Mozilla has released Thunderbird 52.9 today (July 3):
https://www.thunderbird.net/en-US/thunderbird/52.9.0/releasenotes/

The security issues fixed are listed here:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/

Mageia 5 and Mageia 6 are also affected. If it builds for Mageia 5, we can push the nspr, rootcerts, and nss packages from Bug 22904 with it. Additionally, enigmail needs to be updated (see Bug 23140).
Whiteboard: (none) => MGA6TOO
Blocks: (none) => 23140
Assigning to the registered maintainer. CC'ing some recent committers.
CC: (none) => geiger.david68210, marja11, mrambo, nicolas.salguero
Assignee: bugsquad => doktor5000
Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Buffer overflow using computed size of canvas element. (CVE-2018-12359)

Use-after-free when using focus(). (CVE-2018-12360)

S/MIME and PGP decryption oracles can be built with HTML emails. (CVE-2018-12372)

S/MIME plaintext can be leaked through HTML reply/forward. (CVE-2018-12373)

Integer overflow in SSSE3 scaler. (CVE-2018-12362)

Use-after-free when appending DOM nodes. (CVE-2018-12363)

CSRF attacks through 307 redirects and NPAPI plugins. (CVE-2018-12364)

Compromised IPC child process can list local filenames. (CVE-2018-12365)

Invalid data handling during QCMS transformations. (CVE-2018-12366)

Using form to exfiltrate encrypted mail part by pressing enter in form field. (CVE-2018-12374)

Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9. (CVE-2018-5188)

The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids. (CVE-2018-12019)

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. (CVE-2018-12020)

References:
========================
https://www.thunderbird.net/en-US/thunderbird/52.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/
https://lists.opensuse.org/opensuse-updates/2018-05/msg00133.html
https://neopg.io/blog/enigmail-signature-spoof/
http://openwall.com/lists/oss-security/2018/06/13/10
https://neopg.io/blog/gpg-signature-spoof/
https://sourceforge.net/p/enigmail/forum/announce/thread/b948279f/
https://lists.opensuse.org/opensuse-updates/2018-06/msg00094.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12359
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12372
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12373
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12363
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12364
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12365
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12366
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12374
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020

Updated packages in 5/core/updates_testing:
========================
thunderbird-52.9.0-1.mga5 thunderbird-enigmail-52.9.0-1.mga5 thunderbird-ar-52.9.0-1.mga5 thunderbird-ast-52.9.0-1.mga5 thunderbird-be-52.9.0-1.mga5 thunderbird-bg-52.9.0-1.mga5 thunderbird-bn_BD-52.9.0-1.mga5 thunderbird-br-52.9.0-1.mga5 thunderbird-ca-52.9.0-1.mga5 thunderbird-cs-52.9.0-1.mga5 thunderbird-cy-52.9.0-1.mga5 thunderbird-da-52.9.0-1.mga5 thunderbird-de-52.9.0-1.mga5 thunderbird-el-52.9.0-1.mga5 thunderbird-en_GB-52.9.0-1.mga5 thunderbird-en_US-52.9.0-1.mga5 thunderbird-es_AR-52.9.0-1.mga5 thunderbird-es_ES-52.9.0-1.mga5 thunderbird-et-52.9.0-1.mga5 thunderbird-eu-52.9.0-1.mga5
thunderbird-fi-52.9.0-1.mga5 thunderbird-fr-52.9.0-1.mga5 thunderbird-fy_NL-52.9.0-1.mga5 thunderbird-ga_IE-52.9.0-1.mga5 thunderbird-gd-52.9.0-1.mga5 thunderbird-gl-52.9.0-1.mga5 thunderbird-he-52.9.0-1.mga5 thunderbird-hr-52.9.0-1.mga5 thunderbird-hsb-52.9.0-1.mga5 thunderbird-hu-52.9.0-1.mga5 thunderbird-hy_AM-52.9.0-1.mga5 thunderbird-id-52.9.0-1.mga5 thunderbird-is-52.9.0-1.mga5 thunderbird-it-52.9.0-1.mga5 thunderbird-ja-52.9.0-1.mga5 thunderbird-ko-52.9.0-1.mga5 thunderbird-lt-52.9.0-1.mga5 thunderbird-nb_NO-52.9.0-1.mga5 thunderbird-nl-52.9.0-1.mga5 thunderbird-nn_NO-52.9.0-1.mga5 thunderbird-pa_IN-52.9.0-1.mga5 thunderbird-pl-52.9.0-1.mga5 thunderbird-pt_BR-52.9.0-1.mga5 thunderbird-pt_PT-52.9.0-1.mga5 thunderbird-ro-52.9.0-1.mga5 thunderbird-ru-52.9.0-1.mga5 thunderbird-si-52.9.0-1.mga5 thunderbird-sk-52.9.0-1.mga5 thunderbird-sl-52.9.0-1.mga5 thunderbird-sq-52.9.0-1.mga5 thunderbird-sv_SE-52.9.0-1.mga5 thunderbird-ta_LK-52.9.0-1.mga5 thunderbird-tr-52.9.0-1.mga5 thunderbird-uk-52.9.0-1.mga5 thunderbird-vi-52.9.0-1.mga5 thunderbird-zh_CN-52.9.0-1.mga5 thunderbird-zh_TW-52.9.0-1.mga5 libnspr4-4.19-1.mga5 libnspr-devel-4.19-1.mga5 rootcerts-20180411.00-1.mga5 rootcerts-java-20180411.00-1.mga5 nss-3.28.6-1.4.mga5 nss-doc-3.28.6-1.4.mga5 libnss3-3.28.6-1.4.mga5 libnss-devel-3.28.6-1.4.mga5 libnss-static-devel-3.28.6-1.4.mga5 from SRPMS: thunderbird-52.9.0-1.mga5.src.rpm thunderbird-l10n-52.9.0-1.mga5.src.rpm nspr-4.19-1.mga5.src.rpm rootcerts-20180411.00-1.mga5.src.rpm nss-3.28.6-1.4.mga5.src.rpm Updated packages in 6/core/updates_testing: ======================== thunderbird-52.9.0-1.mga6 thunderbird-enigmail-52.9.0-1.mga6 thunderbird-ar-52.9.0-1.mga6 thunderbird-ast-52.9.0-1.mga6 thunderbird-be-52.9.0-1.mga6 thunderbird-bg-52.9.0-1.mga6 thunderbird-bn_BD-52.9.0-1.mga6 thunderbird-br-52.9.0-1.mga6 thunderbird-ca-52.9.0-1.mga6 thunderbird-cs-52.9.0-1.mga6 thunderbird-cy-52.9.0-1.mga6 thunderbird-da-52.9.0-1.mga6 thunderbird-de-52.9.0-1.mga6 
thunderbird-el-52.9.0-1.mga6 thunderbird-en_GB-52.9.0-1.mga6 thunderbird-en_US-52.9.0-1.mga6 thunderbird-es_AR-52.9.0-1.mga6 thunderbird-es_ES-52.9.0-1.mga6 thunderbird-et-52.9.0-1.mga6 thunderbird-eu-52.9.0-1.mga6 thunderbird-fi-52.9.0-1.mga6 thunderbird-fr-52.9.0-1.mga6 thunderbird-fy_NL-52.9.0-1.mga6 thunderbird-ga_IE-52.9.0-1.mga6 thunderbird-gd-52.9.0-1.mga6 thunderbird-gl-52.9.0-1.mga6 thunderbird-he-52.9.0-1.mga6 thunderbird-hr-52.9.0-1.mga6 thunderbird-hsb-52.9.0-1.mga6 thunderbird-hu-52.9.0-1.mga6 thunderbird-hy_AM-52.9.0-1.mga6 thunderbird-id-52.9.0-1.mga6 thunderbird-is-52.9.0-1.mga6 thunderbird-it-52.9.0-1.mga6 thunderbird-ja-52.9.0-1.mga6 thunderbird-ko-52.9.0-1.mga6 thunderbird-lt-52.9.0-1.mga6 thunderbird-nb_NO-52.9.0-1.mga6 thunderbird-nl-52.9.0-1.mga6 thunderbird-nn_NO-52.9.0-1.mga6 thunderbird-pa_IN-52.9.0-1.mga6 thunderbird-pl-52.9.0-1.mga6 thunderbird-pt_BR-52.9.0-1.mga6 thunderbird-pt_PT-52.9.0-1.mga6 thunderbird-ro-52.9.0-1.mga6 thunderbird-ru-52.9.0-1.mga6 thunderbird-si-52.9.0-1.mga6 thunderbird-sk-52.9.0-1.mga6 thunderbird-sl-52.9.0-1.mga6 thunderbird-sq-52.9.0-1.mga6 thunderbird-sv_SE-52.9.0-1.mga6 thunderbird-ta_LK-52.9.0-1.mga6 thunderbird-tr-52.9.0-1.mga6 thunderbird-uk-52.9.0-1.mga6 thunderbird-vi-52.9.0-1.mga6 thunderbird-zh_CN-52.9.0-1.mga6 thunderbird-zh_TW-52.9.0-1.mga6 from SRPMS: thunderbird-52.9.0-1.mga6.src.rpm thunderbird-l10n-52.9.0-1.mga6.src.rpm
Assignee: doktor5000 => qa-bugs
Version: Cauldron => 6
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => MGA5TOO
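The CVE-2018-12020 and CVE-2018-12019 entries in the suggested advisory above both come down to a consumer trusting GnuPG status lines it cannot tell apart from other text, or miscounting signatures. The following is an added illustration, not code from this bug report, GnuPG or Enigmail: a consumer-side check that refuses a capture in which status lines share a stream with `gpg:` diagnostics and that accepts only a single, unambiguous signature result. The function names, the fingerprint and the sample captures are constructed for the example.

```python
STATUS_PREFIX = "[GNUPG:] "
# Status keywords that report the outcome of one signature check.
SIG_KEYWORDS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def status_records(lines):
    """Return (keyword, args) for every line in GnuPG status format."""
    records = []
    for line in lines:
        if line.startswith(STATUS_PREFIX):
            keyword, _, rest = line[len(STATUS_PREFIX):].partition(" ")
            records.append((keyword, rest.split()))
    return records

def shares_descriptor(lines):
    """True when status lines and 'gpg:' diagnostics arrive on one stream,
    the "--status-fd 2" layout in which diagnostics can imitate status."""
    has_status = any(l.startswith(STATUS_PREFIX) for l in lines)
    has_diag = any(l.startswith("gpg:") for l in lines)
    return has_status and has_diag

def trusted_signer(lines):
    """Return the VALIDSIG fingerprint, or None if the capture is ambiguous."""
    if shares_descriptor(lines):
        return None  # cannot separate real status from injected text
    records = status_records(lines)
    results = [k for k, _ in records if k in SIG_KEYWORDS]
    valid = [a for k, a in records if k == "VALIDSIG"]
    # Exactly one signature result, and it must be GOODSIG with one VALIDSIG.
    if results != ["GOODSIG"] or len(valid) != 1 or not valid[0]:
        return None
    return valid[0][0]

# Constructed sample data (not real keys or real GnuPG output).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>"
VALID = "[GNUPG:] VALIDSIG " + FPR + " 2018-06-01 1527811200 0 4 0 1 8 00 " + FPR

# Status read from its own descriptor: one signature, accepted.
DEDICATED = ["[GNUPG:] NEWSIG", GOOD, VALID, "[GNUPG:] TRUST_ULTIMATE 0 pgp"]

# Status and diagnostics on one stream: a filename diagnostic containing
# line feeds is followed by lines that look like status records.
MIXED = ["gpg: original file name=''", GOOD, VALID, "'"]

# Two signature results in one message: refused rather than guessed at.
TWO_SIGS = ["[GNUPG:] NEWSIG", GOOD, VALID,
            "[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 89ABCDEF01234567 Other <other@example.invalid>"]

if __name__ == "__main__":
    for name, capture in (("dedicated", DEDICATED), ("mixed", MIXED), ("two sigs", TWO_SIGS)):
        print(name, "->", trusted_signer(capture))
```

The check only limits what a consumer will accept; the packages in this update carry the actual fixes.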
It finally built for Mageia 5. Yay! Thanks Nicolas! Is it possible to fix Firefox? Advisory to come later. Updated packages in core/updates_testing: ======================== libnspr4-4.19-1.mga5 libnspr-devel-4.19-1.mga5 rootcerts-20180411.00-1.mga5 rootcerts-java-20180411.00-1.mga5 nss-3.28.6-1.4.mga5 nss-doc-3.28.6-1.4.mga5 libnss3-3.28.6-1.4.mga5 libnss-devel-3.28.6-1.4.mga5 libnss-static-devel-3.28.6-1.4.mga5 thunderbird-52.9.0-1.mga5 thunderbird-ar-52.9.0-1.mga5 thunderbird-ast-52.9.0-1.mga5 thunderbird-be-52.9.0-1.mga5 thunderbird-bg-52.9.0-1.mga5 thunderbird-bn_BD-52.9.0-1.mga5 thunderbird-br-52.9.0-1.mga5 thunderbird-ca-52.9.0-1.mga5 thunderbird-cs-52.9.0-1.mga5 thunderbird-cy-52.9.0-1.mga5 thunderbird-da-52.9.0-1.mga5 thunderbird-de-52.9.0-1.mga5 thunderbird-el-52.9.0-1.mga5 thunderbird-en_GB-52.9.0-1.mga5 thunderbird-en_US-52.9.0-1.mga5 thunderbird-es_AR-52.9.0-1.mga5 thunderbird-es_ES-52.9.0-1.mga5 thunderbird-et-52.9.0-1.mga5 thunderbird-eu-52.9.0-1.mga5 thunderbird-fi-52.9.0-1.mga5 thunderbird-fr-52.9.0-1.mga5 thunderbird-fy_NL-52.9.0-1.mga5 thunderbird-ga_IE-52.9.0-1.mga5 thunderbird-gd-52.9.0-1.mga5 thunderbird-gl-52.9.0-1.mga5 thunderbird-he-52.9.0-1.mga5 thunderbird-hr-52.9.0-1.mga5 thunderbird-hsb-52.9.0-1.mga5 thunderbird-hu-52.9.0-1.mga5 thunderbird-hy_AM-52.9.0-1.mga5 thunderbird-id-52.9.0-1.mga5 thunderbird-is-52.9.0-1.mga5 thunderbird-it-52.9.0-1.mga5 thunderbird-ja-52.9.0-1.mga5 thunderbird-ko-52.9.0-1.mga5 thunderbird-lt-52.9.0-1.mga5 thunderbird-nb_NO-52.9.0-1.mga5 thunderbird-nl-52.9.0-1.mga5 thunderbird-nn_NO-52.9.0-1.mga5 thunderbird-pa_IN-52.9.0-1.mga5 thunderbird-pl-52.9.0-1.mga5 thunderbird-pt_BR-52.9.0-1.mga5 thunderbird-pt_PT-52.9.0-1.mga5 thunderbird-ro-52.9.0-1.mga5 thunderbird-ru-52.9.0-1.mga5 thunderbird-si-52.9.0-1.mga5 thunderbird-sk-52.9.0-1.mga5 thunderbird-sl-52.9.0-1.mga5 thunderbird-sq-52.9.0-1.mga5 thunderbird-sv_SE-52.9.0-1.mga5 thunderbird-ta_LK-52.9.0-1.mga5 thunderbird-tr-52.9.0-1.mga5 thunderbird-uk-52.9.0-1.mga5 
thunderbird-vi-52.9.0-1.mga5 thunderbird-zh_CN-52.9.0-1.mga5 thunderbird-zh_TW-52.9.0-1.mga5 thunderbird-52.9.0-1.mga6 thunderbird-enigmail-52.9.0-1.mga6 thunderbird-ar-52.9.0-1.mga6 thunderbird-ast-52.9.0-1.mga6 thunderbird-be-52.9.0-1.mga6 thunderbird-bg-52.9.0-1.mga6 thunderbird-bn_BD-52.9.0-1.mga6 thunderbird-br-52.9.0-1.mga6 thunderbird-ca-52.9.0-1.mga6 thunderbird-cs-52.9.0-1.mga6 thunderbird-cy-52.9.0-1.mga6 thunderbird-da-52.9.0-1.mga6 thunderbird-de-52.9.0-1.mga6 thunderbird-el-52.9.0-1.mga6 thunderbird-en_GB-52.9.0-1.mga6 thunderbird-en_US-52.9.0-1.mga6 thunderbird-es_AR-52.9.0-1.mga6 thunderbird-es_ES-52.9.0-1.mga6 thunderbird-et-52.9.0-1.mga6 thunderbird-eu-52.9.0-1.mga6 thunderbird-fi-52.9.0-1.mga6 thunderbird-fr-52.9.0-1.mga6 thunderbird-fy_NL-52.9.0-1.mga6 thunderbird-ga_IE-52.9.0-1.mga6 thunderbird-gd-52.9.0-1.mga6 thunderbird-gl-52.9.0-1.mga6 thunderbird-he-52.9.0-1.mga6 thunderbird-hr-52.9.0-1.mga6 thunderbird-hsb-52.9.0-1.mga6 thunderbird-hu-52.9.0-1.mga6 thunderbird-hy_AM-52.9.0-1.mga6 thunderbird-id-52.9.0-1.mga6 thunderbird-is-52.9.0-1.mga6 thunderbird-it-52.9.0-1.mga6 thunderbird-ja-52.9.0-1.mga6 thunderbird-ko-52.9.0-1.mga6 thunderbird-lt-52.9.0-1.mga6 thunderbird-nb_NO-52.9.0-1.mga6 thunderbird-nl-52.9.0-1.mga6 thunderbird-nn_NO-52.9.0-1.mga6 thunderbird-pa_IN-52.9.0-1.mga6 thunderbird-pl-52.9.0-1.mga6 thunderbird-pt_BR-52.9.0-1.mga6 thunderbird-pt_PT-52.9.0-1.mga6 thunderbird-ro-52.9.0-1.mga6 thunderbird-ru-52.9.0-1.mga6 thunderbird-si-52.9.0-1.mga6 thunderbird-sk-52.9.0-1.mga6 thunderbird-sl-52.9.0-1.mga6 thunderbird-sq-52.9.0-1.mga6 thunderbird-sv_SE-52.9.0-1.mga6 thunderbird-ta_LK-52.9.0-1.mga6 thunderbird-tr-52.9.0-1.mga6 thunderbird-uk-52.9.0-1.mga6 thunderbird-vi-52.9.0-1.mga6 thunderbird-zh_CN-52.9.0-1.mga6 thunderbird-zh_TW-52.9.0-1.mga6 from SRPMS: nspr-4.19-1.mga5.src.rpm rootcerts-20180411.00-1.mga5.src.rpm nss-3.28.6-1.4.mga5.src.rpm thunderbird-52.9.0-1.mga5.src.rpm thunderbird-l10n-52.9.0-1.mga5.src.rpm 
thunderbird-52.9.0-1.mga6.src.rpm thunderbird-l10n-52.9.0-1.mga6.src.rpm
Status: ASSIGNED => NEW
CC: (none) => doktor5000
Ahh mid-air collision. Nicolas's advisory works. Thanks :o)
Mageia 6, x86_64 Updated the thunderbird packages for language en_GB and reloaded thunderbird. Working as expected. Filed messages in folders, received new mail, deleted entries, images display, followed links to browser. It looks fine. Calendar retained previous entries. Added a new weekly entry for QA IRC meeting with an alert 30 minutes before. Enigmail not in use for historical reasons but tried generating a new key pair. That failed. It was impossible to read the logs in enigmail console because of low contrast between black background and the dark grey text but the suspicion is that the problem might be related to gnome-keyring as in the past. If enigmail is left out of the equation thunderbird is working perfectly.
CC: (none) => tarazed25
Mageia 5, x86_64 Upgraded nss packages, rootcerts and thunderbird. IMAP connection to googlemail.com OK. Normal functions working OK, address books, tabs, internal filing, calendar, web links. Enigmail complains that gnome-keyring is not a standard tool for handling passphrases. Not possible to set or clear. Tried keypair generation without a passphrase, stored a revocation certificate and configured enigmail to automatically encrypt sent messages and decrypt incoming mail. Sent a test message to myself and that worked fine. This looks OK for 64-bits.
MGA5-32 Xfce on Dell Latitude D600
No installation issues, overwriting an existing version. Launching from CLI shows initial complaint that the current version of enigmail is not compatible. As I never used it before, I just disregard this, AFAICS it is not part of the update. I was able to send a message from my gmail account to my ISP's account on another machine and get its response back. Addressbook OK. OK for me.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Installed the 64-bit version on my HP 6550b MGA6 Plasma install. Sent and received emails, read newsgroups. I do not use the calendar, so did not check that. I also do not use enigmail. The enigmail issue appears to be an old, ongoing issue that was not meant to be addressed by this update. As such, and because of Len's tests, I am giving this an OK for MGA6-64.
CC: (none) => andrewsfarm
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues. This was a fresh install of Thunderbird. I used its wizard to set up my existing gmail account: works OK. Sending and receiving mail from/to it works OK.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK
Enigmail should be part of the thunderbird srpm IINM

Name : thunderbird-enigmail
Version : 52.8.0
Release : 4.mga6
Group : Networking/Mail
Size : 9052626
Architecture: x86_64
Source RPM : thunderbird-52.8.0-4.mga6.src.rpm

It possibly needs upgrading.
FWIW, please don't push this yet, 52.9.0 contains a bug when users remove attachments from mails, the mails then get damaged. See more details at https://mail.mozilla.org/pipermail/tb-enterprise/2018-July/001409.html

52.9.1 was released yesterday and contains the fix for this: https://www.thunderbird.net/en-US/thunderbird/52.9.1/releasenotes/

@QA: Feel free to assign this to me, I can also take a look at the enigmail upgrade from Bug 23140
Dropping OKs based on comment 11
CC: (none) => tmb
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK => MGA5TOO
Keywords: (none) => feedback
CC: (none) => davidwhodgins
Assignee: qa-bugs => doktor5000
Submitted both thunderbird-52.9.1-1.mga6 and thunderbird-l10n-52.9.1-1.mga6. thunderbird build fails on i586 on the buildsystem with "virtual memory exhausted: Operation not permitted" but I cannot reproduce locally via iurt, builds fine for i586 here. One of the sysadmins would need to take a look for that. BTW, same failure occurs for firefox-52.9.0-1.mga5 and iceape-2.49.3-1.mga5 and also maybe other recent builds.
Assignee: doktor5000 => sysadmin-bugs
thunderbird-52.9.1-1.mga6 built on i586/x86_64
Assignee: sysadmin-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
Keywords: feedback => (none)
MGA6-32 MATE on IBM Thinkpad R50e
Removed 52.9.0 completely including .thunderbird in home. No installation issues. This was a fresh install of Thunderbird. I used its wizard to set up my existing gmail account: works OK. Sending and receiving and forwarding mail with or without attachment from/to it works OK.
Whiteboard: (none) => MGA6-32-OK
Summary: Thunderbird 52.9 => Thunderbird 52.9.1
Blocks: (none) => 23303
Updated my production system (Intel Core 2 Duo, 8GB, Intel graphics, wired Internet, 64-bit Plasma) This system had NOT been updated to Thunderbird 52.9.0. Sent and received POP emails, looked at newsgroups. That's about all I do with Thunderbird. Looks OK here.
on mga6-64

packages installed cleanly:
- thunderbird-52.9.1-1.mga6.x86_64
- thunderbird-en_GB-52.9.1-1.mga6.noarch

email - POP/SMTP - OK
calendar - OK
movemail - OK
not tested - IMAP, enigmail

to the extent tested, OK for mga6-64
CC: (none) => jim
on mga6-32

packages installed cleanly:
- thunderbird-52.9.1-1.mga6.i586
- thunderbird-en_GB-52.9.1-1.mga6.noarch

email - POP/SMTP - OK
calendar - OK
movemail - OK
not tested - IMAP, enigmail

To the extent tested, OK for mga6-32
works on x86_64, tested smtp, nntp, imap
Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
Summary: Thunderbird 52.9.1 => Thunderbird 52.9.1 (mga6)
Advisory uploaded (based on comment 2 + reference in comment 11 + SRPM in comment 14 (assuming same version/rel for -l10n package)).
Also added thunderbird-enigmail from comment 10 with version from comment 14 to advisory.

@packagers: When pushing new versions, please try to be crystal clear about what SRPMs are the latest ones that are being validated, the exact SRPM NEVR is needed for the advisory.
Keywords: (none) => advisory
Enigmail should not be in the SRPM list as it is not separate, it is part of the thunderbird SRPM.
Advisory corrected.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0316.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
RedHat has issued an advisory for this on July 24: https://access.redhat.com/errata/RHSA-2018:2252 Note that we forgot to update Cauldron to 52.9.1.
Version 52.9.1 uploaded for cauldron.