Why we need Gecko updates

Robert Kaiser kairo at kairo.at
Wed Dec 9 14:49:05 UTC 2015


Note that Thunderbird's feed reader has all those bells and whistles 
enabled and is vulnerable to almost any browser-style attack.

KaiRo

Gervase Markham wrote:
> On 08/12/15 19:40, Ben Bucksch wrote:
>> * JS is disabled by default
>
> It would be interesting to catalogue the security bugs discovered over
> the past 2 years to see which required JS (or video or audio playback,
> both of which I hope TB disables as well) and which did not.
>
>> Unfortunately, Mozilla gave up on supporting old Gecko versions with
>> security patches. Time's over once the ESR release is unsupported, which
>> is currently 6-8 months. Anything else was considered not feasible for the
>> Firefox security team. There's no chance that the Thunderbird team can
>> keep up.
>
> I think more analysis is required to say that it would be impossible for
> the TB team to adapt or backport the number of security fixes over the
> past two years which did not require JS to be enabled.
>
> Re: Postbox:
>> If they still use Gecko 9.0, I presume they have lots of security
>> holes.
>
> If this is true, why not spend a bit of time proving your point by
> finding one? The MFSA list would be a good place to start. :-)
>
> Gerv