Bug 4401

Summary: Update candidate: mozilla-thunderbird & -l10n - security update to 3.1.18
Product: Mageia
Reporter: Florian Hubold <doktor5000>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: doktor5000, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM:
CVE:
Status comment:

Description Florian Hubold 2012-02-03 17:03:59 CET
There is now mozilla-thunderbird-3.1.18-1.mga1 in core/updates_testing to validate, together with the language packages mozilla-thunderbird-XX-3.1.18-1.mga1
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following security issues:

  o fixes http://www.mozilla.org/security/announce/2011/mfsa2011-59.html
    (.jar files not being treated as executables on MacOS [CVE-2011-3666]
     fixed in 3.1.17)
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-01.html
    (Miscellaneous memory safety hazards (rv:10.0/ 1.9.2.26) [CVE-2012-0443,
      CVE-2012-0442])
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-02.html
    (Overly permissive IPv6 literal syntax [CVE-2011-3670])
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
    (Child nodes from nsDOMAttribute still accessible after removal of nodes,
     [CVE-2011-3659])
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-07.html
    (Potential Memory Corruption When Decoding Ogg Vorbis files [CVE-2012-0444])
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-08.html
    (Crash with malformed embedded XSLT stylesheets [CVE-2012-0449])

-------------------------------------------------------
Steps to reproduce:

- install/update to the update candidate and the corresponding language pack
- make sure there are no regressions
- make sure Thunderbird uses the language of the language pack

Comment 1 Florian Hubold 2012-02-03 17:07:43 CET
Please don't be irritated by the changes, I was lazy so I just cloned a previous update request :)

Keywords: validated_update => (none)
Status: NEW => ASSIGNED
CC: davidwhodgins, dmorganec, sysadmin-bugs => doktor5000
Depends on: 2878 => (none)
Assignee: bugsquad => qa-bugs

Comment 2 claire robinson 2012-02-03 17:12:32 CET
Could never be irritated with you Florian :)

Comment 3 claire robinson 2012-02-03 18:22:09 CET
Testing this one on i586 as that's where I use it, seems OK.

Comment 4 claire robinson 2012-02-03 18:56:02 CET
This update hasn't fixed the 'Play a sound' on new mail issue. (bug 1631)

Error: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISound.play]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://messenger/content/preferences/general.js :: anonymous :: line 94"  data: no]

No default plop either but I haven't noticed the plop for a long time now.

Comment 5 Florian Hubold 2012-02-03 20:56:18 CET
It was not intended to, it's only a security update. I was looking into fixing that, but seems pretty difficult as it was fixed upstream only for newer Thunderbird (10.0) and as we need to switch to this newer Thunderbird version anyways soon (cf http://www.mozilla.org/en-US/thunderbird/all-older.html ) I've decided that it's not worth the hassle.

Comment 6 claire robinson 2012-02-03 21:06:36 CET
That's OK. Tested OK x86_64 too so I'll validate this one.
I can't POCs for the CVEs.

advisory:
-------------------
This update addresses the following security issues:

  o fixes http://www.mozilla.org/security/announce/2011/mfsa2011-59.html
    (.jar files not being treated as executables on MacOS [CVE-2011-3666]
     fixed in 3.1.17)
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-01.html
    (Miscellaneous memory safety hazards (rv:10.0/ 1.9.2.26) [CVE-2012-0443,
      CVE-2012-0442])
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-02.html
    (Overly permissive IPv6 literal syntax [CVE-2011-3670])
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
    (Child nodes from nsDOMAttribute still accessible after removal of nodes,
     [CVE-2011-3659])
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-07.html
    (Potential Memory Corruption When Decoding Ogg Vorbis files [CVE-2012-0444])
  o fixes http://www.mozilla.org/security/announce/2012/mfsa2012-08.html
    (Crash with malformed embedded XSLT stylesheets [CVE-2012-0449])

-------------------------------------------------------

SRPMs:
mozilla-thunderbird-3.1.18-1.mga1.src.rpm
mozilla-thunderbird-l10n-3.1.18-1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2012-02-05 13:48:20 CET
update pushed

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED