Bug 25435

Summary: Thunderbird 68.1
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: nicolas.salguero, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: thunderbird, thunderbird-l10n CVE:
Status comment:

Description David Walser 2019-09-13 12:44:43 CEST 
Mozilla has released Thunderbird 68.1 on September 11:
https://www.thunderbird.net/en-US/thunderbird/68.1.0/releasenotes/

It fixes several bugs and likely security issues as well.
David Walser 2019-09-13 12:44:51 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Salguero 2019-09-16 08:57:43 CEST 
Suggested advisory:
========================

The updated packages fix security issues:

Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message. (CVE-2019-11739)

Use-after-free while manipulating video. (CVE-2019-11746)

XSS by breaking out of title and textarea elements using innerHTML. (CVE-2019-11744)

Same-origin policy violation with SVG filters and canvas to steal cross-origin images. (CVE-2019-11742)

Use-after-free while extracting a key value in IndexedDB. (CVE-2019-11752)

Cross-origin access to unload event attributes. (CVE-2019-11743)

Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9. (CVE-2019-11740)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11740
https://www.thunderbird.net/en-US/thunderbird/68.1.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-30/
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.1.0-1.mga7
thunderbird-enigmail-68.1.0-1.mga7
thunderbird-ar-68.1.0-1.mga7
thunderbird-ast-68.1.0-1.mga7
thunderbird-be-68.1.0-1.mga7
thunderbird-bg-68.1.0-1.mga7
thunderbird-br-68.1.0-1.mga7
thunderbird-ca-68.1.0-1.mga7
thunderbird-cs-68.1.0-1.mga7
thunderbird-cy-68.1.0-1.mga7
thunderbird-da-68.1.0-1.mga7
thunderbird-de-68.1.0-1.mga7
thunderbird-el-68.1.0-1.mga7
thunderbird-en_GB-68.1.0-1.mga7
thunderbird-en_US-68.1.0-1.mga7
thunderbird-es_AR-68.1.0-1.mga7
thunderbird-es_ES-68.1.0-1.mga7
thunderbird-et-68.1.0-1.mga7
thunderbird-eu-68.1.0-1.mga7
thunderbird-fi-68.1.0-1.mga7
thunderbird-fr-68.1.0-1.mga7
thunderbird-fy_NL-68.1.0-1.mga7
thunderbird-ga_IE-68.1.0-1.mga7
thunderbird-gd-68.1.0-1.mga7
thunderbird-gl-68.1.0-1.mga7
thunderbird-he-68.1.0-1.mga7
thunderbird-hr-68.1.0-1.mga7
thunderbird-hsb-68.1.0-1.mga7
thunderbird-hu-68.1.0-1.mga7
thunderbird-hy_AM-68.1.0-1.mga7
thunderbird-id-68.1.0-1.mga7
thunderbird-is-68.1.0-1.mga7
thunderbird-it-68.1.0-1.mga7
thunderbird-ja-68.1.0-1.mga7
thunderbird-ko-68.1.0-1.mga7
thunderbird-lt-68.1.0-1.mga7
thunderbird-nb_NO-68.1.0-1.mga7
thunderbird-nl-68.1.0-1.mga7
thunderbird-nn_NO-68.1.0-1.mga7
thunderbird-pl-68.1.0-1.mga7
thunderbird-pt_BR-68.1.0-1.mga7
thunderbird-pt_PT-68.1.0-1.mga7
thunderbird-ro-68.1.0-1.mga7
thunderbird-ru-68.1.0-1.mga7
thunderbird-si-68.1.0-1.mga7
thunderbird-sk-68.1.0-1.mga7
thunderbird-sl-68.1.0-1.mga7
thunderbird-sq-68.1.0-1.mga7
thunderbird-sv_SE-68.1.0-1.mga7
thunderbird-tr-68.1.0-1.mga7
thunderbird-uk-68.1.0-1.mga7
thunderbird-vi-68.1.0-1.mga7
thunderbird-zh_CN-68.1.0-1.mga7
thunderbird-zh_TW-68.1.0-1.mga7

from SRPMS:
thunderbird-68.1.0-1.mga7.src.rpm
thunderbird-l10n-68.1.0-1.mga7.src.rpm

Version: Cauldron => 7
Severity: normal => major
Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
Source RPM: thunderbird => thunderbird, thunderbird-l10n
Assignee: nicolas.salguero => qa-bugs

Nicolas Salguero 2019-09-16 16:40:08 CEST

Blocks: (none) => 25437

Comment 2 Nicolas Salguero 2019-09-16 16:41:10 CEST 
thunderbird-68.1.0-1.1.mga7 is building for bug 25437.

CC: (none) => nicolas.salguero
Assignee: qa-bugs => nicolas.salguero

Comment 3 Nicolas Salguero 2019-09-17 15:09:43 CEST 
Suggested advisory:
========================

The updated packages fix security issues:

Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message. (CVE-2019-11739)

Use-after-free while manipulating video. (CVE-2019-11746)

XSS by breaking out of title and textarea elements using innerHTML. (CVE-2019-11744)

Same-origin policy violation with SVG filters and canvas to steal cross-origin images. (CVE-2019-11742)

Use-after-free while extracting a key value in IndexedDB. (CVE-2019-11752)

Cross-origin access to unload event attributes. (CVE-2019-11743)

Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9. (CVE-2019-11740)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11740
https://www.thunderbird.net/en-US/thunderbird/68.1.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-30/
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.1.0-1.1.mga7
thunderbird-enigmail-68.1.0-1.1.mga7
thunderbird-ar-68.1.0-1.mga7
thunderbird-ast-68.1.0-1.mga7
thunderbird-be-68.1.0-1.mga7
thunderbird-bg-68.1.0-1.mga7
thunderbird-br-68.1.0-1.mga7
thunderbird-ca-68.1.0-1.mga7
thunderbird-cs-68.1.0-1.mga7
thunderbird-cy-68.1.0-1.mga7
thunderbird-da-68.1.0-1.mga7
thunderbird-de-68.1.0-1.mga7
thunderbird-el-68.1.0-1.mga7
thunderbird-en_GB-68.1.0-1.mga7
thunderbird-en_US-68.1.0-1.mga7
thunderbird-es_AR-68.1.0-1.mga7
thunderbird-es_ES-68.1.0-1.mga7
thunderbird-et-68.1.0-1.mga7
thunderbird-eu-68.1.0-1.mga7
thunderbird-fi-68.1.0-1.mga7
thunderbird-fr-68.1.0-1.mga7
thunderbird-fy_NL-68.1.0-1.mga7
thunderbird-ga_IE-68.1.0-1.mga7
thunderbird-gd-68.1.0-1.mga7
thunderbird-gl-68.1.0-1.mga7
thunderbird-he-68.1.0-1.mga7
thunderbird-hr-68.1.0-1.mga7
thunderbird-hsb-68.1.0-1.mga7
thunderbird-hu-68.1.0-1.mga7
thunderbird-hy_AM-68.1.0-1.mga7
thunderbird-id-68.1.0-1.mga7
thunderbird-is-68.1.0-1.mga7
thunderbird-it-68.1.0-1.mga7
thunderbird-ja-68.1.0-1.mga7
thunderbird-ko-68.1.0-1.mga7
thunderbird-lt-68.1.0-1.mga7
thunderbird-nb_NO-68.1.0-1.mga7
thunderbird-nl-68.1.0-1.mga7
thunderbird-nn_NO-68.1.0-1.mga7
thunderbird-pl-68.1.0-1.mga7
thunderbird-pt_BR-68.1.0-1.mga7
thunderbird-pt_PT-68.1.0-1.mga7
thunderbird-ro-68.1.0-1.mga7
thunderbird-ru-68.1.0-1.mga7
thunderbird-si-68.1.0-1.mga7
thunderbird-sk-68.1.0-1.mga7
thunderbird-sl-68.1.0-1.mga7
thunderbird-sq-68.1.0-1.mga7
thunderbird-sv_SE-68.1.0-1.mga7
thunderbird-tr-68.1.0-1.mga7
thunderbird-uk-68.1.0-1.mga7
thunderbird-vi-68.1.0-1.mga7
thunderbird-zh_CN-68.1.0-1.mga7
thunderbird-zh_TW-68.1.0-1.mga7

from SRPMS:
thunderbird-68.1.0-1.1.mga7.src.rpm
thunderbird-l10n-68.1.0-1.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs

Comment 4 Thomas Backlund 2019-09-19 22:03:10 CEST 
Been running this for 2 days now without issues

CC: (none) => tmb
Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2019-09-21 12:03:42 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2019-09-21 13:08:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0285.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Nicolas Salguero 2019-11-04 09:33:22 CET

Blocks: 25437 => (none)