| Summary: | Thunderbird 91.9 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, chb0, davidwhodgins, fri, joselp, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | thunderbird, thunderbird-l10n | CVE: | |
| Status comment: | |||
| Bug Depends on: | 30367 | ||
| Bug Blocks: | |||
Description
David Walser
2022-05-04 18:36:54 CEST
David Walser
2022-05-04 18:37:06 CEST
Depends on:
(none) =>
30367

Hi,

Updated from 91.8 in Mga x86_64. No issues for the moment. Contacts, addons, send and receive ok. Task and calendar ok. Spanish locale ok.

Greetings!!

CC:
(none) =>
joselp

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Incorrect security status shown after viewing an attached email. (CVE-2022-1520)

Fullscreen notification bypass using popups. (CVE-2022-29914)

Bypassing permission prompt in nested browsing contexts. (CVE-2022-29909)

Leaking browser history with CSS variables. (CVE-2022-29916)

iframe sandbox bypass. (CVE-2022-29911)

Reader mode bypassed SameSite cookies. (CVE-2022-29912)

Speech Synthesis feature not properly disabled. (CVE-2022-29913)

Memory safety bugs fixed in Thunderbird 91.9. (CVE-2022-29917)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29914
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29916
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29913
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29917
https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/
https://www.thunderbird.net/en-US/thunderbird/91.9.0/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-91.9.0-1.mga8
thunderbird-ru-91.9.0-1.mga8
thunderbird-uk-91.9.0-1.mga8
thunderbird-ka-91.9.0-1.mga8
thunderbird-el-91.9.0-1.mga8
thunderbird-th-91.9.0-1.mga8
thunderbird-ja-91.9.0-1.mga8
thunderbird-kk-91.9.0-1.mga8
thunderbird-zh_TW-91.9.0-1.mga8
thunderbird-zh_CN-91.9.0-1.mga8
thunderbird-hy_AM-91.9.0-1.mga8
thunderbird-sk-91.9.0-1.mga8
thunderbird-hu-91.9.0-1.mga8
thunderbird-dsb-91.9.0-1.mga8
thunderbird-vi-91.9.0-1.mga8
thunderbird-hsb-91.9.0-1.mga8
thunderbird-sr-91.9.0-1.mga8
thunderbird-cs-91.9.0-1.mga8
thunderbird-fr-91.9.0-1.mga8
thunderbird-ko-91.9.0-1.mga8
thunderbird-sq-91.9.0-1.mga8
thunderbird-lt-91.9.0-1.mga8
thunderbird-be-91.9.0-1.mga8
thunderbird-bg-91.9.0-1.mga8
thunderbird-es_AR-91.9.0-1.mga8
thunderbird-de-91.9.0-1.mga8
thunderbird-tr-91.9.0-1.mga8
thunderbird-pl-91.9.0-1.mga8
thunderbird-pt_BR-91.9.0-1.mga8
thunderbird-fy_NL-91.9.0-1.mga8
thunderbird-sv_SE-91.9.0-1.mga8
thunderbird-kab-91.9.0-1.mga8
thunderbird-nl-91.9.0-1.mga8
thunderbird-cy-91.9.0-1.mga8
thunderbird-gl-91.9.0-1.mga8
thunderbird-eu-91.9.0-1.mga8
thunderbird-he-91.9.0-1.mga8
thunderbird-pt_PT-91.9.0-1.mga8
thunderbird-fi-91.9.0-1.mga8
thunderbird-ar-91.9.0-1.mga8
thunderbird-sl-91.9.0-1.mga8
thunderbird-ro-91.9.0-1.mga8
thunderbird-da-91.9.0-1.mga8
thunderbird-nn_NO-91.9.0-1.mga8
thunderbird-nb_NO-91.9.0-1.mga8
thunderbird-pa_IN-91.9.0-1.mga8
thunderbird-hr-91.9.0-1.mga8
thunderbird-ca-91.9.0-1.mga8
thunderbird-id-91.9.0-1.mga8
thunderbird-en_GB-91.9.0-1.mga8
thunderbird-gd-91.9.0-1.mga8
thunderbird-en_CA-91.9.0-1.mga8
thunderbird-en_US-91.9.0-1.mga8
thunderbird-br-91.9.0-1.mga8
thunderbird-lv-91.9.0-1.mga8
thunderbird-it-91.9.0-1.mga8
thunderbird-ga_IE-91.9.0-1.mga8
thunderbird-et-91.9.0-1.mga8
thunderbird-uz-91.9.0-1.mga8
thunderbird-ast-91.9.0-1.mga8
thunderbird-is-91.9.0-1.mga8
thunderbird-ms-91.9.0-1.mga8
thunderbird-es_ES-91.9.0-1.mga8
thunderbird-af-91.9.0-1.mga8

from SRPMS:
thunderbird-91.9.0-1.mga8.src.rpm
thunderbird-l10n-91.9.0-1.mga8.src.rpm

CC:
(none) =>
nicolas.salguero

RedHat has issued an advisory for this today (May 5):
https://access.redhat.com/errata/RHSA-2022:1725

mga8, x64

Thunderbird en_GB working fine after update. IMAP server, google mail. Lost none of the pending messages in the transition.

CC:
(none) =>
tarazed25

Hi

Installation via QA Repo fails because I miss lib64nss3[>= 2:3.78.0]

This version of lib64nss3 is in Testing, but not listed on the QA page.
https://madb.mageia.org/package/show/application/0/release/8/arch/x86_64/name/lib64nss3
https://madb.mageia.org/tools/updates/application/0/release/8/arch/x86_64

But, actually, it is connected to Firefox...

So, after adding the following package to QA Repo, I was able to install thunderbird:
nss-3.78.0-1.mga8.x86_64.rpm
nss-doc-3.78.0-1.mga8.noarch.rpm
lib64nss3-3.78.0-1.mga8.x86_64.rpm
lib64nss-devel-3.78.0-1.mga8.x86_64.rpm

Tests done on Plasma x86_64
- Emails send/receive
- New contact synched with Nextcloud contact. Then, deleted from my phone.
- New event synched with Nextcloud calendar. Then, deleted from my phone.

OK for me

CC:
(none) =>
chb0

@christian: Actually, per the field "Depends on" above in this bug, the firefox bug is set :)

CC:
(none) =>
fri

OK mga8-64, Plasma, Nvidia-current
* Swedish locale
* preserved settings and mail
* offline IMAP, SMTP

(In reply to Morgan Leijström from comment #6)
> @christian: Actually, per the field "Depends on" above in this bug, the
> firefox bug is set :)

Hi Morgan

Indeed, I missed that and, actually, I learned something more today, which is what "Depends on" is here for! ;)

That being said, as I don't use Firefox ESR, I need anyway to install nss updates specifically.

Updated the mga8-64 US English Firefox and Thunderbird in one operation. No issues to report with either.

CC:
(none) =>
andrewsfarm

Validating the update. Advisory committed to svn.

Whiteboard:
(none) =>
MGA8-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0163.html

Status:
ASSIGNED =>
RESOLVED