Bug 18006

Summary: Thunderbird 38.7
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: davidwhodgins, doktor5000, sysadmin-bugs, tarazed25
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: thunderbird
CVE:
Status comment:
Bug Depends on: 17974
Bug Blocks:

Description David Walser 2016-03-14 23:29:20 CET
Thunderbird 38.7 is available as of March 13:
http://ftp.mozilla.org/pub/thunderbird/releases/38.7.0/source/

The upstream advisories haven't been updated yet, nor has RedHat posted theirs yet, but it should fix the same issues as in the last two paragraphs of the advisory for Firefox in Bug 17900.
Florian Hubold 2016-03-14 23:33:27 CET

Status: NEW => ASSIGNED
CC: (none) => doktor5000

Comment 1 Florian Hubold 2016-03-15 01:13:27 CET
Pushed to cauldron and thunderbird-38.7.0-1.mga5 and thunderbird-l10n-38.7.0-1.mga5 to core/updates_testing, will test tomorrow.
Comment 2 David Walser 2016-03-15 15:06:08 CET
Updated packages uploaded by Florian.  Thanks!

Advisory details are not available yet, but I'll post it when they are.

Note that you need to also update the rootcerts and nss packages from Bug 17974 along with these.

Updated packages in core/updates_testing:
========================
thunderbird-38.7.0-1.mga5
thunderbird-enigmail-38.7.0-1.mga5
thunderbird-ar-38.7.0-1.mga5
thunderbird-ast-38.7.0-1.mga5
thunderbird-be-38.7.0-1.mga5
thunderbird-bg-38.7.0-1.mga5
thunderbird-bn_BD-38.7.0-1.mga5
thunderbird-br-38.7.0-1.mga5
thunderbird-ca-38.7.0-1.mga5
thunderbird-cs-38.7.0-1.mga5
thunderbird-cy-38.7.0-1.mga5
thunderbird-da-38.7.0-1.mga5
thunderbird-de-38.7.0-1.mga5
thunderbird-el-38.7.0-1.mga5
thunderbird-en_GB-38.7.0-1.mga5
thunderbird-en_US-38.7.0-1.mga5
thunderbird-es_AR-38.7.0-1.mga5
thunderbird-es_ES-38.7.0-1.mga5
thunderbird-et-38.7.0-1.mga5
thunderbird-eu-38.7.0-1.mga5
thunderbird-fi-38.7.0-1.mga5
thunderbird-fr-38.7.0-1.mga5
thunderbird-fy_NL-38.7.0-1.mga5
thunderbird-ga_IE-38.7.0-1.mga5
thunderbird-gd-38.7.0-1.mga5
thunderbird-gl-38.7.0-1.mga5
thunderbird-he-38.7.0-1.mga5
thunderbird-hr-38.7.0-1.mga5
thunderbird-hsb-38.7.0-1.mga5
thunderbird-hu-38.7.0-1.mga5
thunderbird-hy_AM-38.7.0-1.mga5
thunderbird-id-38.7.0-1.mga5
thunderbird-is-38.7.0-1.mga5
thunderbird-it-38.7.0-1.mga5
thunderbird-ja-38.7.0-1.mga5
thunderbird-ko-38.7.0-1.mga5
thunderbird-lt-38.7.0-1.mga5
thunderbird-nb_NO-38.7.0-1.mga5
thunderbird-nl-38.7.0-1.mga5
thunderbird-nn_NO-38.7.0-1.mga5
thunderbird-pa_IN-38.7.0-1.mga5
thunderbird-pl-38.7.0-1.mga5
thunderbird-pt_BR-38.7.0-1.mga5
thunderbird-pt_PT-38.7.0-1.mga5
thunderbird-ro-38.7.0-1.mga5
thunderbird-ru-38.7.0-1.mga5
thunderbird-si-38.7.0-1.mga5
thunderbird-sk-38.7.0-1.mga5
thunderbird-sl-38.7.0-1.mga5
thunderbird-sq-38.7.0-1.mga5
thunderbird-sv_SE-38.7.0-1.mga5
thunderbird-ta_LK-38.7.0-1.mga5
thunderbird-tr-38.7.0-1.mga5
thunderbird-uk-38.7.0-1.mga5
thunderbird-vi-38.7.0-1.mga5
thunderbird-zh_CN-38.7.0-1.mga5
thunderbird-zh_TW-38.7.0-1.mga5

from SRPMS:
thunderbird-38.7.0-1.mga5.src.rpm
thunderbird-l10n-38.7.0-1.mga5.src.rpm

Depends on: (none) => 17974
Assignee: doktor5000 => qa-bugs
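
The check a tester runs after "you need to also update the rootcerts and nss packages from Bug 17974 along with these" is to confirm that every package of the update set is installed at exactly the version-release named in the bug. The script below is an added example in POSIX sh and awk, not code from the bug report or from Mageia's QA tooling. It compares an installed-package list (what `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` prints) against an expected NAME VERSION-RELEASE list. The installed list here is a constructed sample, EXPECTED is trimmed to four of the packages from Comment 2, and the nss and rootcerts entries have to be filled in from Bug 17974, since their versions are not given on this page.

```shell
#!/bin/sh
# Added example, not part of the Mageia bug report or its packaging: verify
# that every package of a pushed update set is installed at the exact
# version-release the QA bug names.  The installed list is what
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# prints; a constructed sample is embedded so the script runs offline and
# shows one outdated and one missing package.

# Expected NAME VERSION-RELEASE pairs, taken from the update list in the bug
# (trimmed to a few entries).  nss and rootcerts from Bug 17974 belong here
# too, with the NVRs given in that bug (not reproduced on this page).
EXPECTED='thunderbird 38.7.0-1.mga5
thunderbird-enigmail 38.7.0-1.mga5
thunderbird-en_GB 38.7.0-1.mga5
thunderbird-fr 38.7.0-1.mga5'

# Constructed sample of installed packages: enigmail still at an older build,
# the en_GB locale pack not installed at all, plus an unrelated package.
INSTALLED_SAMPLE='thunderbird-38.7.0-1.mga5
thunderbird-enigmail-38.6.0-1.mga5
thunderbird-fr-38.7.0-1.mga5
some-other-package-1.0-1.mga5'

# check_update EXPECTED INSTALLED
# Prints one line per missing or outdated package and a summary; returns 1
# if anything is off, 0 if every expected package is installed at its NVR.
check_update() {
    printf '%s\n' "$1" | awk -v installed="$2" '
    BEGIN {
        n = split(installed, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (lines[i] == "") continue
            # NAME is everything before the last two dash-separated fields
            # (VERSION and RELEASE); neither may contain a dash in RPM.
            if (match(lines[i], /-[^-]+-[^-]+$/) == 0) continue
            have[substr(lines[i], 1, RSTART - 1)] = substr(lines[i], RSTART + 1)
        }
    }
    NF == 2 {
        name = $1; want = $2
        if (!(name in have)) {
            print "MISSING " name " (want " want ")"; bad++
        } else if (have[name] != want) {
            print "OUTDATED " name " have " have[name] " want " want; bad++
        } else {
            ok++
        }
    }
    END {
        print ok + 0 " ok, " bad + 0 " problem(s)"
        exit (bad + 0 > 0)
    }'
}

# Stand-alone run against the constructed sample.  The non-zero status is
# reported rather than propagated so the demonstration does not abort the
# calling shell; in a real QA run you would let it fail the step.
check_update "$EXPECTED" "$INSTALLED_SAMPLE" || echo "update set incomplete"
```

On a real system, replace INSTALLED_SAMPLE with `$(rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n')` and extend EXPECTED with every package from the bug's list plus the nss and rootcerts NVRs from Bug 17974; the exact-match comparison is deliberate, because QA validates the specific build pushed to updates_testing, not "anything newer".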

Comment 3 Len Lawrence 2016-03-15 17:58:47 CET
Testing this on my production system, x86_64.

Already a user so updated right away.
Installed the nss and rootcerts packages as advised.
Supplied the Google mail password when prompted.
Generated a new key-pair via Enigmail and a revocation certificate.

All the basic functions that I normally use are working and as it is in continuous use I am likely to notice any regressions.  Giving this the OK but shall not be testing it on 32-bit architecture.

CC: (none) => tarazed25

Len Lawrence 2016-03-15 17:59:06 CET

Whiteboard: (none) => MGA5-64-OK

Comment 4 Florian Hubold 2016-03-15 19:26:15 CET
Tested today too including the nss update, and works fine here on x86_64.
Comment 5 claire robinson 2016-03-15 20:04:22 CET
Uploaded a template advisory with srpms added which can be amended when it is available.
Comment 6 David Walser 2016-03-15 20:25:41 CET
Advisory in SVN fixed.

No RedHat advisory yet, but last URL in the reference can be replaced if one is.

Here's the advisory in SVN.

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird (CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960,
CVE-2016-1961, CVE-2016-1974, CVE-2016-1964, CVE-2016-1966).

Multiple security flaws were found in the graphite2 font library shipped
with Thunderbird. A web page containing malicious content could cause it
to crash or, potentially, execute arbitrary code with the privileges of the
user running Thunderbird (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791,
CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796,
CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801,
CVE-2016-2802).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2802
https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-23/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2016-0373.html
Comment 7 David Walser 2016-03-15 20:26:02 CET
I'll test i586 this evening if nobody beats me to it.
Dave Hodgins 2016-03-15 22:10:06 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 8 David Walser 2016-03-16 11:30:57 CET
Testing complete Mageia 5 i586.  Validating this now.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2016-03-16 19:08:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0115.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2016-03-17 16:54:54 CET
RedHat has issued an advisory for this on March 16:
https://rhn.redhat.com/errata/RHSA-2016-0460.html

Advisory reference updated in SVN.