I'm not sure whether this is what you had in mind, but each product has a "Known Vulnerabilities" page showing what was patched in different versions:

Thunderbird https://www.mozilla.org/security/known-vulnerabilities/thunderbird/

Firefox https://www.mozilla.org/security/known-vulnerabilities/firefox/

SeaMonkey https://www.mozilla.org/security/known-vulnerabilities/seamonkey/

relevant links:

https://www.us-cert.gov/ncas/current-activity/2015/03/31/Mozilla-Releases-Security-Updates-Firefox-Firefox-ESR-and

therein you are invited to:

'Users and administrators are encouraged to review the Security Advisories for Firefox, Firefox ESR, and Thunderbird and apply the necessary updates.'

"Firefox, Firefox ESR, and Thunderbird" are anchors to the respective vulnerability pages which have no links to the actual update pages (a very novel approach by mozilla).

so, if you wend your way through the site and actually get to the most recent update page for the desired product(s) ... nothing! the new "necessary updates" are nowhere to be found.

Okay, so you would like:

(1) A link to the current product download on the Known Vulnerabilities page

(2) A more direct link to information about security patches on the product page -- currently behind the "What's New" link, in the list of changes, is a link to the Known Vulnerabilities page

I'm not sure of the best place to submit these suggestions.

Firefox 37.0, Firefox 31.6.0 ESR and Thunderbird 31.6.0 (coming) have been released today.

www.mozilla.org/firefox/all www.mozilla.org/firefox/organizations/all/

Thunderbird 31.6.0 will be at www.mozilla.org/thunderbird/all.html

"(1)" something to the "latest" would certainly make sense and utile.

"(2)" perhaps mozilla is not too anxious to have "What's New" readily known as "What was wrong".

i just ran into this prob with SM last week. CERT came out, engineering was all done, and the developer for the download page had forgotten to update the page. so, now we have four (4) different products that this has happened with.

perhaps i should have CERT insist that mozilla get its act together, post the right info on the CVE page (not done before the release), and THEN issue the alert.

thank you, james, but:

'http://www.mozilla.org/thunderbird/all.html' is the "thunderbird ESR" page and all versions are 31.5 not 31.6.

the FF link DOES reach 37.0.

The http://www.mozilla.org/thunderbird/all.html is indeed for the current Tb Release at time. I said 31.6.0 will be at that page when released as there is a Candidate build at here to show.

There has not been any Thunderbird ESR releases since 17.0.1esr back in November 2013.

Ever since Thunderbird 24.X.x it has just been a Release but still in much the same fashion of a ESR release every seven versions and in getting security and allowed stability fixes.

There is no Tb 32.0, 33.0, 34.0, 35.0, 36.0 or 37.0 for Thunderbird Release like there is with Fx. The next Major version Thunderbird will be at will be 38.0.

The Thunderbird community does not have the resources to have the same rapid release as Firefox does with Mozilla.

perhaps i failed to make myself clear. this is the pertinent part of the CERT release:

'Available updates include:

   Firefox 37
   Firefox ESR 31.6
   Thunderbird 31.6

Users and administrators are encouraged to review the Security Advisories for Firefox, Firefox ESR, and Thunderbird and apply the necessary updates.'

my whole point was that the new releases are NOT available when the notice comes out. it is probably not because engineering has not finished, it seems -- like in the SM case last week -- that the person responsible for updating the download page does not do it.

so, coming back to TB: you gave me a link to the TB ESR page and there i found that ALL the releases were 31.5 NOT 31.6 as was supposed to be available. the regular page -- which prompted this exchange -- was still at 31.5 as well.

i do understand the release policy delta between FF and TB, but i am looking for all of the releases cited in the CERT notice to be available on the appropriate download page before the notice goes out. this is not an extravagant expectation.

I do not follow Thunderbird development to know why there is a delay. Thunderbird is not a Mozilla product as it is being done by a community much like with SeaMonkey. SM releases are delayed a bit sometimes, due to server problems or other things as Norton has been the cause of delay a few times.

Again that is not a Thunderbird ESR page but the Thunderbird Release page as the separate ESR channel has not been used since Tb 17.0.1esr.