Bug 32552

Summary: Thunderbird 115.5.1
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, fri, guillaume.royer, herman.viaene, marja11, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: thunderbird, thunderbird-l10n CVE:
Status comment:
Bug Depends on: 32551    
Bug Blocks:    

Description Nicolas Salguero 2023-11-22 10:16:04 CET 
Mozilla has released Thunderbird 115.5 on November 21:
https://www.thunderbird.net/en-US/thunderbird/115.5.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/
Nicolas Salguero 2023-11-22 10:16:18 CET

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => thunderbird, thunderbird-l10n

Comment 1 Lewis Smith 2023-11-22 21:16:57 CET 
Same thing again: you currently look after Thunderbird, so assigning this to you.

CC: nicolas.salguero => (none)
Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2023-11-24 11:36:40 CET

Assignee: nicolas.salguero => pkg-bugs

Nicolas Salguero 2023-11-27 15:20:28 CET

Severity: normal => critical

Comment 2 Nicolas Salguero 2023-11-27 15:58:52 CET 
For Cauldron and Mageia 9, new versions of thunderbird and thunderbird-l10n are into SVN.
Nicolas Salguero 2023-11-30 10:28:12 CET

Depends on: (none) => 32551

Comment 3 Nicolas Salguero 2023-11-30 16:15:27 CET 
thunderbird-115.5.0-2.mga9 will include a patch from Centos for CVE-2023-44488 (see bug 32586).
Comment 4 Nicolas Salguero 2023-12-01 11:39:15 CET 
Mozilla has released Thunderbird 115.5.1 on November 27:
https://www.thunderbird.net/en-US/thunderbird/115.5.1/releasenotes/

It fixes several bugs.

Summary: Thunderbird 115.5 => Thunderbird 115.5.1

Comment 5 Nicolas Salguero 2023-12-01 15:53:03 CET 
For Cauldron, thunderbird and thunderbird-l10n need to be built.

Updated packages in core/updates_testing:
========================
thunderbird-115.5.1-1.mga9
thunderbird-af-115.5.1-1.mga9
thunderbird-ar-115.5.1-1.mga9
thunderbird-ast-115.5.1-1.mga9
thunderbird-be-115.5.1-1.mga9
thunderbird-bg-115.5.1-1.mga9
thunderbird-br-115.5.1-1.mga9
thunderbird-ca-115.5.1-1.mga9
thunderbird-cs-115.5.1-1.mga9
thunderbird-cy-115.5.1-1.mga9
thunderbird-da-115.5.1-1.mga9
thunderbird-de-115.5.1-1.mga9
thunderbird-dsb-115.5.1-1.mga9
thunderbird-el-115.5.1-1.mga9
thunderbird-en_CA-115.5.1-1.mga9
thunderbird-en_GB-115.5.1-1.mga9
thunderbird-en_US-115.5.1-1.mga9
thunderbird-es_AR-115.5.1-1.mga9
thunderbird-es_ES-115.5.1-1.mga9
thunderbird-es_MX-115.5.1-1.mga9
thunderbird-et-115.5.1-1.mga9
thunderbird-eu-115.5.1-1.mga9
thunderbird-fi-115.5.1-1.mga9
thunderbird-fr-115.5.1-1.mga9
thunderbird-fy_NL-115.5.1-1.mga9
thunderbird-ga_IE-115.5.1-1.mga9
thunderbird-gd-115.5.1-1.mga9
thunderbird-gl-115.5.1-1.mga9
thunderbird-he-115.5.1-1.mga9
thunderbird-hr-115.5.1-1.mga9
thunderbird-hsb-115.5.1-1.mga9
thunderbird-hu-115.5.1-1.mga9
thunderbird-hy_AM-115.5.1-1.mga9
thunderbird-id-115.5.1-1.mga9
thunderbird-is-115.5.1-1.mga9
thunderbird-it-115.5.1-1.mga9
thunderbird-ja-115.5.1-1.mga9
thunderbird-ka-115.5.1-1.mga9
thunderbird-kab-115.5.1-1.mga9
thunderbird-kk-115.5.1-1.mga9
thunderbird-ko-115.5.1-1.mga9
thunderbird-lt-115.5.1-1.mga9
thunderbird-lv-115.5.1-1.mga9
thunderbird-ms-115.5.1-1.mga9
thunderbird-nb_NO-115.5.1-1.mga9
thunderbird-nl-115.5.1-1.mga9
thunderbird-nn_NO-115.5.1-1.mga9
thunderbird-pa_IN-115.5.1-1.mga9
thunderbird-pl-115.5.1-1.mga9
thunderbird-pt_BR-115.5.1-1.mga9
thunderbird-pt_PT-115.5.1-1.mga9
thunderbird-ro-115.5.1-1.mga9
thunderbird-ru-115.5.1-1.mga9
thunderbird-sk-115.5.1-1.mga9
thunderbird-sl-115.5.1-1.mga9
thunderbird-sq-115.5.1-1.mga9
thunderbird-sr-115.5.1-1.mga9
thunderbird-sv_SE-115.5.1-1.mga9
thunderbird-th-115.5.1-1.mga9
thunderbird-tr-115.5.1-1.mga9
thunderbird-uk-115.5.1-1.mga9
thunderbird-uz-115.5.1-1.mga9
thunderbird-vi-115.5.1-1.mga9
thunderbird-zh_CN-115.5.1-1.mga9
thunderbird-zh_TW-115.5.1-1.mga9

from SRPMS:
thunderbird-115.5.1-1.mga9.src.rpm
thunderbird-l10n-115.5.1-1.mga9.src.rpm
Comment 6 Morgan Leijström 2023-12-03 19:30:19 CET 
Ready for QA?
If so, assign to QA :)

Note to QA: First update the packages from Bug 32551

CC: (none) => fri

Comment 7 Nicolas Salguero 2023-12-05 14:18:01 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Out-of-bound memory access in WebGL2 blitFramebuffer. (CVE-2023-6204)

Use-after-free in MessagePort::Entangled. (CVE-2023-6205)

Clickjacking permission prompts using the fullscreen transition. (CVE-2023-6206)

Use-after-free in ReadableByteStreamQueueEntry::Buffer. (CVE-2023-6207)

Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

Incorrect parsing of relative URLs starting with "///". (CVE-2023-6209)

Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5. (CVE-2023-6212)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6212
https://www.thunderbird.net/en-US/thunderbird/115.5.0/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/115.5.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/

Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED

Comment 8 Marja Van Waes 2023-12-05 14:56:16 CET 
Advisory from comment 7 with SRPMs from comment 5 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

CC: (none) => marja11
Keywords: (none) => advisory

Comment 9 Guillaume Royer 2023-12-05 21:37:38 CET 
MGA9 x86_64 GNOME

Updated with QARepo and rpm:

thunderbird                    115.5.1      1.mga9        x86_64  
thunderbird-fr                 115.5.1      1.mga9        noarch

No issues after installation.
Contacts and calendar synchronization ok
Sending mail with attachments ok

CC: (none) => guillaume.royer

Comment 10 Thomas Andrews 2023-12-06 15:55:39 CET 
MGA9-64 Plasma. No installation issues for the US English version.

The first time I ran it after updating I got a surprise - before anything else happened Firefox was automagically loaded with a page from Mozilla asking me for a donation to Thunderbird. I suppose I can't object because we put our page on the first run of every Firefox update, but still, I found it annoying.

I closed Firefox, and T-bird displayed normally. All seemed well.

CC: (none) => andrewsfarm

Comment 11 Herman Viaene 2023-12-06 17:12:20 CET 
MGA9-64 MATE on HP-Pavillion
No installation issues.
Thunderbird not installed here before, configured my hotmail account successfully using the wizard, sent and received email without and with aattachments, all  OK.

CC: (none) => herman.viaene

Comment 12 Morgan Leijström 2023-12-06 18:12:35 CET 
OK mga9-64 Plasma nvidia470 Swedish

Localisation OK
Settings and local mail kept.
IMAP, SMTP.
Comment 13 Thomas Andrews 2023-12-08 05:56:49 CET 
Updated on a couple of other machines, without issues. No reason to hold this back that I can see. Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2023-12-08 12:57:53 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0343.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED