| Summary: | Thunderbird 68.12 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, fri, jim, marc, nicolas.salguero, sysadmin-bugs, tarazed25, yvesbrungard |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | thunderbird, thunderbird-l10n | CVE: | |
| Status comment: | |||
| Bug Depends on: | 27193 | ||
| Bug Blocks: | |||
Description
Nicolas Salguero
2020-08-26 21:56:14 CEST
Nicolas Salguero
2020-08-26 21:56:39 CEST
Assignee:
bugsquad =>
nicolas.salguero
Nicolas Salguero
2020-08-26 22:00:01 CEST
Depends on:
(none) =>
27193
David Walser
2020-08-26 22:04:15 CEST
Depends on:
27193 =>
(none)
David Walser
2020-08-26 22:04:50 CEST
Depends on:
(none) =>
27193
Nicolas Salguero
2020-08-26 22:49:38 CEST
CC:
(none) =>
nicolas.salguero

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed (CVE-2020-15664).

When aborting an operation, such as a fetch, an abort signal may be deleted while alerting the objects to be notified. This results in a use-after-free and we presume that with enough effort it could have been exploited to run arbitrary code (CVE-2020-15669).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15669
https://www.thunderbird.net/en-US/thunderbird/68.12.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2020-40/
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.12.0-1.mga7
thunderbird-enigmail-68.12.0-1.mga7
thunderbird-ar-68.12.0-1.mga7
thunderbird-ast-68.12.0-1.mga7
thunderbird-be-68.12.0-1.mga7
thunderbird-bg-68.12.0-1.mga7
thunderbird-br-68.12.0-1.mga7
thunderbird-ca-68.12.0-1.mga7
thunderbird-cs-68.12.0-1.mga7
thunderbird-cy-68.12.0-1.mga7
thunderbird-da-68.12.0-1.mga7
thunderbird-de-68.12.0-1.mga7
thunderbird-el-68.12.0-1.mga7
thunderbird-en_GB-68.12.0-1.mga7
thunderbird-en_US-68.12.0-1.mga7
thunderbird-es_AR-68.12.0-1.mga7
thunderbird-es_ES-68.12.0-1.mga7
thunderbird-et-68.12.0-1.mga7
thunderbird-eu-68.12.0-1.mga7
thunderbird-fi-68.12.0-1.mga7
thunderbird-fr-68.12.0-1.mga7
thunderbird-fy_NL-68.12.0-1.mga7
thunderbird-ga_IE-68.12.0-1.mga7
thunderbird-gd-68.12.0-1.mga7
thunderbird-gl-68.12.0-1.mga7
thunderbird-he-68.12.0-1.mga7
thunderbird-hr-68.12.0-1.mga7
thunderbird-hsb-68.12.0-1.mga7
thunderbird-hu-68.12.0-1.mga7
thunderbird-hy_AM-68.12.0-1.mga7
thunderbird-id-68.12.0-1.mga7
thunderbird-is-68.12.0-1.mga7
thunderbird-it-68.12.0-1.mga7
thunderbird-ja-68.12.0-1.mga7
thunderbird-ka-68.12.0-1.mga7
thunderbird-kab-68.12.0-1.mga7
thunderbird-kk-68.12.0-1.mga7
thunderbird-ko-68.12.0-1.mga7
thunderbird-lt-68.12.0-1.mga7
thunderbird-ms-68.12.0-1.mga7
thunderbird-nb_NO-68.12.0-1.mga7
thunderbird-nl-68.12.0-1.mga7
thunderbird-nn_NO-68.12.0-1.mga7
thunderbird-pl-68.12.0-1.mga7
thunderbird-pt_BR-68.12.0-1.mga7
thunderbird-pt_PT-68.12.0-1.mga7
thunderbird-ro-68.12.0-1.mga7
thunderbird-ru-68.12.0-1.mga7
thunderbird-si-68.12.0-1.mga7
thunderbird-sk-68.12.0-1.mga7
thunderbird-sl-68.12.0-1.mga7
thunderbird-sq-68.12.0-1.mga7
thunderbird-sv_SE-68.12.0-1.mga7
thunderbird-tr-68.12.0-1.mga7
thunderbird-uk-68.12.0-1.mga7
thunderbird-uz-68.12.0-1.mga7
thunderbird-vi-68.12.0-1.mga7
thunderbird-zh_CN-68.12.0-1.mga7
thunderbird-zh_TW-68.12.0-1.mga7

from SRPMS:
thunderbird-68.12.0-1.mga7.src.rpm
thunderbird-l10n-68.12.0-1.mga7.src.rpm

Version:
Cauldron =>
7

Updated the US-English version. Both packages installed cleanly. Looked at newsgroups, sent and received email, no regressions noted. I do not use the calendar or enigmail.

Holding back the OK a day or two so someone can check the calendar and another language or two, potential trouble spots in previous versions.

CC:
(none) =>
andrewsfarm

Following up on calendar for en_GB. Installed and restarted fine - no more forced new profile. Everything came up as it was. Sent a short email from the address book. Made a couple of entries in the calendar, one of them a reminder, which popped up on time. Looks OK so far.

CC:
(none) =>
tarazed25

On mga7-64 kernel-desktop plasma

Packages installed cleanly:
- thunderbird-68.12.0-1.mga7.x86_64
- thunderbird-en_GB-68.12.0-1.mga7.noarch

email (POP, SMTP): OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP.

Looks OK for mga7-64.

CC:
(none) =>
jim

Installed now in French, 64 bits. No problem reported.
I don't use enigmail nor Imap

CC:
(none) =>
yves.brungard_mageia

Thanks, guys. My own test was with POP mail.

Giving this the OK, and validating. Advisory in Comment 1.

Keywords:
(none) =>
validated_update
Aurelien Oudelet
2020-08-28 15:21:35 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0352.html

Status:
NEW =>
RESOLVED

On mga7-64 kernel-desktop plasma

Tests OK: Swedish, IMAP, SMTP

Keep using it as main app

CC:
(none) =>
fri

I use TBird in FR, Agenda, and Enigmail under Plasma. I use my TBird extensively for all of these 3 and have not seen any issues as of yet. My TBird manages close to 2,000 emails per day at times and has loads of filters and multiple pop, imap, smtp, aliases.

On mga7-64, kernel-desktop plasma

CC:
(none) =>
marc

RedHat has issued an advisory for this today (September 7):
https://access.redhat.com/errata/RHSA-2020:3631