Bug 20003

David: Is THIS what you were looking after?:
http://ftp.mozilla.org/pub/firefox/releases/45.6.0esr/source/firefox-45.6.0esr.source.tar.xz

CC: (none) => hamnisdude

No, this is what I was looking at:
http://ftp.mozilla.org/pub/thunderbird/releases/45.6.0/

We already released the Firefox 45.6 update.

Sorry. My bad. I'm so tired that I didn't even reflect on which one of the Mozilla programs you needed the source for. Doh!

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption (CVE-2016-9899).

Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript (CVE-2016-9895).

Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array within libGLES (CVE-2016-9897).

Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor (CVE-2016-9898).

External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of data: URLs. This could allow for cross-domain data leakage (CVE-2016-9900).

An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites (CVE-2016-9904).

A potentially exploitable crash in EnumerateSubDocuments while adding or removing sub-documents (CVE-2016-9905).

Mozilla developers and community members Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory safety bugs present in in Thunderbird ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code (CVE-2016-9893).

References:
https://www.mozilla.org/en-US/thunderbird/45.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/
https://rhn.redhat.com/errata/RHSA-2016-2973.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9893
========================

Updated packages in core/updates_testing:
========================
thunderbird-45.6.0-1.mga5
thunderbird-enigmail-45.6.0-1.mga5
thunderbird-ar-45.6.0-1.mga5
thunderbird-ast-45.6.0-1.mga5
thunderbird-be-45.6.0-1.mga5
thunderbird-bg-45.6.0-1.mga5
thunderbird-bn_BD-45.6.0-1.mga5
thunderbird-br-45.6.0-1.mga5
thunderbird-ca-45.6.0-1.mga5
thunderbird-cs-45.6.0-1.mga5
thunderbird-cy-45.6.0-1.mga5
thunderbird-da-45.6.0-1.mga5
thunderbird-de-45.6.0-1.mga5
thunderbird-el-45.6.0-1.mga5
thunderbird-en_GB-45.6.0-1.mga5
thunderbird-en_US-45.6.0-1.mga5
thunderbird-es_AR-45.6.0-1.mga5
thunderbird-es_ES-45.6.0-1.mga5
thunderbird-et-45.6.0-1.mga5
thunderbird-eu-45.6.0-1.mga5
thunderbird-fi-45.6.0-1.mga5
thunderbird-fr-45.6.0-1.mga5
thunderbird-fy_NL-45.6.0-1.mga5
thunderbird-ga_IE-45.6.0-1.mga5
thunderbird-gd-45.6.0-1.mga5
thunderbird-gl-45.6.0-1.mga5
thunderbird-he-45.6.0-1.mga5
thunderbird-hr-45.6.0-1.mga5
thunderbird-hsb-45.6.0-1.mga5
thunderbird-hu-45.6.0-1.mga5
thunderbird-hy_AM-45.6.0-1.mga5
thunderbird-id-45.6.0-1.mga5
thunderbird-is-45.6.0-1.mga5
thunderbird-it-45.6.0-1.mga5
thunderbird-ja-45.6.0-1.mga5
thunderbird-ko-45.6.0-1.mga5
thunderbird-lt-45.6.0-1.mga5
thunderbird-nb_NO-45.6.0-1.mga5
thunderbird-nl-45.6.0-1.mga5
thunderbird-nn_NO-45.6.0-1.mga5
thunderbird-pa_IN-45.6.0-1.mga5
thunderbird-pl-45.6.0-1.mga5
thunderbird-pt_BR-45.6.0-1.mga5
thunderbird-pt_PT-45.6.0-1.mga5
thunderbird-ro-45.6.0-1.mga5
thunderbird-ru-45.6.0-1.mga5
thunderbird-si-45.6.0-1.mga5
thunderbird-sk-45.6.0-1.mga5
thunderbird-sl-45.6.0-1.mga5
thunderbird-sq-45.6.0-1.mga5
thunderbird-sv_SE-45.6.0-1.mga5
thunderbird-ta_LK-45.6.0-1.mga5
thunderbird-tr-45.6.0-1.mga5
thunderbird-uk-45.6.0-1.mga5
thunderbird-vi-45.6.0-1.mga5
thunderbird-zh_CN-45.6.0-1.mga5
thunderbird-zh_TW-45.6.0-1.mga5

from SRPMS:
thunderbird-45.6.0-1.mga5.src.rpm
thunderbird-l10n-45.6.0-1.mga5.src.rpm

Status: NEW => ASSIGNED
Assignee: doktor5000 => qa-bugs

Tested mga5-64.

Send/receive/move/delete under SMTP/IMAP OK, Google calendar loads normally.

CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga5-64-ok

MGA5-32-OK & MGA5-64-OK on real hardware and virtualbox machines

Procedure :

Upgrade from 45.5.1-1 to 45.6.0-1
the installation goes fine (I still have my config files and account as before)

Sending and receiving mails with and without files/pictures works.
Adding/Removing accounts from different webmail works (tested with gmail, hotmail and yahoo)

I'm using these addons :

Enigmail
Adblockplus
Lightning

And to test a bit more, I used a few personas and themes and changed some settings.

Everything is working as intended, I'm OK'ing the update for both arch.
Waiting for more people to validate the update.

CC: (none) => youpburden
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok mga5-32-ok

Validating; Advisory from Comment 4.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok mga5-32-ok => has_procedure mga5-64-ok mga5-32-ok advisory
CC: (none) => lewyssmith, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0006.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED