Bug 27707

Summary: Thunderbird 78.5.1
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, fri, herman.viaene, jim, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: thunderbird-78.5.0-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-12-02 16:13:26 CET
Mozilla has released Thunderbird 78.5.1 today (December 2):
https://www.thunderbird.net/en-US/thunderbird/78.5.1/releasenotes/

It fixes a security issue:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-53/
Comment 1 David Walser 2020-12-02 16:20:59 CET
We can ship the rootcerts-20201201.00 update with this update.
Comment 2 Nicolas Salguero 2020-12-02 16:28:39 CET
So nss needs to be rebuilt, doesn't it?
Comment 3 David Walser 2020-12-02 16:52:41 CET
rootcerts-20201201.00-1.mga7
rootcerts-java-20201201.00-1.mga7

from rootcerts-20201201.00-1.mga7.src.rpm

No nspr or nss updates available at this time, so you can build TB.
Comment 4 David Walser 2020-12-02 17:43:27 CET
No, nss does not build libnssckbi.so (which bundled rootcerts) any more.
Comment 5 David Walser 2020-12-03 04:22:49 CET
Advisory:
========================

Updated thunderbird packages fix security vulnerability:

When reading SMTP server status codes, Thunderbird writes an integer value to a
position on the stack that is intended to contain just one byte. Depending on
processor architecture and stack layout, this leads to stack corruption that
may be exploitable (CVE-2020-26970).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26970
https://www.mozilla.org/en-US/security/advisories/mfsa2020-53/
https://www.thunderbird.net/en-US/thunderbird/78.5.1/releasenotes/
========================

Updated packages in core/updates_testing:
========================
rootcerts-20201201.00-1.mga7
rootcerts-java-20201201.00-1.mga7
thunderbird-78.5.1-1.mga7
thunderbird-enigmail-78.5.1-1.mga7
thunderbird-ar-78.5.1-1.mga7
thunderbird-ast-78.5.1-1.mga7
thunderbird-be-78.5.1-1.mga7
thunderbird-bg-78.5.1-1.mga7
thunderbird-br-78.5.1-1.mga7
thunderbird-ca-78.5.1-1.mga7
thunderbird-cs-78.5.1-1.mga7
thunderbird-cy-78.5.1-1.mga7
thunderbird-da-78.5.1-1.mga7
thunderbird-de-78.5.1-1.mga7
thunderbird-el-78.5.1-1.mga7
thunderbird-en_GB-78.5.1-1.mga7
thunderbird-en_US-78.5.1-1.mga7
thunderbird-es_AR-78.5.1-1.mga7
thunderbird-es_ES-78.5.1-1.mga7
thunderbird-et-78.5.1-1.mga7
thunderbird-eu-78.5.1-1.mga7
thunderbird-fi-78.5.1-1.mga7
thunderbird-fr-78.5.1-1.mga7
thunderbird-fy_NL-78.5.1-1.mga7
thunderbird-ga_IE-78.5.1-1.mga7
thunderbird-gd-78.5.1-1.mga7
thunderbird-gl-78.5.1-1.mga7
thunderbird-he-78.5.1-1.mga7
thunderbird-hr-78.5.1-1.mga7
thunderbird-hsb-78.5.1-1.mga7
thunderbird-hu-78.5.1-1.mga7
thunderbird-hy_AM-78.5.1-1.mga7
thunderbird-id-78.5.1-1.mga7
thunderbird-is-78.5.1-1.mga7
thunderbird-it-78.5.1-1.mga7
thunderbird-ja-78.5.1-1.mga7
thunderbird-ka-78.5.1-1.mga7
thunderbird-kab-78.5.1-1.mga7
thunderbird-kk-78.5.1-1.mga7
thunderbird-ko-78.5.1-1.mga7
thunderbird-lt-78.5.1-1.mga7
thunderbird-ms-78.5.1-1.mga7
thunderbird-nb_NO-78.5.1-1.mga7
thunderbird-nl-78.5.1-1.mga7
thunderbird-nn_NO-78.5.1-1.mga7
thunderbird-pl-78.5.1-1.mga7
thunderbird-pt_BR-78.5.1-1.mga7
thunderbird-pt_PT-78.5.1-1.mga7
thunderbird-ro-78.5.1-1.mga7
thunderbird-ru-78.5.1-1.mga7
thunderbird-si-78.5.1-1.mga7
thunderbird-sk-78.5.1-1.mga7
thunderbird-sl-78.5.1-1.mga7
thunderbird-sq-78.5.1-1.mga7
thunderbird-sv_SE-78.5.1-1.mga7
thunderbird-tr-78.5.1-1.mga7
thunderbird-uk-78.5.1-1.mga7
thunderbird-uz-78.5.1-1.mga7
thunderbird-vi-78.5.1-1.mga7
thunderbird-zh_CN-78.5.1-1.mga7
thunderbird-zh_TW-78.5.1-1.mga7

from SRPMS:
rootcerts-20201201.00-1.mga7.src.rpm
thunderbird-78.5.1-1.mga7.src.rpm
thunderbird-l10n-78.5.1-1.mga7.src.rpm

CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
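
The bug class named in the advisory in Comment 5 (an int-width store aimed at a one-byte stack slot), shown as an added illustration that is not Thunderbird's code and not part of the original bug report. The function names, the 8-byte model frame and the sample reply line are assumptions constructed for this example; the parser is one way to keep each destination at its own width.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Models the flaw safely: frame[0] is the one-byte slot, frame[1..7] stand in
 * for adjacent stack data. Returns how many neighbouring bytes change when an
 * int-sized value is stored at the slot. Uses a plain array so the store is
 * well defined here; in the real bug the neighbours are live stack contents. */
int neighbours_clobbered(int value) {
    unsigned char frame[8];
    memset(frame, 0xAA, sizeof frame);
    memcpy(frame, &value, sizeof value);   /* int-width store into a 1-byte slot */
    int changed = 0;
    for (size_t i = 1; i < sizeof frame; i++)
        if (frame[i] != 0xAA) changed++;
    return changed;
}

/* Width-correct parsing of an SMTP reply line "NNN<sep>text": the three-digit
 * code goes into an int, the separator into a char. Returns 0 on success,
 * -1 on malformed input; outputs are written only on success. */
int parse_smtp_reply(const char *line, int *code, char *sep) {
    if (!line || strlen(line) < 3) return -1;
    int value = 0;
    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)line[i])) return -1;
        value = value * 10 + (line[i] - '0');
    }
    /* Only space, '-' (continuation) or end of line may follow the code. */
    if (line[3] != ' ' && line[3] != '-' && line[3] != '\0') return -1;
    *code = value;
    *sep = line[3];                        /* one byte into a one-byte object */
    return 0;
}

int main(void) {
    int code;
    char sep;
    printf("neighbouring bytes overwritten: %d\n", neighbours_clobbered(250));
    if (parse_smtp_reply("250-PIPELINING", &code, &sep) == 0) /* constructed line */
        printf("code=%d sep='%c'\n", code, sep);
    return 0;
}
```

The count of overwritten neighbours is sizeof(int) - 1 on any byte order, which is why the advisory ties the impact to processor architecture and stack layout.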

Comment 6 Morgan Leijström 2020-12-04 11:00:31 CET
64 bit OK here: Plasma, Intel, Nvidia, Swedish.
Clean upgrade and I just continue to use it since yesterday.
Offline IMAP, SMTP.

CC: (none) => fri

Comment 7 James Kerr 2020-12-04 12:47:45 CET
On mga7-64  kernel-desktop  plasma

packages installed cleanly:
- rootcerts-20201201.00-1.mga7.noarch
- rootcerts-java-20201201.00-1.mga7.noarch
- thunderbird-78.5.1-1.mga7.x86_64
- thunderbird-en_GB-78.5.1-1.mga7.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

looks OK for mga7-64

CC: (none) => jim

Comment 8 Herman Viaene 2020-12-04 15:39:57 CET
MGA7-64 MATE on Peaq C1011
No installation issues.
Using pop account, sending to and receiving from other account on my desktop PC without and with appendix (jpg, pdf) all work OK.
Addressbook preserved from previous version OK.

CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2020-12-04 23:23:35 CET
64-bit US English version looks good here, too. Giving it an OK and validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 10 Aurelien Oudelet 2020-12-05 17:24:31 CET
Same for French version. IMAP(/SSL), SMTP(/SSL) and POP3 are OK. Enigmail migration OK. x86_64.

Advisory pushed to SVN.

Source RPM: thunderbird => thunderbird-78.5.0-1.mga7.src.rpm
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 11 Mageia Robot 2020-12-05 20:48:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0450.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 David Walser 2020-12-14 22:43:29 CET
Red Hat has issued an advisory for this today (December 14):
https://access.redhat.com/errata/RHSA-2020:5398