Hi,

On Thu, Apr 24, 2014 at 11:36:49AM -0400, charlie derr wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 04/24/2014 11:21 AM, Salvatore Bonaccorso wrote:
> > This indeed seems to be a typo in the DSA-2911-1. The fixed version
> > for the unstable distribution for the given CVEs is
> > icedove/24.4.0-1.
> >
> > For reference see also [1].
> >
> > [1] https://security-tracker.debian.org/tracker/DSA-2911-1
> >
> > Hope that helps,
> >
> > Regards, Salvatore
> >
> Thank you very much, that does help some, but still doesn't really
> completely explain the mystery to me.
>
> In searching through my /var/log/apt/history files, I see that my
> current version of icedove (24.4.0-1) was installed on 2014-03-26
>
> Was all of this really patched in the sid version of the icedove
> package a full month before the official announcement of these
> vulnerabilities? This timing is confusing to me (though I suppose
> there may be a reasonable explanation for it).
>
> Any further information that might help me understand would be very
> welcome.

Apologies for the late reply. Yes it is true, the sid version was uploaded not long after the thunderbird 24.4 release, which happened on 2014-03-18. The corresponding issues are listed in [1].

[1] https://www.mozilla.org/security/announce/

Note: The official announcement of these vulnerabilities in thunderbird was at [1], so already in March. DSA-2911-1 fixes these issues for icedove in wheezy (additionally, if already known, it also mentions the fixed version for testing and sid).

Hope this clarifies a bit your questions,

Salvatore

