RedHat has issued an advisory today (December 21): https://rhn.redhat.com/errata/RHSA-2016-2973.html I just checked ftp.mozilla.org and the 45.6.0 directory is there but the source tarballs are not, so hopefully they come back soon or we can get them from RedHat.
CC: (none) => nicolas.salgueroWhiteboard: (none) => MGA5TOO
David: Is THIS what you were looking after?: http://ftp.mozilla.org/pub/firefox/releases/45.6.0esr/source/firefox-45.6.0esr.source.tar.xz
CC: (none) => hamnisdude
No, this is what I was looking at: http://ftp.mozilla.org/pub/thunderbird/releases/45.6.0/ We already released the Firefox 45.6 update.
Sorry. My bad. I'm so tired that I didn't even reflect on which one of the Mozilla programs you needed the source for. Doh!
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption (CVE-2016-9899). Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript (CVE-2016-9895). Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array within libGLES (CVE-2016-9897). Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor (CVE-2016-9898). External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of data: URLs. This could allow for cross-domain data leakage (CVE-2016-9900). An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites (CVE-2016-9904). A potentially exploitable crash in EnumerateSubDocuments while adding or removing sub-documents (CVE-2016-9905). Mozilla developers and community members Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory safety bugs present in in Thunderbird ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code (CVE-2016-9893). References: https://www.mozilla.org/en-US/thunderbird/45.6.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/ https://rhn.redhat.com/errata/RHSA-2016-2973.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9899 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9895 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9897 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9898 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9900 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9904 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9905 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9893 ======================== Updated packages in core/updates_testing: ======================== thunderbird-45.6.0-1.mga5 thunderbird-enigmail-45.6.0-1.mga5 thunderbird-ar-45.6.0-1.mga5 thunderbird-ast-45.6.0-1.mga5 thunderbird-be-45.6.0-1.mga5 thunderbird-bg-45.6.0-1.mga5 thunderbird-bn_BD-45.6.0-1.mga5 thunderbird-br-45.6.0-1.mga5 thunderbird-ca-45.6.0-1.mga5 thunderbird-cs-45.6.0-1.mga5 thunderbird-cy-45.6.0-1.mga5 thunderbird-da-45.6.0-1.mga5 thunderbird-de-45.6.0-1.mga5 thunderbird-el-45.6.0-1.mga5 thunderbird-en_GB-45.6.0-1.mga5 thunderbird-en_US-45.6.0-1.mga5 thunderbird-es_AR-45.6.0-1.mga5 thunderbird-es_ES-45.6.0-1.mga5 thunderbird-et-45.6.0-1.mga5 thunderbird-eu-45.6.0-1.mga5 thunderbird-fi-45.6.0-1.mga5 thunderbird-fr-45.6.0-1.mga5 thunderbird-fy_NL-45.6.0-1.mga5 thunderbird-ga_IE-45.6.0-1.mga5 thunderbird-gd-45.6.0-1.mga5 thunderbird-gl-45.6.0-1.mga5 thunderbird-he-45.6.0-1.mga5 thunderbird-hr-45.6.0-1.mga5 thunderbird-hsb-45.6.0-1.mga5 thunderbird-hu-45.6.0-1.mga5 thunderbird-hy_AM-45.6.0-1.mga5 thunderbird-id-45.6.0-1.mga5 thunderbird-is-45.6.0-1.mga5 thunderbird-it-45.6.0-1.mga5 thunderbird-ja-45.6.0-1.mga5 thunderbird-ko-45.6.0-1.mga5 thunderbird-lt-45.6.0-1.mga5 thunderbird-nb_NO-45.6.0-1.mga5 thunderbird-nl-45.6.0-1.mga5 thunderbird-nn_NO-45.6.0-1.mga5 thunderbird-pa_IN-45.6.0-1.mga5 thunderbird-pl-45.6.0-1.mga5 thunderbird-pt_BR-45.6.0-1.mga5 thunderbird-pt_PT-45.6.0-1.mga5 thunderbird-ro-45.6.0-1.mga5 thunderbird-ru-45.6.0-1.mga5 thunderbird-si-45.6.0-1.mga5 thunderbird-sk-45.6.0-1.mga5 thunderbird-sl-45.6.0-1.mga5 thunderbird-sq-45.6.0-1.mga5 thunderbird-sv_SE-45.6.0-1.mga5 thunderbird-ta_LK-45.6.0-1.mga5 thunderbird-tr-45.6.0-1.mga5 thunderbird-uk-45.6.0-1.mga5 thunderbird-vi-45.6.0-1.mga5 thunderbird-zh_CN-45.6.0-1.mga5 thunderbird-zh_TW-45.6.0-1.mga5 from SRPMS: thunderbird-45.6.0-1.mga5.src.rpm thunderbird-l10n-45.6.0-1.mga5.src.rpm
Status: NEW => ASSIGNEDAssignee: doktor5000 => qa-bugs
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
Tested mga5-64. Send/receive/move/delete under SMTP/IMAP OK, Google calendar loads normally.
CC: (none) => wrw105Whiteboard: (none) => has_procedure mga5-64-ok
MGA5-32-OK & MGA5-64-OK on real hardware and virtualbox machines Procedure : Upgrade from 45.5.1-1 to 45.6.0-1 the installation goes fine (I still have my config files and account as before) Sending and receiving mails with and without files/pictures works. Adding/Removing accounts from different webmail works (tested with gmail, hotmail and yahoo) I'm using these addons : Enigmail Adblockplus Lightning And to test a bit more, I used a few personas and themes and changed some settings. Everything is working as intended, I'm OK'ing the update for both arch. Waiting for more people to validate the update.
CC: (none) => youpburdenWhiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok mga5-32-ok
Validating; Advisory from Comment 4.
Keywords: (none) => validated_updateWhiteboard: has_procedure mga5-64-ok mga5-32-ok => has_procedure mga5-64-ok mga5-32-ok advisoryCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0006.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED