Upgrade Thunderbird to 1:60.2.1-1
Enable the bugfix-16037-upgrade-thunderbird-to-60.2.1 APT overlay (refs: #16037).
#2 Updated by intrigeri over 1 year ago
- Assignee set to CyrilBrulebois
Can you take this one? (Sorry I did not take notes at the FT meeting of who said they could take a little bit more work. I think in the future I'll introduce the idea of note-taking at these meetings, limited to such critical info.)
#6 Updated by CyrilBrulebois over 1 year ago
This is a copy of what I sent to Carsten a moment ago:
Looking at 60.2.1 for Tails, I'm wondering what your plans for
stretch(-security) are. The whole l10n re-architecturing seems a little
out of scope for an update to stable (even for one of those Mozilla
products, which are close to be given carte blanche).
I've prepared a debian/backportable-sid (for the lack of a better name)
in my repository, reverting “unwanted” commits on top of the debian/sid
branch, and updated the debian/stretch branch by merging it in there.
I haven't test-built it yet, but I wanted to share this with you right
I'll keep you posted with the build results; my Tails team mates will
likely monitor my progress on our ticket:
Feedback welcome, as always!
Once I'm done test-building this branch, I'll move to merging it into our Tails branch (reverting bits added from anonym, backporting fixes) and checking what happens in a Tails environment.
#7 Updated by CyrilBrulebois over 1 year ago
It seems I was wrong in assuming I would have to revert those patches: they still apply with 60.2.1.
Looking at the upstream bug report, it seems Thunderbird is considered as non-affected?
Mozilla#1493900 doesn't even list thunderbird at all.
Also, both https://security-tracker.debian.org/tracker/CVE-2018-12386 & https://security-tracker.debian.org/tracker/CVE-2018-12387 mention the
firefox-esr packages only.
Should we keep our patches just in case? Do we have any contacts on the Thunderbird side to get a definitive opinion on the appropriateness of those fixes?