Feature #10911

Investigate if/how we could more efficiently be aware of MFSAs

Added by Anonymous 2016-01-12 16:11:16 . Updated 2016-03-10 15:32:19 .

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2016-01-12
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

During the discussion about Icedove’s release timing the question arose if we could more efficiently track security issues which concern Tails, Icedove or other software we ship. Maybe this has already been discussed and maybe sysadmins keep track of this kind of thing?


Subtasks


History

#1 Updated by intrigeri 2016-01-13 12:14:44

> maybe sysadmins keep track of this kind of thing?

FYI: not particularly (and even if they would, it would not be about desktop software).

#2 Updated by Anonymous 2016-01-20 11:56:26

MFSAs are published here:
https://www.mozilla.org/en-US/security/advisories/

Known vulns in TB are published here:
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

CVEs affecting TB:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Thunderbird

Debian security:
https://lists.debian.org/debian-security/

FD (has RSS feed):
http://seclists.org/fulldisclosure/

Right now I’m sort of dreaming of having a tool which would search all these lists via RSS and send email whenever a certain keyword pops up.
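
The keyword-watch tool wished for in comment #2, sketched as an added example (not part of the ticket and not Tails code): it scans an RSS 2.0 feed for watch-list keywords, skips items already seen, and composes an email digest. The sample feed, the keyword list, the addresses and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Constructed sample feed (RSS 2.0); a real run would fetch the feed URLs instead.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed advisory feed</title>
<item><title>Example advisory: memory safety bug in Thunderbird</title>
<link>https://example.org/advisory/1</link><guid>adv-1</guid>
<description>Constructed entry for illustration.</description></item>
<item><title>Example advisory: unrelated library update</title>
<link>https://example.org/advisory/2</link><guid>adv-2</guid>
<description>Nothing relevant here.</description></item>
<item><title>Example advisory: mail client fix</title>
<link>https://example.org/advisory/3</link><guid>adv-3</guid>
<description>Affects Icedove builds.</description></item>
</channel></rss>"""

KEYWORDS = ["Thunderbird", "Icedove"]  # assumed watch list


def find_matches(feed_xml, keywords, seen):
    """Return unseen feed items whose title or description names a keyword."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, keywords)) + r")\b", re.I)
    hits = []
    # Feeds are remote input: a hardened parser such as defusedxml is preferable here.
    for item in ET.fromstring(feed_xml).iter("item"):
        guid = item.findtext("guid") or item.findtext("link") or ""
        text = " ".join(filter(None, (item.findtext("title"), item.findtext("description"))))
        found = sorted({m.group(1).lower() for m in pattern.finditer(text)})
        if found and guid not in seen:
            seen.add(guid)  # remember the item so later runs do not re-alert
            hits.append({"guid": guid, "title": item.findtext("title"),
                         "link": item.findtext("link"), "keywords": found})
    return hits


def build_alert(hits, sender, recipient):
    """Compose (not send) one plain-text digest; pass it to smtplib to deliver."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[advisory-watch] {len(hits)} new matching item(s)"
    msg.set_content("\n".join(f"{h['title']}\n  {h['link']}\n  matched: {', '.join(h['keywords'])}"
                              for h in hits))
    return msg


if __name__ == "__main__":
    print(build_alert(find_matches(SAMPLE_RSS, KEYWORDS, set()), "watch@example.org", "team@example.org"))
```

The `seen` set has to be persisted between runs (for example in a small file) so that each item triggers only one alert.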

#3 Updated by Anonymous 2016-01-20 11:56:44

  • Status changed from Confirmed to In Progress

#4 Updated by Anonymous 2016-02-05 16:46:41

  • Target version changed from Tails_2.2 to Tails_2.4

#5 Updated by Anonymous 2016-03-10 15:32:19

  • Status changed from In Progress to Resolved
  • Affected tool deleted (Email Client)
  • Deliverable for deleted (268)

It now looks like this is not a question specific to Icedove, because we have the same problem with any other software. So this should be part of a larger discussion.

We have processes to be aware of browser updates which work quite well.

Even if we were aware of MFSAs early enough in the process for Icedove, we still rely on Debian to get security patches.

But with the AppArmor profile such problems might be partly mitigated in the meantime.

Once we feel more comfortable with this, we might revisit this question, but for now I will close this ticket.