subject:"Seamonkey 2.40 \(latest stable\) uses NSS 3.20.1 \- possible security vulnerability"

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-21 Thread Frank-Rainer Grahl


seemonkey wrote:

But it would close the vulnerability in nss. If one would release a seamonkey 
let's say 2.40.1 only with the change of nss 3.21.1 the result would be the 
same as i described. I didn't mention any bug in the base product. The whole 
topic was started with nss and not bugs/sec vuln. in seamonkey.

So keeping SM 2.40 official release without replacing the nss is the worst one 
can do at the moment. If you trust an unofficial build (2.46) then install it. 
Or copy the dlls as i described.


The worst thing you could do is assume you are covered. It would close 
one vulnerability in nss not all. Current nss is 3.28 beta and 3.26.2 in 
the next Firefox release. I am quite sure there some few security fixes 
in the latest version too. You best protection is still a script and an 
Ad blocker when browsing the web.


A 2.40.1 can not be released because the l10n part of the build system 
is broken. It it weren't so we would have 2.46 already.


Adrians unofficial builds are ok. You can trust them. And if you run 
en-US there are now candidate builds for every platform available too. 
They are not final but this only means that the build process stopped 
with an error when it came to building the l10n versions. Building en-US 
was mostly finished at this stage.


That said ewong is still busy building and I hope we will see the final 
2.46 soon.


FRG
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-20 Thread seemonkey

On Tuesday, October 18, 2016 at 10:10:15 PM UTC+2, Frank-Rainer Grahl wrote:
> I wouldn't start hacking together a version with different binaries. Might 
> work 
> might not. And this won't close any bugs in the base product which could be 
> exploited if you are so concerned about security.
> 
> Better check if the latest en-US candidate 2.46 test builds works for you or 
> use 
> Adrians latest 2.46 build. They are both build from the same sources and 
> updating 
> to the next official build whenever it arrives will be possible just by 
> downloading it. Adrians is gtk3 and the candidate gtk2 for Linux users. 
> Windows 
> VS2015 but Adrians should be a little faster because he used -O2 for 
> compiling.
> 
> If you use a hacked together build do not open bug reports against it.
> 
> There will be no 2.40.x builds. The next one will be 2.46 if the l10n build 
> bug 
> can be fixed in time.
> 
> FRG
> 
> On Sun, 16 Oct 2016 21:59:19 +0200, Ray_Net wrote:
> 
> >>Lee wrote on 16/10/2016 17:45:
> >>> On 10/16/16, Ray_Net  wrote:
>  seemonkey wrote on 13/10/2016 08:06:
> > There's at least one security vulnerability that is missing from this 
> > NSS
> > version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
> >
> > There was a bugfix in NSS
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue
> > but unfortunately it seems that this bugfix is not in 3.20.x according 
> > to
> > the developer entries. I didn't check the code yet if the bugfix is 
> > really
> > missing!
> >
> > So my question is why seamonkey uses still this outdated NSS version? It
> > should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and
> > also in latest thunderbird /45.4.0/)
> >
> > As a workaround i can copy the nss libraries from firefox esr to 
> > seamonkey
> > until a security release of seamonkey let's say 2.40.1 arrives. I tried
> > this end i can start seamonkey with newer NSS library because they're
> > compatible.
>  "As a workaround i can copy the nss libraries from firefox esr to
>  seamonkey "
> 
>  Could you tell us what we need (in details) to do ?
>  I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
> >>> Upgrade.
> >>>
> >>> The current version of Firefox is 49.0.1
> >>> about:support / Library Versions says the NSS* expected & in use version 
> >>> is 
> 3.25
> >>>
> >>> The 'current' version of SeaMonkey is 2.40 and is missing a lot of
> >>> security patches.  Upgrading requires that you download & install a
> >>> new version of SM instead of waiting for it to upgrade automatically.
> >>> **where** to download the new version from is a bit of a question tho
> >>> :(   I'm guessing the safest bet is
> >>> 
> https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-com
> m-release-windows32/
> >>> if only because akalla had to pick _this_ particular build to make
> >>> available for downloading.  SeaMonkey 2.46 has the same 3.25
> >>> about:support / Library Versions for NSS* as FF.
> >>>
> >>> Regards,
> >>> Lee
> >>You don't understand.
> >>- I hate to install a not released SM.
> >>- I stay with FireFox 46.0.1 because I am able with it to do "View 
> >>Selection Source" using my version of Firefox, because my SM 2.40 cannot 
> >>do it.
> >>- He said " It should use at least 3.21.1 (that is in latest firefox esr 
> >>/45.4.0/" and because my version of Firefox is greater (46.0.1) I can 
> >>use nss from this version to put into SM because it should be > 3.21.1.
> >>So the question is still open:
> >>How, in details,  can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?
> 
> 
>  Regards
>  Frank-Rainer Grahl

But it would close the vulnerability in nss. If one would release a seamonkey 
let's say 2.40.1 only with the change of nss 3.21.1 the result would be the 
same as i described. I didn't mention any bug in the base product. The whole 
topic was started with nss and not bugs/sec vuln. in seamonkey.

So keeping SM 2.40 official release without replacing the nss is the worst one 
can do at the moment. If you trust an unofficial build (2.46) then install it. 
Or copy the dlls as i described.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-19 Thread Ray_Net


Frank-Rainer Grahl wrote on 18/10/2016 22:03:

I wouldn't start hacking together a version with different binaries. Might work
might not. And this won't close any bugs in the base product which could be
exploited if you are so concerned about security.


Ok, I will stay with my official SM 2.40 without introducing some 
possible problem.

Thanks for all answering.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-18 Thread Frank-Rainer Grahl

I wouldn't start hacking together a version with different binaries. Might work 
might not. And this won't close any bugs in the base product which could be 
exploited if you are so concerned about security.

Better check if the latest en-US candidate 2.46 test builds works for you or 
use 
Adrians latest 2.46 build. They are both build from the same sources and 
updating 
to the next official build whenever it arrives will be possible just by 
downloading it. Adrians is gtk3 and the candidate gtk2 for Linux users. Windows 
VS2015 but Adrians should be a little faster because he used -O2 for compiling.

If you use a hacked together build do not open bug reports against it.

There will be no 2.40.x builds. The next one will be 2.46 if the l10n build bug 
can be fixed in time.

FRG

On Sun, 16 Oct 2016 21:59:19 +0200, Ray_Net wrote:

>>Lee wrote on 16/10/2016 17:45:
>>> On 10/16/16, Ray_Net  wrote:
 seemonkey12...@gmail.com wrote on 13/10/2016 08:06:
> There's at least one security vulnerability that is missing from this NSS
> version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>
> There was a bugfix in NSS
> https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue
> but unfortunately it seems that this bugfix is not in 3.20.x according to
> the developer entries. I didn't check the code yet if the bugfix is really
> missing!
>
> So my question is why seamonkey uses still this outdated NSS version? It
> should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and
> also in latest thunderbird /45.4.0/)
>
> As a workaround i can copy the nss libraries from firefox esr to seamonkey
> until a security release of seamonkey let's say 2.40.1 arrives. I tried
> this end i can start seamonkey with newer NSS library because they're
> compatible.
 "As a workaround i can copy the nss libraries from firefox esr to
 seamonkey "

 Could you tell us what we need (in details) to do ?
 I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
>>> Upgrade.
>>>
>>> The current version of Firefox is 49.0.1
>>> about:support / Library Versions says the NSS* expected & in use version is 
3.25
>>>
>>> The 'current' version of SeaMonkey is 2.40 and is missing a lot of
>>> security patches.  Upgrading requires that you download & install a
>>> new version of SM instead of waiting for it to upgrade automatically.
>>> **where** to download the new version from is a bit of a question tho
>>> :(   I'm guessing the safest bet is
>>> 
https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-com
m-release-windows32/
>>> if only because akalla had to pick _this_ particular build to make
>>> available for downloading.  SeaMonkey 2.46 has the same 3.25
>>> about:support / Library Versions for NSS* as FF.
>>>
>>> Regards,
>>> Lee
>>You don't understand.
>>- I hate to install a not released SM.
>>- I stay with FireFox 46.0.1 because I am able with it to do "View 
>>Selection Source" using my version of Firefox, because my SM 2.40 cannot 
>>do it.
>>- He said " It should use at least 3.21.1 (that is in latest firefox esr 
>>/45.4.0/" and because my version of Firefox is greater (46.0.1) I can 
>>use nss from this version to put into SM because it should be > 3.21.1.
>>So the question is still open:
>>How, in details,  can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?


 Regards
 Frank-Rainer Grahl


___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-17 Thread seemonkey12345

On Sunday, October 16, 2016 at 9:59:26 PM UTC+2, Ray_Net wrote:
> Lee wrote on 16/10/2016 17:45:
> > On 10/16/16, Ray_Net wrote:
> >> seemonkey wrote on 13/10/2016 08:06:
> >>> There's at least one security vulnerability that is missing from this NSS
> >>> version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
> >>>
> >>> There was a bugfix in NSS
> >>> https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue
> >>> but unfortunately it seems that this bugfix is not in 3.20.x according to
> >>> the developer entries. I didn't check the code yet if the bugfix is really
> >>> missing!
> >>>
> >>> So my question is why seamonkey uses still this outdated NSS version? It
> >>> should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and
> >>> also in latest thunderbird /45.4.0/)
> >>>
> >>> As a workaround i can copy the nss libraries from firefox esr to seamonkey
> >>> until a security release of seamonkey let's say 2.40.1 arrives. I tried
> >>> this end i can start seamonkey with newer NSS library because they're
> >>> compatible.
> >> "As a workaround i can copy the nss libraries from firefox esr to
> >> seamonkey "
> >>
> >> Could you tell us what we need (in details) to do ?
> >> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
> > Upgrade.
> >
> > The current version of Firefox is 49.0.1
> > about:support / Library Versions says the NSS* expected & in use version is 
> > 3.25
> >
> > The 'current' version of SeaMonkey is 2.40 and is missing a lot of
> > security patches.  Upgrading requires that you download & install a
> > new version of SM instead of waiting for it to upgrade automatically.
> > **where** to download the new version from is a bit of a question tho
> > :(   I'm guessing the safest bet is
> > https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
> > if only because akalla had to pick _this_ particular build to make
> > available for downloading.  SeaMonkey 2.46 has the same 3.25
> > about:support / Library Versions for NSS* as FF.
> >
> > Regards,
> > Lee
> You don't understand.
> - I hate to install a not released SM.
> - I stay with FireFox 46.0.1 because I am able with it to do "View 
> Selection Source" using my version of Firefox, because my SM 2.40 cannot 
> do it.
> - He said " It should use at least 3.21.1 (that is in latest firefox esr 
> /45.4.0/" and because my version of Firefox is greater (46.0.1) I can 
> use nss from this version to put into SM because it should be > 3.21.1.
> So the question is still open:
> How, in details,  can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?

I understand you.
In detail you must do the following. Copy these files from firefox into 
seamonkey overwriting the existing files (you have *.dll instead of *.so):
libfreebl3.chk
libfreebl3.so
libnspr4.so
libnss3.so
libnssckbi.so
libnssdbm3.chk
libnssdbm3.so
libnssutil3.so
libplc4.so
libplds4.so
libsmime3.so
libsoftokn3.chk
libsoftokn3.so
libssl3.so
I did it on linux, on windows it should be the same, please check it! I hope 
you have chk files too. However i have firefox 45.4.0 (esr) not the 46.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-17 Thread TCW

On Sun, 16 Oct 2016 21:59:19 +0200, Ray_Net
 wrote:

>Lee wrote on 16/10/2016 17:45:
>> On 10/16/16, Ray_Net  wrote:
>>> seemonkey12...@gmail.com wrote on 13/10/2016 08:06:
 There's at least one security vulnerability that is missing from this NSS
 version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950

 There was a bugfix in NSS
 https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue
 but unfortunately it seems that this bugfix is not in 3.20.x according to
 the developer entries. I didn't check the code yet if the bugfix is really
 missing!

 So my question is why seamonkey uses still this outdated NSS version? It
 should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and
 also in latest thunderbird /45.4.0/)

 As a workaround i can copy the nss libraries from firefox esr to seamonkey
 until a security release of seamonkey let's say 2.40.1 arrives. I tried
 this end i can start seamonkey with newer NSS library because they're
 compatible.
>>> "As a workaround i can copy the nss libraries from firefox esr to
>>> seamonkey "
>>>
>>> Could you tell us what we need (in details) to do ?
>>> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
>> Upgrade.
>>
>> The current version of Firefox is 49.0.1
>> about:support / Library Versions says the NSS* expected & in use version is 
>> 3.25
>>
>> The 'current' version of SeaMonkey is 2.40 and is missing a lot of
>> security patches.  Upgrading requires that you download & install a
>> new version of SM instead of waiting for it to upgrade automatically.
>> **where** to download the new version from is a bit of a question tho
>> :(   I'm guessing the safest bet is
>> https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
>> if only because akalla had to pick _this_ particular build to make
>> available for downloading.  SeaMonkey 2.46 has the same 3.25
>> about:support / Library Versions for NSS* as FF.
>>
>> Regards,
>> Lee
>You don't understand.
>- I hate to install a not released SM.
>- I stay with FireFox 46.0.1 because I am able with it to do "View 
>Selection Source" using my version of Firefox, because my SM 2.40 cannot 
>do it.
>- He said " It should use at least 3.21.1 (that is in latest firefox esr 
>/45.4.0/" and because my version of Firefox is greater (46.0.1) I can 
>use nss from this version to put into SM because it should be > 3.21.1.
>So the question is still open:
>How, in details,  can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?

The SM 2.46 builds are being made by Adrian Kalla on a personal
machine and are stable even though not publish on the official Mozilla
site and usual download places. They are build from stable code but
because the build environment has been busted for so long, it's not
working on Mozilla proper. I just updated to the SM 2.47 beta build he
made today and it has NSS 3.26.2. I didn't realize 3.27/3.27.1 went
final until I just looked. So, IMHOO, you have nothing to lose by
trying the stable build Adrian has made. You can always kick the tires
here: http://goo.gl/9R2c0i

Stable, in terms of software, is relative to how many bugs haven't
been found yet.

As for grafting DLLs, back up nss3.dll, nssckbi.dll, nssdbm3.chk,
nssdbm3.dll and mozglue.dll somewhere. Close SM. Copy the NSS DLLs
from Firefox and overwrite the ones in the SM directory. 99% of the
time you won't need mozglue.dll. Start SM. If it complains about
mozglue.dll, close SM and overwrite mozglue.dll. Start SM again. If it
won't start, copy back the backed up DLLs. Hope that helps.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-16 Thread Ray_Net

Lee wrote on 16/10/2016 17:45:

On 10/16/16, Ray_Net wrote:

seemonkey12...@gmail.com wrote on 13/10/2016 08:06:

There's at least one security vulnerability that is missing from this NSS
version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950

There was a bugfix in NSS
https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue
but unfortunately it seems that this bugfix is not in 3.20.x according to
the developer entries. I didn't check the code yet if the bugfix is really
missing!

So my question is why seamonkey uses still this outdated NSS version? It
should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and
also in latest thunderbird /45.4.0/)

As a workaround i can copy the nss libraries from firefox esr to seamonkey
until a security release of seamonkey let's say 2.40.1 arrives. I tried
this end i can start seamonkey with newer NSS library because they're
compatible.

"As a workaround i can copy the nss libraries from firefox esr to
seamonkey "

Could you tell us what we need (in details) to do ?
I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.

Upgrade.

The current version of Firefox is 49.0.1
about:support / Library Versions says the NSS* expected & in use version is 3.25

The 'current' version of SeaMonkey is 2.40 and is missing a lot of
security patches. Upgrading requires that you download & install a
new version of SM instead of waiting for it to upgrade automatically.
**where** to download the new version from is a bit of a question tho
:( I'm guessing the safest bet is
https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
if only because akalla had to pick _this_ particular build to make
available for downloading. SeaMonkey 2.46 has the same 3.25
about:support / Library Versions for NSS* as FF.

Regards,
Lee

You don't understand.
- I hate to install a not released SM.
- I stay with FireFox 46.0.1 because I am able with it to do "View
Selection Source" using my version of Firefox, because my SM 2.40 cannot
do it.
- He said " It should use at least 3.21.1 (that is in latest firefox esr
/45.4.0/" and because my version of Firefox is greater (46.0.1) I can
use nss from this version to put into SM because it should be > 3.21.1.

So the question is still open:
How, in details, can I use the NSS of my FireFox 46.0.1 into my SM 2.40 ?
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-16 Thread Lee

On 10/16/16, Ray_Net  wrote:
> seemonkey12...@gmail.com wrote on 13/10/2016 08:06:
>> There's at least one security vulnerability that is missing from this NSS
>> version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>>
>> There was a bugfix in NSS
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue
>> but unfortunately it seems that this bugfix is not in 3.20.x according to
>> the developer entries. I didn't check the code yet if the bugfix is really
>> missing!
>>
>> So my question is why seamonkey uses still this outdated NSS version? It
>> should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and
>> also in latest thunderbird /45.4.0/)
>>
>> As a workaround i can copy the nss libraries from firefox esr to seamonkey
>> until a security release of seamonkey let's say 2.40.1 arrives. I tried
>> this end i can start seamonkey with newer NSS library because they're
>> compatible.
>
> "As a workaround i can copy the nss libraries from firefox esr to
> seamonkey "
>
> Could you tell us what we need (in details) to do ?
> I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.

Upgrade.

The current version of Firefox is 49.0.1
about:support / Library Versions says the NSS* expected & in use version is 3.25

The 'current' version of SeaMonkey is 2.40 and is missing a lot of
security patches.  Upgrading requires that you download & install a
new version of SM instead of waiting for it to upgrade automatically.
**where** to download the new version from is a bit of a question tho
:(   I'm guessing the safest bet is
https://l10n.mozilla-community.org/~akalla/unofficial/seamonkey/nightly/latest-comm-release-windows32/
if only because akalla had to pick _this_ particular build to make
available for downloading.  SeaMonkey 2.46 has the same 3.25
about:support / Library Versions for NSS* as FF.

Regards,
Lee
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-16 Thread Ray_Net


seemonkey12...@gmail.com wrote on 13/10/2016 08:06:

There's at least one security vulnerability that is missing from this NSS 
version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950

There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 
to solve this issue but unfortunately it seems that this bugfix is not in 
3.20.x according to the developer entries. I didn't check the code yet if the 
bugfix is really missing!

So my question is why seamonkey uses still this outdated NSS version? It should 
use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest 
thunderbird /45.4.0/)

As a workaround i can copy the nss libraries from firefox esr to seamonkey 
until a security release of seamonkey let's say 2.40.1 arrives. I tried this 
end i can start seamonkey with newer NSS library because they're compatible.


"As a workaround i can copy the nss libraries from firefox esr to 
seamonkey "


Could you tell us what we need (in details) to do ?
I have Firefox 46.0.1 and SeaMonkey 2.40 on a windows pc.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-15 Thread Edward


WaltS48 wrote:

On 10/14/2016 08:49 PM, Edward wrote:

TCW wrote:

On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey12...@gmail.com
wrote:


There's at least one security vulnerability that is missing from
this NSS version:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950

There was a bugfix in NSS
https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this
issue but unfortunately it seems that this bugfix is not in 3.20.x
according to the developer entries. I didn't check the code yet if
the bugfix is really missing!

So my question is why seamonkey uses still this outdated NSS
version? It should use at least 3.21.1 (that is in latest firefox
esr /45.4.0/ and also in latest thunderbird /45.4.0/)

As a workaround i can copy the nss libraries from firefox esr to
seamonkey until a security release of seamonkey let's say 2.40.1
arrives. I tried this end i can start seamonkey with newer NSS
library because they're compatible.


You can graft the NSS dlls, sure. I have done that in the past with
success. But, there is a build of 2.46 that's stable enough to use if
you want to test.


Just curious... Does the Linux version of SeaMonkey use the nss
package that is included with the Linux distribution being used? The
currently installed version here is 3.23.0-1 (Fedora 24).

Thanks in advance.



Users can enter about:support in the address bar and scroll down to the
Library Versions section of the Troubleshooting Information page to see
what their version of SeaMonkey, Firefox or Thunderbird is using.

If you prefer Help > Troubleshooting Information also gets you there.


Thanks for that tip.

It looks like nss was just updated. That screen shows the Expected 
Minimum Version as 3.25, with 3.27 as the Version in use.



___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-15 Thread WaltS48


On 10/14/2016 08:49 PM, Edward wrote:

TCW wrote:

On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey12...@gmail.com
wrote:

There's at least one security vulnerability that is missing from this 
NSS version: 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950


There was a bugfix in NSS 
https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this 
issue but unfortunately it seems that this bugfix is not in 3.20.x 
according to the developer entries. I didn't check the code yet if 
the bugfix is really missing!


So my question is why seamonkey uses still this outdated NSS version? 
It should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ 
and also in latest thunderbird /45.4.0/)


As a workaround i can copy the nss libraries from firefox esr to 
seamonkey until a security release of seamonkey let's say 2.40.1 
arrives. I tried this end i can start seamonkey with newer NSS 
library because they're compatible.


You can graft the NSS dlls, sure. I have done that in the past with
success. But, there is a build of 2.46 that's stable enough to use if
you want to test.


Just curious... Does the Linux version of SeaMonkey use the nss package 
that is included with the Linux distribution being used? The currently 
installed version here is 3.23.0-1 (Fedora 24).


Thanks in advance.



Users can enter about:support in the address bar and scroll down to the 
Library Versions section of the Troubleshooting Information page to see 
what their version of SeaMonkey, Firefox or Thunderbird is using.


If you prefer Help > Troubleshooting Information also gets you there.

--
Visit Pittsburgh 
Coexist 
Ubuntu 16.04LTS
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-14 Thread seemonkey

On Saturday, October 15, 2016 at 2:49:48 AM UTC+2, Edward wrote:
> TCW wrote:
> > On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey
> > wrote:
> >
> >> There's at least one security vulnerability that is missing from this NSS 
> >> version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
> >>
> >> There was a bugfix in NSS 
> >> https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue 
> >> but unfortunately it seems that this bugfix is not in 3.20.x according to 
> >> the developer entries. I didn't check the code yet if the bugfix is really 
> >> missing!
> >>
> >> So my question is why seamonkey uses still this outdated NSS version? It 
> >> should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and 
> >> also in latest thunderbird /45.4.0/)
> >>
> >> As a workaround i can copy the nss libraries from firefox esr to seamonkey 
> >> until a security release of seamonkey let's say 2.40.1 arrives. I tried 
> >> this end i can start seamonkey with newer NSS library because they're 
> >> compatible.
> >
> > You can graft the NSS dlls, sure. I have done that in the past with
> > success. But, there is a build of 2.46 that's stable enough to use if
> > you want to test.
> 
> Just curious... Does the Linux version of SeaMonkey use the nss package 
> that is included with the Linux distribution being used? The currently 
> installed version here is 3.23.0-1 (Fedora 24).
> 
> Thanks in advance.

No, seamonkey/firefox/thunderbird look for their .so ONLY in their own 
directory ignoring to search in /usr/lib. That why it is not enough to install 
a separate nss package but one need to place symbolic links into each mozilla 
product.
You can check with strace which .so is loaded on startup of seamonkey. If the 
one from nss lib 3.23.0-1 then you are lucky and don't have to do anything.

I just wanted to point out that we immediately need a seemonkey update.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-14 Thread seemonkey12345

On Thursday, October 13, 2016 at 3:10:42 PM UTC+2, TCW wrote:
> On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey
> 
> >There's at least one security vulnerability that is missing from this NSS 
> >version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
> >
> >There was a bugfix in NSS 
> >https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue but 
> >unfortunately it seems that this bugfix is not in 3.20.x according to the 
> >developer entries. I didn't check the code yet if the bugfix is really 
> >missing!
> >
> >So my question is why seamonkey uses still this outdated NSS version? It 
> >should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also 
> >in latest thunderbird /45.4.0/)
> >
> >As a workaround i can copy the nss libraries from firefox esr to seamonkey 
> >until a security release of seamonkey let's say 2.40.1 arrives. I tried this 
> >end i can start seamonkey with newer NSS library because they're compatible.
> 
> You can graft the NSS dlls, sure. I have done that in the past with
> success. But, there is a build of 2.46 that's stable enough to use if
> you want to test.

I tried with firefox's/thunderbirds 3.21.1 and it works. I trust this version 
of nss (at the moment)
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-14 Thread Edward


TCW wrote:

On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey12...@gmail.com
wrote:


There's at least one security vulnerability that is missing from this NSS 
version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950

There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 
to solve this issue but unfortunately it seems that this bugfix is not in 
3.20.x according to the developer entries. I didn't check the code yet if the 
bugfix is really missing!

So my question is why seamonkey uses still this outdated NSS version? It should 
use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest 
thunderbird /45.4.0/)

As a workaround i can copy the nss libraries from firefox esr to seamonkey 
until a security release of seamonkey let's say 2.40.1 arrives. I tried this 
end i can start seamonkey with newer NSS library because they're compatible.


You can graft the NSS dlls, sure. I have done that in the past with
success. But, there is a build of 2.46 that's stable enough to use if
you want to test.


Just curious... Does the Linux version of SeaMonkey use the nss package 
that is included with the Linux distribution being used? The currently 
installed version here is 3.23.0-1 (Fedora 24).


Thanks in advance.

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-13 Thread TCW

On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey12...@gmail.com
wrote:

>There's at least one security vulnerability that is missing from this NSS 
>version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
>
>There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 
>to solve this issue but unfortunately it seems that this bugfix is not in 
>3.20.x according to the developer entries. I didn't check the code yet if the 
>bugfix is really missing!
>
>So my question is why seamonkey uses still this outdated NSS version? It 
>should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in 
>latest thunderbird /45.4.0/)
>
>As a workaround i can copy the nss libraries from firefox esr to seamonkey 
>until a security release of seamonkey let's say 2.40.1 arrives. I tried this 
>end i can start seamonkey with newer NSS library because they're compatible.

You can graft the NSS dlls, sure. I have done that in the past with
success. But, there is a build of 2.46 that's stable enough to use if
you want to test.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

2016-10-13 Thread seemonkey12345

There's at least one security vulnerability that is missing from this NSS 
version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950

There was a bugfix in NSS https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 
to solve this issue but unfortunately it seems that this bugfix is not in 
3.20.x according to the developer entries. I didn't check the code yet if the 
bugfix is really missing!

So my question is why seamonkey uses still this outdated NSS version? It should 
use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and also in latest 
thunderbird /45.4.0/)

As a workaround i can copy the nss libraries from firefox esr to seamonkey 
until a security release of seamonkey let's say 2.40.1 arrives. I tried this 
end i can start seamonkey with newer NSS library because they're compatible.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Re: Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

Seamonkey 2.40 (latest stable) uses NSS 3.20.1 - possible security vulnerability

16 matches

Site Navigation

Mail list logo

Footer information