Bug 28069

Summary: Thunderbird 78.6.1
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, jim, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: thunderbird, thunderbird-l10n CVE: CVE-2020-16044
Status comment:

Description David Walser 2021-01-11 23:45:14 CET 
Thunderbird 78.6.1 has been released today (January 11).

For some reason, the release notes are not available yet:
https://www.thunderbird.net/en-US/thunderbird/78.6.1/releasenotes/

but the security advisory is:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-02/

It fixes the same issue as Firefox 78.6.1 (Bug 28034).
David Walser 2021-01-11 23:45:21 CET

Whiteboard: (none) => MGA7TOO

Nicolas Salguero 2021-01-12 09:13:53 CET

CVE: (none) => CVE-2020-16044
CC: (none) => nicolas.salguero
Source RPM: thunderbird => thunderbird, thunderbird-l10n

Thomas Backlund 2021-01-12 11:46:27 CET

Version: Cauldron => 7

Comment 1 Nicolas Salguero 2021-01-12 12:28:30 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk. (CVE-2020-16044)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16044
https://www.mozilla.org/en-US/security/advisories/mfsa2021-02/
https://www.thunderbird.net/en-US/thunderbird/78.6.1/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-78.6.1-1.mga7
thunderbird-enigmail-78.6.1-1.mga7
thunderbird-ar-78.6.1-1.mga7
thunderbird-ast-78.6.1-1.mga7
thunderbird-be-78.6.1-1.mga7
thunderbird-bg-78.6.1-1.mga7
thunderbird-br-78.6.1-1.mga7
thunderbird-ca-78.6.1-1.mga7
thunderbird-cs-78.6.1-1.mga7
thunderbird-cy-78.6.1-1.mga7
thunderbird-da-78.6.1-1.mga7
thunderbird-de-78.6.1-1.mga7
thunderbird-el-78.6.1-1.mga7
thunderbird-en_GB-78.6.1-1.mga7
thunderbird-en_US-78.6.1-1.mga7
thunderbird-es_AR-78.6.1-1.mga7
thunderbird-es_ES-78.6.1-1.mga7
thunderbird-et-78.6.1-1.mga7
thunderbird-eu-78.6.1-1.mga7
thunderbird-fi-78.6.1-1.mga7
thunderbird-fr-78.6.1-1.mga7
thunderbird-fy_NL-78.6.1-1.mga7
thunderbird-ga_IE-78.6.1-1.mga7
thunderbird-gd-78.6.1-1.mga7
thunderbird-gl-78.6.1-1.mga7
thunderbird-he-78.6.1-1.mga7
thunderbird-hr-78.6.1-1.mga7
thunderbird-hsb-78.6.1-1.mga7
thunderbird-hu-78.6.1-1.mga7
thunderbird-hy_AM-78.6.1-1.mga7
thunderbird-id-78.6.1-1.mga7
thunderbird-is-78.6.1-1.mga7
thunderbird-it-78.6.1-1.mga7
thunderbird-ja-78.6.1-1.mga7
thunderbird-ka-78.6.1-1.mga7
thunderbird-kab-78.6.1-1.mga7
thunderbird-kk-78.6.1-1.mga7
thunderbird-ko-78.6.1-1.mga7
thunderbird-lt-78.6.1-1.mga7
thunderbird-ms-78.6.1-1.mga7
thunderbird-nb_NO-78.6.1-1.mga7
thunderbird-nl-78.6.1-1.mga7
thunderbird-nn_NO-78.6.1-1.mga7
thunderbird-pl-78.6.1-1.mga7
thunderbird-pt_BR-78.6.1-1.mga7
thunderbird-pt_PT-78.6.1-1.mga7
thunderbird-ro-78.6.1-1.mga7
thunderbird-ru-78.6.1-1.mga7
thunderbird-si-78.6.1-1.mga7
thunderbird-sk-78.6.1-1.mga7
thunderbird-sl-78.6.1-1.mga7
thunderbird-sq-78.6.1-1.mga7
thunderbird-sv_SE-78.6.1-1.mga7
thunderbird-tr-78.6.1-1.mga7
thunderbird-uk-78.6.1-1.mga7
thunderbird-uz-78.6.1-1.mga7
thunderbird-vi-78.6.1-1.mga7
thunderbird-zh_CN-78.6.1-1.mga7
thunderbird-zh_TW-78.6.1-1.mga7

from SRPMS:
thunderbird-78.6.1-1.mga7.src.rpm
thunderbird-l10n-78.6.1-1.mga7.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 2 Thomas Andrews 2021-01-13 17:33:05 CET 
64-bit Plasma system, i5 2500, 16GB RAM, Intel graphics, wired Internet connection.

Used QA Repo to download all files, even though I knew that they wouldn't all be needed. Updated the US English version. No installation issues.

Checked my email, received some from QA, some from others. Sent test message from a gmail account to my yahoo account, and replied. Read newsgroup messages.

I don't use enigmail or the calendar, but what I do use works OK.

CC: (none) => andrewsfarm

Comment 3 David Walser 2021-01-13 18:46:52 CET 
RedHat has issued an advisory for this today (January 13):
https://access.redhat.com/errata/RHSA-2021:0089
Comment 4 James Kerr 2021-01-13 19:37:34 CET 
On mga7-64  kernel-desktop  plasma

packages installed cleanly:
- thunderbird-78.6.1-1.mga7.x86_64
- thunderbird-en_GB-78.6.1-1.mga7.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

looks OK for mga7-64

CC: (none) => jim

Comment 5 Aurelien Oudelet 2021-01-14 14:28:48 CET 
(In reply to Thomas Andrews from comment #2)
> 64-bit Plasma system, i5 2500, 16GB RAM, Intel graphics, wired Internet
> connection.
> 
> Used QA Repo to download all files, even though I knew that they wouldn't
> all be needed. Updated the US English version. No installation issues.
> 
> Checked my email, received some from QA, some from others. Sent test message
> from a gmail account to my yahoo account, and replied. Read newsgroup
> messages.
> 
> I don't use enigmail or the calendar, but what I do use works OK.

Same on a M7 Plasma
openPGP functionality is OK
Calendar too.
IMAP and secure IMAP also.

Looks good.

Validating.
Advisory pushed to SVN.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 6 Mageia Robot 2021-01-14 16:15:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0027.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED