| Summary: | Thunderbird 68.9 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | José Jorge <lists.jjorge> |
| Component: | Security | Assignee: | José Jorge <lists.jjorge> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, fri, jim, joselp, lists.jjorge, mageia, sysadmin-bugs |
| Version: | 7 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | thunderbird | CVE: | |
| Status comment: | |||
| Bug Depends on: | 26828, 26891 | ||
| Bug Blocks: | |||
|
Description
José Jorge
2020-05-29 15:54:46 CEST
We need a package list before we can test this. Advisory information is usually included too, so we might know what to look for. Also, recently Thunderbird updates have been accompanied by Firefox updates. Will that be the case this time?
CC:
(none) =>
andrewsfarm
OK, so the link you provided explains the changes. Sorry about that part of my comment. I admit that I wrote that before checking the link. But, we still need to know what packages are involved. Is it just the two thunderbird packages? Are there new language packs? Any other dependencies?
Yes sorry, the build failed for MGA7, searching for a workaround.
Assignee:
qa-bugs =>
lists.jjorge
Morgan Leijström
2020-06-01 00:53:08 CEST
CC:
(none) =>
fri
You should probably just wait for 68.9.0 now that Firefox 68.9 is out, but I can't get nss to build. See Bug 26711.
Mozilla has released Thunderbird 68.9.0 on June 3:
https://www.thunderbird.net/en-US/thunderbird/68.9.0/releasenotes/
It fixes security issues:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/
It also depends on the not-yet-completed nss update.
Depends on:
(none) =>
26711
David Walser
2020-06-06 18:31:41 CEST
Severity:
normal =>
critical
You can proceed with building this update.
(In reply to David Walser from comment #6)
> You can proceed with building this update.
Ok, let's try.
If it BuildRequires nodejs, it won't build until nodejs is fixed or removed from updates_testing.
David Walser
2020-06-20 00:20:02 CEST
Depends on:
(none) =>
26828
David Walser
2020-06-20 00:22:07 CEST
Depends on:
26711 =>
(none)
nodejs removed, Thunderbird built. Just needs an advisory.
thunderbird-68.9.0-1.mga7
thunderbird-enigmail-68.9.0-1.mga7
thunderbird-ar-68.9.0-1.mga7
thunderbird-ast-68.9.0-1.mga7
thunderbird-be-68.9.0-1.mga7
thunderbird-bg-68.9.0-1.mga7
thunderbird-br-68.9.0-1.mga7
thunderbird-ca-68.9.0-1.mga7
thunderbird-cs-68.9.0-1.mga7
thunderbird-cy-68.9.0-1.mga7
thunderbird-da-68.9.0-1.mga7
thunderbird-de-68.9.0-1.mga7
thunderbird-el-68.9.0-1.mga7
thunderbird-en_GB-68.9.0-1.mga7
thunderbird-en_US-68.9.0-1.mga7
thunderbird-es_AR-68.9.0-1.mga7
thunderbird-es_ES-68.9.0-1.mga7
thunderbird-et-68.9.0-1.mga7
thunderbird-eu-68.9.0-1.mga7
thunderbird-fi-68.9.0-1.mga7
thunderbird-fr-68.9.0-1.mga7
thunderbird-fy_NL-68.9.0-1.mga7
thunderbird-ga_IE-68.9.0-1.mga7
thunderbird-gd-68.9.0-1.mga7
thunderbird-gl-68.9.0-1.mga7
thunderbird-he-68.9.0-1.mga7
thunderbird-hr-68.9.0-1.mga7
thunderbird-hsb-68.9.0-1.mga7
thunderbird-hu-68.9.0-1.mga7
thunderbird-hy_AM-68.9.0-1.mga7
thunderbird-id-68.9.0-1.mga7
thunderbird-is-68.9.0-1.mga7
thunderbird-it-68.9.0-1.mga7
thunderbird-ja-68.9.0-1.mga7
thunderbird-ko-68.9.0-1.mga7
thunderbird-lt-68.9.0-1.mga7
thunderbird-nb_NO-68.9.0-1.mga7
thunderbird-nl-68.9.0-1.mga7
thunderbird-nn_NO-68.9.0-1.mga7
thunderbird-pl-68.9.0-1.mga7
thunderbird-pt_BR-68.9.0-1.mga7
thunderbird-pt_PT-68.9.0-1.mga7
thunderbird-ro-68.9.0-1.mga7
thunderbird-ru-68.9.0-1.mga7
thunderbird-si-68.9.0-1.mga7
thunderbird-sk-68.9.0-1.mga7
thunderbird-sl-68.9.0-1.mga7
thunderbird-sq-68.9.0-1.mga7
thunderbird-sv_SE-68.9.0-1.mga7
thunderbird-tr-68.9.0-1.mga7
thunderbird-uk-68.9.0-1.mga7
thunderbird-vi-68.9.0-1.mga7
thunderbird-zh_CN-68.9.0-1.mga7
thunderbird-zh_TW-68.9.0-1.mga7
from SRPMS:
thunderbird-68.9.0-1.mga7.src.rpm
thunderbird-l10n-68.9.0-1.mga7.src.rpm
Morgan Leijström
2020-06-20 00:49:34 CEST
Assignee:
lists.jjorge =>
qa-bugs
OK 64 bit plasma, nvidia-proprietary, intel i7
Swedish localisation, SMTP, offline IMAP.
Also Ok on i586 Dell D600. Enigmail, Portuguese localisation.
Status:
NEW =>
ASSIGNED
Advisory:
========================
Updated thunderbird packages fix security vulnerabilities:
If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection (CVE-2020-12398).
When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash due to a use-after-free (CVE-2020-12405).
Mozilla developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash due to type confusion with NativeTypes. We presume that with enough effort that it could be exploited to run arbitrary code (CVE-2020-12406).
Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-12410).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12398
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12410
https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/
RedHat has issued an advisory for this on June 18:
https://access.redhat.com/errata/RHSA-2020:2615
Hi! I have installed a new version on real Mageia 7 x64 Plasma equipment. It works ok, I have sent mail and received from various accounts, I can access the address book, add-ons, preferences, etc. Everything ok. Regards!!
CC:
(none) =>
joselp
On mga7-64 kernel-desktop plasma
packages installed cleanly:
- thunderbird-68.9.0-1.mga7.x86_64
- thunderbird-en_GB-68.9.0-1.mga7.noarch
email (POP, SMTP): OK
Calendar: OK
Address book: OK
Movemail: OK
I don't use enigmail or IMAP
looks OK for mga7-64
CC:
(none) =>
jim
Looking good. Validating. Advisory in Comment 12.
Keywords:
(none) =>
validated_update
David Walser
2020-07-02 23:33:43 CEST
CC:
(none) =>
luigiwalser
David Walser
2020-07-02 23:34:14 CEST
Assignee:
qa-bugs =>
lists.jjorge
if validated it lacks the keyword ;)
CC:
(none) =>
mageia
It was there, but David Walser removed it because Thunderbird 68.10 was pending, and needed to be built. See Bug 26891. Firefox 68.10 was built, sent to QA, tested, and validated. Bug 26890. But, it was supposed to be blocked from being pushed until the same happened with Thunderbird 68.10.
No, Firefox wasn't supposed to be blocked by Thunderbird, it's the other way around. The Firefox updates include the nspr and nss updates that Thunderbird is built against, so the Firefox update has to be pushed first. The packages this Thunderbird was built against were replaced, so the new update needs to be built.
Firefox had been pushed, so all is OK for you to work :)
FIXED
Resolution:
(none) =>
FIXED |
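Added example, not part of the bug report and not Thunderbird's code: a sketch of the fail-closed greeting check that the advisory's CVE-2020-12398 entry implies for an IMAP client configured to require STARTTLS. The function and enum names are hypothetical and the sample greetings are constructed.

```python
"""Fail-closed handling of the IMAP server greeting when STARTTLS is required."""
import re
from enum import Enum


class Action(Enum):
    STARTTLS = "upgrade"
    CONTINUE = "continue"
    ABORT = "abort"


# RFC 3501 greeting: "* OK", "* PREAUTH" or "* BYE", optionally followed by a
# bracketed response code such as [CAPABILITY IMAP4rev1 STARTTLS].
GREETING = re.compile(r"^\* (OK|PREAUTH|BYE)\b(?: \[([^\]]*)\])?", re.I)


def on_greeting(line, require_starttls, tls_active=False):
    """Return (Action, reason) for the first line the server sends."""
    m = GREETING.match(line.strip())
    if m is None:
        return Action.ABORT, "malformed greeting"
    status = m.group(1).upper()
    code = (m.group(2) or "").upper().split()
    if status == "BYE":
        return Action.ABORT, "server refused connection"
    if tls_active or not require_starttls:
        return Action.CONTINUE, "no upgrade needed"
    if status == "PREAUTH":
        # The session is already in the authenticated state, where STARTTLS
        # is no longer valid; continuing would send mail data in clear text.
        return Action.ABORT, "PREAUTH on plaintext connection"
    if code[:1] == ["CAPABILITY"] and "STARTTLS" not in code:
        return Action.ABORT, "server does not offer STARTTLS"
    # If no capabilities were advertised, STARTTLS is still attempted and the
    # caller must abort when the server rejects it.
    return Action.STARTTLS, "send STARTTLS before any other command"


# Constructed sample greetings.
SAMPLES = [
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    "* PREAUTH [CAPABILITY IMAP4rev1] logged in as user",
    "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready",
    "* BYE too many connections",
]

if __name__ == "__main__":
    for s in SAMPLES:
        action, reason = on_greeting(s, require_starttls=True)
        print(f"{action.name:8} {reason:40} <- {s}")
```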