| Summary: | Thunderbird 115.6 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, chb0, fri, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | thunderbird, thunderbird-l10n | CVE: | CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-50761, CVE-2023-50762 |
| Status comment: | | | |
| Bug Depends on: | 32642 | | |
| Bug Blocks: | | | |

Description
Nicolas Salguero
2023-12-21 10:14:40 CET
Nicolas Salguero
2023-12-21 10:15:04 CET
Depends on:
(none) =>
32642

Thunderbird can be tested after updating nss and lib(64)nss to 3.96.1 from Bug 32642 - Firefox 115.6 - Firefox rpm is missing currently, but Thunderbird can be tested with that nss

---

mga9-64 OK here

Tested under Plasma X11, Intel I7-870, nvidia 470.223.02-1 on GTX750, kernel 6.5.13-desktop-5

Closed thunderbird, and backed up
Updated nss and lib(64)nss to 3.96.1
Updated thunderbird;
thunderbird-sv_SE-115.6.0-1.mga9
thunderbird-115.6.0-1.mga9

And started TB: settings and local mail kept
Swedish locale
IMAP (offline, IMAP to sync to server)
SMTP
I do not use calendar nor tasks

---

This bug (and Firefox) need advisory proposals and package lists

Assignee:
bugsquad =>
qa-bugs

(In reply to Morgan Leijström from comment #1)
> This bug (and Firefox) need advisory proposals and package lists

CC:
(none) =>
nicolas.salguero

mga9-64, Plasma, Vbox

The following 5 packages are going to be installed:

- lib64nss3-3.96.1-1.mga9.x86_64
- lib64otr5-4.1.1-5.mga9.x86_64
- thunderbird-115.6.0-1.mga9.x86_64
- thunderbird-compose-1.1-1.mga9.noarch
- thunderbird-en_CA-115.6.0-1.mga9.noarch

244MB of additional disk space will be used.

-- new install
- set up yahoo account with no issues and sent/received emails
- created a new calendar - that worked from what I can tell

Works for me.

I'm not a regular Thunderbird user - anyone want to test an upgrade before I approve

CC:
(none) =>
brtians1
Thomas Andrews
2024-01-07 21:26:30 CET
CC:
(none) =>
andrewsfarm

Hi.

MGA9, Plasma, bare metal machine, French locale.

As no package list is provided, I activated core/updates_testing and:

# urpmi thunderbird
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
Paquetage Version Révision Arch
(média « Core Updates Testing (distrib5) »)
lib64nss3 3.96.1 1.mga9 x86_64
thunderbird 115.6.0 1.mga9 x86_64
thunderbird-fr 115.6.0 1.mga9 noarch
un espace de 2.3Mo sera libéré.
71Mo de paquets seront récupérés.

Multiple accounts = ok
Calendar with Nextcloud sync = ok
Contacts with Nextcloud sync = ok

CC:
(none) =>
chb0

Has this been pushed to Cauldron yet? I've been holding off until that happened.

Good you checked.
It seems the nss update is in Cauldron but not Firefox nor Thunderbird.
Setting feedback for packager to update Cauldron.
(Maybe it did get lost due to the disk space problem?)

And we still lack package list and advisory proposal.

Anyway, I think we can still go on testing it in mga9.
It is a security update, so in a hurry.

Keywords:
(none) =>
feedback

Hi,

Sadly, neither Firefox ESR nor Thunderbird can be built with python 3.12 and Cauldron switched to that version of python.

Best regards,

We should not hinder a security update in our supported release because of whatever problem in our development cauldron.

Please open a separate issue for Cauldron.

Whiteboard:
MGA9TOO =>
(none)

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Truncated signed text was shown with a valid OpenPGP signature. (CVE-2023-50762)

S/MIME signature accepted despite mismatching message date. (CVE-2023-50761)

Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver. (CVE-2023-6856)

Symlinks may resolve to smaller than expected buffers. (CVE-2023-6857)

Heap buffer overflow in nsTextFragment. (CVE-2023-6858)

Use-after-free in PR_GetIdentitiesLayer. (CVE-2023-6859)

Potential sandbox escape due to VideoBridge lack of texture validation. (CVE-2023-6860)

Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode. (CVE-2023-6861)

Use-after-free in nsDNSService. (CVE-2023-6862)

Undefined behavior in ShutdownObserver(). (CVE-2023-6863)

Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. (CVE-2023-6864)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6864
https://www.thunderbird.net/en-US/thunderbird/115.5.2/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/115.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/
========================

Updated packages in core/updates_testing:
========================
thunderbird-115.6.0-1.mga9
thunderbird-af-115.6.0-1.mga9
thunderbird-ar-115.6.0-1.mga9
thunderbird-ast-115.6.0-1.mga9
thunderbird-be-115.6.0-1.mga9
thunderbird-bg-115.6.0-1.mga9
thunderbird-br-115.6.0-1.mga9
thunderbird-ca-115.6.0-1.mga9
thunderbird-cs-115.6.0-1.mga9
thunderbird-cy-115.6.0-1.mga9
thunderbird-da-115.6.0-1.mga9
thunderbird-de-115.6.0-1.mga9
thunderbird-dsb-115.6.0-1.mga9
thunderbird-el-115.6.0-1.mga9
thunderbird-en_CA-115.6.0-1.mga9
thunderbird-en_GB-115.6.0-1.mga9
thunderbird-en_US-115.6.0-1.mga9
thunderbird-es_AR-115.6.0-1.mga9
thunderbird-es_ES-115.6.0-1.mga9
thunderbird-es_MX-115.6.0-1.mga9
thunderbird-et-115.6.0-1.mga9
thunderbird-eu-115.6.0-1.mga9
thunderbird-fi-115.6.0-1.mga9
thunderbird-fr-115.6.0-1.mga9
thunderbird-fy_NL-115.6.0-1.mga9
thunderbird-ga_IE-115.6.0-1.mga9
thunderbird-gd-115.6.0-1.mga9
thunderbird-gl-115.6.0-1.mga9
thunderbird-he-115.6.0-1.mga9
thunderbird-hr-115.6.0-1.mga9
thunderbird-hsb-115.6.0-1.mga9
thunderbird-hu-115.6.0-1.mga9
thunderbird-hy_AM-115.6.0-1.mga9
thunderbird-id-115.6.0-1.mga9
thunderbird-is-115.6.0-1.mga9
thunderbird-it-115.6.0-1.mga9
thunderbird-ja-115.6.0-1.mga9
thunderbird-ka-115.6.0-1.mga9
thunderbird-kab-115.6.0-1.mga9
thunderbird-kk-115.6.0-1.mga9
thunderbird-ko-115.6.0-1.mga9
thunderbird-lt-115.6.0-1.mga9
thunderbird-lv-115.6.0-1.mga9
thunderbird-ms-115.6.0-1.mga9
thunderbird-nb_NO-115.6.0-1.mga9
thunderbird-nl-115.6.0-1.mga9
thunderbird-nn_NO-115.6.0-1.mga9
thunderbird-pa_IN-115.6.0-1.mga9
thunderbird-pl-115.6.0-1.mga9
thunderbird-pt_BR-115.6.0-1.mga9
thunderbird-pt_PT-115.6.0-1.mga9
thunderbird-ro-115.6.0-1.mga9
thunderbird-ru-115.6.0-1.mga9
thunderbird-sk-115.6.0-1.mga9
thunderbird-sl-115.6.0-1.mga9
thunderbird-sq-115.6.0-1.mga9
thunderbird-sr-115.6.0-1.mga9
thunderbird-sv_SE-115.6.0-1.mga9
thunderbird-th-115.6.0-1.mga9
thunderbird-tr-115.6.0-1.mga9
thunderbird-uk-115.6.0-1.mga9
thunderbird-uz-115.6.0-1.mga9
thunderbird-vi-115.6.0-1.mga9
thunderbird-zh_CN-115.6.0-1.mga9
thunderbird-zh_TW-115.6.0-1.mga9

from SRPMS:
thunderbird-115.6.0-1.mga9.src.rpm
thunderbird-l10n-115.6.0-1.mga9.src.rpm

Status:
NEW =>
ASSIGNED

MGA9-64 Plasma.

I updated both firefox and thunderbird in one operation, with no apparent issues. Then I ran thunderbird, immediately getting confirmation that firefox is working when before anything else happened a web page was opened by Mozilla begging for money. Seems like that happened with the last thunderbird update, too...

Anyway, I received and sent mail, checked newsgroups and read a couple of posts. Looks OK here.

Marja Van Waes
2024-01-08 18:02:55 CET
CVE:
(none) =>
CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, 2023-50761, CVE-2023-50762

Advisory from comment 9 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

CVE:
CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, 2023-50761, CVE-2023-50762 =>
CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-50761, CVE-2023-50762

In cauldron, we still have thunderbird-115.5.1-1.mga10

So changing version to Cauldron and MGA9TOO

Whiteboard:
(none) =>
MGA9TOO

Validating.

CC:
(none) =>
sysadmin-bugs
Morgan Leijström
2024-01-11 00:48:45 CET
Whiteboard:
(none) =>
MGA9-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0006.html

Resolution:
(none) =>
FIXED

How come this got shipped before bug 32642 despite this bug was set to depend on that?

Indeed, the updates pushing script won't just do that (unless it's changed), someone would have had to have manually forced it. Not good.