| Summary: | Thunderbird 68.2.1 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, bjarne.thomsen, herman.viaene, petlaw726, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | thunderbird, thunderbird-l10n | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 25595 | | |
| Bug Blocks: | | | |
Description
Nicolas Salguero
2019-10-23 09:14:05 CEST
Nicolas Salguero
2019-10-23 09:14:42 CEST
Depends on: (none) => 25595

I take it that you mean Thunderbird, not Firefox (that has bug 25595). Assigning to Florian for Thunderbird.

Assignee: bugsquad => doktor5000

Version 68.2 also contains security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/

Component: RPM Packages => Security

RedHat has issued an advisory for this today (October 29): https://access.redhat.com/errata/RHSA-2019:3237

Mozilla has released Thunderbird 68.2.1 on October 31: https://www.thunderbird.net/en-US/thunderbird/68.2.1/releasenotes/

Summary: Thunderbird 68.2 => Thunderbird 68.2.1

There is also Enigmail 2.1.3: https://enigmail.net/index.php/en/download/changelog#enig2.1.3
Nicolas Salguero
2019-11-04 09:33:22 CET
Blocks: (none) => 25437

Suggested advisory:
========================

The updated packages fix security issues:

Heap overflow in expat library in XML_GetCurrentLineNumber. (CVE-2019-15903)

Use-after-free when creating index updates in IndexedDB. (CVE-2019-11757)

Potentially exploitable crash due to 360 Total Security. (CVE-2019-11758)

Stack buffer overflow in HKDF output. (CVE-2019-11759)

Stack buffer overflow in WebRTC networking. (CVE-2019-11760)

Unintended access to a privileged JSONView object. (CVE-2019-11761)

document.domain-based origin isolation has same-origin-property violation. (CVE-2019-11762)

Incorrect HTML parsing results in XSS bypass technique. (CVE-2019-11763)

Memory safety bugs fixed in Thunderbird 68.2. (CVE-2019-11764)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11757
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11758
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11759
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11764
https://www.thunderbird.net/en-US/thunderbird/68.2.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/
https://access.redhat.com/errata/RHSA-2019:3237
https://www.thunderbird.net/en-US/thunderbird/68.2.1/releasenotes/
https://enigmail.net/index.php/en/download/changelog#enig2.1.3
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.2.1-1.mga7
thunderbird-enigmail-68.2.1-1.mga7
thunderbird-ar-68.2.1-1.mga7
thunderbird-ast-68.2.1-1.mga7
thunderbird-be-68.2.1-1.mga7
thunderbird-bg-68.2.1-1.mga7
thunderbird-br-68.2.1-1.mga7
thunderbird-ca-68.2.1-1.mga7
thunderbird-cs-68.2.1-1.mga7
thunderbird-cy-68.2.1-1.mga7
thunderbird-da-68.2.1-1.mga7
thunderbird-de-68.2.1-1.mga7
thunderbird-el-68.2.1-1.mga7
thunderbird-en_GB-68.2.1-1.mga7
thunderbird-en_US-68.2.1-1.mga7
thunderbird-es_AR-68.2.1-1.mga7
thunderbird-es_ES-68.2.1-1.mga7
thunderbird-et-68.2.1-1.mga7
thunderbird-eu-68.2.1-1.mga7
thunderbird-fi-68.2.1-1.mga7
thunderbird-fr-68.2.1-1.mga7
thunderbird-fy_NL-68.2.1-1.mga7
thunderbird-ga_IE-68.2.1-1.mga7
thunderbird-gd-68.2.1-1.mga7
thunderbird-gl-68.2.1-1.mga7
thunderbird-he-68.2.1-1.mga7
thunderbird-hr-68.2.1-1.mga7
thunderbird-hsb-68.2.1-1.mga7
thunderbird-hu-68.2.1-1.mga7
thunderbird-hy_AM-68.2.1-1.mga7
thunderbird-id-68.2.1-1.mga7
thunderbird-is-68.2.1-1.mga7
thunderbird-it-68.2.1-1.mga7
thunderbird-ja-68.2.1-1.mga7
thunderbird-ko-68.2.1-1.mga7
thunderbird-lt-68.2.1-1.mga7
thunderbird-nb_NO-68.2.1-1.mga7
thunderbird-nl-68.2.1-1.mga7
thunderbird-nn_NO-68.2.1-1.mga7
thunderbird-pl-68.2.1-1.mga7
thunderbird-pt_BR-68.2.1-1.mga7
thunderbird-pt_PT-68.2.1-1.mga7
thunderbird-ro-68.2.1-1.mga7
thunderbird-ru-68.2.1-1.mga7
thunderbird-si-68.2.1-1.mga7
thunderbird-sk-68.2.1-1.mga7
thunderbird-sl-68.2.1-1.mga7
thunderbird-sq-68.2.1-1.mga7
thunderbird-sv_SE-68.2.1-1.mga7
thunderbird-tr-68.2.1-1.mga7
thunderbird-uk-68.2.1-1.mga7
thunderbird-vi-68.2.1-1.mga7
thunderbird-zh_CN-68.2.1-1.mga7
thunderbird-zh_TW-68.2.1-1.mga7

from SRPMS:
thunderbird-68.2.1-1.mga7.src.rpm
thunderbird-l10n-68.2.1-1.mga7.src.rpm

Status: NEW => ASSIGNED
Nicolas Salguero
2019-11-06 15:59:58 CET
Blocks: 25437 => (none)

MGA7-64 Plasma on Lenovo B50
No installation issues overwriting previous version.
Tested by sending and receiving e-mail with and without attachments. Address book is good. All OK.

Whiteboard: (none) => MGA7-64-OK

MGA7-64 Plasma. Tested with an i5, Intel graphics, wired Internet connection.

Sent and received email, checked newsgroups, received newsgroup messages. I do not use enigmail, or the calendar.

Looks good here. If someone could check the calendar, we could send this one along.

CC: (none) => andrewsfarm
Thomas Backlund
2019-11-07 23:10:29 CET
Keywords: (none) => advisory, validated_update

It works for me on an IPC3 with an i7 CPU

CC: (none) => bjarne.thomsen

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0316.html

Status: ASSIGNED => RESOLVED

(In reply to Nicolas Salguero from comment #6)
> Suggested advisory:
> ========================
>
> The updated packages fix security issues:
>
> Heap overflow in expat library in XML_GetCurrentLineNumber. (CVE-2019-15903)
>
> Use-after-free when creating index updates in IndexedDB. (CVE-2019-11757)
>
> Potentially exploitable crash due to 360 Total Security. (CVE-2019-11758)
>
> Stack buffer overflow in HKDF output. (CVE-2019-11759)
>
> Stack buffer overflow in WebRTC networking. (CVE-2019-11760)
>
> Unintended access to a privileged JSONView object. (CVE-2019-11761)
>
> document.domain-based origin isolation has same-origin-property violation.
> (CVE-2019-11762)
>
> Incorrect HTML parsing results in XSS bypass technique. (CVE-2019-11763)
>
> Memory safety bugs fixed in Thunderbird 68.2. (CVE-2019-11764)
>
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11757
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11758
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11759
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11760
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11761
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11762
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11763
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11764
> https://www.thunderbird.net/en-US/thunderbird/68.2.0/releasenotes/
> https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/
> https://access.redhat.com/errata/RHSA-2019:3237
> https://www.thunderbird.net/en-US/thunderbird/68.2.1/releasenotes/
> https://enigmail.net/index.php/en/download/changelog#enig2.1.3
> ========================
>
> Updated packages in core/updates_testing:
> ========================
> thunderbird-68.2.1-1.mga7
> thunderbird-enigmail-68.2.1-1.mga7
> thunderbird-ar-68.2.1-1.mga7
> thunderbird-ast-68.2.1-1.mga7
> thunderbird-be-68.2.1-1.mga7
> thunderbird-bg-68.2.1-1.mga7
> thunderbird-br-68.2.1-1.mga7
> thunderbird-ca-68.2.1-1.mga7
> thunderbird-cs-68.2.1-1.mga7
> thunderbird-cy-68.2.1-1.mga7
> thunderbird-da-68.2.1-1.mga7
> thunderbird-de-68.2.1-1.mga7
> thunderbird-el-68.2.1-1.mga7
> thunderbird-en_GB-68.2.1-1.mga7
> thunderbird-en_US-68.2.1-1.mga7
> thunderbird-es_AR-68.2.1-1.mga7
> thunderbird-es_ES-68.2.1-1.mga7
> thunderbird-et-68.2.1-1.mga7
> thunderbird-eu-68.2.1-1.mga7
> thunderbird-fi-68.2.1-1.mga7
> thunderbird-fr-68.2.1-1.mga7
> thunderbird-fy_NL-68.2.1-1.mga7
> thunderbird-ga_IE-68.2.1-1.mga7
> thunderbird-gd-68.2.1-1.mga7
> thunderbird-gl-68.2.1-1.mga7
> thunderbird-he-68.2.1-1.mga7
> thunderbird-hr-68.2.1-1.mga7
> thunderbird-hsb-68.2.1-1.mga7
> thunderbird-hu-68.2.1-1.mga7
> thunderbird-hy_AM-68.2.1-1.mga7
> thunderbird-id-68.2.1-1.mga7
> thunderbird-is-68.2.1-1.mga7
> thunderbird-it-68.2.1-1.mga7
> thunderbird-ja-68.2.1-1.mga7
> thunderbird-ko-68.2.1-1.mga7
> thunderbird-lt-68.2.1-1.mga7
> thunderbird-nb_NO-68.2.1-1.mga7
> thunderbird-nl-68.2.1-1.mga7
> thunderbird-nn_NO-68.2.1-1.mga7
> thunderbird-pl-68.2.1-1.mga7
> thunderbird-pt_BR-68.2.1-1.mga7
> thunderbird-pt_PT-68.2.1-1.mga7
> thunderbird-ro-68.2.1-1.mga7
> thunderbird-ru-68.2.1-1.mga7
> thunderbird-si-68.2.1-1.mga7
> thunderbird-sk-68.2.1-1.mga7
> thunderbird-sl-68.2.1-1.mga7
> thunderbird-sq-68.2.1-1.mga7
> thunderbird-sv_SE-68.2.1-1.mga7
> thunderbird-tr-68.2.1-1.mga7
> thunderbird-uk-68.2.1-1.mga7
> thunderbird-vi-68.2.1-1.mga7
> thunderbird-zh_CN-68.2.1-1.mga7
> thunderbird-zh_TW-68.2.1-1.mga7
>
> from SRPMS:
> thunderbird-68.2.1-1.mga7.src.rpm
> thunderbird-l10n-68.2.1-1.mga7.src.rpm

On the previous version, I'd overcome this bug by removing the w rights on permissions.sqlite; with version 68.2.1-1, I wish to restore these rights, but I don't remember exactly how they were (a+w, u+w, g+w, o+w?). Thank you for reminding me of them.

CC: (none) => petlaw726

(In reply to peter lawford from comment #11)
> On the previous version, I'd overcome this bug by removing the w rights on
> permissions.sqlite; with version 68.2.1-1, I wish to restore these
> rights, but I don't remember exactly how they were (a+w, u+w, g+w, o+w?).
> Thank you for reminding me of them.

It is u+w.