Bug 28247

Summary: Thunderbird 78.7
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: doktor5000, fri, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: thunderbird, thunderbird-l10n CVE:
Status comment:
Bug Depends on: 28218    
Bug Blocks:    

Description David Walser 2021-01-29 00:56:17 CET 
Mozilla has released Thunderbird 78.7 on January 26:
https://www.thunderbird.net/en-US/thunderbird/78.7.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-05/
David Walser 2021-01-29 00:56:29 CET

Depends on: (none) => 28218
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 David Walser 2021-01-29 01:12:01 CET 
RedHat has issued an advisory for this today (January 28):
https://access.redhat.com/errata/RHSA-2021:0298
Comment 2 Lewis Smith 2021-01-29 20:33:14 CET 
Assigning to NicolasS who has done most of the more recent commits; CC'ing Florian, the registered maintainer.

Assignee: bugsquad => nicolas.salguero
CC: (none) => doktor5000

Comment 3 Nicolas Lécureuil 2021-02-01 20:11:33 CET 
pushed in mga8 updates_testing ( l10n now )

CC: (none) => mageia

Comment 4 Thomas Backlund 2021-02-02 09:01:36 CET 
cauldron/mga8 ok

Whiteboard: MGA8TOO, MGA7TOO => (none)
Version: Cauldron => 7

Comment 5 Nicolas Salguero 2021-02-02 15:18:50 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Cross-origin information leakage via redirected PDF requests. (CVE-2021-23953)

Type confusion when using logical assignment operators in JavaScript switch statements. (CVE-2021-23954)

IMAP Response Injection when using STARTTLS. (CVE-2020-15685)

HTTPS pages could have been intercepted by a registered service worker when they should not have been. (CVE-2020-26976)

Use-after-poison for incorrectly redeclared JavaScript variables during GC. (CVE-2021-23960)

Memory safety bugs fixed in Thunderbird 78.7. (CVE-2021-23964)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26976
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23964
https://www.mozilla.org/en-US/security/advisories/mfsa2021-05/
https://www.thunderbird.net/en-US/thunderbird/78.7.0/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-78.7.0-1.mga7
thunderbird-enigmail-78.7.0-1.mga7
thunderbird-ar-78.7.0-1.mga7
thunderbird-ast-78.7.0-1.mga7
thunderbird-be-78.7.0-1.mga7
thunderbird-bg-78.7.0-1.mga7
thunderbird-br-78.7.0-1.mga7
thunderbird-ca-78.7.0-1.mga7
thunderbird-cs-78.7.0-1.mga7
thunderbird-cy-78.7.0-1.mga7
thunderbird-da-78.7.0-1.mga7
thunderbird-de-78.7.0-1.mga7
thunderbird-el-78.7.0-1.mga7
thunderbird-en_GB-78.7.0-1.mga7
thunderbird-en_US-78.7.0-1.mga7
thunderbird-es_AR-78.7.0-1.mga7
thunderbird-es_ES-78.7.0-1.mga7
thunderbird-et-78.7.0-1.mga7
thunderbird-eu-78.7.0-1.mga7
thunderbird-fi-78.7.0-1.mga7
thunderbird-fr-78.7.0-1.mga7
thunderbird-fy_NL-78.7.0-1.mga7
thunderbird-ga_IE-78.7.0-1.mga7
thunderbird-gd-78.7.0-1.mga7
thunderbird-gl-78.7.0-1.mga7
thunderbird-he-78.7.0-1.mga7
thunderbird-hr-78.7.0-1.mga7
thunderbird-hsb-78.7.0-1.mga7
thunderbird-hu-78.7.0-1.mga7
thunderbird-hy_AM-78.7.0-1.mga7
thunderbird-id-78.7.0-1.mga7
thunderbird-is-78.7.0-1.mga7
thunderbird-it-78.7.0-1.mga7
thunderbird-ja-78.7.0-1.mga7
thunderbird-ka-78.7.0-1.mga7
thunderbird-kab-78.7.0-1.mga7
thunderbird-kk-78.7.0-1.mga7
thunderbird-ko-78.7.0-1.mga7
thunderbird-lt-78.7.0-1.mga7
thunderbird-ms-78.7.0-1.mga7
thunderbird-nb_NO-78.7.0-1.mga7
thunderbird-nl-78.7.0-1.mga7
thunderbird-nn_NO-78.7.0-1.mga7
thunderbird-pl-78.7.0-1.mga7
thunderbird-pt_BR-78.7.0-1.mga7
thunderbird-pt_PT-78.7.0-1.mga7
thunderbird-ro-78.7.0-1.mga7
thunderbird-ru-78.7.0-1.mga7
thunderbird-si-78.7.0-1.mga7
thunderbird-sk-78.7.0-1.mga7
thunderbird-sl-78.7.0-1.mga7
thunderbird-sq-78.7.0-1.mga7
thunderbird-sv_SE-78.7.0-1.mga7
thunderbird-tr-78.7.0-1.mga7
thunderbird-uk-78.7.0-1.mga7
thunderbird-uz-78.7.0-1.mga7
thunderbird-vi-78.7.0-1.mga7
thunderbird-zh_CN-78.7.0-1.mga7
thunderbird-zh_TW-78.7.0-1.mga7

from SRPMS:
thunderbird-78.7.0-1.mga7.src.rpm
thunderbird-l10n-78.7.0-1.mga7.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Source RPM: thunderbird => thunderbird, thunderbird-l10n

Comment 6 Morgan Leijström 2021-02-02 20:54:15 CET 
mga7-64 plasma
Clean update, including swedish
Tested a couple mail SMTP + IMAP
A few accounts, ten thousands mail still here
Keep using it.

CC: (none) => fri

Comment 7 Aurelien Oudelet 2021-02-04 09:26:48 CET 
MGA7 Plasma x86_64, Classic Install ISO.
Updated with QA Repo.
Packages updated:
thunderbird-78.7.0-1.mga7
thunderbird-enigmail-78.7.0-1.mga7
thunderbird-fr-78.7.0-1.mga7

IMAP (SSL and /SSL) OK
SMTP (SSL and without) OK
POP3 (SSL and without) OK
Calendar OK
Enigmail crypt/decrypt sign OK
Set new account OK
Mails previously here: still here. OK
UI in French OK

Give this a OK - MGA7-64-OK
Validating 
Advisory commited to SVN.

CC: (none) => ouaurelien

Aurelien Oudelet 2021-02-04 09:27:01 CET

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2021-02-04 14:41:56 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0066.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED