/will affect my customers
>>>> and what to do about it. I'd like to keep them with SM, but if responses
>>>> to SM security issues are indicative of those of Robert/KaiRo, Phillip,
>>>> and Andrew then perhaps it's time to just move all of my customers over
>>>> to FF/TB and be done with it.
>>> <http://ascher.ca/blog/2008/05/12/thunderbird-20014-and-ssl-certificates/>
>>>
>>> <https://bugzilla.mozilla.org/show_bug.cgi?id=431819>
>>>
>>> Aren't you all glad now that SeaMonkey didn't rush out a security
>>> release in sync with Firefox 2.0.0.14 like Thunderbird did? :D :D
>> Heh. I don't use IMAP. :)
> 
> It's also on POP and SMTP whenever you use SSL.

Only with misconfigured servers.

A server that requests client authentication and has disabled its SSL
session cache, or has shortened the cache lifetime to some absurdly short
time, is simply misconfigured.

This is an evangelism problem.  The users need to push on those server
admins to enable their server SSL session caches with reasonable lifetimes.
It's no different than getting the server admins to replace expired certs.
The admins have to do their jobs, and when they fail to do so, we shouldn't
all be hasty to fall on our swords.
0
Nelson
5/29/2008 12:26:21 AM