Thunderbird 60.7 has been released today (May 18):
https://ftp.mozilla.org/pub/thunderbird/releases/60.7.0/source/thunderbird-60.7.0.source.tar.xz

As of this posting, it hasn't been announced yet:
https://www.thunderbird.net/en-US/thunderbird/60.7.0/releasenotes/
Security issues detailed here: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/
Severity: normal => critical
Whiteboard: (none) => MGA6TOO
Moreover enigmail 2.0.11 fixes at least one security vulnerability and some other bugs.
https://enigmail.net/index.php/en/download/changelog#enig2.0.11
I see thunderbird 60.0.7 in mga6 testing. Please also make the language rpms.
CC: (none) => fri
Suggested advisory:
========================

The updated packages fix some bugs and security vulnerabilities:

Type confusion with object groups and UnboxedObjects. (CVE-2019-9816)
Stealing of cross-domain images using canvas. (CVE-2019-9817)
Use-after-free in crash generation server. (CVE-2019-9818)
Compartment mismatch with fetch API. (CVE-2019-9819)
Use-after-free of ChromeEventHandler by DocShell. (CVE-2019-9820)
Use-after-free in XMLHttpRequest. (CVE-2019-11691)
Use-after-free removing listeners in the event listener manager. (CVE-2019-11692)
Buffer overflow in WebGL bufferdata on Linux. (CVE-2019-11693)
Use-after-free in png_image_free of libpng library. (CVE-2019-7317)
Cross-origin theft of images with createImageBitmap. (CVE-2019-9797)
Cross-origin theft of images with ImageBitmapRenderingContext. (CVE-2018-18511)
Theft of user history data through drag and drop of hyperlinks to and from bookmarks. (CVE-2019-11698)
Out-of-bounds read in Skia. (CVE-2019-5798)
Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7, and Thunderbird 60.7. (CVE-2019-9800)
Inline-PGP messages that allow an attacker to have Enigmail display a correctly signed or encrypted message info, but display a different unauthenticated text.

References:
https://www.thunderbird.net/en-US/thunderbird/60.7.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/
https://enigmail.net/index.php/en/download/changelog#enig2.0.11
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9800
========================

Updated packages in core/updates_testing:
========================
thunderbird-60.7.0-1.mga6
thunderbird-enigmail-60.7.0-1.mga6
thunderbird-ar-60.7.0-1.mga6
thunderbird-ast-60.7.0-1.mga6
thunderbird-be-60.7.0-1.mga6
thunderbird-bg-60.7.0-1.mga6
thunderbird-br-60.7.0-1.mga6
thunderbird-ca-60.7.0-1.mga6
thunderbird-cs-60.7.0-1.mga6
thunderbird-cy-60.7.0-1.mga6
thunderbird-da-60.7.0-1.mga6
thunderbird-de-60.7.0-1.mga6
thunderbird-el-60.7.0-1.mga6
thunderbird-en_GB-60.7.0-1.mga6
thunderbird-en_US-60.7.0-1.mga6
thunderbird-es_AR-60.7.0-1.mga6
thunderbird-es_ES-60.7.0-1.mga6
thunderbird-et-60.7.0-1.mga6
thunderbird-eu-60.7.0-1.mga6
thunderbird-fi-60.7.0-1.mga6
thunderbird-fr-60.7.0-1.mga6
thunderbird-fy_NL-60.7.0-1.mga6
thunderbird-ga_IE-60.7.0-1.mga6
thunderbird-gd-60.7.0-1.mga6
thunderbird-gl-60.7.0-1.mga6
thunderbird-he-60.7.0-1.mga6
thunderbird-hr-60.7.0-1.mga6
thunderbird-hsb-60.7.0-1.mga6
thunderbird-hu-60.7.0-1.mga6
thunderbird-hy_AM-60.7.0-1.mga6
thunderbird-id-60.7.0-1.mga6
thunderbird-is-60.7.0-1.mga6
thunderbird-it-60.7.0-1.mga6
thunderbird-ja-60.7.0-1.mga6
thunderbird-ko-60.7.0-1.mga6
thunderbird-lt-60.7.0-1.mga6
thunderbird-nb_NO-60.7.0-1.mga6
thunderbird-nl-60.7.0-1.mga6
thunderbird-nn_NO-60.7.0-1.mga6
thunderbird-pl-60.7.0-1.mga6
thunderbird-pt_BR-60.7.0-1.mga6
thunderbird-pt_PT-60.7.0-1.mga6
thunderbird-ro-60.7.0-1.mga6
thunderbird-ru-60.7.0-1.mga6
thunderbird-si-60.7.0-1.mga6
thunderbird-sk-60.7.0-1.mga6
thunderbird-sl-60.7.0-1.mga6
thunderbird-sq-60.7.0-1.mga6
thunderbird-sv_SE-60.7.0-1.mga6
thunderbird-tr-60.7.0-1.mga6
thunderbird-uk-60.7.0-1.mga6
thunderbird-vi-60.7.0-1.mga6
thunderbird-zh_CN-60.7.0-1.mga6
thunderbird-zh_TW-60.7.0-1.mga6

from SRPMS:
thunderbird-60.7.0-1.mga6.src.rpm
thunderbird-l10n-60.7.0-1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
64 bit, Plasma, Swedish, works for me in casual use during the day; email via IMAP and SMTP (not using calendar etc)
Real hardware, nvidia340 graphics, Atheros wifi, 64-bit Plasma system using the desktop kernel. Updated the English versions of Firefox and Thunderbird in one operation. Afterward, no issues noted, but I do not use either the calendar or enigmail.
CC: (none) => andrewsfarm
on mga6-64 kernel-desktop plasma

packages installed cleanly:
- thunderbird-60.7.0-1.mga6.x86_64
- thunderbird-en_GB-60.7.0-1.mga6.noarch

email (POP, SMTP): OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga6-64
CC: (none) => jim
Looks good enough to me. Validating. Suggested advisory in Comment 5.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
RedHat has issued an advisory for this on June 3: https://access.redhat.com/errata/RHSA-2019:1309
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0190.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED