Feature #10911

Investigate if/how we could more efficiently be aware of MFSAs

Added by u almost 4 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 01/12/2016
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool:

Description

During the discussion about Icedove's release timing the question arose if we could more efficiently track security issues which concern Tails, Icedove or other software we ship. Maybe this has already been discussed and maybe sysadmins keep track of this kind of thing?

History

#1 Updated by intrigeri almost 4 years ago

maybe sysadmins keep track of this kind of thing?

FYI: not particularly (and even if they would, it would not be about desktop software).

#2 Updated by u almost 4 years ago

MFSAs are published here:
https://www.mozilla.org/en-US/security/advisories/

Known vulns in TB are published here:
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

CVEs affecting TB:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Thunderbird

Debian security:
https://lists.debian.org/debian-security/

FD (has RSS feed):
http://seclists.org/fulldisclosure/

Right now I'm sort of dreaming of having a tool which would search all these lists via RSS and send email whenever a certain keyword pops up.
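
A sketch of the kind of watcher described in the comment above, as an added example that is not part of the original ticket or of Tails' tooling: it parses an RSS 2.0 feed, matches a keyword list, skips items already reported, and builds a digest mail. The feed content, keyword list, addresses and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Constructed sample feed (not real advisory data).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed feed</title>
<item><title>Example advisory: memory safety bug in Thunderbird</title>
<link>https://feeds.example/a/1</link><guid>a-1</guid>
<description>Constructed entry.</description></item>
<item><title>Unrelated: release notes for some other tool</title>
<link>https://feeds.example/a/2</link><guid>a-2</guid>
<description>Nothing relevant here.</description></item>
<item><title>Example DSA for icedove</title>
<link>https://feeds.example/a/3</link><guid>a-3</guid>
<description>Constructed entry.</description></item>
</channel></rss>"""

KEYWORDS = ("thunderbird", "icedove")  # assumed watch list


def match_items(rss_text, keywords, seen):
    """Return unseen RSS items whose title or description contains a keyword."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, keywords)) + r")\b", re.I)
    hits = []
    # Feeds are untrusted input: keep the XML parser (expat) patched.
    for item in ET.fromstring(rss_text).iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        uid = item.findtext("guid") or item.findtext("link", default=title)
        found = pattern.search(title + "\n" + desc)
        if found and uid not in seen:
            seen.add(uid)  # remember it so the next poll does not re-alert
            hits.append({"id": uid, "title": title,
                         "link": item.findtext("link", default=""),
                         "keyword": found.group(1).lower()})
    return hits


def build_alert(hits, sender, recipient):
    """Build one digest mail; the caller hands it to smtplib or a local MTA."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    # Feed-controlled text goes only into the body, never into a header.
    msg["Subject"] = f"[advisory-watch] {len(hits)} new matching item(s)"
    msg.set_content("\n".join(f"{h['keyword']}: {h['title']}\n  {h['link']}" for h in hits))
    return msg
```

Atom feeds use different element names and would need their own parsing; fetching the feeds, persisting `seen` between runs and sending the message are left to the caller.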

#3 Updated by u almost 4 years ago

  • Status changed from Confirmed to In Progress

#4 Updated by u almost 4 years ago

  • Target version changed from Tails_2.2 to Tails_2.4

#5 Updated by u almost 4 years ago

  • Status changed from In Progress to Resolved
  • Affected tool deleted (Email Client)

It now looks like this is not a question specific to Icedove, because we have the same problem with any other software. So this should be part of a larger discussion.

We have processes to be aware of browser updates which work quite well.

Even if we were aware of MFSAs early enough in the process for Icedove, we still rely on Debian to get security patches.

But with the AppArmor profile such problems might be partly mitigated in the meantime.

Once we feel more comfortable with this, we might revisit this question, but for now I will close this ticket.
