Bug 20749

Summary: Thunderbird - update to version 52.1.0
Product: Mageia Reporter: Mike Rambo <mhrambo3501>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, jim, lewyssmith, lists.jjorge, luigiwalser, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: thunderbird-45.8.0-1.mga5.src.rpm CVE:
Status comment:

Description Mike Rambo 2017-04-29 02:04:48 CEST 
Description of problem:
Update to the recently released version 52.0.1
Comment 1 Mike Rambo 2017-04-29 02:15:50 CEST 
Updates for mga5 thunderbird 52.0.1 (and the corresponding thunderbird-l10n) were pushed earlier today. Time ran short to do the advisory so I'll do that and assign to QA next week.

CC: (none) => luigiwalser

Comment 2 Mike Rambo 2017-04-29 02:17:03 CEST 
Updates for mga5 thunderbird 52.0.1 (and the corresponding thunderbird-l10n) were pushed earlier today. Time ran short to do the advisory so I'll do that and assign to QA next week.

Summary: Update to version 52.0.1 => Thunderbird - update to version 52.0.1

Comment 3 David Walser 2017-05-01 01:52:39 CEST 
Thunderbird 52.1.0 has been released today (April 30):
https://www.mozilla.org/en-US/thunderbird/52.1.0/releasenotes/

Now we do need to update it for Mageia 5.
Comment 4 Mike Rambo 2017-05-04 15:17:18 CEST 
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated thunderbird and thunderbird-l10n packages fix bugs and various security vulnerabilities:

* Google Oauth setup can sometimes not progress to the next step
* Background images not working and other issues related to embedded images when composing email
* plus various security fixes (per the release notes)

Updated packages in core/updates_testing:
========================
thunderbird-52.1.0-1.mga5
thunderbird-debuginfo-52.1.0-1.mga5
thunderbird-enigmail-52.1.0-1.mga5

from thunderbird-52.1.0-1.mga5.src.rpm


and the thunderbird-l10n packages

thunderbird-ar-52.1.0-1.mga5.noarch.rpm
thunderbird-ast-52.1.0-1.mga5.noarch.rpm
thunderbird-be-52.1.0-1.mga5.noarch.rpm
thunderbird-bg-52.1.0-1.mga5.noarch.rpm
thunderbird-bn_BD-52.1.0-1.mga5.noarch.rpm
thunderbird-br-52.1.0-1.mga5.noarch.rpm
thunderbird-ca-52.1.0-1.mga5.noarch.rpm
thunderbird-cs-52.1.0-1.mga5.noarch.rpm
thunderbird-cy-52.1.0-1.mga5.noarch.rpm
thunderbird-da-52.1.0-1.mga5.noarch.rpm
thunderbird-de-52.1.0-1.mga5.noarch.rpm
thunderbird-el-52.1.0-1.mga5.noarch.rpm
thunderbird-en_GB-52.1.0-1.mga5.noarch.rpm
thunderbird-en_US-52.1.0-1.mga5.noarch.rpm
thunderbird-es_AR-52.1.0-1.mga5.noarch.rpm
thunderbird-es_ES-52.1.0-1.mga5.noarch.rpm
thunderbird-et-52.1.0-1.mga5.noarch.rpm
thunderbird-eu-52.1.0-1.mga5.noarch.rpm
thunderbird-fi-52.1.0-1.mga5.noarch.rpm
thunderbird-fr-52.1.0-1.mga5.noarch.rpm
thunderbird-fy_NL-52.1.0-1.mga5.noarch.rpm
thunderbird-ga_IE-52.1.0-1.mga5.noarch.rpm
thunderbird-gd-52.1.0-1.mga5.noarch.rpm
thunderbird-gl-52.1.0-1.mga5.noarch.rpm
thunderbird-he-52.1.0-1.mga5.noarch.rpm
thunderbird-hr-52.1.0-1.mga5.noarch.rpm
thunderbird-hsb-52.1.0-1.mga5.noarch.rpm
thunderbird-hu-52.1.0-1.mga5.noarch.rpm
thunderbird-hy_AM-52.1.0-1.mga5.noarch.rpm
thunderbird-id-52.1.0-1.mga5.noarch.rpm
thunderbird-is-52.1.0-1.mga5.noarch.rpm
thunderbird-it-52.1.0-1.mga5.noarch.rpm
thunderbird-ja-52.1.0-1.mga5.noarch.rpm
thunderbird-ko-52.1.0-1.mga5.noarch.rpm
thunderbird-lt-52.1.0-1.mga5.noarch.rpm
thunderbird-nb_NO-52.1.0-1.mga5.noarch.rpm
thunderbird-nl-52.1.0-1.mga5.noarch.rpm
thunderbird-nn_NO-52.1.0-1.mga5.noarch.rpm
thunderbird-pa_IN-52.1.0-1.mga5.noarch.rpm
thunderbird-pl-52.1.0-1.mga5.noarch.rpm
thunderbird-pt_BR-52.1.0-1.mga5.noarch.rpm
thunderbird-pt_PT-52.1.0-1.mga5.noarch.rpm
thunderbird-ro-52.1.0-1.mga5.noarch.rpm
thunderbird-ru-52.1.0-1.mga5.noarch.rpm
thunderbird-si-52.1.0-1.mga5.noarch.rpm
thunderbird-sk-52.1.0-1.mga5.noarch.rpm
thunderbird-sl-52.1.0-1.mga5.noarch.rpm
thunderbird-sq-52.1.0-1.mga5.noarch.rpm
thunderbird-sv_SE-52.1.0-1.mga5.noarch.rpm
thunderbird-ta_LK-52.1.0-1.mga5.noarch.rpm
thunderbird-tr-52.1.0-1.mga5.noarch.rpm
thunderbird-uk-52.1.0-1.mga5.noarch.rpm
thunderbird-vi-52.1.0-1.mga5.noarch.rpm
thunderbird-zh_CN-52.1.0-1.mga5.noarch.rpm
thunderbird-zh_TW-52.1.0-1.mga5.noarch.rpm

from thunderbird-l10n-52.1.0-1.mga5.src.rpm

Summary: Thunderbird - update to version 52.0.1 => Thunderbird - update to version 52.1.0
Assignee: mrambo => qa-bugs

Comment 5 José Jorge 2017-05-04 21:55:19 CEST 
Tested in i586 with enigmail in french. All is ok.

CC: (none) => lists.jjorge
Severity: enhancement => normal

Comment 6 David Walser 2017-05-06 01:00:17 CEST 
Advisory covering the security issues.

Advisory:
========================

Updated thunderbird packages fix security issues:

Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird (CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433,
CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5438, CVE-2017-5439,
CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444,
CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5449, CVE-2017-5451,
CVE-2017-5454, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5464,
CVE-2017-5465, CVE-2017-5467, CVE-2017-5469).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5469
https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
Comment 7 James Kerr 2017-05-07 11:33:18 CEST 
On mga5-64 packages installed cleanly:

- thunderbird-52.1.0-1.mga5.x86_64
- thunderbird-en_GB-52.1.0-1.mga5.noarch

Email - POP/SMTP - OK
Calendar - OK
Address Book - OK
Unix Movemail - OK
Newsgroups - OK

To the extent tested, OK for mga5-64

Not tested: enigmail, IMAP

CC: (none) => jim

Comment 8 David Walser 2017-05-07 19:12:31 CEST 
openSUSE has issued an advisory for this today (May 7):
https://lists.opensuse.org/opensuse-updates/2017-05/msg00016.html

Component: RPM Packages => Security

Comment 9 David Walser 2017-05-08 12:17:00 CEST 
RedHat has issued an advisory for this today (May 8):
https://rhn.redhat.com/errata/RHSA-2017-1201.html

Advisory:
========================

Updated thunderbird packages fix security issues:

Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird (CVE-2017-5429, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434,
CVE-2017-5435, CVE-2017-5436, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440,
CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445,
CVE-2017-5446, CVE-2017-5447, CVE-2017-5449, CVE-2017-5451, CVE-2017-5454,
CVE-2017-5459, CVE-2017-5460, CVE-2017-5464, CVE-2017-5465, CVE-2017-5467,
CVE-2017-5469).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5469
https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2017-1201.html
Comment 10 Manuel Hiebel 2017-05-08 12:21:08 CEST 
Works ok here on 64b (imap lightning)
Dave Hodgins 2017-05-08 21:25:26 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Herman Viaene 2017-05-09 10:59:07 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues, choose Dutch as interface
Declined enigmail config, setup access to mi gmail account, could receive and send messages.

Whiteboard: advisory => advisory MGA5-32-OK
CC: (none) => herman.viaene

Comment 12 Lewis Smith 2017-05-10 19:49:28 CEST 
OK-ing 64-bit in the light of Comment 7 & Comment 10.
Validating. Advisory: added CVE-2017-5466 to the description - it was already in both CVE lists.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 13 Mageia Robot 2017-05-10 23:03:26 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0139.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED