| Summary: | Thunderbird 78.10 Update | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Aurelien Oudelet <ouaurelien> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | High | CC: | fri, nicolas.salguero, sysadmin-bugs, wrw105 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok mga8-64-ok | | |
| Source RPM: | thunderbird-78.9.1-1.mga8.src.rpm | CVE: | CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23961, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946, CVE-2021-29948 |
| Status comment: | | | |
| Bug Depends on: | 28822 | | |
| Bug Blocks: | | | |

Description
Aurelien Oudelet
2021-04-22 21:15:27 CEST
Assigning to Nicolas S. who did last releases. Adding correct CVE from upstream release notes.

Whiteboard: (none) => MGA7TOO MGA8TOO

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Out of bound write due to lazy initialization. (CVE-2021-23994)

Use-after-free in Responsive Design Mode. (CVE-2021-23995)

Secure Lock icon could have been spoofed. (CVE-2021-23998)

More internal network hosts could have been probed by a malicious webpage. (CVE-2021-23961)

Blob URLs may have been granted additional privileges. (CVE-2021-23999)

Arbitrary FTP command execution on FTP servers using an encoded URL. (CVE-2021-24002)

Incorrect size computation in WebAssembly JIT could lead to null-reads. (CVE-2021-29945)

Port blocking could be bypassed. (CVE-2021-29946)

Race condition when reading from disk while verifying signatures. (CVE-2021-29948)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29948
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/
https://www.thunderbird.net/en-US/thunderbird/78.10.0/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-78.10.0-1.mga{7|8}
thunderbird-enigmail-78.10.0-1.mga{7|8}
thunderbird-ar-78.10.0-1.mga{7|8}
thunderbird-ast-78.10.0-1.mga{7|8}
thunderbird-be-78.10.0-1.mga{7|8}
thunderbird-bg-78.10.0-1.mga{7|8}
thunderbird-br-78.10.0-1.mga{7|8}
thunderbird-ca-78.10.0-1.mga{7|8}
thunderbird-cs-78.10.0-1.mga{7|8}
thunderbird-cy-78.10.0-1.mga{7|8}
thunderbird-da-78.10.0-1.mga{7|8}
thunderbird-de-78.10.0-1.mga{7|8}
thunderbird-el-78.10.0-1.mga{7|8}
thunderbird-en_GB-78.10.0-1.mga{7|8}
thunderbird-en_US-78.10.0-1.mga{7|8}
thunderbird-es_AR-78.10.0-1.mga{7|8}
thunderbird-es_ES-78.10.0-1.mga{7|8}
thunderbird-et-78.10.0-1.mga{7|8}
thunderbird-eu-78.10.0-1.mga{7|8}
thunderbird-fi-78.10.0-1.mga{7|8}
thunderbird-fr-78.10.0-1.mga{7|8}
thunderbird-fy_NL-78.10.0-1.mga{7|8}
thunderbird-ga_IE-78.10.0-1.mga{7|8}
thunderbird-gd-78.10.0-1.mga{7|8}
thunderbird-gl-78.10.0-1.mga{7|8}
thunderbird-he-78.10.0-1.mga{7|8}
thunderbird-hr-78.10.0-1.mga{7|8}
thunderbird-hsb-78.10.0-1.mga{7|8}
thunderbird-hu-78.10.0-1.mga{7|8}
thunderbird-hy_AM-78.10.0-1.mga{7|8}
thunderbird-id-78.10.0-1.mga{7|8}
thunderbird-is-78.10.0-1.mga{7|8}
thunderbird-it-78.10.0-1.mga{7|8}
thunderbird-ja-78.10.0-1.mga{7|8}
thunderbird-ka-78.10.0-1.mga{7|8}
thunderbird-kab-78.10.0-1.mga{7|8}
thunderbird-kk-78.10.0-1.mga{7|8}
thunderbird-ko-78.10.0-1.mga{7|8}
thunderbird-lt-78.10.0-1.mga{7|8}
thunderbird-ms-78.10.0-1.mga{7|8}
thunderbird-nb_NO-78.10.0-1.mga{7|8}
thunderbird-nl-78.10.0-1.mga{7|8}
thunderbird-nn_NO-78.10.0-1.mga{7|8}
thunderbird-pl-78.10.0-1.mga{7|8}
thunderbird-pt_BR-78.10.0-1.mga{7|8}
thunderbird-pt_PT-78.10.0-1.mga{7|8}
thunderbird-ro-78.10.0-1.mga{7|8}
thunderbird-ru-78.10.0-1.mga{7|8}
thunderbird-si-78.10.0-1.mga{7|8}
thunderbird-sk-78.10.0-1.mga{7|8}
thunderbird-sl-78.10.0-1.mga{7|8}
thunderbird-sq-78.10.0-1.mga{7|8}
thunderbird-sv_SE-78.10.0-1.mga{7|8}
thunderbird-tr-78.10.0-1.mga{7|8}
thunderbird-uk-78.10.0-1.mga{7|8}
thunderbird-uz-78.10.0-1.mga{7|8}
thunderbird-vi-78.10.0-1.mga{7|8}
thunderbird-zh_CN-78.10.0-1.mga{7|8}
thunderbird-zh_TW-78.10.0-1.mga{7|8}

from SRPMS:
thunderbird-78.10.0-1.mga{7|8}.src.rpm
thunderbird-l10n-78.10.0-1.mga{7|8}.src.rpm

Status: NEW => ASSIGNED

MGA8-64 Plasma, nvidia-current, kernel 5.10.30-desktop-1.mga8
- lib64nss3-3.64.0-1.mga8.x86_64
- thunderbird-78.10.0-1.mga8.x86_64
- thunderbird-sv_SE-78.10.0-1.mga8.noarch

Test OK: localisation, settings, existing accounts, folders and mail remain, send using SMTP, offline IMAP, IMAP replicates mail moves between folders on webmail server and in Thunderbird used as client.

CC: (none) => fri

tested mga8-32 send/receive/move/delete and calendar all OK over SMTP/IMAP

Whiteboard: MGA7TOO => MGA7TOO mga8-32-ok

tested mga7-32 as above, all OK

Whiteboard: MGA7TOO mga8-32-ok => MGA7TOO mga8-32-ok mga7-32-ok

tested mga8-64 as above, all OK

Whiteboard: MGA7TOO mga8-32-ok mga7-32-ok => MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok

RedHat has issued an advisory for this on April 26:
https://access.redhat.com/errata/RHSA-2021:1353

tested mga8-64 as above, all OK. Validating. Ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update

MGA8 Plasma x86_64 All tests OK. Advisory pushed to svn.

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0198.html

Resolution: (none) => FIXED