Thunderbird 38.6.0 has finally been released: https://www.mozilla.org/en-US/thunderbird/38.6.0/releasenotes/

The MFSAs haven't been updated yet. 2016-01 will definitely be fixed here. I don't know if 2016-03 or 2016-14 affected Thunderbird.

Assigning to Florian as he needs to update the Lightning translations.
Whiteboard: (none) => MGA5TOO
Status: NEW => ASSIGNED
CC: (none) => doktor5000
Hardware: i586 => All
Submitted thunderbird-38.6.0-1.mga6 for cauldron and thunderbird-38.6.0-1.mga5 to core/updates_testing. @David: Could you add a short advisory please and assign to QA team?
Thanks Florian, but you forgot thunderbird-l10n. I just took care of that one.

Advisory details are not available yet, but I'll post it when they are.

Updated packages in core/updates_testing:
========================
thunderbird-38.6.0-1.mga5
thunderbird-enigmail-38.6.0-1.mga5
thunderbird-ar-38.6.0-1.mga5
thunderbird-ast-38.6.0-1.mga5
thunderbird-be-38.6.0-1.mga5
thunderbird-bg-38.6.0-1.mga5
thunderbird-bn_BD-38.6.0-1.mga5
thunderbird-br-38.6.0-1.mga5
thunderbird-ca-38.6.0-1.mga5
thunderbird-cs-38.6.0-1.mga5
thunderbird-cy-38.6.0-1.mga5
thunderbird-da-38.6.0-1.mga5
thunderbird-de-38.6.0-1.mga5
thunderbird-el-38.6.0-1.mga5
thunderbird-en_GB-38.6.0-1.mga5
thunderbird-en_US-38.6.0-1.mga5
thunderbird-es_AR-38.6.0-1.mga5
thunderbird-es_ES-38.6.0-1.mga5
thunderbird-et-38.6.0-1.mga5
thunderbird-eu-38.6.0-1.mga5
thunderbird-fi-38.6.0-1.mga5
thunderbird-fr-38.6.0-1.mga5
thunderbird-fy_NL-38.6.0-1.mga5
thunderbird-ga_IE-38.6.0-1.mga5
thunderbird-gd-38.6.0-1.mga5
thunderbird-gl-38.6.0-1.mga5
thunderbird-he-38.6.0-1.mga5
thunderbird-hr-38.6.0-1.mga5
thunderbird-hsb-38.6.0-1.mga5
thunderbird-hu-38.6.0-1.mga5
thunderbird-hy_AM-38.6.0-1.mga5
thunderbird-id-38.6.0-1.mga5
thunderbird-is-38.6.0-1.mga5
thunderbird-it-38.6.0-1.mga5
thunderbird-ja-38.6.0-1.mga5
thunderbird-ko-38.6.0-1.mga5
thunderbird-lt-38.6.0-1.mga5
thunderbird-nb_NO-38.6.0-1.mga5
thunderbird-nl-38.6.0-1.mga5
thunderbird-nn_NO-38.6.0-1.mga5
thunderbird-pa_IN-38.6.0-1.mga5
thunderbird-pl-38.6.0-1.mga5
thunderbird-pt_BR-38.6.0-1.mga5
thunderbird-pt_PT-38.6.0-1.mga5
thunderbird-ro-38.6.0-1.mga5
thunderbird-ru-38.6.0-1.mga5
thunderbird-si-38.6.0-1.mga5
thunderbird-sk-38.6.0-1.mga5
thunderbird-sl-38.6.0-1.mga5
thunderbird-sq-38.6.0-1.mga5
thunderbird-sv_SE-38.6.0-1.mga5
thunderbird-ta_LK-38.6.0-1.mga5
thunderbird-tr-38.6.0-1.mga5
thunderbird-uk-38.6.0-1.mga5
thunderbird-vi-38.6.0-1.mga5
thunderbird-zh_CN-38.6.0-1.mga5
thunderbird-zh_TW-38.6.0-1.mga5

from SRPMS:
thunderbird-38.6.0-1.mga5.src.rpm
thunderbird-l10n-38.6.0-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: doktor5000 => qa-bugs
Whiteboard: MGA5TOO => (none)
Updated i586. All seems Ok, even calendar!
CC: (none) => lists.jjorge
Whiteboard: (none) => MGA5-32-OK
Already using this. Updated on x86_64 and it works as always.
CC: (none) => tarazed25
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
(In reply to David Walser from comment #2)
> Thanks Florian, but you forgot thunderbird-l10n.

Sorry, classical case of ENOCOFFEE and early morning. Thanks for helping out \o/
Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2016-1930, CVE-2016-1935).

Multiple security flaws were found in the graphite2 font library bundled with Thunderbird. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526).

Thunderbird includes a bundled copy of the graphite2 library, which has been updated in Thunderbird 38.6.0.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1930
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1935
http://www.talosintel.com/reports/TALOS-2016-0057/
http://www.talosintel.com/reports/TALOS-2016-0058/
http://www.talosintel.com/reports/TALOS-2016-0059/
http://www.talosintel.com/reports/TALOS-2016-0060/
http://www.talosintel.com/reports/TALOS-2016-0061/
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2016-0071.html
https://rhn.redhat.com/errata/RHSA-2016-0197.html
OpenSuSE has issued an advisory for this today (February 17): http://lists.opensuse.org/opensuse-updates/2016-02/msg00105.html
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0078.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
RedHat has issued an advisory for this on February 18: https://rhn.redhat.com/errata/RHSA-2016-0258.html
URL: (none) => http://lwn.net/Vulnerabilities/673772/