Bug 22470 - Thunderbird 52.6
Summary: Thunderbird 52.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-01-26 06:43 CET by David Walser
Modified: 2018-02-06 07:26 CET (History)
9 users (show)

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Attachments

Description David Walser 2018-01-26 06:43:39 CET
Mozilla has released Thunderbird 52.6 on January 25:
https://www.mozilla.org/en-US/thunderbird/52.6.0/releasenotes/

The issues fixed are listed here:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/
David Walser 2018-01-26 06:43:57 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => nicolas.salguero

David Walser 2018-01-26 06:45:17 CET

Component: RPM Packages => Security
QA Contact: (none) => security

Comment 1 Marja Van Waes 2018-01-26 07:02:45 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => doktor5000

Comment 2 Nicolas Salguero 2018-01-29 12:47:18 CET
Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Integer overflow in Skia library during edge builder allocation. (CVE-2018-5095)

Use-after-free while editing form elements. (CVE-2018-5096)

Use-after-free when source document is manipulated during XSLT. (CVE-2018-5097)

Use-after-free while manipulating form input elements. (CVE-2018-5098)

Use-after-free with widget listener. (CVE-2018-5099)

Use-after-free in HTML media elements. (CVE-2018-5102)

Use-after-free during mouse event handling. (CVE-2018-5103)

Use-after-free during font face manipulation. (CVE-2018-5104)

URL spoofing with right-to-left text aligned left-to-right. (CVE-2018-5117)

Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6, and Thunderbird 52.6. (CVE-2018-5089)

References:
========================
https://www.mozilla.org/en-US/thunderbird/52.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5102
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5089

Updated packages in 5/core/updates_testing:
========================
thunderbird-52.6.0-1.mga5
thunderbird-enigmail-52.6.0-1.mga5
thunderbird-ar-52.6.0-1.mga5
thunderbird-ast-52.6.0-1.mga5
thunderbird-be-52.6.0-1.mga5
thunderbird-bg-52.6.0-1.mga5
thunderbird-bn_BD-52.6.0-1.mga5
thunderbird-br-52.6.0-1.mga5
thunderbird-ca-52.6.0-1.mga5
thunderbird-cs-52.6.0-1.mga5
thunderbird-cy-52.6.0-1.mga5
thunderbird-da-52.6.0-1.mga5
thunderbird-de-52.6.0-1.mga5
thunderbird-el-52.6.0-1.mga5
thunderbird-en_GB-52.6.0-1.mga5
thunderbird-en_US-52.6.0-1.mga5
thunderbird-es_AR-52.6.0-1.mga5
thunderbird-es_ES-52.6.0-1.mga5
thunderbird-et-52.6.0-1.mga5
thunderbird-eu-52.6.0-1.mga5
thunderbird-fi-52.6.0-1.mga5
thunderbird-fr-52.6.0-1.mga5
thunderbird-fy_NL-52.6.0-1.mga5
thunderbird-ga_IE-52.6.0-1.mga5
thunderbird-gd-52.6.0-1.mga5
thunderbird-gl-52.6.0-1.mga5
thunderbird-he-52.6.0-1.mga5
thunderbird-hr-52.6.0-1.mga5
thunderbird-hsb-52.6.0-1.mga5
thunderbird-hu-52.6.0-1.mga5
thunderbird-hy_AM-52.6.0-1.mga5
thunderbird-id-52.6.0-1.mga5
thunderbird-is-52.6.0-1.mga5
thunderbird-it-52.6.0-1.mga5
thunderbird-ja-52.6.0-1.mga5
thunderbird-ko-52.6.0-1.mga5
thunderbird-lt-52.6.0-1.mga5
thunderbird-nb_NO-52.6.0-1.mga5
thunderbird-nl-52.6.0-1.mga5
thunderbird-nn_NO-52.6.0-1.mga5
thunderbird-pa_IN-52.6.0-1.mga5
thunderbird-pl-52.6.0-1.mga5
thunderbird-pt_BR-52.6.0-1.mga5
thunderbird-pt_PT-52.6.0-1.mga5
thunderbird-ro-52.6.0-1.mga5
thunderbird-ru-52.6.0-1.mga5
thunderbird-si-52.6.0-1.mga5
thunderbird-sk-52.6.0-1.mga5
thunderbird-sl-52.6.0-1.mga5
thunderbird-sq-52.6.0-1.mga5
thunderbird-sv_SE-52.6.0-1.mga5
thunderbird-ta_LK-52.6.0-1.mga5
thunderbird-tr-52.6.0-1.mga5
thunderbird-uk-52.6.0-1.mga5
thunderbird-vi-52.6.0-1.mga5
thunderbird-zh_CN-52.6.0-1.mga5
thunderbird-zh_TW-52.6.0-1.mga6

from SRPMS:
thunderbird-52.6.0-1.mga5.src.rpm
thunderbird-l10n-52.6.0-1.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
thunderbird-52.6.0-1.mga6
thunderbird-enigmail-52.6.0-1.mga6
thunderbird-ar-52.6.0-1.mga6
thunderbird-ast-52.6.0-1.mga6
thunderbird-be-52.6.0-1.mga6
thunderbird-bg-52.6.0-1.mga6
thunderbird-bn_BD-52.6.0-1.mga6
thunderbird-br-52.6.0-1.mga6
thunderbird-ca-52.6.0-1.mga6
thunderbird-cs-52.6.0-1.mga6
thunderbird-cy-52.6.0-1.mga6
thunderbird-da-52.6.0-1.mga6
thunderbird-de-52.6.0-1.mga6
thunderbird-el-52.6.0-1.mga6
thunderbird-en_GB-52.6.0-1.mga6
thunderbird-en_US-52.6.0-1.mga6
thunderbird-es_AR-52.6.0-1.mga6
thunderbird-es_ES-52.6.0-1.mga6
thunderbird-et-52.6.0-1.mga6
thunderbird-eu-52.6.0-1.mga6
thunderbird-fi-52.6.0-1.mga6
thunderbird-fr-52.6.0-1.mga6
thunderbird-fy_NL-52.6.0-1.mga6
thunderbird-ga_IE-52.6.0-1.mga6
thunderbird-gd-52.6.0-1.mga6
thunderbird-gl-52.6.0-1.mga6
thunderbird-he-52.6.0-1.mga6
thunderbird-hr-52.6.0-1.mga6
thunderbird-hsb-52.6.0-1.mga6
thunderbird-hu-52.6.0-1.mga6
thunderbird-hy_AM-52.6.0-1.mga6
thunderbird-id-52.6.0-1.mga6
thunderbird-is-52.6.0-1.mga6
thunderbird-it-52.6.0-1.mga6
thunderbird-ja-52.6.0-1.mga6
thunderbird-ko-52.6.0-1.mga6
thunderbird-lt-52.6.0-1.mga6
thunderbird-nb_NO-52.6.0-1.mga6
thunderbird-nl-52.6.0-1.mga6
thunderbird-nn_NO-52.6.0-1.mga6
thunderbird-pa_IN-52.6.0-1.mga6
thunderbird-pl-52.6.0-1.mga6
thunderbird-pt_BR-52.6.0-1.mga6
thunderbird-pt_PT-52.6.0-1.mga6
thunderbird-ro-52.6.0-1.mga6
thunderbird-ru-52.6.0-1.mga6
thunderbird-si-52.6.0-1.mga6
thunderbird-sk-52.6.0-1.mga6
thunderbird-sl-52.6.0-1.mga6
thunderbird-sq-52.6.0-1.mga6
thunderbird-sv_SE-52.6.0-1.mga6
thunderbird-ta_LK-52.6.0-1.mga6
thunderbird-tr-52.6.0-1.mga6
thunderbird-uk-52.6.0-1.mga6
thunderbird-vi-52.6.0-1.mga6
thunderbird-zh_CN-52.6.0-1.mga6
thunderbird-zh_TW-52.6.0-1.mga6

from SRPMS:
thunderbird-52.6.0-1.mga6.src.rpm
thunderbird-l10n-52.6.0-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: doktor5000 => qa-bugs
Version: Cauldron => 6
Source RPM: thunderbird => thunderbird, thunderbird-l10n
Status: NEW => ASSIGNED

Comment 3 Thomas Andrews 2018-01-30 17:17:31 CET
Used this on two very different sets of hardware in 64-bit Mageia 6 Plasma systems. Sent and received emails and newsgroup posts, with no issues noted.

Looks OK to me.

CC: (none) => andrewsfarm

Comment 4 James Kerr 2018-01-30 19:43:12 CET
on mga5-64 KDE

packages installed cleanly:
- thunderbird-52.6.0-1.mga5.x86_64
- thunderbird-en_GB-52.6.0-1.mga5.noarch

email - POP/SMTP - OK
calendar - OK
movemail - OK

not tested - IMAP, enigmail

to the extent tested, OK for mga5-64

CC: (none) => jim

Comment 5 James Kerr 2018-01-30 20:00:12 CET
on mga5-32 in a vbox VM

packages installed cleanly:
- thunderbird-52.6.0-1.mga5.i586
- thunderbird-en_GB-52.6.0-1.mga5.noarch

email - POP/SMTP - OK
movemail - OK
calendar - OK

not tested - IMAP, enigmail

to the extent tested, OK for mga5-32
Comment 6 Frédéric "LpSolit" Buclin 2018-01-31 12:10:25 CET
The Lightning extension is marked as incompatible with 52.6.0!
Comment 7 Frédéric "LpSolit" Buclin 2018-01-31 12:15:34 CET
(In reply to Frédéric Buclin from comment #6)
> The Lightning extension is marked as incompatible with 52.6.0!

Hum, this is maybe because I also tested upstream 58.0b3, where Lightning is working fine.
Comment 8 Herman Viaene 2018-01-31 14:15:47 CET
MGA5-32 on Dell Latitude D600 Xfce
This is an update on on existing Thunderbird configuration in Dutch with a POP3 account.
I could send an e-mail to another account, read on other PC.
I could register a new event in the calender. All seems OK to me.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 9 Len Lawrence 2018-02-01 18:42:30 CET
Mageia 6 :: x86_64

Using this habitually so have installed the updates, with the en_GB package.  No problem with sending and receiving emails.  Ignoring enigmail for historic reasons.  Keeping an eye open for any regressions.

Godd for 64 bits.

CC: (none) => tarazed25

Len Lawrence 2018-02-02 18:26:02 CET

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

Comment 10 Thomas Andrews 2018-02-03 22:12:17 CET
Installed in a 64-bit MGA5 system, server kernel, nvidia340 graphics.

Sent email to myself, checked newsgroups, everything looks OK.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK

Comment 11 José Jorge 2018-02-04 11:54:13 CET
Test in 32 bit with enigmail, encrypted mail sent ok, received also

CC: (none) => lists.jjorge

Comment 12 James Kerr 2018-02-04 15:58:27 CET
on mga6-64 plasma

packages installed cleanly:
- thunderbird-52.6.0-1.mga6.x86_64
- thunderbird-en_GB-52.6.0-1.mga6.noarch

email: POP/SMTP - OK
calendar - OK
movemail - OK

not tested: IMAP, enigmail

To the extent tested, OK for mga6-64
Comment 13 James Kerr 2018-02-04 16:16:54 CET
on mga6-32 in a vbox VM

packages installed cleanly:
- thunderbird-52.6.0-1.mga6.i586
- thunderbird-en_GB-52.6.0-1.mga6.noarch

email - POP/SMTP - OK
movemail - OK
calendar - OK

to extent tested, OK for mga6-32
Comment 14 Len Lawrence 2018-02-04 18:21:35 CET
Re comment 9: should have added - imail server.
Len Lawrence 2018-02-05 23:16:41 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-02-06 05:26:40 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 15 Mageia Robot 2018-02-06 07:26:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0115.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.