| Summary: | Thunderbird 78.5 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | fri, herman.viaene, nicolas.salguero, ouaurelien, sysadmin-bugs, wrw105 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | mga7-64-ok mga7-32-ok | | |
| Source RPM: | thunderbird, thunderbird-l10n | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 27617 | | |
| Bug Blocks: | | | |

Description
Nicolas Salguero
2020-11-19 09:49:41 CET
Nicolas Salguero
2020-11-19 09:49:54 CET
Source RPM:
(none) =>
thunderbird, thunderbird-l10n
Nicolas Salguero
2020-11-19 09:50:34 CET
Whiteboard:
m =>
MGA7TOO
Nicolas Salguero
2020-11-19 09:51:27 CET
Depends on:
(none) =>
27617

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code. (CVE-2020-26951)

Variable time processing of cross-origin images during drawImage calls. (CVE-2020-16012)

Fullscreen could be enabled without displaying the security UI. (CVE-2020-26953)

XSS through paste (manual and clipboard API). (CVE-2020-26956)

Requests intercepted through ServiceWorkers lacked MIME type restrictions. (CVE-2020-26958)

Use-after-free in WebRequestService. (CVE-2020-26959)

Potential use-after-free in uses of nsTArray. (CVE-2020-26960)

DoH did not filter IPv4 mapped IP Addresses. (CVE-2020-26961)

Software keyboards may have remembered typed passwords. (CVE-2020-26965)

Single-word search queries were also broadcast to local network. (CVE-2020-26966)

Memory safety bugs fixed in Thunderbird 78.5. (CVE-2020-26968)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26951
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26966
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26968
https://www.thunderbird.net/en-US/thunderbird/78.5.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/
========================

Updated packages in core/updates_testing:
========================
thunderbird-78.5.0-1.mga7
thunderbird-enigmail-78.5.0-1.mga7
thunderbird-ar-78.5.0-1.mga7
thunderbird-ast-78.5.0-1.mga7
thunderbird-be-78.5.0-1.mga7
thunderbird-bg-78.5.0-1.mga7
thunderbird-br-78.5.0-1.mga7
thunderbird-ca-78.5.0-1.mga7
thunderbird-cs-78.5.0-1.mga7
thunderbird-cy-78.5.0-1.mga7
thunderbird-da-78.5.0-1.mga7
thunderbird-de-78.5.0-1.mga7
thunderbird-el-78.5.0-1.mga7
thunderbird-en_GB-78.5.0-1.mga7
thunderbird-en_US-78.5.0-1.mga7
thunderbird-es_AR-78.5.0-1.mga7
thunderbird-es_ES-78.5.0-1.mga7
thunderbird-et-78.5.0-1.mga7
thunderbird-eu-78.5.0-1.mga7
thunderbird-fi-78.5.0-1.mga7
thunderbird-fr-78.5.0-1.mga7
thunderbird-fy_NL-78.5.0-1.mga7
thunderbird-ga_IE-78.5.0-1.mga7
thunderbird-gd-78.5.0-1.mga7
thunderbird-gl-78.5.0-1.mga7
thunderbird-he-78.5.0-1.mga7
thunderbird-hr-78.5.0-1.mga7
thunderbird-hsb-78.5.0-1.mga7
thunderbird-hu-78.5.0-1.mga7
thunderbird-hy_AM-78.5.0-1.mga7
thunderbird-id-78.5.0-1.mga7
thunderbird-is-78.5.0-1.mga7
thunderbird-it-78.5.0-1.mga7
thunderbird-ja-78.5.0-1.mga7
thunderbird-ka-78.5.0-1.mga7
thunderbird-kab-78.5.0-1.mga7
thunderbird-kk-78.5.0-1.mga7
thunderbird-ko-78.5.0-1.mga7
thunderbird-lt-78.5.0-1.mga7
thunderbird-ms-78.5.0-1.mga7
thunderbird-nb_NO-78.5.0-1.mga7
thunderbird-nl-78.5.0-1.mga7
thunderbird-nn_NO-78.5.0-1.mga7
thunderbird-pl-78.5.0-1.mga7
thunderbird-pt_BR-78.5.0-1.mga7
thunderbird-pt_PT-78.5.0-1.mga7
thunderbird-ro-78.5.0-1.mga7
thunderbird-ru-78.5.0-1.mga7
thunderbird-si-78.5.0-1.mga7
thunderbird-sk-78.5.0-1.mga7
thunderbird-sl-78.5.0-1.mga7
thunderbird-sq-78.5.0-1.mga7
thunderbird-sv_SE-78.5.0-1.mga7
thunderbird-tr-78.5.0-1.mga7
thunderbird-uk-78.5.0-1.mga7
thunderbird-uz-78.5.0-1.mga7
thunderbird-vi-78.5.0-1.mga7
thunderbird-zh_CN-78.5.0-1.mga7
thunderbird-zh_TW-78.5.0-1.mga7

from SRPMS:
thunderbird-78.5.0-1.mga7.src.rpm
thunderbird-l10n-78.5.0-1.mga7.src.rpm

Status:
NEW =>
ASSIGNED

MGA7-64 MATE on Peaq C1011
No installation issues.
Send and receive mail from and to other account on my desktop PC, without and with attachment. All OK

CC:
(none) =>
herman.viaene

tested mga7-64
Send/receive/move/delete over IMAP/SMTP all ok.

CC:
(none) =>
wrw105
Bill Wilkinson
2020-11-19 22:03:27 CET
Whiteboard:
mga7-64-ok =>
mga7-64-ok mga7-32-ok

Tested mga7-32 as above, all OK.

MGA7-64 Plasma and Gnome
Updating existing installation.
UI translated = OK
IMAP/POP3 and SMTP OK.
SSL/IMAP, SSL/POP3 and SSL/SMTP OK.
AddressBook = OK
Calendar = OK
Send/Receive Encrypted and/or Signed mail = OK.
Deleting and importing gnupg private key = OK
Handling gnupg public keys = OK
As well as seen in upstream release notes, OpenPGP UI in messages is better looking and less confusing.

OK MGA7-64-OK
========================================================

Validating, Advisory and packages in Comment 1.

Advisory pushed to SVN.

Keywords:
(none) =>
advisory, validated_update

CVE-2020-26966 should be removed from the advisory, it only affects Windows.

Keywords:
advisory, validated_update =>
(none)

OK mga7-64 plasma: Swedish, offline IMAP, SMTP

CC:
(none) =>
fri

(In reply to David Walser from comment #6)
> CVE-2020-26966 should be removed from the advisory, it only affects Windows.

Done.
Aurelien Oudelet
2020-11-20 09:19:13 CET
Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0433.html

Resolution:
(none) =>
FIXED

RedHat has issued an advisory for this today (November 30):
https://access.redhat.com/errata/RHSA-2020:5236