On 01/09/2015 07:15 PM, Rufus wrote:
> WaltS48 wrote:
>> On 01/09/2015 08:44 PM, Paul in Houston, TX wrote:
>>> David H. Durgee wrote:
>>>> I am growing more and more tempted to abandon seamonkey due to the
>>>> continuing and expanding list of issues. First is the password issue
>>>> that forces me to keep a tab open to the data manager in order to be
>>>> able to copy/paste passwords that are no longer being filled in after
>>>> 2.26.1 was replaced. Next was the problem with chase.com which is
>>>> holding me at the 2.30 level in hopes that the next release will
>>>> eliminate this problem that makes 2.31 unacceptable. How much longer
>>>> can this go on?
>>>>
>>>> The current firefox user interface is also unacceptable to me. Is
>>>> there a way to port the seamonkey user interface in place of the
>>>> firefox interface? If so, I might give serious consideration to
>>>> moving to firefox and thunderbird in place of seamonkey.
>>>>
>>>> I would prefer to have seamonkey working as it did in 2.26.1 with all
>>>> the current security fixes applied, but I have my doubts if this will
>>>> ever be available. For some reason the developers are more interested
>>>> in adding "features" than in fixing problems.
>>>>
>>>> Dave
>>>
>>> Why not use SM 2.26.1 instead?
>>
>>
>> For one it is vulnerable to [RSA Signature Forgery in NSS —
>> Mozilla](https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/)
>>
>> and probably [1076983 – (POODLE) Padding oracle attack on SSL
>> 3.0](https://bugzilla.mozilla.org/show_bug.cgi?id=poodle)
>>
>> Not to mention all the other security vulnerabilities fixed since the
>> release of 2.26.1.
>>
>> [Security Advisories for SeaMonkey —
>> Mozilla](https://www.mozilla.org/en-US/security/known-vulnerabilities/seamonkey/)
>>
>>
>> But David already mentioned "I would prefer to have seamonkey working as
>> it did in 2.26.1 with all the current security fixes applied,"
>>
>>
>
> So use 2.26.1, be careful where you surf to, and use HTTPS Everywhere
> for a bit of added "security" -

Right...

Impact key

*Critical: Vulnerability can be used to run attacker code and install
software, requiring no user interaction beyond normal browsing.*

*High: Vulnerability can be used to gather sensitive data from sites
in other windows or inject data or code into those sites, requiring no
more than normal browsing actions.*

Moderate: Vulnerabilities that would otherwise be High or Critical
except they only work in uncommon non-default configurations or require
the user to perform complicated and/or unlikely steps.

Low: Minor security vulnerabilities such as Denial of Service
attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL
indicia would have "High" impact because those are generally used to
steal sensitive data intended for other sites.)

# Fixed in SeaMonkey 2.31
2014-91 Privileged access to security wrapped protected objects
2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
2014-88 Buffer overflow while parsing media content
2014-87 Use-after-free during HTML5 parsing
2014-86 CSP leaks redirect data via violation reports
2014-85 XMLHttpRequest crashes with some input streams
2014-84 XBL bindings accessible via improper CSS declarations
2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)
# Fixed in SeaMonkey 2.30
2014-81 Inconsistent video sharing within iframe
2014-80 Key pinning bypasses
2014-79 Use-after-free interacting with text directionality
2014-78 Further uninitialized memory use during GIF rendering
2014-77 Out-of-bounds write with WebM video
2014-76 Web Audio memory corruption issues with custom waveforms
2014-75 Buffer overflow during CSS manipulation
2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)
# Fixed in SeaMonkey 2.29.1
2014-73 RSA Signature Forgery in NSS
# Fixed in SeaMonkey 2.29
2014-72 Use-after-free setting text directionality
2014-71 Profile directory file access through file: protocol
2014-70 Out-of-bounds read in Web Audio audio timeline
2014-69 Uninitialized memory use during GIF rendering
2014-68 Use-after-free during DOM interactions with SVG
2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 /
rv:24.8)
>
> https://www.eff.org/https-everywhere
>
> ...I just wish they'd fix the stupid random Master Password request bug,
> as far as "security" goes.
>
_______________________________________________
support-seamonkey mailing list
https://lists.mozilla.org/listinfo/support-seamonkey