Mozilla has released Thunderbird 52.5.2 today (December 22): https://www.mozilla.org/en-US/thunderbird/52.5.2/releasenotes/ It fixes some security issues which haven't been detailed yet.
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA5TOO
The Enigmail extension is affected by one of the security issues, so it will also need to be updated. Debian has issued an advisory for Enigmail on December 21: https://www.debian.org/security/2017/dsa-4070
Assigning to the registered thunderbird maintainer.
Assignee: bugsquad => doktor5000
CC: (none) => marja11
openSUSE has issued advisories for this on December 22 and 25: https://lists.opensuse.org/opensuse-updates/2017-12/msg00107.html https://lists.opensuse.org/opensuse-updates/2017-12/msg00101.html
Updates submitted for cauldron, mga5, and mga6. Advisory to follow after they've built.
Assignee: doktor5000 => mrambo
CC: (none) => mrambo
Updated package uploaded for cauldron, Mageia 6, and Mageia 5.

Advisory:
========================

Updated thunderbird package fixes security vulnerabilities:

Multiple vulnerabilities have been fixed in thunderbird.

* JavaScript Execution via RSS in mailbox:// origin (CVE-2017-7846).
* Local path string can be leaked from RSS feed (CVE-2017-7847).
* RSS Feed vulnerable to new line Injection (CVE-2017-7848).
* Mailsploit From address with encoded null character is cut off in message header display (CVE-2017-7829).

Multiple vulnerabilities have been fixed in the bundled enigmail package.

* An issue was discovered that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list (CVE-2017-17843).
* A remote attacker can obtain cleartext content by sending an encrypted data block to a victim, and relying on the victim to automatically decrypt that block and then send it back to the attacker as quoted text (CVE-2017-17844).
* An issue was discovered where Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp) (CVE-2017-17845).
* An issue was discovered where regular expressions are exploitable for Denial of Service, because of attempts to match arbitrarily long strings (CVE-2017-17846).
* An issue was discovered that signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message (CVE-2017-17847).
* In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed (CVE-2017-17848).

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17848
========================

Updated packages in core/updates_testing:
========================
thunderbird-52.5.2-1.mga6
thunderbird-enigmail-52.5.2-1.mga6

from thunderbird-52.5.2-1.mga6.src.rpm

thunderbird-ar-52.5.2-1.mga6.noarch.rpm
thunderbird-ast-52.5.2-1.mga6.noarch.rpm
thunderbird-be-52.5.2-1.mga6.noarch.rpm
thunderbird-bg-52.5.2-1.mga6.noarch.rpm
thunderbird-bn_BD-52.5.2-1.mga6.noarch.rpm
thunderbird-br-52.5.2-1.mga6.noarch.rpm
thunderbird-ca-52.5.2-1.mga6.noarch.rpm
thunderbird-cs-52.5.2-1.mga6.noarch.rpm
thunderbird-cy-52.5.2-1.mga6.noarch.rpm
thunderbird-da-52.5.2-1.mga6.noarch.rpm
thunderbird-de-52.5.2-1.mga6.noarch.rpm
thunderbird-el-52.5.2-1.mga6.noarch.rpm
thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm
thunderbird-en_US-52.5.2-1.mga6.noarch.rpm
thunderbird-es_AR-52.5.2-1.mga6.noarch.rpm
thunderbird-es_ES-52.5.2-1.mga6.noarch.rpm
thunderbird-et-52.5.2-1.mga6.noarch.rpm
thunderbird-eu-52.5.2-1.mga6.noarch.rpm
thunderbird-fi-52.5.2-1.mga6.noarch.rpm
thunderbird-fr-52.5.2-1.mga6.noarch.rpm
thunderbird-fy_NL-52.5.2-1.mga6.noarch.rpm
thunderbird-ga_IE-52.5.2-1.mga6.noarch.rpm
thunderbird-gd-52.5.2-1.mga6.noarch.rpm
thunderbird-gl-52.5.2-1.mga6.noarch.rpm
thunderbird-he-52.5.2-1.mga6.noarch.rpm
thunderbird-hr-52.5.2-1.mga6.noarch.rpm
thunderbird-hsb-52.5.2-1.mga6.noarch.rpm
thunderbird-hu-52.5.2-1.mga6.noarch.rpm
thunderbird-hy_AM-52.5.2-1.mga6.noarch.rpm
thunderbird-id-52.5.2-1.mga6.noarch.rpm
thunderbird-is-52.5.2-1.mga6.noarch.rpm
thunderbird-it-52.5.2-1.mga6.noarch.rpm
thunderbird-ja-52.5.2-1.mga6.noarch.rpm
thunderbird-ko-52.5.2-1.mga6.noarch.rpm
thunderbird-lt-52.5.2-1.mga6.noarch.rpm
thunderbird-nb_NO-52.5.2-1.mga6.noarch.rpm
thunderbird-nl-52.5.2-1.mga6.noarch.rpm
thunderbird-nn_NO-52.5.2-1.mga6.noarch.rpm
thunderbird-pa_IN-52.5.2-1.mga6.noarch.rpm
thunderbird-pl-52.5.2-1.mga6.noarch.rpm
thunderbird-pt_BR-52.5.2-1.mga6.noarch.rpm
thunderbird-pt_PT-52.5.2-1.mga6.noarch.rpm
thunderbird-ro-52.5.2-1.mga6.noarch.rpm
thunderbird-ru-52.5.2-1.mga6.noarch.rpm
thunderbird-si-52.5.2-1.mga6.noarch.rpm
thunderbird-sk-52.5.2-1.mga6.noarch.rpm
thunderbird-sl-52.5.2-1.mga6.noarch.rpm
thunderbird-sq-52.5.2-1.mga6.noarch.rpm
thunderbird-sv_SE-52.5.2-1.mga6.noarch.rpm
thunderbird-ta_LK-52.5.2-1.mga6.noarch.rpm
thunderbird-tr-52.5.2-1.mga6.noarch.rpm
thunderbird-uk-52.5.2-1.mga6.noarch.rpm
thunderbird-vi-52.5.2-1.mga6.noarch.rpm
thunderbird-zh_CN-52.5.2-1.mga6.noarch.rpm
thunderbird-zh_TW-52.5.2-1.mga6.noarch.rpm

from thunderbird-l10n-52.5.2-1.mga6.src.rpm

thunderbird-52.5.2-1.mga5
thunderbird-enigmail-52.5.2-1.mga5

from thunderbird-52.5.2-1.mga5.src.rpm

thunderbird-ar-52.5.2-1.mga5.noarch.rpm
thunderbird-ast-52.5.2-1.mga5.noarch.rpm
thunderbird-be-52.5.2-1.mga5.noarch.rpm
thunderbird-bg-52.5.2-1.mga5.noarch.rpm
thunderbird-bn_BD-52.5.2-1.mga5.noarch.rpm
thunderbird-br-52.5.2-1.mga5.noarch.rpm
thunderbird-ca-52.5.2-1.mga5.noarch.rpm
thunderbird-cs-52.5.2-1.mga5.noarch.rpm
thunderbird-cy-52.5.2-1.mga5.noarch.rpm
thunderbird-da-52.5.2-1.mga5.noarch.rpm
thunderbird-de-52.5.2-1.mga5.noarch.rpm
thunderbird-el-52.5.2-1.mga5.noarch.rpm
thunderbird-en_GB-52.5.2-1.mga5.noarch.rpm
thunderbird-en_US-52.5.2-1.mga5.noarch.rpm
thunderbird-es_AR-52.5.2-1.mga5.noarch.rpm
thunderbird-es_ES-52.5.2-1.mga5.noarch.rpm
thunderbird-et-52.5.2-1.mga5.noarch.rpm
thunderbird-eu-52.5.2-1.mga5.noarch.rpm
thunderbird-fi-52.5.2-1.mga5.noarch.rpm
thunderbird-fr-52.5.2-1.mga5.noarch.rpm
thunderbird-fy_NL-52.5.2-1.mga5.noarch.rpm
thunderbird-ga_IE-52.5.2-1.mga5.noarch.rpm
thunderbird-gd-52.5.2-1.mga5.noarch.rpm
thunderbird-gl-52.5.2-1.mga5.noarch.rpm
thunderbird-he-52.5.2-1.mga5.noarch.rpm
thunderbird-hr-52.5.2-1.mga5.noarch.rpm
thunderbird-hsb-52.5.2-1.mga5.noarch.rpm
thunderbird-hu-52.5.2-1.mga5.noarch.rpm
thunderbird-hy_AM-52.5.2-1.mga5.noarch.rpm
thunderbird-id-52.5.2-1.mga5.noarch.rpm
thunderbird-is-52.5.2-1.mga5.noarch.rpm
thunderbird-it-52.5.2-1.mga5.noarch.rpm
thunderbird-ja-52.5.2-1.mga5.noarch.rpm
thunderbird-ko-52.5.2-1.mga5.noarch.rpm
thunderbird-lt-52.5.2-1.mga5.noarch.rpm
thunderbird-nb_NO-52.5.2-1.mga5.noarch.rpm
thunderbird-nl-52.5.2-1.mga5.noarch.rpm
thunderbird-nn_NO-52.5.2-1.mga5.noarch.rpm
thunderbird-pa_IN-52.5.2-1.mga5.noarch.rpm
thunderbird-pl-52.5.2-1.mga5.noarch.rpm
thunderbird-pt_BR-52.5.2-1.mga5.noarch.rpm
thunderbird-pt_PT-52.5.2-1.mga5.noarch.rpm
thunderbird-ro-52.5.2-1.mga5.noarch.rpm
thunderbird-ru-52.5.2-1.mga5.noarch.rpm
thunderbird-si-52.5.2-1.mga5.noarch.rpm
thunderbird-sk-52.5.2-1.mga5.noarch.rpm
thunderbird-sl-52.5.2-1.mga5.noarch.rpm
thunderbird-sq-52.5.2-1.mga5.noarch.rpm
thunderbird-sv_SE-52.5.2-1.mga5.noarch.rpm
thunderbird-ta_LK-52.5.2-1.mga5.noarch.rpm
thunderbird-tr-52.5.2-1.mga5.noarch.rpm
thunderbird-uk-52.5.2-1.mga5.noarch.rpm
thunderbird-vi-52.5.2-1.mga5.noarch.rpm
thunderbird-zh_CN-52.5.2-1.mga5.noarch.rpm
thunderbird-zh_TW-52.5.2-1.mga5.noarch.rpm

from thunderbird-l10n-52.5.2-1.mga5.src.rpm
Assignee: mrambo => qa-bugs
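The Mailsploit item in the advisory above (CVE-2017-7829) comes down to an RFC 2047 encoded-word in the From: header that smuggles a NUL into the display name, so a client that stops rendering at NUL shows only the trusted-looking prefix. The following is an added, illustrative check, not code from Mozilla, Mageia or this report: it decodes the encoded-words with Python's standard library, shows what a NUL-truncating display would present, and flags any control character that survives decoding. The sample headers are constructed for the demo.

```python
import re
from email.header import decode_header

# A control character (NUL included) that survives RFC 2047 decoding has no
# business in a display name; its presence is the tell-tale of this technique.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Constructed sample From: values for the demo (not taken from any real mail).
SAMPLE_FROM_HEADERS = {
    "plain": "Alice <alice@example.org>",
    "encoded_clean": "=?utf-8?Q?Alice_Example?= <alice@example.org>",
    # Encoded-word whose display name hides a NUL (=00) right after a
    # trusted-looking address; a NUL-truncating display shows only the prefix.
    "encoded_nul": "=?utf-8?Q?service=40example.org=00.x?= <attacker@example.net>",
}


def decode_from_header(raw):
    """Decode every RFC 2047 encoded-word in a From: value into one str."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            # Unencoded runs come back with charset None; treat them as ASCII.
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def audit_from_header(raw):
    """Report the decoded value, the NUL-truncated view, and a suspicion flag."""
    decoded = decode_from_header(raw)
    hits = CONTROL_CHARS.findall(decoded)
    return {
        "decoded": decoded,
        "shown_if_truncated": decoded.split("\x00", 1)[0],
        "control_chars": len(hits),
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    for name, header in SAMPLE_FROM_HEADERS.items():
        print(name, audit_from_header(header))
```

The same check fits a mail filter or a header-hygiene rule: the decoded value, not the raw wire form, is what should be compared against the real address in angle brackets.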
Thanks Mike! Just a minor note, the Thunderbird CVEs (CVE-2017-7829, CVE-2017-784[6-8]) are missing in your references list, so QA team, please make sure those go in the CVE list when making the advisory in SVN.
tested on 586 platform, lxde, amd athlon XP; all appears to be working as usual
tested on x86_64 platform, plasma, ryzen; all appears to be working OK

urpmi thunderbird-en_GB-52.5.2-1.mga6.noarch thunderbird-52.5.2-1.mga6.i586
$MIRRORLIST: media/core/updates_testing/thunderbird-52.5.2-1.mga6.i586.rpm
$MIRRORLIST: media/core/updates_testing/thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm
installing thunderbird-52.5.2-1.mga6.i586.rpm thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ###############################################################################################################
1/2: thunderbird ###############################################################################################################
2/2: thunderbird-en_GB ###############################################################################################################
1/2: removing thunderbird-en_GB-52.5.0-1.mga6.noarch ###############################################################################################################
2/2: removing thunderbird-0:52.5.0-1.mga6.i586 ###############################################################################################################

urpmi thunderbird-en_GB-52.5.2-1.mga6.noarch thunderbird-52.5.2-1.mga6.x86_64
$MIRRORLIST: media/core/updates_testing/thunderbird-52.5.2-1.mga6.x86_64.rpm
$MIRRORLIST: media/core/updates_testing/thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm
installing thunderbird-52.5.2-1.mga6.x86_64.rpm thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ###############################################################################################################
1/2: thunderbird ###############################################################################################################
2/2: thunderbird-en_GB ###############################################################################################################
1/2: removing thunderbird-en_GB-52.5.0-1.mga6.noarch ###############################################################################################################
2/2: removing thunderbird-0:52.5.0-1.mga6.x86_64 ###############################################################################################################

Using IMAP backend Citadel. Confirmed read, navigate folders and SMTP send outbound from both platforms.
CC: (none) => peter.winterflood
Checked out the i586 version in Mageia 5, with the US English language pack. Received emails, sent one to qa-discuss, checked out the Mageia newsgroup. Everything looks good.
CC: (none) => andrewsfarm
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
On mga5-64, packages installed cleanly:
- thunderbird-52.5.2-1.mga5.x86_64
- thunderbird-en_GB-52.5.2-1.mga5.noarch

email - POP, SMTP - OK
calendar - OK
movemail - OK

OK for mga5-64

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK
CC: (none) => jim
(In reply to David Walser from comment #6)
> Thanks Mike! Just a minor note, the Thunderbird CVEs (CVE-2017-7829,
> CVE-2017-784[6-8]) are missing in your references list, so QA team, please
> make sure those go in the CVE list when making the advisory in SVN.

All the CVEs *are* itemised in the Advisory Description, which is fine. The CVE URL list can serve as a cross-check for CVE numbers cited in the Title or Description. OTOH, if the CVEs are only listed as URLs, or there are a lot, we can pick them off that list: it is a question of what makes the easier editing.

-------------------------------------------------------------

And I am adding both Mageia 6 OKs from comment 7 (thanks Peter):
> tested on 586 platform, lxde, amd athlon XP all appears to be working as usual
> thunderbird-en_GB-52.5.2-1.mga6.noarch thunderbird-52.5.2-1.mga6.i586
> tested on x86_64 platform plasma ryzen, all appears to be working OK
> thunderbird-en_GB-52.5.2-1.mga6.noarch thunderbird-52.5.2-1.mga6.x86_64
> confirmed read navigate folders and smtp send outbound from both platforms

All of which, with comments 8 & 9, warrants validation: 4/4.

Keywords: (none) => advisory, validated_update
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-64 MGA6-64-OK
CC: (none) => sysadmin-bugs
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-64 MGA6-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0477.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED