| Summary: | Thunderbird 102.8 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, fri, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | thunderbird, thunderbird-l10n | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 31556 | | |
| Bug Blocks: | | | |
Description
Nicolas Salguero
2023-02-16 14:03:44 CET
Nicolas Salguero
2023-02-16 14:03:57 CET
CC: (none) => nicolas.salguero

Suggested advisory:
========================

The updated packages fix a security vulnerability:

User Interface lockup with messages combining S/MIME and OpenPGP. (CVE-2023-0616)

Content security policy leak in violation reports using iframes. (CVE-2023-25728)

Screen hijack via browser fullscreen mode. (CVE-2023-25730)

Arbitrary memory write via PKCS 12 in NSS. (CVE-2023-0767)

Potential use-after-free from compartment mismatch in SpiderMonkey. (CVE-2023-25735)

Invalid downcast in SVGUtils::SetupStrokeGeometry. (CVE-2023-25737)

Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext. (CVE-2023-25739)

Extensions could have opened external schemes without user knowledge. (CVE-2023-25729)

Out of bounds memory write from EncodeInputStream. (CVE-2023-25732)

Web Crypto ImportKey crashes tab. (CVE-2023-25742)

Memory safety bugs fixed in Thunderbird 102.8. (CVE-2023-25746)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25746
https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/
========================

Updated packages in core/updates_testing:
========================
thunderbird-102.8.0-1.mga8
thunderbird-ka-102.8.0-1.mga8
thunderbird-ru-102.8.0-1.mga8
thunderbird-uk-102.8.0-1.mga8
thunderbird-el-102.8.0-1.mga8
thunderbird-ja-102.8.0-1.mga8
thunderbird-zh_TW-102.8.0-1.mga8
thunderbird-kk-102.8.0-1.mga8
thunderbird-th-102.8.0-1.mga8
thunderbird-sk-102.8.0-1.mga8
thunderbird-vi-102.8.0-1.mga8
thunderbird-hu-102.8.0-1.mga8
thunderbird-zh_CN-102.8.0-1.mga8
thunderbird-cs-102.8.0-1.mga8
thunderbird-hsb-102.8.0-1.mga8
thunderbird-dsb-102.8.0-1.mga8
thunderbird-hy_AM-102.8.0-1.mga8
thunderbird-sr-102.8.0-1.mga8
thunderbird-es_MX-102.8.0-1.mga8
thunderbird-fr-102.8.0-1.mga8
thunderbird-de-102.8.0-1.mga8
thunderbird-tr-102.8.0-1.mga8
thunderbird-es_AR-102.8.0-1.mga8
thunderbird-pl-102.8.0-1.mga8
thunderbird-ko-102.8.0-1.mga8
thunderbird-kab-102.8.0-1.mga8
thunderbird-fy_NL-102.8.0-1.mga8
thunderbird-sq-102.8.0-1.mga8
thunderbird-pt_BR-102.8.0-1.mga8
thunderbird-cy-102.8.0-1.mga8
thunderbird-bg-102.8.0-1.mga8
thunderbird-sv_SE-102.8.0-1.mga8
thunderbird-be-102.8.0-1.mga8
thunderbird-sl-102.8.0-1.mga8
thunderbird-is-102.8.0-1.mga8
thunderbird-nl-102.8.0-1.mga8
thunderbird-lt-102.8.0-1.mga8
thunderbird-eu-102.8.0-1.mga8
thunderbird-et-102.8.0-1.mga8
thunderbird-da-102.8.0-1.mga8
thunderbird-fi-102.8.0-1.mga8
thunderbird-gl-102.8.0-1.mga8
thunderbird-pt_PT-102.8.0-1.mga8
thunderbird-he-102.8.0-1.mga8
thunderbird-hr-102.8.0-1.mga8
thunderbird-ro-102.8.0-1.mga8
thunderbird-ar-102.8.0-1.mga8
thunderbird-nn_NO-102.8.0-1.mga8
thunderbird-es_ES-102.8.0-1.mga8
thunderbird-en_GB-102.8.0-1.mga8
thunderbird-nb_NO-102.8.0-1.mga8
thunderbird-en_CA-102.8.0-1.mga8
thunderbird-pa_IN-102.8.0-1.mga8
thunderbird-en_US-102.8.0-1.mga8
thunderbird-ca-102.8.0-1.mga8
thunderbird-id-102.8.0-1.mga8
thunderbird-gd-102.8.0-1.mga8
thunderbird-it-102.8.0-1.mga8
thunderbird-lv-102.8.0-1.mga8
thunderbird-br-102.8.0-1.mga8
thunderbird-ga_IE-102.8.0-1.mga8
thunderbird-af-102.8.0-1.mga8
thunderbird-ms-102.8.0-1.mga8
thunderbird-ast-102.8.0-1.mga8
thunderbird-uz-102.8.0-1.mga8

from SRPMS:
thunderbird-102.8.0-1.mga8.src.rpm
thunderbird-l10n-102.8.0-1.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Nicolas Salguero
2023-02-16 17:24:21 CET
Depends on: (none) => 31556

mga8-64, Plasma, nvidia-current, intel i7

Tests OK: Swedish locale settings and local mail kept
IMAP (offline, IMAP to sync to server)
SMTP tested incl inline pictures and attached files.

Did not test Filters, Calendar, PGP, RSS...

CC: (none) => fri

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Using existing profile, sending and receiving mails without and with attachments work OK.

CC: (none) => herman.viaene

MGA8-64 Plasma. Updated both Firefox and Thunderbird US English versions at the same time, with no installation issues.

Used Thunderbird all afternoon yesterday, sent and received several emails about QA, order confirmations, notifications from various farming forums I frequent and from Facebook, used links inside some of the trusted emails, checked some newsgroups. Everything worked as it should.

I don't use the calendar, but what I do use is OK.

CC: (none) => andrewsfarm

Another day of usage with no problems. Sending this on.

Validating. Advisory in comment 1.

Whiteboard: (none) => MGA8-64-OK
Dave Hodgins
2023-02-20 20:58:33 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0057.html

Resolution: (none) => FIXED

RedHat has issued an advisory for this on February 20:
https://access.redhat.com/errata/RHSA-2023:0824