RedHat has issued an advisory today (November 26):
https://rhn.redhat.com/errata/RHSA-2015-2519.html

The update is in progress and will hopefully be available in a couple hours.

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2015-4513, CVE-2015-7189, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200).

A same-origin policy bypass flaw was found in the way Thunderbird handled certain cross-origin resource sharing (CORS) requests. A web page containing malicious content could cause Thunderbird to disclose sensitive information (CVE-2015-7193).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7200
https://www.mozilla.org/en-US/security/advisories/mfsa2015-116/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-123/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-127/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-132/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2015-2519.html
========================

Updated packages in core/updates_testing:
========================
thunderbird-38.4.0-1.mga5
thunderbird-enigmail-38.4.0-1.mga5
thunderbird-ar-38.4.0-1.mga5
thunderbird-ast-38.4.0-1.mga5
thunderbird-be-38.4.0-1.mga5
thunderbird-bg-38.4.0-1.mga5
thunderbird-bn_BD-38.4.0-1.mga5
thunderbird-br-38.4.0-1.mga5
thunderbird-ca-38.4.0-1.mga5
thunderbird-cs-38.4.0-1.mga5
thunderbird-cy-38.4.0-1.mga5
thunderbird-da-38.4.0-1.mga5
thunderbird-de-38.4.0-1.mga5
thunderbird-el-38.4.0-1.mga5
thunderbird-en_GB-38.4.0-1.mga5
thunderbird-en_US-38.4.0-1.mga5
thunderbird-es_AR-38.4.0-1.mga5
thunderbird-es_ES-38.4.0-1.mga5
thunderbird-et-38.4.0-1.mga5
thunderbird-eu-38.4.0-1.mga5
thunderbird-fi-38.4.0-1.mga5
thunderbird-fr-38.4.0-1.mga5
thunderbird-fy_NL-38.4.0-1.mga5
thunderbird-ga_IE-38.4.0-1.mga5
thunderbird-gd-38.4.0-1.mga5
thunderbird-gl-38.4.0-1.mga5
thunderbird-he-38.4.0-1.mga5
thunderbird-hr-38.4.0-1.mga5
thunderbird-hsb-38.4.0-1.mga5
thunderbird-hu-38.4.0-1.mga5
thunderbird-hy_AM-38.4.0-1.mga5
thunderbird-id-38.4.0-1.mga5
thunderbird-is-38.4.0-1.mga5
thunderbird-it-38.4.0-1.mga5
thunderbird-ja-38.4.0-1.mga5
thunderbird-ko-38.4.0-1.mga5
thunderbird-lt-38.4.0-1.mga5
thunderbird-nb_NO-38.4.0-1.mga5
thunderbird-nl-38.4.0-1.mga5
thunderbird-nn_NO-38.4.0-1.mga5
thunderbird-pa_IN-38.4.0-1.mga5
thunderbird-pl-38.4.0-1.mga5
thunderbird-pt_BR-38.4.0-1.mga5
thunderbird-pt_PT-38.4.0-1.mga5
thunderbird-ro-38.4.0-1.mga5
thunderbird-ru-38.4.0-1.mga5
thunderbird-si-38.4.0-1.mga5
thunderbird-sk-38.4.0-1.mga5
thunderbird-sl-38.4.0-1.mga5
thunderbird-sq-38.4.0-1.mga5
thunderbird-sv_SE-38.4.0-1.mga5
thunderbird-ta_LK-38.4.0-1.mga5
thunderbird-tr-38.4.0-1.mga5
thunderbird-uk-38.4.0-1.mga5
thunderbird-vi-38.4.0-1.mga5
thunderbird-zh_CN-38.4.0-1.mga5
thunderbird-zh_TW-38.4.0-1.mga5

from SRPMS:
thunderbird-38.4.0-1.mga5.src.rpm
thunderbird-l10n-38.4.0-1.mga5.src.rpm
mga5 x86_64 Mate

Thunderbird is my preferred email client. Saved .thunderbird to a tar file (1.7GB) and installed the update with thunderbird-en_GB-38.4.0-1. It has been running fine for the last two hours, receiving and sending emails and communicating with Firefox.
CC: (none) => tarazed25
I use Thunderbird in KDE for both email and Usenet. Even though this bug cites only the i586 version, I have tried both i586 and x86-64 versions of the update on two sets of hardware, sending and receiving test emails and Usenet messages. Also intentionally misspelled words to check the spell checker for the desired English-US language. Everything appears to work as it should.
CC: (none) => andrewsfarm
Tried out Enigmail by sending messages to myself. Ran the wizard at the most elementary level which involves setting up a passphrase and leaving the machine to do all the work. Out of four choices for encrypting text and/or attachments I chose to encrypt the message text only. The application spent a few minutes generating the key. Part of the process is generating a revocation certificate which needs to be moved to a removable medium. Encrypted email sent and received and unlocked with the passphrase. Sent another without encryption. Received that as was.
Tried out the revocation certificate:
Enigmail -> Key Management -> Edit -> Revoke key
That worked.

Not done yet but somebody else might care to test the more advanced options.
MGA5-32 on AcerD620 Xfce. No installation issues. Tested Usenet in Dutch version, all OK.
CC: (none) => herman.viaene
On mga-5-64

Installed:
thunderbird-en_GB-38.4.0-1.mga5.noarch.rpm
thunderbird-38.4.0-1.mga5.x86_64.rpm

No problems on installation, except for this message:

(process:19823): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

which seems to be benign.

Everything is working normally: email send and receive (POP) through my ISP; News Server; News Feeds; Calendar; Address Book.

OK for me on mga-5-64.
Validating this one now. Thanks everybody.
Keywords: (none) => validated_update
Whiteboard: (none) => has_procedure mga5-32-ok mga5-64-ok
CC: (none) => sysadmin-bugs

CC: (none) => davidwhodgins
Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0462.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED