RedHat has issued an advisory today (October 1): https://rhn.redhat.com/errata/RHSA-2015-1852.html I'm working on the update now. The advisory will be as follows. Advisory: ======================== Updated thunderbird packages fix security vulnerabilities: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2015-4500, CVE-2015-4509, CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180). Two information leak flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to disclose sensitive information or, in certain cases, crash (CVE-2015-4519, CVE-2015-4520). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4500 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4509 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4517 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4519 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4520 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4521 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4522 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7174 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7175 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7176 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7177 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7180 https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/ https://www.mozilla.org/en-US/security/advisories/mfsa2015-106/ https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/ https://www.mozilla.org/en-US/security/advisories/mfsa2015-111/ https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ https://rhn.redhat.com/errata/RHSA-2015-1852.html ======================== Updated packages in core/updates_testing: ======================== thunderbird-38.3.0-1.mga5 thunderbird-enigmail-38.3.0-1.mga5 thunderbird-ar-38.3.0-1.mga5 thunderbird-ast-38.3.0-1.mga5 thunderbird-be-38.3.0-1.mga5 thunderbird-bg-38.3.0-1.mga5 thunderbird-bn_BD-38.3.0-1.mga5 thunderbird-br-38.3.0-1.mga5 thunderbird-ca-38.3.0-1.mga5 thunderbird-cs-38.3.0-1.mga5 thunderbird-cy-38.3.0-1.mga5 thunderbird-da-38.3.0-1.mga5 thunderbird-de-38.3.0-1.mga5 thunderbird-el-38.3.0-1.mga5 thunderbird-en_GB-38.3.0-1.mga5 thunderbird-en_US-38.3.0-1.mga5 thunderbird-es_AR-38.3.0-1.mga5 thunderbird-es_ES-38.3.0-1.mga5 thunderbird-et-38.3.0-1.mga5 thunderbird-eu-38.3.0-1.mga5 thunderbird-fi-38.3.0-1.mga5 thunderbird-fr-38.3.0-1.mga5 thunderbird-fy_NL-38.3.0-1.mga5 thunderbird-ga_IE-38.3.0-1.mga5 thunderbird-gd-38.3.0-1.mga5 thunderbird-gl-38.3.0-1.mga5 thunderbird-he-38.3.0-1.mga5 thunderbird-hr-38.3.0-1.mga5 thunderbird-hsb-38.3.0-1.mga5 thunderbird-hu-38.3.0-1.mga5 thunderbird-hy_AM-38.3.0-1.mga5 thunderbird-id-38.3.0-1.mga5 thunderbird-is-38.3.0-1.mga5 thunderbird-it-38.3.0-1.mga5 thunderbird-ja-38.3.0-1.mga5 thunderbird-ko-38.3.0-1.mga5 thunderbird-lt-38.3.0-1.mga5 thunderbird-nb_NO-38.3.0-1.mga5 thunderbird-nl-38.3.0-1.mga5 thunderbird-nn_NO-38.3.0-1.mga5 thunderbird-pa_IN-38.3.0-1.mga5 thunderbird-pl-38.3.0-1.mga5 thunderbird-pt_BR-38.3.0-1.mga5 thunderbird-pt_PT-38.3.0-1.mga5 thunderbird-ro-38.3.0-1.mga5 thunderbird-ru-38.3.0-1.mga5 thunderbird-si-38.3.0-1.mga5 thunderbird-sk-38.3.0-1.mga5 thunderbird-sl-38.3.0-1.mga5 thunderbird-sq-38.3.0-1.mga5 thunderbird-sv_SE-38.3.0-1.mga5 thunderbird-ta_LK-38.3.0-1.mga5 thunderbird-tr-38.3.0-1.mga5 thunderbird-uk-38.3.0-1.mga5 thunderbird-vi-38.3.0-1.mga5 thunderbird-zh_CN-38.3.0-1.mga5 thunderbird-zh_TW-38.3.0-1.mga5 from SRPMS: thunderbird-38.3.0-1.mga5.src.rpm thunderbird-l10n-38.3.0-1.mga5.src.rpm Reproducible: Steps to Reproduce:
Updated packages uploaded for Mageia 5 and Cauldron. Advisory and package list in Comment 0.
Assignee: bugsquad => qa-bugs
Some strange errors updating this one mga5 64.. 1/3: thunderbird ########## (process:21275): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed 2/3: thunderbird-en_GB ########## 3/3: thunderbird-enigmail ########## (process:21299): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed 1/3: removing thunderbird-en_GB-38.2.0-1.mga5.noarch ######## (process:21319): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed 2/3: removing thunderbird-enigmail-0:38.2.0-1.mga5.x86_64 ######## 3/3: removing thunderbird-0:38.2.0-1.mga5.x86_64 ########
(In reply to claire robinson from comment #2) > Some strange errors updating this one mga5 64.. Yeah that's a glib2.0 bug, not a thunderbird one.
It's OK in use. imap, pop3, enigmail, spell check, search, address book, calendar, tasks, etc.
Whiteboard: (none) => mga5-64-ok
Advisory uploaded. Needs mga5 32 test to validate.
Whiteboard: mga5-64-ok => has_procedure advisory mga5-64-ok
Testing on mga-5-32 email, usenet, newsfeeds, movemail, calendar, address book - all OK OK for mga-5-32
Whiteboard: has_procedure advisory mga5-64-ok => has_procedure advisory mga5-64-ok MGA5-32-OK
This update is now validated and can be pushed to updates
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0387.html
Status: NEW => RESOLVEDResolution: (none) => FIXED