Bug 26334

Summary: Thunderbird 68.6
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, fri, jim, joselp, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: thunderbird, thunderbird-l10n CVE:
Status comment:
Bug Depends on: 26325    
Bug Blocks:    

Description Nicolas Salguero 2020-03-12 21:48:27 CET 
Mozilla has released Thunderbird 68.6.0 today (March 12):
https://www.thunderbird.net/en-US/thunderbird/68.6.0/releasenotes/

It fixes several security issues:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/
Nicolas Salguero 2020-03-12 21:50:04 CET

Source RPM: (none) => thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA7TOO

Comment 1 Morgan Leijström 2020-03-13 02:29:54 CET 
- thunderbird-68.6.0-1.mga7.x86_64
- thunderbird-sv_SE-68.6.0-1.mga7.noarch

OK 64 bit here:
Takes over mail and settings.
Tested using smtp and imap to send and receive
I dont use calendar
I will keep using it at work tomorrow.

CC: (none) => fri

Comment 2 Nicolas Salguero 2020-03-13 09:16:33 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Use-after-free when removing data about origins. (CVE-2020-6805)

BodyStream::OnInputStreamReady was missing protections against state confusion. (CVE-2020-6806)

Use-after-free in cubeb during stream destruction. (CVE-2020-6807)

Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection. (CVE-2020-6811)

Out of bounds reads in sctp_load_addresses_from_init. (CVE-2019-20503)

The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission. (CVE-2020-6812)

Memory safety bugs fixed in Thunderbird 68.6. (CVE-2020-6814)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6814
https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/
https://www.thunderbird.net/en-US/thunderbird/68.6.0/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.6.0-1.mga7
thunderbird-enigmail-68.6.0-1.mga7
thunderbird-ar-68.6.0-1.mga7
thunderbird-ast-68.6.0-1.mga7
thunderbird-be-68.6.0-1.mga7
thunderbird-bg-68.6.0-1.mga7
thunderbird-br-68.6.0-1.mga7
thunderbird-ca-68.6.0-1.mga7
thunderbird-cs-68.6.0-1.mga7
thunderbird-cy-68.6.0-1.mga7
thunderbird-da-68.6.0-1.mga7
thunderbird-de-68.6.0-1.mga7
thunderbird-el-68.6.0-1.mga7
thunderbird-en_GB-68.6.0-1.mga7
thunderbird-en_US-68.6.0-1.mga7
thunderbird-es_AR-68.6.0-1.mga7
thunderbird-es_ES-68.6.0-1.mga7
thunderbird-et-68.6.0-1.mga7
thunderbird-eu-68.6.0-1.mga7
thunderbird-fi-68.6.0-1.mga7
thunderbird-fr-68.6.0-1.mga7
thunderbird-fy_NL-68.6.0-1.mga7
thunderbird-ga_IE-68.6.0-1.mga7
thunderbird-gd-68.6.0-1.mga7
thunderbird-gl-68.6.0-1.mga7
thunderbird-he-68.6.0-1.mga7
thunderbird-hr-68.6.0-1.mga7
thunderbird-hsb-68.6.0-1.mga7
thunderbird-hu-68.6.0-1.mga7
thunderbird-hy_AM-68.6.0-1.mga7
thunderbird-id-68.6.0-1.mga7
thunderbird-is-68.6.0-1.mga7
thunderbird-it-68.6.0-1.mga7
thunderbird-ja-68.6.0-1.mga7
thunderbird-ko-68.6.0-1.mga7
thunderbird-lt-68.6.0-1.mga7
thunderbird-nb_NO-68.6.0-1.mga7
thunderbird-nl-68.6.0-1.mga7
thunderbird-nn_NO-68.6.0-1.mga7
thunderbird-pl-68.6.0-1.mga7
thunderbird-pt_BR-68.6.0-1.mga7
thunderbird-pt_PT-68.6.0-1.mga7
thunderbird-ro-68.6.0-1.mga7
thunderbird-ru-68.6.0-1.mga7
thunderbird-si-68.6.0-1.mga7
thunderbird-sk-68.6.0-1.mga7
thunderbird-sl-68.6.0-1.mga7
thunderbird-sq-68.6.0-1.mga7
thunderbird-sv_SE-68.6.0-1.mga7
thunderbird-tr-68.6.0-1.mga7
thunderbird-uk-68.6.0-1.mga7
thunderbird-vi-68.6.0-1.mga7
thunderbird-zh_CN-68.6.0-1.mga7
thunderbird-zh_TW-68.6.0-1.mga7

from SRPMS:
thunderbird-68.6.0-1.mga7.src.rpm
thunderbird-l10n-68.6.0-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Nicolas Salguero 2020-03-13 09:29:40 CET

Depends on: (none) => 26325

Comment 3 Thomas Andrews 2020-03-13 14:08:41 CET 
I was wondering where this one was.

Updated the US English version on my HP Probook 6550b 64-bit Plasma system. Packages installed cleanly. Received some POP email, read and posted Usenet messages. Looks good. I do not use the calendar, or Enigmail.

CC: (none) => andrewsfarm

Comment 4 James Kerr 2020-03-13 16:55:10 CET 
On mga7-64  kernel-desktop  plasma

packages installed cleanly:
- thunderbird-68.6.0-1.mga7.x86_64
- thunderbird-en_GB-68.6.0-1.mga7.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga7-64

CC: (none) => jim

Comment 5 Jose Manuel López 2020-03-13 17:12:44 CET 
I'm using the new version, no problems, calendar ok, task ok, contacts ok. Send and receive emails ok, from POP3 as IMAP.

In Mga 7 Plasma 64 Bits

CC: (none) => joselp

Thomas Backlund 2020-03-14 09:07:28 CET

CC: (none) => tmb, sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 6 Mageia Robot 2020-03-14 09:36:42 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0142.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2020-03-19 14:57:32 CET 
RedHat has issued an advisory for this today (March 19):
https://access.redhat.com/errata/RHSA-2020:0905