Thunderbird 52.2 has been released today (June 14): https://www.mozilla.org/en-US/thunderbird/52.2.0/releasenotes/ It fixes several bugs and likely many of the same security issues as Firefox 52.2 (Bug 21088).
CC: (none) => doktor5000, mrambo, nicolas.salguero
Whiteboard: (none) => MGA5TOO
Update to 52.2.0 committed and freeze push requested for cauldron.
Assignee: bugsquad => mrambo
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated thunderbird and thunderbird-l10n packages fix bugs and various security vulnerabilities:

* Use-after-free using destroyed node when regenerating trees (CVE-2017-5472).
* Use-after-free during docshell reloading (CVE-2017-7749).
* Use-after-free with track elements (CVE-2017-7750).
* Use-after-free with content viewer listeners (CVE-2017-7751).
* Use-after-free with IME input (CVE-2017-7752).
* Out-of-bounds read in WebGL with ImageInfo object (CVE-2017-7754).
* Use-after-free and use-after-scope logging XHR header errors (CVE-2017-7756).
* Use-after-free in IndexedDB (CVE-2017-7757).
* Vulnerabilities in the Graphite 2 library (CVE-2017-7778).
* Out-of-bounds read in Opus encoder (CVE-2017-7758).
* Mac fonts render some unicode characters as spaces (CVE-2017-7763).
* Domain spoofing with combination of Canadian Syllabics and other unicode blocks (CVE-2017-7764).
* Mark of the Web bypass when saving executable files (CVE-2017-7765).
* Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2, and Thunderbird 52.2 (CVE-2017-5470).
* plus various bug fixes.

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7754
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7757
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7778
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7758
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7765
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5470
========================

Updated packages in core/updates_testing:
========================
thunderbird-52.2.0-1.mga5
thunderbird-debuginfo-52.2.0-1.mga5
thunderbird-enigmail-52.2.0-1.mga5

from thunderbird-52.2.0-1.mga5.src.rpm

- and thunderbird-l10n -

thunderbird-ar-52.2.0-1.mga5.noarch.rpm
thunderbird-ast-52.2.0-1.mga5.noarch.rpm
thunderbird-be-52.2.0-1.mga5.noarch.rpm
thunderbird-bg-52.2.0-1.mga5.noarch.rpm
thunderbird-bn_BD-52.2.0-1.mga5.noarch.rpm
thunderbird-br-52.2.0-1.mga5.noarch.rpm
thunderbird-ca-52.2.0-1.mga5.noarch.rpm
thunderbird-cs-52.2.0-1.mga5.noarch.rpm
thunderbird-cy-52.2.0-1.mga5.noarch.rpm
thunderbird-da-52.2.0-1.mga5.noarch.rpm
thunderbird-de-52.2.0-1.mga5.noarch.rpm
thunderbird-el-52.2.0-1.mga5.noarch.rpm
thunderbird-en_GB-52.2.0-1.mga5.noarch.rpm
thunderbird-en_US-52.2.0-1.mga5.noarch.rpm
thunderbird-es_AR-52.2.0-1.mga5.noarch.rpm
thunderbird-es_ES-52.2.0-1.mga5.noarch.rpm
thunderbird-et-52.2.0-1.mga5.noarch.rpm
thunderbird-eu-52.2.0-1.mga5.noarch.rpm
thunderbird-fi-52.2.0-1.mga5.noarch.rpm
thunderbird-fr-52.2.0-1.mga5.noarch.rpm
thunderbird-fy_NL-52.2.0-1.mga5.noarch.rpm
thunderbird-ga_IE-52.2.0-1.mga5.noarch.rpm
thunderbird-gd-52.2.0-1.mga5.noarch.rpm
thunderbird-gl-52.2.0-1.mga5.noarch.rpm
thunderbird-he-52.2.0-1.mga5.noarch.rpm
thunderbird-hr-52.2.0-1.mga5.noarch.rpm
thunderbird-hsb-52.2.0-1.mga5.noarch.rpm
thunderbird-hu-52.2.0-1.mga5.noarch.rpm
thunderbird-hy_AM-52.2.0-1.mga5.noarch.rpm
thunderbird-id-52.2.0-1.mga5.noarch.rpm
thunderbird-is-52.2.0-1.mga5.noarch.rpm
thunderbird-it-52.2.0-1.mga5.noarch.rpm
thunderbird-ja-52.2.0-1.mga5.noarch.rpm
thunderbird-ko-52.2.0-1.mga5.noarch.rpm
thunderbird-lt-52.2.0-1.mga5.noarch.rpm
thunderbird-nb_NO-52.2.0-1.mga5.noarch.rpm
thunderbird-nl-52.2.0-1.mga5.noarch.rpm
thunderbird-nn_NO-52.2.0-1.mga5.noarch.rpm
thunderbird-pa_IN-52.2.0-1.mga5.noarch.rpm
thunderbird-pl-52.2.0-1.mga5.noarch.rpm
thunderbird-pt_BR-52.2.0-1.mga5.noarch.rpm
thunderbird-pt_PT-52.2.0-1.mga5.noarch.rpm
thunderbird-ro-52.2.0-1.mga5.noarch.rpm
thunderbird-ru-52.2.0-1.mga5.noarch.rpm
thunderbird-si-52.2.0-1.mga5.noarch.rpm
thunderbird-sk-52.2.0-1.mga5.noarch.rpm
thunderbird-sl-52.2.0-1.mga5.noarch.rpm
thunderbird-sq-52.2.0-1.mga5.noarch.rpm
thunderbird-sv_SE-52.2.0-1.mga5.noarch.rpm
thunderbird-ta_LK-52.2.0-1.mga5.noarch.rpm
thunderbird-tr-52.2.0-1.mga5.noarch.rpm
thunderbird-uk-52.2.0-1.mga5.noarch.rpm
thunderbird-vi-52.2.0-1.mga5.noarch.rpm
thunderbird-zh_CN-52.2.0-1.mga5.noarch.rpm
thunderbird-zh_TW-52.2.0-1.mga5.noarch.rpm

from thunderbird-l10n-52.2.0-1.mga5.src.rpm
Assignee: mrambo => qa-bugs
Thanks Mike! SUSE has issued an advisory for this today (June 16): https://lists.opensuse.org/opensuse-updates/2017-06/msg00052.html
Running this on x86_64, Mate desktop. Installed thunderbird, thunderbird-en_GB and enigmail from updates testing but could not access thunderbird-debuginfo (not on distrib-coffee - did not look elsewhere). Working fine for emails. Sent one to myself but as usual was unable to decrypt it so destroyed the old certificates and regenerated a key and a revocation certificate. Sent another message to myself and was able to decrypt it when it arrived although there was the usual keyring complaint from GnuPG about gpg-agent (a known issue with comments upstream). Shall remove enigmail after this because I have no idea how to publish public key. I never use the calendar functions but the calendar works for data entry and event reminders. This is OK for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
For working with pgp/gpg keys, it's probably easier to start with kgpg, create the key, export the public key to a text file, and import it on other systems. pgp public key servers can also be used to publish keys for use by other people.

Testing on an i586 install, enigmail shows this for one old message sent between my i586 and x86_64 installs ...

Enigmail Security Info

Good signature from David W. Hodgins <davidwhodgins@gmail.com>
Key ID: 0x98B013E0 / Signed on: 27/03/16 05:37 AM
Key fingerprint: A97B 3851 44E4 98D9 157E DA10 39B8 4EA5 98B0 13E0
Used Algorithms: DSA and SHA-1

Validating the update.
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0180.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED