Bug 19450

Summary:	Thunderbird 45.3
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	davidwhodgins, sysadmin-bugs, tarazed25
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/696206/
Whiteboard:	MGA5-64-OK advisory
Source RPM:	thunderbird	CVE:
Status comment:

Description David Walser 2016-09-23 22:13:28 CEST

RedHat has issued an advisory on September 5:
https://rhn.redhat.com/errata/RHSA-2016-1809.html

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory to come.  For my reference, Firefox 45.3 update was in Bug 19133.

Updated packages in core/updates_testing:
================
thunderbird-45.3.0-2.mga5
thunderbird-enigmail-45.3.0-2.mga5
thunderbird-ar-45.3.0-1.mga5
thunderbird-ast-45.3.0-1.mga5
thunderbird-be-45.3.0-1.mga5
thunderbird-bg-45.3.0-1.mga5
thunderbird-bn_BD-45.3.0-1.mga5
thunderbird-br-45.3.0-1.mga5
thunderbird-ca-45.3.0-1.mga5
thunderbird-cs-45.3.0-1.mga5
thunderbird-cy-45.3.0-1.mga5
thunderbird-da-45.3.0-1.mga5
thunderbird-de-45.3.0-1.mga5
thunderbird-el-45.3.0-1.mga5
thunderbird-en_GB-45.3.0-1.mga5
thunderbird-en_US-45.3.0-1.mga5
thunderbird-es_AR-45.3.0-1.mga5
thunderbird-es_ES-45.3.0-1.mga5
thunderbird-et-45.3.0-1.mga5
thunderbird-eu-45.3.0-1.mga5
thunderbird-fi-45.3.0-1.mga5
thunderbird-fr-45.3.0-1.mga5
thunderbird-fy_NL-45.3.0-1.mga5
thunderbird-ga_IE-45.3.0-1.mga5
thunderbird-gd-45.3.0-1.mga5
thunderbird-gl-45.3.0-1.mga5
thunderbird-he-45.3.0-1.mga5
thunderbird-hr-45.3.0-1.mga5
thunderbird-hsb-45.3.0-1.mga5
thunderbird-hu-45.3.0-1.mga5
thunderbird-hy_AM-45.3.0-1.mga5
thunderbird-id-45.3.0-1.mga5
thunderbird-is-45.3.0-1.mga5
thunderbird-it-45.3.0-1.mga5
thunderbird-ja-45.3.0-1.mga5
thunderbird-ko-45.3.0-1.mga5
thunderbird-lt-45.3.0-1.mga5
thunderbird-nb_NO-45.3.0-1.mga5
thunderbird-nl-45.3.0-1.mga5
thunderbird-nn_NO-45.3.0-1.mga5
thunderbird-pa_IN-45.3.0-1.mga5
thunderbird-pl-45.3.0-1.mga5
thunderbird-pt_BR-45.3.0-1.mga5
thunderbird-pt_PT-45.3.0-1.mga5
thunderbird-ro-45.3.0-1.mga5
thunderbird-ru-45.3.0-1.mga5
thunderbird-si-45.3.0-1.mga5
thunderbird-sk-45.3.0-1.mga5
thunderbird-sl-45.3.0-1.mga5
thunderbird-sq-45.3.0-1.mga5
thunderbird-sv_SE-45.3.0-1.mga5
thunderbird-ta_LK-45.3.0-1.mga5
thunderbird-tr-45.3.0-1.mga5
thunderbird-uk-45.3.0-1.mga5
thunderbird-vi-45.3.0-1.mga5
thunderbird-zh_CN-45.3.0-1.mga5
thunderbird-zh_TW-45.3.0-1.mga5

from SRPMS:
thunderbird-45.3.0-2.mga5.src.rpm
thunderbird-l10n-45.3.0-1.mga5.src.rpm

Comment 1 David Walser 2016-09-23 22:27:32 CEST

Advisory:
================

Updated thunderbird packages fix security vulnerability:

Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird (CVE-2016-2836).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2836
https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2016-1809.html

Comment 2 Len Lawrence 2016-09-25 18:54:18 CEST

Thunderbird already in use.
For x86_64, installed:
thunderbird-45.3.0-2.mga5
thunderbird-en_GB-45.3.0-1.mga5
thunderbird-enigmail-45.3.0-2.mga5

Reopened thunderbird; functioning normally.
Tried out Enigmail and found that it is still affected by the earlier gnome-keyring bug; i.e. a bug in GNOME keyring associated with GPG.  Nevertheless, although it claims that it cannot create a revocation certificate, one such is created.  Sending a message to myself placed an encrypted reply in my Inbox and again there was an error report regarding GNOME keyring which said the passphrase could not be verified or something but in spite of that the message was successfully decrypted.  Concluding from this that Enigmail does work.  For non GNOME keyring users there would probably be no problem.

Thunderbird has suffered from random crashes recently so it will be interesting to see if those have gone away.  The patches address a different issue.

In the short term, this update looks fine.
Disabling Enigmail because I have no interest in using it.

CC: (none) => tarazed25

Len Lawrence 2016-09-25 18:54:42 CEST

Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2016-09-28 04:30:03 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2016-09-28 08:00:35 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0330.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED