>
> Similar lists exists for Firefox ("Fixed in Firefox 1.5.0.4") and
> Thunderbird ("Fixed in Thunderbird 1.5.0.4") vulnerabilities on that same page.
>
> Somehow, I suspect that if these vulnerabilities exist in Seamonkey, then
> many will also exist in Mozilla-1.7.13, in Firefox-1.0.8, and
> Thunderbird-1.0.8 ....
Some of them do, some of them don't. I don't have a complete list yet.
I've tracked down the most critical issues. Take a look at these bugs for
the CVE ids I've identified.
Mozilla: 193906
Firefox: 193895
We're working on a patch for those particular issues.
Thunderbird has no critical bugs.
>
> What is the Mozilla Foundation trying to do here? Make zero-day exploits
> available to malware writers to use against legacy users of Mozilla-1.7.13
> Firefox-1.0.8, and Thunderbird-1.0.8 users?!? Is there any coordination
> among outside maintainers of these legacy packages (since the Mozilla
> foundation's official policy is that Mozilla-1.7.13 was the end of the line
> for the Mozilla suite)? Should there be??
The Mozilla Foundation doesn't care about users running the older versions
of the suite and Firefox. I could go into detail about their mishandling
of this, but I'd rather not. They have no interest in coordinating with
vendors in any way. They've done a very poor job communicating the EOL of
their products.
I personally consider releasing a critical update on a Friday very
irresponsible. I've let them know this more than once, which has been
ignored.
>
> Regards,
>
> David Eisenstein
>
> ps: None of the detailed MSFA's linked to from the known-vulnerabilities
> page that I looked at had any CVE's listed for them. Does anyone know if
> any CVE's are assigned for these vulnerabilities? Also, all of the
> bugzilla.mozilla.org links from the MFSA's seem to be embargoed (at least
> for me). Does anyone here have access to those bug reports?
All issues have CVE ids. I'm attaching the CVE mails that detail these.
--
JB
