Bug 9151

Summary: [Update Request] thunderbird-lightning
Product: Mageia
Reporter: Funda Wang <fundawang>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, luigiwalser, sysadmin-bugs, tmb
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html
Whiteboard: MGA2-64-OK MGA2-32-OK
Source RPM: thunderbird-lightning-1.9-3.mga2
CVE:
Status comment:
Bug Depends on: 9142
Bug Blocks:

Description Funda Wang 2013-02-21 21:28:41 CET
Several security vulnerabilities have been fixed in Thunderbird 17.0.3esr:

MFSA-2013-28: Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
MFSA-2013-27: Phishing on HTTPS connection through malicious proxy
MFSA-2013-26: Use-after-free in nsImageLoadingContent
MFSA-2013-25: Privacy leak in JavaScript Workers
MFSA-2013-24: Web content bypass of COW and SOW security wrappers
MFSA-2013-21: Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)

The thunderbird, thunderbird-l10n and thunderbird-lightning packages have been updated to the latest 17.0.3esr, because 10.0esr will not be supported any more by Mozilla.

Comment 1 David Walser 2013-02-21 21:32:10 CET
Thunderbird has already been validated (see Bug 9142).  Please use separate bugs for thunderbird and lightning (now and in the future).

For this time we can use this bug for lightning.

CC: (none) => luigiwalser
Depends on: (none) => 9142
Summary: [Update Request] thunderbird 17.0.3ESR => [Update Request] thunderbird-lightning
Source RPM: thunderbird-17.0.3-1.mga2, thunderbird-l10n-17.0.3-1.1.mga2, thunderbird-lightning-1.9-3.mga2 => thunderbird-lightning-1.9-3.mga2

Comment 2 Dave Hodgins 2013-02-21 23:09:25 CET
Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
thunderbird-lightning-1.9-3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates?

Advisory: Several security vulnerabilities have been fixed in Thunderbird 17.0.3esr:

MFSA-2013-28: Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
MFSA-2013-27: Phishing on HTTPS connection through malicious proxy
MFSA-2013-26: Use-after-free in nsImageLoadingContent
MFSA-2013-25: Privacy leak in JavaScript Workers
MFSA-2013-24: Web content bypass of COW and SOW security wrappers
MFSA-2013-21: Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)

The thunderbird, thunderbird-l10n and thunderbird-lightning packages have been updated to the latest 17.0.3esr, due to 10.0esr not being supported any more by Mozilla.

https://bugs.mageia.org/show_bug.cgi?id=9151

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK

Comment 3 David Walser 2013-02-21 23:54:58 CET
Note the advisory isn't correct, as it pertains to Thunderbird (already pushed in another bug).

I guess lightning was just rebuilt because of the updated Thunderbird.

Comment 4 David Walser 2013-02-21 23:57:26 CET
Actually lightning had to be updated to a new version (1.9) for compatibility with Thunderbird 17 (since we just updated to that from 10).

Comment 5 David Walser 2013-02-21 23:58:25 CET
So the advisory can be something like:

This provides an updated thunderbird-lightning version 1.9 which is compatible
with the recently released update to Thunderbird 17.

Comment 6 Thomas Backlund 2013-02-22 00:42:32 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0065

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED