
Does Thunderbird receive security updates when essential?

I’m on Ubuntu 22.04. Stock Thunderbird is behind in updates now.


$ apt policy thunderbird
thunderbird:
  Installed: 1:102.2.2+build1-0ubuntu0.22.04.1
  Candidate: 1:102.2.2+build1-0ubuntu0.22.04.1
  Version table:
 *** 1:102.2.2+build1-0ubuntu0.22.04.1 500
        500 jammy-updates/main amd64 Packages
        500 jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:91.8.0+build2-0ubuntu1 500
        500 jammy/main amd64 Packages

The current release is 102.4.1. I understand that Thunderbird updates only occasionally. I did notice that Thunderbird updated immediately to include the patch for the zero-day exploit unearthed at pwn2own. …ed-at-pwn2own/

If you look at the Thunderbird Security Advisories page, the recent exploits have this message included.

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.…s/mfsa2022-46/

So the fact that Thunderbird is behind in updates doesn’t really matter. There is also this excerpt from a post.

As such, testing etc of Firefox updates (and other desktop packages seeded on the desktop image etc) are prioritised over Thunderbird so in general Thunderbird updates will lag behind Firefox updates. Unfortunately in a world where new security issues are found daily across the vast array of software that is distributed in Ubuntu, there is a constant stream of security updates which need to be prepared, tested and released by a finite number of developers. The security and desktop teams have to prioritise which packages to target and so we prefer to take the approach of protecting the greatest number of users as possible by updating the packages that are most used first. Hence why unfortunately Thunderbird updates generally will come later – there are just a lot more users of Firefox (and many other applications) than Thunderbird.…users/26963/18

I guess what I’m really wondering is if maybe the maintainers are strategically updating Thunderbird when it really needs it, such as with the pwn2own zero-day, but letting it slide when the danger is not so great? Or is it just that they get to it when they can?

EDIT: Forgot to add that I’ve seen other posts in the forums saying that Ubuntu 22.04 is an LTS and updates are only when needed. Which would seem to imply that Thunderbird is indeed updated when needed.