Bug 2878

Summary: Update candidate: mozilla-thunderbird & -l10n - security update to 3.1.15
Product: Mageia Reporter: Florian Hubold <doktor5000>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, dmorganec, sysadmin-bugs
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment:

Description Florian Hubold 2011-09-30 13:36:39 CEST 
There is now mozilla-thunderbird-3.1.15-1.mga1 in core/updates_testing to validate, together with the language packages mozilla-thunderbird-XX-3.1.15-1.mga1
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following security issues:


- Revoked the root certificate for DigiNotar due to fraudulent SSL certificate issuance, fixed in Thunderbird 3.1.13 ( see https://bugzilla.mozilla.org/show_bug.cgi?id=682927 and the security advisory at http://www.mozilla.org/security/announce/2011/mfsa2011-34.html )

- Removed trust exceptions for certificates issued by Staat der Nederlanden, fixed in Thunderbird 3.1.14 (see https://bugzilla.mozilla.org/show_bug.cgi?id=683449 and the security advisory at http://www.mozilla.org/security/announce/2011/mfsa2011-35.html )

- Resolved an issue with gov.uk websites (see https://bugzilla.mozilla.org/show_bug.cgi?id=669792)

- Fixed a critical crash [@ nsContentUtils::ComparePosition] 

- Several other fixes to improve performance, stability and security, which are listed here and fixed in Thunderbird 3.1.15: https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_status_thunderbird31;type0-0-1=equals;field0-0-1=cf_status_192;query_format=advanced;value0-0-1=.23-fixed;type0-0-0=equals;value0-0-0=.15-fixed

-------------------------------------------------------
Steps to reproduce:

- install/update to update candidate and according language pack
- make sure DigiNotar and PKIoverheid (Staat der Nederlanden) are untrusted, meanuing not listed in CA list
- make sure there are no regressions
- make sure Thunderbird uses the language of the language pack
Florian Hubold 2011-09-30 14:01:17 CEST

Status: NEW => ASSIGNED

Comment 1 claire robinson 2011-10-01 20:39:38 CEST 
Testing i586 en_GB.

Spell checking seems fine. Diginotar is not listed in certificate authorities, I'm not sure we can test beyond that.

Staad der Nederlanden are both present

One bug still present is bug 1631 - No new mail sound - but it is not covered in this update.

Tested IMAP and POP3, SMTP. html and plain text, address book, spam filter. All seems fine.
Comment 2 Florian Hubold 2011-10-01 23:57:21 CEST 
(In reply to comment #1)
> 
> One bug still present is bug 1631 - No new mail sound - but it is not covered
> in this update.

Sorry, seems Anssi overlooked that and not assigned it to me, so it didn't show up in my bug list. Grabbed it now and commented there.


For the Staat der Nederlanden certificates, this was done in the code like for the DigiNotar certificates in Firefox, just look at the linked bug, also for some example links which should now be untrusted: https://bugzilla.mozilla.org/show_bug.cgi?id=683449

But currently no easy way of checking that those are untrusted in Thunderbird comes to my mind. Anybody has email business with one of the following dutch websites?

https://sha2.diginotar.nl/
https://g2test.logius.nl/
https://steenwijkerland.bim.mijnbezwaar.nl/
https://secure.valkenswaard.nl/
https://www8.eindhoven.nl/
Comment 3 Dave Hodgins 2011-10-05 10:41:58 CEST 
Ping.  We need a x86-64 tester for thunderbird.

CC: (none) => davidwhodgins

Comment 4 Florian Hubold 2011-10-05 11:32:21 CEST 
Well, i'm using it here since 7 days, everything working all right.
Comment 5 claire robinson 2011-10-05 11:37:50 CEST 
I will install and test this later x86_64 if there's nobody already using it. Apart from you Florian :P
Comment 6 claire robinson 2011-10-05 15:17:25 CEST 
Tests OK x86_64

Update validated.

Advisory:
------------------
This update addresses the following security issues:


- Revoked the root certificate for DigiNotar due to fraudulent SSL certificate
issuance, fixed in Thunderbird 3.1.13 ( see
https://bugzilla.mozilla.org/show_bug.cgi?id=682927 and the security advisory
at http://www.mozilla.org/security/announce/2011/mfsa2011-34.html )

- Removed trust exceptions for certificates issued by Staat der Nederlanden,
fixed in Thunderbird 3.1.14 (see
https://bugzilla.mozilla.org/show_bug.cgi?id=683449 and the security advisory
at http://www.mozilla.org/security/announce/2011/mfsa2011-35.html )

- Resolved an issue with gov.uk websites (see
https://bugzilla.mozilla.org/show_bug.cgi?id=669792)

- Fixed a critical crash [@ nsContentUtils::ComparePosition] 

- Several other fixes to improve performance, stability and security, which are
listed here and fixed in Thunderbird 3.1.15:

https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_status_thunderbird31;type0-0-1=equals;field0-0-1=cf_status_192;query_format=advanced;value0-0-1=.23-fixed;type0-0-0=equals;value0-0-0=.15-fixed

-------------------------

Source RPM: mozilla-thunderbird-3.1.15-1.mga1.src.rpm


Can sysadmin please push from core/updates_testing to core/updates.

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 D Morgan 2011-10-08 23:35:47 CEST 
update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED

Florian Hubold 2012-02-03 17:03:59 CET

Blocks: (none) => 4401

Florian Hubold 2012-02-03 17:07:43 CET

Blocks: 4401 => (none)