+++ This bug was initially created as a clone of Bug #16232 +++

This bug will depend on the Firefox 38.1 update.

Just a reminder that there is now a thunderbird-en_US package from thunderbird-l10n and there is no longer an nsinstall package.

Thunderbird 38.1 isn't available yet. Will assign to QA once it is.

RH advisory URL to be added to References later.

Advisory (Thunderbird):
========================

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2015-2724, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2740
https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
========================

Updated packages in core/updates_testing:
========================
thunderbird-38.1.0-1.mga4
thunderbird-enigmail-38.1.0-1.mga4
thunderbird-ar-38.1.0-1.mga4
thunderbird-ast-38.1.0-1.mga4
thunderbird-be-38.1.0-1.mga4
thunderbird-bg-38.1.0-1.mga4
thunderbird-bn_BD-38.1.0-1.mga4
thunderbird-br-38.1.0-1.mga4
thunderbird-ca-38.1.0-1.mga4
thunderbird-cs-38.1.0-1.mga4
thunderbird-cy-38.1.0-1.mga4
thunderbird-da-38.1.0-1.mga4
thunderbird-de-38.1.0-1.mga4
thunderbird-el-38.1.0-1.mga4
thunderbird-en_GB-38.1.0-1.mga4
thunderbird-en_US-38.1.0-1.mga4
thunderbird-es_AR-38.1.0-1.mga4
thunderbird-es_ES-38.1.0-1.mga4
thunderbird-et-38.1.0-1.mga4
thunderbird-eu-38.1.0-1.mga4
thunderbird-fi-38.1.0-1.mga4
thunderbird-fr-38.1.0-1.mga4
thunderbird-fy_NL-38.1.0-1.mga4
thunderbird-ga_IE-38.1.0-1.mga4
thunderbird-gd-38.1.0-1.mga4
thunderbird-gl-38.1.0-1.mga4
thunderbird-he-38.1.0-1.mga4
thunderbird-hr-38.1.0-1.mga4
thunderbird-hsb-38.1.0-1.mga4
thunderbird-hu-38.1.0-1.mga4
thunderbird-hy_AM-38.1.0-1.mga4
thunderbird-id-38.1.0-1.mga4
thunderbird-is-38.1.0-1.mga4
thunderbird-it-38.1.0-1.mga4
thunderbird-ja-38.1.0-1.mga4
thunderbird-ko-38.1.0-1.mga4
thunderbird-lt-38.1.0-1.mga4
thunderbird-nl-38.1.0-1.mga4
thunderbird-pa_IN-38.1.0-1.mga4
thunderbird-pl-38.1.0-1.mga4
thunderbird-pt_BR-38.1.0-1.mga4
thunderbird-pt_PT-38.1.0-1.mga4
thunderbird-ro-38.1.0-1.mga4
thunderbird-ru-38.1.0-1.mga4
thunderbird-si-38.1.0-1.mga4
thunderbird-sk-38.1.0-1.mga4
thunderbird-sl-38.1.0-1.mga4
thunderbird-sq-38.1.0-1.mga4
thunderbird-sv_SE-38.1.0-1.mga4
thunderbird-ta_LK-38.1.0-1.mga4
thunderbird-tr-38.1.0-1.mga4
thunderbird-uk-38.1.0-1.mga4
thunderbird-vi-38.1.0-1.mga4
thunderbird-zh_CN-38.1.0-1.mga4
thunderbird-zh_TW-38.1.0-1.mga4
thunderbird-38.1.0-1.mga5
thunderbird-enigmail-38.1.0-1.mga5
thunderbird-ar-38.1.0-1.mga5
thunderbird-ast-38.1.0-1.mga5
thunderbird-be-38.1.0-1.mga5
thunderbird-bg-38.1.0-1.mga5
thunderbird-bn_BD-38.1.0-1.mga5
thunderbird-br-38.1.0-1.mga5
thunderbird-ca-38.1.0-1.mga5
thunderbird-cs-38.1.0-1.mga5
thunderbird-cy-38.1.0-1.mga5
thunderbird-da-38.1.0-1.mga5
thunderbird-de-38.1.0-1.mga5
thunderbird-el-38.1.0-1.mga5
thunderbird-en_GB-38.1.0-1.mga5
thunderbird-en_US-38.1.0-1.mga5
thunderbird-es_AR-38.1.0-1.mga5
thunderbird-es_ES-38.1.0-1.mga5
thunderbird-et-38.1.0-1.mga5
thunderbird-eu-38.1.0-1.mga5
thunderbird-fi-38.1.0-1.mga5
thunderbird-fr-38.1.0-1.mga5
thunderbird-fy_NL-38.1.0-1.mga5
thunderbird-ga_IE-38.1.0-1.mga5
thunderbird-gd-38.1.0-1.mga5
thunderbird-gl-38.1.0-1.mga5
thunderbird-he-38.1.0-1.mga5
thunderbird-hr-38.1.0-1.mga5
thunderbird-hsb-38.1.0-1.mga5
thunderbird-hu-38.1.0-1.mga5
thunderbird-hy_AM-38.1.0-1.mga5
thunderbird-id-38.1.0-1.mga5
thunderbird-is-38.1.0-1.mga5
thunderbird-it-38.1.0-1.mga5
thunderbird-ja-38.1.0-1.mga5
thunderbird-ko-38.1.0-1.mga5
thunderbird-lt-38.1.0-1.mga5
thunderbird-nl-38.1.0-1.mga5
thunderbird-pa_IN-38.1.0-1.mga5
thunderbird-pl-38.1.0-1.mga5
thunderbird-pt_BR-38.1.0-1.mga5
thunderbird-pt_PT-38.1.0-1.mga5
thunderbird-ro-38.1.0-1.mga5
thunderbird-ru-38.1.0-1.mga5
thunderbird-si-38.1.0-1.mga5
thunderbird-sk-38.1.0-1.mga5
thunderbird-sl-38.1.0-1.mga5
thunderbird-sq-38.1.0-1.mga5
thunderbird-sv_SE-38.1.0-1.mga5
thunderbird-ta_LK-38.1.0-1.mga5
thunderbird-tr-38.1.0-1.mga5
thunderbird-uk-38.1.0-1.mga5
thunderbird-vi-38.1.0-1.mga5
thunderbird-zh_CN-38.1.0-1.mga5
thunderbird-zh_TW-38.1.0-1.mga5

from SRPMS:
thunderbird-38.1.0-1.mga4.src.rpm
thunderbird-l10n-38.1.0-1.mga4.src.rpm
thunderbird-38.1.0-1.mga5.src.rpm
thunderbird-l10n-38.1.0-1.mga5.src.rpm
Source RPM: firefox, thunderbird, nss => thunderbird
Component: RPM Packages => Security
I'm using tarball version of Thunderbird and got the 38.1 update, so it should be out now.
(In reply to Sander Lepik from comment #1)
> I'm using tarball version of Thunderbird and got the 38.1 update, so it
> should be out now.

Yeah, I already used it, too. It didn't fix my problem with 38.0.1 (connecting to a mailbox with STARTTLS and encrypted password fails https://bugzilla.mozilla.org/show_bug.cgi?id=1179002 )

However, I think it's a corner case and shouldn't stop this update.
Yes it's out, but as you may have noticed, I tried to build it last night and it failed in Cauldron.

http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150711221421.luigiwalser.valstar.8864/log/thunderbird-38.1.0-1.mga6/build.0.20150711221503.log
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150711221421.luigiwalser.valstar.8864/log/thunderbird-38.1.0-1.mga6/build.0.20150711221506.log
CC: (none) => doktor5000
RedHat has issued an advisory for this on July 20:
https://rhn.redhat.com/errata/RHSA-2015-1455.html

Interestingly, they stuck with 31.x, updating to 31.8.
I've been having some major issues with 38.* that I installed from tarball. It's able to run about 24h and then it needs a restart as it becomes very-very slow :/ 38.1 didn't fix this issue and I have no idea what is causing it. So 31.8 seems like a good idea to me.
I'm using the 38 version of testing since it was pushed, and didn't get a regression from 31 (apart from the thunderbird one which was discussed somewhere, have to check this one day)
Marja, one of the commenters on your upstream bug says they had a same or similar problem with 31.8.0. Does your issue happen there too?
(In reply to David Walser from comment #7)
> Marja, one of the commenters on your upstream bug says they had a same or
> similar problem with 31.8.0. Does your issue happen there too?

His bug is a very different one. I don't have any problem with 31.8.0

And with a fresh mail account from an ISP who cares about Linux, I don't even have a problem with 38.1.0 :-)

(The other one is not really interested in Thunderbird or Linux, but thinks everything is fine if it works with Outlook :-/ )
Thomas, You said on IRC that you had some more fixes locally for thunderbird for enigmail and stuff. Please commit them if they're ready. Thanks.
CC: (none) => thomas
David: Let's do that next round. I am leaving town for about a week and it still needs some work for doing the enigmail langs. They are not all that straightforward is listed in the text file.
This update is now available to test. See Comment 0 for more details.

Advisory (Thunderbird):
========================

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2015-2724, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2740
https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2015-1455.html
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA4TOO
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory
MGA4-32 on Acer D620 Xfce No installation issues, choose Dutch language pack. Thunderbird was not configured on this PC before, so run it to access gmail account (pop3). I could send and receive messages.
CC: (none) => herman.viaene
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK
On mga5-64

Updated thunderbird from testing:

urpmi --search-media "Core Updates Testing" thunderbird
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Updates Testing (private5)")
  thunderbird                    38.1.0       1.mga5        x86_64
  thunderbird-en_GB              38.1.0       1.mga5        noarch

Calendar, email collection (POP), sending, usenet, Unix movemail and RSS feeds all OK

OK for mga5-64
Whiteboard: MGA4TOO advisory MGA4-32-OK => MGA4TOO advisory MGA4-32-OK MGA5-64-OK
tested mga5-32 Send/receive/move/delete SMTP/IMAP and calendar update OK.
CC: (none) => wrw105
Whiteboard: MGA4TOO advisory MGA4-32-OK MGA5-64-OK => MGA4TOO advisory MGA4-32-OK MGA5-64-OK mga5-32-ok
Tested mga4-64 as above, all OK. Validating.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO advisory MGA4-32-OK MGA5-64-OK mga5-32-ok => MGA4TOO advisory MGA4-32-OK MGA5-64-OK mga5-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0284.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED