Bug 16285 - Thunderbird 38.1
Summary: Thunderbird 38.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/650129/
Whiteboard: MGA4TOO advisory MGA4-32-OK MGA5-64-O...
Keywords: validated_update
Depends on: 16232
Blocks:
Reported: 2015-07-04 03:52 CEST by David Walser
Modified: 2015-07-27 19:18 CEST

See Also:
Source RPM: thunderbird
CVE:
Status comment:


Description David Walser 2015-07-04 03:52:48 CEST
+++ This bug was initially created as a clone of Bug #16232 +++

This bug will depend on the Firefox 38.1 update.

Just a reminder that there is now a thunderbird-en_US package from thunderbird-l10n and there is no longer an nsinstall package.

Thunderbird 38.1 isn't available yet.  Will assign to QA once it is.

RH advisory URL to be added to References later.

Advisory (Thunderbird):
========================

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird (CVE-2015-2724, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2740
https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
========================

Updated packages in core/updates_testing:
========================
thunderbird-38.1.0-1.mga4
thunderbird-enigmail-38.1.0-1.mga4
thunderbird-ar-38.1.0-1.mga4
thunderbird-ast-38.1.0-1.mga4
thunderbird-be-38.1.0-1.mga4
thunderbird-bg-38.1.0-1.mga4
thunderbird-bn_BD-38.1.0-1.mga4
thunderbird-br-38.1.0-1.mga4
thunderbird-ca-38.1.0-1.mga4
thunderbird-cs-38.1.0-1.mga4
thunderbird-cy-38.1.0-1.mga4
thunderbird-da-38.1.0-1.mga4
thunderbird-de-38.1.0-1.mga4
thunderbird-el-38.1.0-1.mga4
thunderbird-en_GB-38.1.0-1.mga4
thunderbird-en_US-38.1.0-1.mga4
thunderbird-es_AR-38.1.0-1.mga4
thunderbird-es_ES-38.1.0-1.mga4
thunderbird-et-38.1.0-1.mga4
thunderbird-eu-38.1.0-1.mga4
thunderbird-fi-38.1.0-1.mga4
thunderbird-fr-38.1.0-1.mga4
thunderbird-fy_NL-38.1.0-1.mga4
thunderbird-ga_IE-38.1.0-1.mga4
thunderbird-gd-38.1.0-1.mga4
thunderbird-gl-38.1.0-1.mga4
thunderbird-he-38.1.0-1.mga4
thunderbird-hr-38.1.0-1.mga4
thunderbird-hsb-38.1.0-1.mga4
thunderbird-hu-38.1.0-1.mga4
thunderbird-hy_AM-38.1.0-1.mga4
thunderbird-id-38.1.0-1.mga4
thunderbird-is-38.1.0-1.mga4
thunderbird-it-38.1.0-1.mga4
thunderbird-ja-38.1.0-1.mga4
thunderbird-ko-38.1.0-1.mga4
thunderbird-lt-38.1.0-1.mga4
thunderbird-nl-38.1.0-1.mga4
thunderbird-pa_IN-38.1.0-1.mga4
thunderbird-pl-38.1.0-1.mga4
thunderbird-pt_BR-38.1.0-1.mga4
thunderbird-pt_PT-38.1.0-1.mga4
thunderbird-ro-38.1.0-1.mga4
thunderbird-ru-38.1.0-1.mga4
thunderbird-si-38.1.0-1.mga4
thunderbird-sk-38.1.0-1.mga4
thunderbird-sl-38.1.0-1.mga4
thunderbird-sq-38.1.0-1.mga4
thunderbird-sv_SE-38.1.0-1.mga4
thunderbird-ta_LK-38.1.0-1.mga4
thunderbird-tr-38.1.0-1.mga4
thunderbird-uk-38.1.0-1.mga4
thunderbird-vi-38.1.0-1.mga4
thunderbird-zh_CN-38.1.0-1.mga4
thunderbird-zh_TW-38.1.0-1.mga4
thunderbird-38.1.0-1.mga5
thunderbird-enigmail-38.1.0-1.mga5
thunderbird-ar-38.1.0-1.mga5
thunderbird-ast-38.1.0-1.mga5
thunderbird-be-38.1.0-1.mga5
thunderbird-bg-38.1.0-1.mga5
thunderbird-bn_BD-38.1.0-1.mga5
thunderbird-br-38.1.0-1.mga5
thunderbird-ca-38.1.0-1.mga5
thunderbird-cs-38.1.0-1.mga5
thunderbird-cy-38.1.0-1.mga5
thunderbird-da-38.1.0-1.mga5
thunderbird-de-38.1.0-1.mga5
thunderbird-el-38.1.0-1.mga5
thunderbird-en_GB-38.1.0-1.mga5
thunderbird-en_US-38.1.0-1.mga5
thunderbird-es_AR-38.1.0-1.mga5
thunderbird-es_ES-38.1.0-1.mga5
thunderbird-et-38.1.0-1.mga5
thunderbird-eu-38.1.0-1.mga5
thunderbird-fi-38.1.0-1.mga5
thunderbird-fr-38.1.0-1.mga5
thunderbird-fy_NL-38.1.0-1.mga5
thunderbird-ga_IE-38.1.0-1.mga5
thunderbird-gd-38.1.0-1.mga5
thunderbird-gl-38.1.0-1.mga5
thunderbird-he-38.1.0-1.mga5
thunderbird-hr-38.1.0-1.mga5
thunderbird-hsb-38.1.0-1.mga5
thunderbird-hu-38.1.0-1.mga5
thunderbird-hy_AM-38.1.0-1.mga5
thunderbird-id-38.1.0-1.mga5
thunderbird-is-38.1.0-1.mga5
thunderbird-it-38.1.0-1.mga5
thunderbird-ja-38.1.0-1.mga5
thunderbird-ko-38.1.0-1.mga5
thunderbird-lt-38.1.0-1.mga5
thunderbird-nl-38.1.0-1.mga5
thunderbird-pa_IN-38.1.0-1.mga5
thunderbird-pl-38.1.0-1.mga5
thunderbird-pt_BR-38.1.0-1.mga5
thunderbird-pt_PT-38.1.0-1.mga5
thunderbird-ro-38.1.0-1.mga5
thunderbird-ru-38.1.0-1.mga5
thunderbird-si-38.1.0-1.mga5
thunderbird-sk-38.1.0-1.mga5
thunderbird-sl-38.1.0-1.mga5
thunderbird-sq-38.1.0-1.mga5
thunderbird-sv_SE-38.1.0-1.mga5
thunderbird-ta_LK-38.1.0-1.mga5
thunderbird-tr-38.1.0-1.mga5
thunderbird-uk-38.1.0-1.mga5
thunderbird-vi-38.1.0-1.mga5
thunderbird-zh_CN-38.1.0-1.mga5
thunderbird-zh_TW-38.1.0-1.mga5

from SRPMS:
thunderbird-38.1.0-1.mga4.src.rpm
thunderbird-l10n-38.1.0-1.mga4.src.rpm
thunderbird-38.1.0-1.mga5.src.rpm
thunderbird-l10n-38.1.0-1.mga5.src.rpm
David Walser 2015-07-04 03:56:48 CEST

Source RPM: firefox, thunderbird, nss => thunderbird

David Walser 2015-07-04 17:08:01 CEST

Component: RPM Packages => Security

Comment 1 Sander Lepik 2015-07-12 19:06:05 CEST
I'm using tarball version of Thunderbird and got the 38.1 update, so it should be out now.
Comment 2 Marja Van Waes 2015-07-12 19:28:49 CEST
(In reply to Sander Lepik from comment #1)
> I'm using tarball version of Thunderbird and got the 38.1 update, so it
> should be out now.

Yeah, I already used it, too.

It didn't fix my problem with 38.0.1 (connecting to a mailbox with STARTTLS and encrypted password fails https://bugzilla.mozilla.org/show_bug.cgi?id=1179002 )

However, I think it's a corner case and shouldn't stop this update.
Florian Hubold 2015-07-15 20:42:18 CEST

CC: (none) => doktor5000

Comment 4 David Walser 2015-07-21 17:25:42 CEST
Red Hat has issued an advisory for this on July 20:
https://rhn.redhat.com/errata/RHSA-2015-1455.html

Interestingly, they stuck with 31.x, updating to 31.8.
Comment 5 Sander Lepik 2015-07-21 17:34:27 CEST
I've been having some major issues with 38.* that I installed from tarball. It's able to run about 24h and then it needs a restart as it becomes very-very slow :/ 38.1 didn't fix this issue and I have no idea what is causing it. So 31.8 seems like a good idea to me.
Comment 6 Manuel Hiebel 2015-07-21 18:25:05 CEST
I'm using the 38 version of testing since it was pushed, and didn't get a regression from 31 (apart from the thunderbird one which was discussed somewhere, have to check this one day)
Comment 7 David Walser 2015-07-24 01:40:12 CEST
Marja, one of the commenters on your upstream bug says they had the same or a similar problem with 31.8.0.  Does your issue happen there too?
Comment 8 Marja Van Waes 2015-07-24 22:28:46 CEST
(In reply to David Walser from comment #7)
> Marja, one of the commenters on your upstream bug says they had a same or
> similar problem with 31.8.0.  Does your issue happen there too?

His bug is a very different one.

I don't have any problem with 31.8.0

And with a fresh mail account from an ISP who cares about Linux, I don't even have a problem with 38.1.0 :-)
(The other one is not really interested in Thunderbird or Linux, but thinks everything is fine if it works with Outlook :-/ )
Comment 9 David Walser 2015-07-25 03:37:40 CEST
Thomas,

You said on IRC that you had some more fixes locally for thunderbird for enigmail and stuff.  Please commit them if they're ready.  Thanks.

CC: (none) => thomas

Comment 10 Thomas Spuhler 2015-07-25 17:23:27 CEST
David:
Let's do that next round. I am leaving town for about a week and it still needs some work for doing the enigmail langs. They are not all that straightforward as listed in the text file.
Comment 11 David Walser 2015-07-26 16:38:39 CEST
This update is now available to test.  See Comment 0 for more details.

Advisory (Thunderbird):
========================

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird (CVE-2015-2724, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2740
https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2015-1455.html

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA4TOO

Dave Hodgins 2015-07-26 18:08:26 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory

Comment 12 Herman Viaene 2015-07-27 11:25:45 CEST
MGA4-32 on Acer D620 Xfce
No installation issues, chose Dutch language pack.
Thunderbird was not configured on this PC before, so I ran it to access a gmail account (pop3). I could send and receive messages.

CC: (none) => herman.viaene
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK

Comment 13 James Kerr 2015-07-27 11:38:19 CEST
On mga5-64

Updated thunderbird from testing:

urpmi --search-media "Core Updates Testing" thunderbird
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing (private5)")
  thunderbird                    38.1.0       1.mga5        x86_64  
  thunderbird-en_GB              38.1.0       1.mga5        noarch  

Calendar, email collection (POP), sending, usenet, Unix movemail and RSS feeds all OK

OK for mga5-64

Whiteboard: MGA4TOO advisory MGA4-32-OK => MGA4TOO advisory MGA4-32-OK MGA5-64-OK

Comment 14 Bill Wilkinson 2015-07-27 15:30:28 CEST
tested mga5-32

Send/receive/move/delete SMTP/IMAP and calendar update OK.

CC: (none) => wrw105
Whiteboard: MGA4TOO advisory MGA4-32-OK MGA5-64-OK => MGA4TOO advisory MGA4-32-OK MGA5-64-OK mga5-32-ok

Comment 15 Bill Wilkinson 2015-07-27 15:47:20 CEST
Tested mga4-64 as above, all OK.

Validating.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO advisory MGA4-32-OK MGA5-64-OK mga5-32-ok => MGA4TOO advisory MGA4-32-OK MGA5-64-OK mga5-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2015-07-27 19:18:56 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0284.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

