
I am a regular user of Firefox and Thunderbird. I have been using solely Ubuntu for more than a year. An interesting thing I noticed is that while Firefox is updated as quickly as possible (with a lag of at most several days) in Ubuntu repositories, the same is not true for Thunderbird.

  1. The latest official version for Firefox is 74.0; it was released just two days ago and Ubuntu just updated it today.

  2. The latest official version for Thunderbird is 68.5.0 which was released more than a month ago; while Ubuntu repositories still have not updated Thunderbird since version 68.4.1, which was released more than two months ago:

Version 68.4.1, first offered to channel users on January 9, 2020

Version 68.4.2, first offered to channel users on January 24, 2020

Version 68.5.0, first offered to channel users on February 11, 2020

Note: I am only interested in the supported PPAs and I am not currently using the "snap store" for this software. However, checking the snap store will reveal that the same (68.4.1) Thunderbird version is provided there too.

FedKad
  • More info required: is Firefox a snap? Is Thunderbird a snap? And you are aware we use a 6-month cycle for software? (And that 6-month cycle is well inside your 2 months ;) ) Do you have issues with snap installs? If not, install tbird using snap. – Rinzwind Mar 12 '20 at 10:22
  • There's a ppa here: https://launchpad.net/~mozillateam/+archive/ubuntu/ppa?field.series_filter=eoan – DK Bose Mar 12 '20 at 11:16

1 Answer


New upstream versions are NOT pushed to Ubuntu repositories after release (except Web Browsers and a couple other critical exceptions, which are pushed). E-mail clients are not one of those exceptions.

The normal Security Team process is that vulnerabilities get tracked and patched, then a new, safe package is released in the security pocket.

  • The version number gets a minor bump, since this is not a new upstream release. Example: Thunderbird 68.4.1+build1-0ubuntu0.19.10.1 gets bumped to 68.4.1+build1-0ubuntu0.19.10.2. It's just as safe as 68.5. All the same (declared) vulns are addressed.

The exception for web browsers is that the newest upstream release is always pushed to all releases of Ubuntu by the Security Team. There are several reasons for this: Browsers are more widely and more intensively used, are more complex, and have more interaction with other hardware on your system.

  • This is a new upstream release, so the major version number gets bumped. Example: Firefox 72.0.1+build1-0ubuntu0.19.10.1 gets bumped to 74.0.1+build1-0ubuntu0.19.10.1

In the specific example of Thunderbird: 68.4.2 won't be pushed to Ubuntu 19.10 users, since 19.10 has already been released. However, all the vulnerabilities fixed in 68.4.2 were backported to 68.4.1 by the Ubuntu Security Team. Your patched 68.4.1 is safe. Thunderbird 68.5 is in Ubuntu 20.04.

user535733
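The distinction drawn in the answer above can be checked mechanically. The following is an added example, not part of the original post: it splits Ubuntu package versions into upstream version and packaging revision, then labels each upgrade in `dpkg.log`-style lines as a new upstream release or a revision-only bump. The log lines are constructed from the version strings quoted in the answer (dates and architecture are made up), and the function names and labels are hypothetical.

```python
import re
from typing import NamedTuple

class DebVersion(NamedTuple):
    epoch: int
    upstream: str   # e.g. "68.4.1+build1"
    revision: str   # e.g. "0ubuntu0.19.10.1" (Ubuntu packaging revision)

def parse_version(v: str) -> DebVersion:
    """Split a Debian/Ubuntu version string: [epoch:]upstream[-revision]."""
    epoch, sep, rest = v.partition(":")
    if not sep:                      # no epoch present
        epoch, rest = "0", v
    # The revision is whatever follows the LAST hyphen.
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # native package, no revision
        upstream, revision = rest, ""
    return DebVersion(int(epoch), upstream, revision)

def classify(old: str, new: str) -> str:
    """Label an upgrade by which part of the version changed."""
    o, n = parse_version(old), parse_version(new)
    if (o.epoch, o.upstream) != (n.epoch, n.upstream):
        return "new-upstream"        # the browser-style update in the answer
    if o.revision != n.revision:
        return "packaging-revision"  # same upstream; how backported fixes arrive
    return "unchanged"

# dpkg.log upgrade entries: "<date> <time> upgrade <pkg>:<arch> <old> <new>"
UPGRADE = re.compile(r"^\S+ \S+ upgrade (\S+?)(?::\S+)? (\S+) (\S+)$")

def audit(log_lines):
    """Return (package, label) for every upgrade entry; skip other lines."""
    results = []
    for line in log_lines:
        m = UPGRADE.match(line.strip())
        if m:
            pkg, old, new = m.groups()
            results.append((pkg, classify(old, new)))
    return results

# Constructed sample; versions are the ones quoted in the answer.
SAMPLE_LOG = [
    "2020-03-12 10:00:01 upgrade thunderbird:amd64 68.4.1+build1-0ubuntu0.19.10.1 68.4.1+build1-0ubuntu0.19.10.2",
    "2020-03-12 10:00:02 status installed thunderbird:amd64 68.4.1+build1-0ubuntu0.19.10.2",
    "2020-03-12 10:00:05 upgrade firefox:amd64 72.0.1+build1-0ubuntu0.19.10.1 74.0.1+build1-0ubuntu0.19.10.1",
]

if __name__ == "__main__":
    for pkg, label in audit(SAMPLE_LOG):
        print(f"{pkg}: {label}")
```

A `packaging-revision` result only says the upstream version did not change; which vulnerabilities a given revision addresses is recorded in the package changelog and the corresponding security notice.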