When Firefox 18.104.22.168 came out on Feb. 7, it brought with it fixes for three critical security holes and seven that were not quite so serious. According to the security advisories, many of these problems were also fixed in the Thunderbird 22.214.171.124 e-mail client. Unfortunately, there is no Thunderbird 126.96.36.199.
The Mozilla Foundation’s press release focused on the Firefox 188.8.131.52 security fixes. The Foundation also reported, though, in its MFSA (Mozilla Foundation Security Advisory), that these same bugs had been fixed in the fictitious Thunderbird 184.108.40.206.
Specifically, the following critical security advisories were reported to be fixed in both Firefox and Thunderbird 220.127.116.11: MFSA 2008-01 (crashes with evidence of memory corruption) and MFSA 2008-03 (privilege escalation, XSS, remote code execution). In addition, the serious security bug MFSA 2008-05 (directory traversal via chrome: URI) and moderate security bug MFSA 2008-08 (file action dialog tampering) are reported to have been fixed in the nonexistent Thunderbird 18.104.22.168.
Still, it is upsetting that Mozilla reports that these problems have been fixed in a version of Thunderbird that doesn’t exist. The latest version of Thunderbird is 22.214.171.124.
DesktopLinux.com tried to reach the Mozilla Foundation Feb. 8 for an explanation, but, as of the afternoon of Feb. 11, the Foundation had not replied.
There has long been concern that Thunderbird was not a real priority for Mozilla. In September 2007, Mozilla announced that it was spinning Thunderbird off into a company of its own: MailCo. Only weeks later, Scott McGregor, one of Thunderbird’s two key developers, left Mozilla. This reignited Thunderbird users’ fears that Mozilla was not so much moving Thunderbird out as throwing it out.
Since that time, MailCo has still not left the launch pad. Dr. David Ascher, formerly chief technology officer and vice president of engineering for ActiveState, and a director of the Python Software Foundation, is heading the effort to found the company. On his blog, Ascher reported that as of Jan. 15, Dan Mosedale, once he’s done with his work on the forthcoming Firefox 3, will be helping to get MailCo off the ground.
It appears, though, based on the postings in the blog, that MailCo is still months away from opening its doors. In the meantime, there appears to be little work being done on Thunderbird despite these misleading messages indicating that security fixes are still being delivered to the popular open-source e-mail client.