Thunderbird 38.7 is available as of March 13: http://ftp.mozilla.org/pub/thunderbird/releases/38.7.0/source/ The upstream advisories haven't been updated yet, nor has RedHat posted theirs yet, but it should fix the same issues as in the last two paragraphs of the advisory for Firefox in Bug 17900.
Status: NEW => ASSIGNED
CC: (none) => doktor5000
Pushed to cauldron and thunderbird-38.7.0-1.mga5 and thunderbird-l10n-38.7.0-1.mga5 to core/updates_testing, will test tomorrow.
Updated packages uploaded by Florian. Thanks!

Advisory details are not available yet, but I'll post it when they are.

Note that you need to also update the rootcerts and nss packages from Bug 17974 along with these.

Updated packages in core/updates_testing:
========================
thunderbird-38.7.0-1.mga5
thunderbird-enigmail-38.7.0-1.mga5
thunderbird-ar-38.7.0-1.mga5
thunderbird-ast-38.7.0-1.mga5
thunderbird-be-38.7.0-1.mga5
thunderbird-bg-38.7.0-1.mga5
thunderbird-bn_BD-38.7.0-1.mga5
thunderbird-br-38.7.0-1.mga5
thunderbird-ca-38.7.0-1.mga5
thunderbird-cs-38.7.0-1.mga5
thunderbird-cy-38.7.0-1.mga5
thunderbird-da-38.7.0-1.mga5
thunderbird-de-38.7.0-1.mga5
thunderbird-el-38.7.0-1.mga5
thunderbird-en_GB-38.7.0-1.mga5
thunderbird-en_US-38.7.0-1.mga5
thunderbird-es_AR-38.7.0-1.mga5
thunderbird-es_ES-38.7.0-1.mga5
thunderbird-et-38.7.0-1.mga5
thunderbird-eu-38.7.0-1.mga5
thunderbird-fi-38.7.0-1.mga5
thunderbird-fr-38.7.0-1.mga5
thunderbird-fy_NL-38.7.0-1.mga5
thunderbird-ga_IE-38.7.0-1.mga5
thunderbird-gd-38.7.0-1.mga5
thunderbird-gl-38.7.0-1.mga5
thunderbird-he-38.7.0-1.mga5
thunderbird-hr-38.7.0-1.mga5
thunderbird-hsb-38.7.0-1.mga5
thunderbird-hu-38.7.0-1.mga5
thunderbird-hy_AM-38.7.0-1.mga5
thunderbird-id-38.7.0-1.mga5
thunderbird-is-38.7.0-1.mga5
thunderbird-it-38.7.0-1.mga5
thunderbird-ja-38.7.0-1.mga5
thunderbird-ko-38.7.0-1.mga5
thunderbird-lt-38.7.0-1.mga5
thunderbird-nb_NO-38.7.0-1.mga5
thunderbird-nl-38.7.0-1.mga5
thunderbird-nn_NO-38.7.0-1.mga5
thunderbird-pa_IN-38.7.0-1.mga5
thunderbird-pl-38.7.0-1.mga5
thunderbird-pt_BR-38.7.0-1.mga5
thunderbird-pt_PT-38.7.0-1.mga5
thunderbird-ro-38.7.0-1.mga5
thunderbird-ru-38.7.0-1.mga5
thunderbird-si-38.7.0-1.mga5
thunderbird-sk-38.7.0-1.mga5
thunderbird-sl-38.7.0-1.mga5
thunderbird-sq-38.7.0-1.mga5
thunderbird-sv_SE-38.7.0-1.mga5
thunderbird-ta_LK-38.7.0-1.mga5
thunderbird-tr-38.7.0-1.mga5
thunderbird-uk-38.7.0-1.mga5
thunderbird-vi-38.7.0-1.mga5
thunderbird-zh_CN-38.7.0-1.mga5
thunderbird-zh_TW-38.7.0-1.mga5

from SRPMS:
thunderbird-38.7.0-1.mga5.src.rpm
thunderbird-l10n-38.7.0-1.mga5.src.rpm
Depends on: (none) => 17974
Assignee: doktor5000 => qa-bugs
Testing this on my production system, x86_64. Already a user so updated right away. Installed the nss and rootcerts packages as advised. Supplied the Google imail password when prompted. Generated a new key-pair via Enigmail and a revocation certificate. All the basic functions that I normally use are working and as it is in continuous use I am likely to notice any regressions. Giving this the OK but shall not be testing it on 32-bit architecture.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
Tested today too including the nss update, and works fine here on x86_64.
Uploaded a template advisory with srpms added which can be amended when it is available.
Advisory in SVN fixed. No RedHat advisory yet, but last URL in the reference can be replaced if one is. Here's the advisory in SVN.

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960, CVE-2016-1961, CVE-2016-1974, CVE-2016-1964, CVE-2016-1966).

Multiple security flaws were found in the graphite2 font library shipped with Thunderbird. A web page containing malicious content could cause it to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2802
https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-23/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2016-0373.html
I'll test i586 this evening if nobody beats me to it.
CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Testing complete Mageia 5 i586. Validating this now.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0115.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
RedHat has issued an advisory for this on March 16: https://rhn.redhat.com/errata/RHSA-2016-0460.html Advisory reference updated in SVN.