Hi again all,

More Seamonkey vulnerabilities...

From <http://www.mozilla.org/projects/security/known-vulnerabilities.html#SeaMonkey>, there is this list:

Fixed in SeaMonkey 1.0.2
------------------------
Critical - MFSA 2006-43 Privilege escalation using addSelectionListener
High     - MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
High     - MFSA 2006-41 File stealing by changing input type (variant)
Critical - MFSA 2006-40 Double-free on malformed VCard
Low      - MFSA 2006-39 "View Image" local resource linking (Windows)
Critical - MFSA 2006-38 Buffer overflow in crypto.signText()
Critical - MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
Critical - MFSA 2006-35 Privilege escalation through XUL persist
Moderate - MFSA 2006-34 XSS viewing javascript: frames or images from context menu
High     - MFSA 2006-33 HTTP response smuggling
Critical - MFSA 2006-32 Fixes for crashes with potential memory corruption
Moderate - MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

Similar lists exist for Firefox ("Fixed in Firefox 1.5.0.4") and Thunderbird ("Fixed in Thunderbird 1.5.0.4") vulnerabilities on that same page.

Somehow, I suspect that if these vulnerabilities exist in Seamonkey, then many will also exist in Mozilla-1.7.13, in Firefox-1.0.8, and Thunderbird-1.0.8 ....

What is the Mozilla Foundation trying to do here? Make zero-day exploits available to malware writers to use against legacy users of Mozilla-1.7.13, Firefox-1.0.8, and Thunderbird-1.0.8?!?

Is there any coordination among outside maintainers of these legacy packages (since the Mozilla Foundation's official policy is that Mozilla-1.7.13 was the end of the line for the Mozilla suite)? Should there be??

Regards,
David Eisenstein

ps: None of the detailed MFSA's linked to from the known-vulnerabilities page that I looked at had any CVE's listed for them. Does anyone know if any CVE's are assigned for these vulnerabilities?
Also, all of the bugzilla.mozilla.org links from the MFSA's seem to be embargoed (at least for me). Does anyone here have access to those bug reports?