On Saturday, October 15, 2016 at 2:49:48 AM UTC+2, Edward wrote:
> TCW wrote:
> > On Wed, 12 Oct 2016 23:06:52 -0700 (PDT), seemonkey
> > wrote:
> >> There's at least one security vulnerability that is missing from this NSS
> >> version: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
> >> There was a bugfix in NSS
> >> https://bugzilla.mozilla.org/show_bug.cgi?id=1245528 to solve this issue
> >> but unfortunately it seems that this bugfix is not in 3.20.x according to
> >> the developer entries. I didn't check the code yet if the bugfix is really
> >> missing!
> >> So my question is why does seamonkey still use this outdated NSS version? It
> >> should use at least 3.21.1 (that is in latest firefox esr /45.4.0/ and
> >> also in latest thunderbird /45.4.0/)
> >> As a workaround I can copy the nss libraries from firefox esr to seamonkey
> >> until a security release of seamonkey let's say 2.40.1 arrives. I tried
> >> this and I can start seamonkey with the newer NSS library because they're
> >> compatible.
> > You can graft the NSS dlls, sure. I have done that in the past with
> > success. But, there is a build of 2.46 that's stable enough to use if
> > you want to test.
> Just curious... Does the Linux version of SeaMonkey use the nss package
> that is included with the Linux distribution being used? The currently
> installed version here is 3.23.0-1 (Fedora 24).
> Thanks in advance.
No, seamonkey/firefox/thunderbird look for their .so ONLY in their own
directory and do not search in /usr/lib. That is why it is not enough to install
a separate nss package but one needs to place symbolic links into each mozilla
You can check with strace which .so is loaded on startup of seamonkey. If it is the
one from nss lib 3.23.0-1 then you are lucky and don't have to do anything.
I just wanted to point out that we immediately need a seamonkey update.
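
The strace check described above, as an added example that is not part of the original post or of SeaMonkey itself: it reads strace output and reports whether the `libnss3.so` that was actually opened lives in the application directory or elsewhere. The function names, the application directory and the trace lines are constructed assumptions.

```shell
#!/bin/sh
# Capture step (real strace options; binary name and trace path are assumptions):
#   strace -f -e trace=open,openat -o /tmp/sm.trace seamonkey
#   nss_origin /path/to/seamonkey-dir < /tmp/sm.trace

# Print each distinct path that was opened successfully and whose basename is $1.
# strace output is read from stdin. Only lines with a non-negative return value
# count, so failed lookups ("= -1 ENOENT ...") are skipped.
opened_libs() {
    awk -v lib="$1" '
        /open(at)?\(.*\) = [0-9]+/ {
            if (match($0, /"[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                n = split(path, parts, "/")
                if (parts[n] == lib && !seen[path]++) print path
            }
        }'
}

# Classify the first loaded libnss3.so relative to the application directory $1.
# A symlink inside the app dir is resolved when the file exists, so a link that
# points at the distribution package is reported as "system".
nss_origin() {
    appdir=${1%/}
    path=$(opened_libs libnss3.so | head -n 1)
    [ -n "$path" ] || { echo "not-loaded"; return 1; }
    real=$(readlink -f "$path" 2>/dev/null) || real=$path
    [ -n "$real" ] || real=$path
    case "$real" in
        "$appdir"/*) echo "bundled $real" ;;
        *)           echo "system $real" ;;
    esac
}

# Constructed sample trace (not captured from a real run).
SAMPLE_TRACE='4211 openat(AT_FDCWD, "/nonexistent-example/seamonkey/libnss3.so", O_RDONLY|O_CLOEXEC) = 5
4211 openat(AT_FDCWD, "/nonexistent-example/seamonkey/libnssutil3.so", O_RDONLY|O_CLOEXEC) = 6'

printf '%s\n' "$SAMPLE_TRACE" | nss_origin /nonexistent-example/seamonkey
```

A "bundled" result means the copy shipped with the application is in use, so its version, not the distribution package's, decides whether the fix is present.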
support-seamonkey mailing list