Kevin Kofler via devel wrote: > Marius Schwarz wrote: >> I know it was a security update for >> https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/ >> <https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/>, >> so better safe and live with some minor bugs, than to be sorry. > > Debian claims on https://security-tracker.debian.org/tracker/CVE-2022-3033 > that Thunderbird 91 is not even vulnerable to the CVEs fixed by that > advisory, only Thunderbird 102 releases (prior to the fix) were. And if that claim is wrong, you can simply backport the fixes: The MFSA lists the bug IDs, so just search for those in the hg history: https://hg.mozilla.org/comm-central/log?rev=1784838 https://hg.mozilla.org/comm-central/log?rev=1783831 https://hg.mozilla.org/comm-central/log?rev=1745751 https://hg.mozilla.org/comm-central/log?rev=1787741 In particular, the fix for the high-impact CVE-2022-3033 is a one-line addition. It does not make sense to upgrade to an incompatible version for that fix. Kevin Kofler _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
