When Firefox 220.127.116.11 came out on Feb. 7, it brought with it fixes for three critical security holes and seven that were not quite so serious. According to the security advisories, many of these problems were also fixed in the Thunderbird 18.104.22.168 e-mail client. Unfortunately, there is no Thunderbird 22.214.171.124.
The Mozilla Foundation’s press release focused on the Firefox 126.96.36.199 security fixes. The Foundation also reported, though, in its MFSA (Mozilla Foundation Security Advisory), that these same bugs had been fixed in the fictitious Thunderbird 188.8.131.52.
Specifically, the following critical security advisories were reported to be fixed in both Firefox and Thunderbird 184.108.40.206: MFSA 2008-01 (crashes with evidence of memory corruption) and MFSA 2008-03 (privilege escalation, XSS, remote code execution). In addition, the serious security bug MFSA 2008-05 (directory traversal via chrome: URI) and moderate security bug MFSA 2008-08 (file action dialog tampering) are reported to have been fixed in the nonexistent Thunderbird 220.127.116.11.
Still, it is upsetting that Mozilla reports that these problems have been fixed in a version of Thunderbird that doesn’t exist. The latest version of Thunderbird is 18.104.22.168.
DesktopLinux.com tried to reach the Mozilla Foundation Feb. 8 for an explanation, but, as of the afternoon of Feb. 11, the Foundation had not replied.
There has long been concern that Thunderbird was not a real priority for Mozilla. In September 2007, Mozilla announced that it was spinning Thunderbird off into a company of its own: MailCo. Only weeks later, Scott MacGregor, one of Thunderbird’s two key developers, left Mozilla. This reignited Thunderbird users’ fears that Mozilla was not so much moving Thunderbird out as throwing it out.
Since that time, MailCo has still not left the launch pad. Dr. David Ascher, formerly chief technology officer and vice president of engineering for ActiveState, and a director of the Python Software Foundation, is heading the effort to found the company. On his blog, Ascher reported that as of Jan. 15, Dan Mosedale, once he’s done with his work on the forthcoming Firefox 3, will be helping to get MailCo off the ground.
It appears, though, based on the postings in the blog, that MailCo is still months away from opening its doors. In the meantime, there appears to be little work being done on Thunderbird despite these misleading messages indicating that security fixes are still being delivered to the popular open-source e-mail client.