Closed Bug 1209484 Opened 7 years ago Closed 7 years ago

Update SeaMonkey vulnerabilities page for 2.35 and 2.38 releases

Categories: www.mozilla.org :: General, defect
Production, defect, Not set, normal
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: rsx11m.pub, Assigned: rsx11m.pub
Attachments: 2 files

We have skipped 2.34 (Gecko 37), and 2.35 is on par with 38.2.0 ESR.
SeaMonkey 2.38 is built from Gecko 41.

Please add those releases to the respective MFSA pages and the main page.
Thanks.
Build information for SM 2.35:
http://hg.mozilla.org/releases/mozilla-esr38/rev/cf6b17cea869   [SEAMONKEY_2_35_RELEASE_BRANCH]
http://hg.mozilla.org/releases/comm-release/rev/b939f5c5904d    [SEAMONKEY_2_35_RELEASE_BRANCH]

Build information for SM 2.38:
http://hg.mozilla.org/releases/mozilla-release/rev/78c82e5cd777 [GECKO410_2015091718_RELBRANCH]
http://hg.mozilla.org/releases/comm-release/rev/5d9eeddc129e    [SEA_COMM410_20150923_RELBRANCH]
Note: SeaMonkey 2.35 was a special case as its release was way behind schedule and needed various patches from the MailNews side, hence the special arrangement to branch SEAMONKEY_2_35_RELEASE_BRANCH off the THUNDERBIRD_38_VERBRANCH established for Thunderbird 38.x fixes.
Blocks: SM2.35, SM2.38
Hi Dan-

Does this update fall under your team?

Thanks,
Jen
Flags: needinfo?(dveditz)
abillings normally does the advisories when we publish them for Firefox, but at this point you're talking about updating 85 advisories (or most of them) from MFSA 2015-30 through 2015-114
https://www.mozilla.org/en-US/security/advisories/

The best approach would be for someone from the seamonkey team to do the bulk of the work figuring out which advisories apply and then issue a pull request against
https://github.com/mozilla/foundation-security-advisories that Al could then push.
Flags: needinfo?(dveditz)
I don't have permission to look into the bugs referred to from the MFSA pages.
In general, I'd assume that all MFSAs apply which aren't specific to browser/ or mail/ (or any other application-specific directories in the mozilla-{esr38,release} and comm-release repositories).
(In reply to Daniel Veditz [:dveditz] from comment #4)
> abillings normally does the advisories when we publish them for Firefox, but
> at this point you're talking about updating 85 advisories (or most of them)
> from MFSA 2015-30 through 2015-114
> https://www.mozilla.org/en-US/security/advisories/
> 
> The best approach would be for someone from the seamonkey team to do the
> bulk of the work figuring out which advisories apply and then issue a pull
> request against
> https://github.com/mozilla/foundation-security-advisories that Al could then
> push.

Thanks, Dan. That sounds like a good plan to me.
(In reply to rsx11m from comment #5)
> I don't have permission to look into the bugs referred to from the MFSA
> pages.

I don't know which bugs you are referring to, but if you could list them here maybe someone can help you get access.

As Dan mentioned, the best way to get this work done will be for someone from the seamonkey team to issue a pull request against https://github.com/mozilla/foundation-security-advisories with the new/updated content.
(In reply to Jennifer Bertsch [:jbertsch] from comment #8)
> I don't know which bugs you are referring to, but if you could list them
> here maybe someone can help you get access.

Well, that list would be at least as long as the number of MFSAs to be covered...  :-(

In general, for SeaMonkey 2.35, candidates are all fixes for
  Firefox 37.0, 37.0.1, 37.0.2                    MFSA 2015-30 to 2015-45
  Firefox 38.0, 38.1 ESR                          MFSA 2015-46 to 2015-67 and -69/70/71
  Firefox 38.1.1 ESR, 38.2 ESR                    MFSA 2015-78/79/80/82-85/87-90/92
  Thunderbird 38.0.1, 38.1.0, 38.2.0              (for Mail/News, seems to be included in above)

and for SeaMonkey 2.38, candidates are all fixes for
  Firefox 39.0, 39.0.3, 40.0                      MFSA 2015-81/86/91 (not covered in 38.x ESR)
  Firefox 40.0.3, 41.0                            MFSA 2015-94 to 2015-114

I'm not sure if it's feasible to go through those manually to verify whether only changes were made that are NPOTB for SeaMonkey, in which case the respective MFSA could be removed. Other than the Android-specific MFSA 2015-41/52/99, I don't see any obvious candidate for removal, so the "easy" way would be to just take the whole list and add the respective SeaMonkey releases to those MFSAs.

It would be good to know which criteria abillings is using to include a vulnerability for SeaMonkey.
(In reply to rsx11m from comment #9)

> It would be good to know which criteria abillings is using to include a
> vulnerability for SeaMonkey.

If Firefox (or both Firefox and Thunderbird) are vulnerable, I assume SeaMonkey is unless I know it is a Firefox only feature, which has happened a few times before. I have no special SeaMonkey insight nor do I run it. :-)
This is the best I can do from reading the advisories and looking into available patches. For advisories affecting both Firefox and Thunderbird, I assumed that SeaMonkey is equally affected. For Firefox-only announcements, I tried to look them up on hg.mozilla.org to see if only changes for browser/ were made or if it's a component not used by SeaMonkey, but not all of them showed up due to frequently obscured commit messages not listing a bug number.

Thus, following the list in comment #9:
  - dropped 2015-32 which seems to be specific to Firefox LWT
  - dropped 2015-41/52/99, those only apply to Android platforms
  - dropped 2015-43 as it's on the built-in Reader not used in SeaMonkey
  + added 2015-68 which was specific to Mac OSX but in shared widget code
  - dropped 2015-69/78 on PDF.js which is not used by SeaMonkey either
  + added 2015-93 which was listed for Firefox 38 only (maybe ESR branch?)
  - dropped 2015-100 as SeaMonkey doesn't use the Maintenance Service

I've also corrected a typo in 2015-109 while I was there. ;-)

I assumed all media/ issues apply to SeaMonkey as well (we don't support EME yet, but at least for me, it's impossible to tell any dependencies here).
Assignee: nobody → rsx11m.pub
Attachment #8672160 - Flags: review?(abillings)
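The triage rules spelled out in comments #9 and #10 (assume SeaMonkey is affected whenever both Firefox and Thunderbird are; for Firefox-only advisories, drop them only when the fix is confined to browser/ or to a component SeaMonkey does not ship; keep anything whose fix could not be located) can be turned into a small script. The following is an added example, not code from this bug or from Mozilla's advisory tooling: the `expand_ids` helper parses the range shorthand used in comment #9, and `triage` applies the rules to advisory records. The path prefixes and the sample advisory records are constructed for illustration; the MFSA ids come from the thread, but the files listed against them are assumptions.

```python
"""Decide which MFSAs apply to a SeaMonkey release (added example, not Mozilla code)."""
import re
from dataclasses import dataclass

# Directories built by only one application (not part of SeaMonkey's build).
APP_SPECIFIC_PREFIXES = ("browser/", "mobile/")
# Shared-tree components the thread says SeaMonkey does not use (assumed paths).
NOT_SHIPPED_PREFIXES = (
    "toolkit/components/maintenanceservice/",
    "toolkit/components/reader/",
    "browser/extensions/pdfjs/",
)


@dataclass
class Advisory:
    mfsa_id: str               # e.g. "2015-100"
    products: frozenset        # products named in the advisory
    touched_paths: tuple = ()  # files changed by the fix; () if not located


def expand_ids(spec):
    """Expand the shorthand from comment #9 into full MFSA ids.

    Accepts '2015-30 to 2015-45', '2015-78/79/80/82-85/87-90/92' and
    '2015-46 to 2015-67 and -69/70/71'.
    """
    year, rest = re.match(r"(\d{4})-(.*)", spec).groups()
    rest = re.sub(rf"\b{year}-", "", rest)   # drop repeated year in the 'to' form
    rest = rest.replace(" and -", "/").replace(" to ", "-")
    ids = []
    for part in rest.split("/"):
        lo, _, hi = part.partition("-")
        ids.extend(f"{year}-{n}" for n in range(int(lo), int(hi or lo) + 1))
    return ids


def applies_to_seamonkey(adv):
    """Return (keep, reason) for one advisory, following the thread's rules."""
    if adv.products == frozenset({"Firefox for Android"}):
        return False, "Android-only"
    if {"Firefox", "Thunderbird"} <= adv.products:
        return True, "affects both Firefox and Thunderbird"
    if not adv.touched_paths:
        # Commit could not be located (obscured commit message): keep, review by hand.
        return True, "fix not located; keep and review manually"
    skip = APP_SPECIFIC_PREFIXES + NOT_SHIPPED_PREFIXES
    if all(p.startswith(skip) for p in adv.touched_paths):
        return False, "fix confined to code SeaMonkey does not build"
    return True, "fix touches shared code"


def triage(advisories):
    """Split advisories into (add, drop) lists of (mfsa_id, reason)."""
    add, drop = [], []
    for adv in advisories:
        keep, reason = applies_to_seamonkey(adv)
        (add if keep else drop).append((adv.mfsa_id, reason))
    return add, drop


# Constructed sample records: ids follow the thread, file paths are illustrative.
SAMPLE = [
    Advisory("2015-41", frozenset({"Firefox for Android"})),
    Advisory("2015-43", frozenset({"Firefox"}), ("toolkit/components/reader/ReaderMode.jsm",)),
    Advisory("2015-68", frozenset({"Firefox"}), ("widget/cocoa/nsChildView.mm",)),
    Advisory("2015-100", frozenset({"Firefox"}),
             ("toolkit/components/maintenanceservice/workmonitor.cpp",)),
    Advisory("2015-109", frozenset({"Firefox", "Thunderbird"})),
    Advisory("2015-93", frozenset({"Firefox"})),
]

if __name__ == "__main__":
    add, drop = triage(SAMPLE)
    for mfsa, why in add:
        print(f"+ {mfsa}: {why}")
    for mfsa, why in drop:
        print(f"- {mfsa}: {why}")
    print(len(expand_ids("2015-30 to 2015-45")), "candidates for Firefox 37.x")
```

The conservative default (keep anything whose fix cannot be found) matches the situation described in the thread, where obscured commit messages made some fixes impossible to trace; those entries come out tagged for manual review rather than silently dropped.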
Can you do this via Github and not in Bugzilla as I'm still going to need to accept it there?
I don't have a Github account and don't know how to create a "pull request" there. If you can just apply the patch and push it from your side, this would simplify things on my end substantially.
I literally have no idea how I'm supposed to apply this patch to a github repo. These files aren't checked into hg so git is the only resolution mechanism.
Try "patch -p1 < bug1209484.patch" from the command line. I realize that git is similar to hg, but it's still sufficiently different to imply a learning curve (e.g., no "git import" for this case?).
Ah, "git apply" seems to be the corresponding command for applying a patch.
Attached file Pull request
Attachment #8672160 - Attachment is obsolete: true
Attachment #8672160 - Flags: review?(abillings)
Great, thanks ewong!
https://github.com/mozilla/foundation-security-advisories/pull/7

Merged.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment on attachment 8672160 [details] [diff] [review]
Proposed additions

Thanks, I'm unhiding this patch FTR as it reflects what was pushed on GitHub.
Attachment #8672160 - Attachment is obsolete: false
Status: RESOLVED → VERIFIED