Bug 25103

Summary: Thunderbird 60.8.0
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, fri, jim, nathan95, sysadmin-bugs, tarazed25, tmb, wrw105
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO MGA6-64-OK mga7-64-ok mga7-32-ok MGA6-32-OK
Source RPM: thunderbird, thunderbird-l10n CVE:
Status comment:
Bug Depends on: 25102, 25105    
Bug Blocks:    

Description Nicolas Salguero 2019-07-11 11:33:21 CEST 
Hi,

Thunderbird 60.8 has been released (July 9).

References:
https://www.thunderbird.net/en-US/thunderbird/60.8.0/releasenotes/

Best regards,

Nico.
Nicolas Salguero 2019-07-11 13:17:54 CEST

Source RPM: (none) => thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Nicolas Salguero 2019-07-12 09:56:07 CEST 
Suggested advisory:
========================

The updated packages fix some bugs.

References:
https://www.thunderbird.net/en-US/thunderbird/60.8.0/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-60.8.0-1.mga[67]
thunderbird-enigmail-60.8.0-1.mga[67]
thunderbird-ar-60.8.0-1.mga[67]
thunderbird-ast-60.8.0-1.mga[67]
thunderbird-be-60.8.0-1.mga[67]
thunderbird-bg-60.8.0-1.mga[67]
thunderbird-br-60.8.0-1.mga[67]
thunderbird-ca-60.8.0-1.mga[67]
thunderbird-cs-60.8.0-1.mga[67]
thunderbird-cy-60.8.0-1.mga[67]
thunderbird-da-60.8.0-1.mga[67]
thunderbird-de-60.8.0-1.mga[67]
thunderbird-el-60.8.0-1.mga[67]
thunderbird-en_GB-60.8.0-1.mga[67]
thunderbird-en_US-60.8.0-1.mga[67]
thunderbird-es_AR-60.8.0-1.mga[67]
thunderbird-es_ES-60.8.0-1.mga[67]
thunderbird-et-60.8.0-1.mga[67]
thunderbird-eu-60.8.0-1.mga[67]
thunderbird-fi-60.8.0-1.mga[67]
thunderbird-fr-60.8.0-1.mga[67]
thunderbird-fy_NL-60.8.0-1.mga[67]
thunderbird-ga_IE-60.8.0-1.mga[67]
thunderbird-gd-60.8.0-1.mga[67]
thunderbird-gl-60.8.0-1.mga[67]
thunderbird-he-60.8.0-1.mga[67]
thunderbird-hr-60.8.0-1.mga[67]
thunderbird-hsb-60.8.0-1.mga[67]
thunderbird-hu-60.8.0-1.mga[67]
thunderbird-hy_AM-60.8.0-1.mga[67]
thunderbird-id-60.8.0-1.mga[67]
thunderbird-is-60.8.0-1.mga[67]
thunderbird-it-60.8.0-1.mga[67]
thunderbird-ja-60.8.0-1.mga[67]
thunderbird-ko-60.8.0-1.mga[67]
thunderbird-lt-60.8.0-1.mga[67]
thunderbird-nb_NO-60.8.0-1.mga[67]
thunderbird-nl-60.8.0-1.mga[67]
thunderbird-nn_NO-60.8.0-1.mga[67]
thunderbird-pl-60.8.0-1.mga[67]
thunderbird-pt_BR-60.8.0-1.mga[67]
thunderbird-pt_PT-60.8.0-1.mga[67]
thunderbird-ro-60.8.0-1.mga[67]
thunderbird-ru-60.8.0-1.mga[67]
thunderbird-si-60.8.0-1.mga[67]
thunderbird-sk-60.8.0-1.mga[67]
thunderbird-sl-60.8.0-1.mga[67]
thunderbird-sq-60.8.0-1.mga[67]
thunderbird-sv_SE-60.8.0-1.mga[67]
thunderbird-tr-60.8.0-1.mga[67]
thunderbird-uk-60.8.0-1.mga[67]
thunderbird-vi-60.8.0-1.mga[67]
thunderbird-zh_CN-60.8.0-1.mga[67]
thunderbird-zh_TW-60.8.0-1.mga[67]

from SRPMS:
thunderbird-60.8.0-1.mga[67].src.rpm
thunderbird-l10n-60.8.0-1.mga[67].src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Version: Cauldron => 7

Comment 2 James Kerr 2019-07-12 13:05:26 CEST 
on mga6-64  plasma

packages installed cleanly:

- thunderbird-60.8.0-1.mga6.x86_64
- thunderbird-en_GB-60.8.0-1.mga6.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga6-64

CC: (none) => jim

Comment 3 Nicolas Salguero 2019-07-12 13:15:29 CEST 
My bad! I forgot to mention that enigmail was updated to 2.0.12 as well.

Suggested advisory:
========================

The updated packages fix some bugs.

Enigmail 2.0.12 sets the default keyserver to keys.openpgp.org in order to mitigate the SKS Keyserver Network Attack.

References:
https://www.thunderbird.net/en-US/thunderbird/60.8.0/releasenotes/
https://enigmail.net/index.php/en/download/changelog#enig2.0.12
Comment 4 James Kerr 2019-07-13 11:03:51 CEST 
This update should be released after or at the same time as the firefox update, bug#25102, since it requires the nss update in that bug.

Depends on: (none) => 25102

Comment 5 James Kerr 2019-07-13 12:02:54 CEST 
On mga7-64

Sorry, the following packages cannot be selected:

- thunderbird-60.8.0-1.mga7.x86_64 (due to unsatisfied lib64nss3[>= 2:3.45.0])
- thunderbird-en_GB-60.8.0-1.mga7.noarch (due to unsatisfied thunderbird[== 0:60.8.0])
James Kerr 2019-07-13 12:24:59 CEST

Keywords: (none) => feedback

Comment 6 Nicolas Salguero 2019-07-13 13:20:19 CEST 
This update should be released after or at the same time as the firefox update, bug#25105, since it requires the nss update in that bug.

Keywords: feedback => (none)
Depends on: (none) => 25105

Comment 7 Thomas Backlund 2019-07-13 13:27:32 CEST 
Has anyone checked that lightning translations are updated to match and work ?
(

See bug: https://bugs.mageia.org/show_bug.cgi?id=25068

CC: (none) => tmb

Comment 8 David Walser 2019-07-13 20:27:08 CEST 
Please add security info the advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/

Severity: normal => critical
Component: RPM Packages => Security
QA Contact: (none) => security

Comment 9 Morgan Leijström 2019-07-14 06:20:25 CEST 
mga6-64, plasma: Thunderbird working without regressions for me. Using many thousands mail and several accounts over offline IMAP, and SMTP.

Re c#7 it is still not translated for me, swedish.
I do not use calender nor enigmail, but checked the menues and dialogs.

CC: (none) => fri

Comment 10 David Walser 2019-07-15 19:13:20 CEST 
RedHat has issued an advisory for this today (July 15):
https://access.redhat.com/errata/RHSA-2019:1775
Comment 11 Nicolas Salguero 2019-07-18 10:17:54 CEST 
I added a new version of the script script get-calendar-langpacks.sh and launched a new build to try to solve bug 25068 too.

The main problem is that, in my test VMs, calendar is translated (into French, in my case) so I do not see any reason why, in many cases, it is not.  Maybe the problem, in my tests, is that the profiles are too new to exhibit the issue.
Comment 12 Nicolas Salguero 2019-07-18 10:18:12 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Sandbox escape via installation of malicious language pack. (CVE-2019-9811)

Script injection within domain through inner window reuse. (CVE-2019-11711)

Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects. (CVE-2019-11712)

Use-after-free with HTTP/2 cached stream. (CVE-2019-11713)

Empty or malformed p256-ECDH public keys may trigger a segmentation fault. (CVE-2019-11729)

HTML parsing error can contribute to content XSS. (CVE-2019-11715)

Caret character improperly escaped in origins. (CVE-2019-11717)

Out-of-bounds read when importing curve25519 private key. (CVE-2019-11719)

Same-origin policy treats all files in a directory as having the same-origin. (CVE-2019-11730)

Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8 and Thunderbird 60.8. (CVE-2019-11709)

Enigmail 2.0.12 sets the default keyserver to keys.openpgp.org in order to mitigate the SKS Keyserver Network Attack.

References:
https://www.thunderbird.net/en-US/thunderbird/60.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/
https://enigmail.net/index.php/en/download/changelog#enig2.0.12
https://access.redhat.com/errata/RHSA-2019:1775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11717
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11709
========================

Updated packages in core/updates_testing:
========================
thunderbird-60.8.0-1.1.mga[67]
thunderbird-enigmail-60.8.0-1.1.mga[67]
thunderbird-ar-60.8.0-1.mga[67]
thunderbird-ast-60.8.0-1.mga[67]
thunderbird-be-60.8.0-1.mga[67]
thunderbird-bg-60.8.0-1.mga[67]
thunderbird-br-60.8.0-1.mga[67]
thunderbird-ca-60.8.0-1.mga[67]
thunderbird-cs-60.8.0-1.mga[67]
thunderbird-cy-60.8.0-1.mga[67]
thunderbird-da-60.8.0-1.mga[67]
thunderbird-de-60.8.0-1.mga[67]
thunderbird-el-60.8.0-1.mga[67]
thunderbird-en_GB-60.8.0-1.mga[67]
thunderbird-en_US-60.8.0-1.mga[67]
thunderbird-es_AR-60.8.0-1.mga[67]
thunderbird-es_ES-60.8.0-1.mga[67]
thunderbird-et-60.8.0-1.mga[67]
thunderbird-eu-60.8.0-1.mga[67]
thunderbird-fi-60.8.0-1.mga[67]
thunderbird-fr-60.8.0-1.mga[67]
thunderbird-fy_NL-60.8.0-1.mga[67]
thunderbird-ga_IE-60.8.0-1.mga[67]
thunderbird-gd-60.8.0-1.mga[67]
thunderbird-gl-60.8.0-1.mga[67]
thunderbird-he-60.8.0-1.mga[67]
thunderbird-hr-60.8.0-1.mga[67]
thunderbird-hsb-60.8.0-1.mga[67]
thunderbird-hu-60.8.0-1.mga[67]
thunderbird-hy_AM-60.8.0-1.mga[67]
thunderbird-id-60.8.0-1.mga[67]
thunderbird-is-60.8.0-1.mga[67]
thunderbird-it-60.8.0-1.mga[67]
thunderbird-ja-60.8.0-1.mga[67]
thunderbird-ko-60.8.0-1.mga[67]
thunderbird-lt-60.8.0-1.mga[67]
thunderbird-nb_NO-60.8.0-1.mga[67]
thunderbird-nl-60.8.0-1.mga[67]
thunderbird-nn_NO-60.8.0-1.mga[67]
thunderbird-pl-60.8.0-1.mga[67]
thunderbird-pt_BR-60.8.0-1.mga[67]
thunderbird-pt_PT-60.8.0-1.mga[67]
thunderbird-ro-60.8.0-1.mga[67]
thunderbird-ru-60.8.0-1.mga[67]
thunderbird-si-60.8.0-1.mga[67]
thunderbird-sk-60.8.0-1.mga[67]
thunderbird-sl-60.8.0-1.mga[67]
thunderbird-sq-60.8.0-1.mga[67]
thunderbird-sv_SE-60.8.0-1.mga[67]
thunderbird-tr-60.8.0-1.mga[67]
thunderbird-uk-60.8.0-1.mga[67]
thunderbird-vi-60.8.0-1.mga[67]
thunderbird-zh_CN-60.8.0-1.mga[67]
thunderbird-zh_TW-60.8.0-1.mga[67]

from SRPMS:
thunderbird-60.8.0-1.1.mga[67].src.rpm
thunderbird-l10n-60.8.0-1.mga[67].src.rpm
Comment 13 Bill Wilkinson 2019-07-18 18:19:17 CEST 
Tested MGA7-64

Send/receive/move/Delete under SMTP/IMAP OK
Changing google calendar through lightning/google calendar provider OK

Whiteboard: MGA6TOO => MGA6TOO mga7-64-ok
CC: (none) => wrw105

Comment 14 Len Lawrence 2019-07-18 21:01:52 CEST 
mga6, x86_64

Updated fine.  All regular operations working fine with POP3/SMTP.
Calendar data remembered.  Reminder of QA meeting popped up on time.

Good for 64bits.

Whiteboard: MGA6TOO mga7-64-ok => MGA6-64-OK mga7-64-ok
CC: (none) => tarazed25

Bill Wilkinson 2019-07-19 15:37:24 CEST

Whiteboard: MGA6-64-OK mga7-64-ok => mga6too MGA6-64-OK mga7-64-ok

Comment 15 James Kerr 2019-07-20 17:02:20 CEST 
On mga7-64  kernel-desktop  plasma

packages installed cleanly:
- thunderbird-60.8.0-1.1.mga7.x86_64
- thunderbird-en_GB-60.8.0-1.mga7.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga7-64

should be tested by someone using a non-English version (see comment#11)
James Kerr 2019-07-20 17:48:54 CEST

Whiteboard: mga6too MGA6-64-OK mga7-64-ok => MGA6TOO MGA6-64-OK mga7-64-ok

Comment 16 Bill Wilkinson 2019-07-21 00:52:00 CEST 
Tested mga7-32

send/receive/move/delete under imap/SMTP all ok.
Calendar behaves properly with google calendar provider.

Whiteboard: MGA6TOO MGA6-64-OK mga7-64-ok => MGA6TOO MGA6-64-OK mga7-64-ok mga7-32-ok

Dave Hodgins 2019-07-21 03:46:06 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 17 nathan giovannini 2019-07-21 19:50:17 CEST 
I also confirm that it works correctly on a 32-bit version.

CC: (none) => nathan95
Whiteboard: MGA6TOO MGA6-64-OK mga7-64-ok mga7-32-ok => MGA6TOO MGA6-64-OK mga7-64-ok mga7-32-ok MGA6-32-OK

Comment 18 Mageia Robot 2019-07-21 20:18:40 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0212.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED