Bug #10752: Investigate the current security status of Icedove + NSS as shipped in Tails 1.7 & 1.8

Bug #10752

Investigate the current security status of Icedove + NSS as shipped in Tails 1.7 & 1.8

Added by Anonymous 2015-12-14 06:20:12 . Updated 2015-12-14 07:33:02 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Tails_1.8

Start date:

2015-12-14

Due date:

% Done:

100%

Feature Branch:

Type of work:

Research

Blueprint:

Starter:

Affected tool:

Email Client

Deliverable for:

268

Description

See

and report back.

Subtasks

History

#1 Updated by Anonymous 2015-12-14 06:23:51

Parent task set to ~~Feature #5663~~

#2 Updated by Anonymous 2015-12-14 06:24:55

Target version deleted (~~SponsorS_M3~~)
Deliverable for set to 267

#3 Updated by Anonymous 2015-12-14 07:10:48

From git grep icedove -- wiki/src/torrents
Current package of Icedove in Tails 1.7 is 31.8.0-1~deb7u1
Current version of libnss3 in Tails 1.7 is 3.14.5-1+deb7u5

#4 Updated by Anonymous 2015-12-14 07:16:06

Deliverable for changed from 267 to 268

#5 Updated by Anonymous 2015-12-14 07:27:23

Target version set to Tails_1.8

#6 Updated by Anonymous 2015-12-14 07:28:57

quoting intrigeri:

38.4.0-1~deb7u1 and other security backports apparently have no libnss3-dev in its build-deps, while sid packages have. which seems to indicate that such security backports might be built with their own, bundled nss, instead of the system one.
this is ugly, but actually very good news for us.

#7 Updated by kytv 2015-12-14 07:31:53

Assignee deleted (~~kytv~~)

Confirmed, our icedove packages have no dependency on the system NSS.

amnesia@amnesia:~$ apt-cache --installed depends icedove
icedove
  Depends: fontconfig
  Depends: psmisc
  Depends: debianutils
  Depends: libasound2
  Depends: libatk1.0-0
  Depends: libc6
  Depends: libcairo2
  Depends: libdbus-1-3
  Depends: libdbus-glib-1-2
  Depends: libevent-2.0-5
  Depends: libffi5
  Depends: libfontconfig1
  Depends: libfreetype6
  Depends: libgcc1
  Depends: libgdk-pixbuf2.0-0
  Depends: libglib2.0-0
  Depends: libgtk2.0-0
  Depends: libhunspell-1.3-0
  Depends: libpango1.0-0
  Depends: libpixman-1-0
  Depends: libsqlite3-0
  Depends: libstartup-notification0
  Depends: libstdc++6
  Depends: libx11-6
  Depends: libxcomposite1
  Depends: libxdamage1
  Depends: libxext6
  Depends: libxfixes3
  Depends: libxrender1
  Depends: libxt6
  Depends: zlib1g

I suppose this means we only have to worry about keeping Icedove current and that this ticket could be closed?

#8 Updated by kytv 2015-12-14 07:33:02

Subject changed from Investigate he current security status of Icedove + NSS as shipped in Tails 1.7 & 1.8 to Investigate the current security status of Icedove + NSS as shipped in Tails 1.7 & 1.8
Status changed from Confirmed to Resolved
% Done changed from 0 to 100

Closing as I don’t think there’s anything else for us to do here.