Bug 25103 - Thunderbird 60.8.0
Summary: Thunderbird 60.8.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK mga7-64-ok mga7-32...
Keywords: advisory, validated_update
Depends on: 25102 25105
Blocks:
  Show dependency treegraph
 
Reported: 2019-07-11 11:33 CEST by Nicolas Salguero
Modified: 2019-07-21 20:18 CEST (History)
8 users (show)

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2019-07-11 11:33:21 CEST
Hi,

Thunderbird 60.8 has been released (July 9).

References:
https://www.thunderbird.net/en-US/thunderbird/60.8.0/releasenotes/

Best regards,

Nico.
Nicolas Salguero 2019-07-11 13:17:54 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO
Source RPM: (none) => thunderbird, thunderbird-l10n

Comment 1 Nicolas Salguero 2019-07-12 09:56:07 CEST
Suggested advisory:
========================

The updated packages fix some bugs.

References:
https://www.thunderbird.net/en-US/thunderbird/60.8.0/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-60.8.0-1.mga[67]
thunderbird-enigmail-60.8.0-1.mga[67]
thunderbird-ar-60.8.0-1.mga[67]
thunderbird-ast-60.8.0-1.mga[67]
thunderbird-be-60.8.0-1.mga[67]
thunderbird-bg-60.8.0-1.mga[67]
thunderbird-br-60.8.0-1.mga[67]
thunderbird-ca-60.8.0-1.mga[67]
thunderbird-cs-60.8.0-1.mga[67]
thunderbird-cy-60.8.0-1.mga[67]
thunderbird-da-60.8.0-1.mga[67]
thunderbird-de-60.8.0-1.mga[67]
thunderbird-el-60.8.0-1.mga[67]
thunderbird-en_GB-60.8.0-1.mga[67]
thunderbird-en_US-60.8.0-1.mga[67]
thunderbird-es_AR-60.8.0-1.mga[67]
thunderbird-es_ES-60.8.0-1.mga[67]
thunderbird-et-60.8.0-1.mga[67]
thunderbird-eu-60.8.0-1.mga[67]
thunderbird-fi-60.8.0-1.mga[67]
thunderbird-fr-60.8.0-1.mga[67]
thunderbird-fy_NL-60.8.0-1.mga[67]
thunderbird-ga_IE-60.8.0-1.mga[67]
thunderbird-gd-60.8.0-1.mga[67]
thunderbird-gl-60.8.0-1.mga[67]
thunderbird-he-60.8.0-1.mga[67]
thunderbird-hr-60.8.0-1.mga[67]
thunderbird-hsb-60.8.0-1.mga[67]
thunderbird-hu-60.8.0-1.mga[67]
thunderbird-hy_AM-60.8.0-1.mga[67]
thunderbird-id-60.8.0-1.mga[67]
thunderbird-is-60.8.0-1.mga[67]
thunderbird-it-60.8.0-1.mga[67]
thunderbird-ja-60.8.0-1.mga[67]
thunderbird-ko-60.8.0-1.mga[67]
thunderbird-lt-60.8.0-1.mga[67]
thunderbird-nb_NO-60.8.0-1.mga[67]
thunderbird-nl-60.8.0-1.mga[67]
thunderbird-nn_NO-60.8.0-1.mga[67]
thunderbird-pl-60.8.0-1.mga[67]
thunderbird-pt_BR-60.8.0-1.mga[67]
thunderbird-pt_PT-60.8.0-1.mga[67]
thunderbird-ro-60.8.0-1.mga[67]
thunderbird-ru-60.8.0-1.mga[67]
thunderbird-si-60.8.0-1.mga[67]
thunderbird-sk-60.8.0-1.mga[67]
thunderbird-sl-60.8.0-1.mga[67]
thunderbird-sq-60.8.0-1.mga[67]
thunderbird-sv_SE-60.8.0-1.mga[67]
thunderbird-tr-60.8.0-1.mga[67]
thunderbird-uk-60.8.0-1.mga[67]
thunderbird-vi-60.8.0-1.mga[67]
thunderbird-zh_CN-60.8.0-1.mga[67]
thunderbird-zh_TW-60.8.0-1.mga[67]

from SRPMS:
thunderbird-60.8.0-1.mga[67].src.rpm
thunderbird-l10n-60.8.0-1.mga[67].src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 7
Assignee: bugsquad => qa-bugs
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO

Comment 2 James Kerr 2019-07-12 13:05:26 CEST
on mga6-64  plasma

packages installed cleanly:

- thunderbird-60.8.0-1.mga6.x86_64
- thunderbird-en_GB-60.8.0-1.mga6.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga6-64

CC: (none) => jim

Comment 3 Nicolas Salguero 2019-07-12 13:15:29 CEST
My bad! I forgot to mention that enigmail was updated to 2.0.12 as well.

Suggested advisory:
========================

The updated packages fix some bugs.

Enigmail 2.0.12 sets the default keyserver to keys.openpgp.org in order to mitigate the SKS Keyserver Network Attack.

References:
https://www.thunderbird.net/en-US/thunderbird/60.8.0/releasenotes/
https://enigmail.net/index.php/en/download/changelog#enig2.0.12
Comment 4 James Kerr 2019-07-13 11:03:51 CEST
This update should be released after or at the same time as the firefox update, bug#25102, since it requires the nss update in that bug.

Depends on: (none) => 25102

Comment 5 James Kerr 2019-07-13 12:02:54 CEST
On mga7-64

Sorry, the following packages cannot be selected:

- thunderbird-60.8.0-1.mga7.x86_64 (due to unsatisfied lib64nss3[>= 2:3.45.0])
- thunderbird-en_GB-60.8.0-1.mga7.noarch (due to unsatisfied thunderbird[== 0:60.8.0])
James Kerr 2019-07-13 12:24:59 CEST

Keywords: (none) => feedback

Comment 6 Nicolas Salguero 2019-07-13 13:20:19 CEST
This update should be released after or at the same time as the firefox update, bug#25105, since it requires the nss update in that bug.

Depends on: (none) => 25105
Keywords: feedback => (none)

Comment 7 Thomas Backlund 2019-07-13 13:27:32 CEST
Has anyone checked that lightning translations are updated to match and work ?
(

See bug: https://bugs.mageia.org/show_bug.cgi?id=25068

CC: (none) => tmb

Comment 8 David Walser 2019-07-13 20:27:08 CEST
Please add security info the advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/

QA Contact: (none) => security
Component: RPM Packages => Security
Severity: normal => critical

Comment 9 Morgan Leijström 2019-07-14 06:20:25 CEST
mga6-64, plasma: Thunderbird working without regressions for me. Using many thousands mail and several accounts over offline IMAP, and SMTP.

Re c#7 it is still not translated for me, swedish.
I do not use calender nor enigmail, but checked the menues and dialogs.

CC: (none) => fri

Comment 10 David Walser 2019-07-15 19:13:20 CEST
RedHat has issued an advisory for this today (July 15):
https://access.redhat.com/errata/RHSA-2019:1775
Comment 11 Nicolas Salguero 2019-07-18 10:17:54 CEST
I added a new version of the script script get-calendar-langpacks.sh and launched a new build to try to solve bug 25068 too.

The main problem is that, in my test VMs, calendar is translated (into French, in my case) so I do not see any reason why, in many cases, it is not.  Maybe the problem, in my tests, is that the profiles are too new to exhibit the issue.
Comment 12 Nicolas Salguero 2019-07-18 10:18:12 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Sandbox escape via installation of malicious language pack. (CVE-2019-9811)

Script injection within domain through inner window reuse. (CVE-2019-11711)

Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects. (CVE-2019-11712)

Use-after-free with HTTP/2 cached stream. (CVE-2019-11713)

Empty or malformed p256-ECDH public keys may trigger a segmentation fault. (CVE-2019-11729)

HTML parsing error can contribute to content XSS. (CVE-2019-11715)

Caret character improperly escaped in origins. (CVE-2019-11717)

Out-of-bounds read when importing curve25519 private key. (CVE-2019-11719)

Same-origin policy treats all files in a directory as having the same-origin. (CVE-2019-11730)

Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8 and Thunderbird 60.8. (CVE-2019-11709)

Enigmail 2.0.12 sets the default keyserver to keys.openpgp.org in order to mitigate the SKS Keyserver Network Attack.

References:
https://www.thunderbird.net/en-US/thunderbird/60.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/
https://enigmail.net/index.php/en/download/changelog#enig2.0.12
https://access.redhat.com/errata/RHSA-2019:1775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11717
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11709
========================

Updated packages in core/updates_testing:
========================
thunderbird-60.8.0-1.1.mga[67]
thunderbird-enigmail-60.8.0-1.1.mga[67]
thunderbird-ar-60.8.0-1.mga[67]
thunderbird-ast-60.8.0-1.mga[67]
thunderbird-be-60.8.0-1.mga[67]
thunderbird-bg-60.8.0-1.mga[67]
thunderbird-br-60.8.0-1.mga[67]
thunderbird-ca-60.8.0-1.mga[67]
thunderbird-cs-60.8.0-1.mga[67]
thunderbird-cy-60.8.0-1.mga[67]
thunderbird-da-60.8.0-1.mga[67]
thunderbird-de-60.8.0-1.mga[67]
thunderbird-el-60.8.0-1.mga[67]
thunderbird-en_GB-60.8.0-1.mga[67]
thunderbird-en_US-60.8.0-1.mga[67]
thunderbird-es_AR-60.8.0-1.mga[67]
thunderbird-es_ES-60.8.0-1.mga[67]
thunderbird-et-60.8.0-1.mga[67]
thunderbird-eu-60.8.0-1.mga[67]
thunderbird-fi-60.8.0-1.mga[67]
thunderbird-fr-60.8.0-1.mga[67]
thunderbird-fy_NL-60.8.0-1.mga[67]
thunderbird-ga_IE-60.8.0-1.mga[67]
thunderbird-gd-60.8.0-1.mga[67]
thunderbird-gl-60.8.0-1.mga[67]
thunderbird-he-60.8.0-1.mga[67]
thunderbird-hr-60.8.0-1.mga[67]
thunderbird-hsb-60.8.0-1.mga[67]
thunderbird-hu-60.8.0-1.mga[67]
thunderbird-hy_AM-60.8.0-1.mga[67]
thunderbird-id-60.8.0-1.mga[67]
thunderbird-is-60.8.0-1.mga[67]
thunderbird-it-60.8.0-1.mga[67]
thunderbird-ja-60.8.0-1.mga[67]
thunderbird-ko-60.8.0-1.mga[67]
thunderbird-lt-60.8.0-1.mga[67]
thunderbird-nb_NO-60.8.0-1.mga[67]
thunderbird-nl-60.8.0-1.mga[67]
thunderbird-nn_NO-60.8.0-1.mga[67]
thunderbird-pl-60.8.0-1.mga[67]
thunderbird-pt_BR-60.8.0-1.mga[67]
thunderbird-pt_PT-60.8.0-1.mga[67]
thunderbird-ro-60.8.0-1.mga[67]
thunderbird-ru-60.8.0-1.mga[67]
thunderbird-si-60.8.0-1.mga[67]
thunderbird-sk-60.8.0-1.mga[67]
thunderbird-sl-60.8.0-1.mga[67]
thunderbird-sq-60.8.0-1.mga[67]
thunderbird-sv_SE-60.8.0-1.mga[67]
thunderbird-tr-60.8.0-1.mga[67]
thunderbird-uk-60.8.0-1.mga[67]
thunderbird-vi-60.8.0-1.mga[67]
thunderbird-zh_CN-60.8.0-1.mga[67]
thunderbird-zh_TW-60.8.0-1.mga[67]

from SRPMS:
thunderbird-60.8.0-1.1.mga[67].src.rpm
thunderbird-l10n-60.8.0-1.mga[67].src.rpm
Comment 13 Bill Wilkinson 2019-07-18 18:19:17 CEST
Tested MGA7-64

Send/receive/move/Delete under SMTP/IMAP OK
Changing google calendar through lightning/google calendar provider OK

Whiteboard: MGA6TOO => MGA6TOO mga7-64-ok
CC: (none) => wrw105

Comment 14 Len Lawrence 2019-07-18 21:01:52 CEST
mga6, x86_64

Updated fine.  All regular operations working fine with POP3/SMTP.
Calendar data remembered.  Reminder of QA meeting popped up on time.

Good for 64bits.

Whiteboard: MGA6TOO mga7-64-ok => MGA6-64-OK mga7-64-ok
CC: (none) => tarazed25

Bill Wilkinson 2019-07-19 15:37:24 CEST

Whiteboard: MGA6-64-OK mga7-64-ok => mga6too MGA6-64-OK mga7-64-ok

Comment 15 James Kerr 2019-07-20 17:02:20 CEST
On mga7-64  kernel-desktop  plasma

packages installed cleanly:
- thunderbird-60.8.0-1.1.mga7.x86_64
- thunderbird-en_GB-60.8.0-1.mga7.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga7-64

should be tested by someone using a non-English version (see comment#11)
James Kerr 2019-07-20 17:48:54 CEST

Whiteboard: mga6too MGA6-64-OK mga7-64-ok => MGA6TOO MGA6-64-OK mga7-64-ok

Comment 16 Bill Wilkinson 2019-07-21 00:52:00 CEST
Tested mga7-32

send/receive/move/delete under imap/SMTP all ok.
Calendar behaves properly with google calendar provider.

Whiteboard: MGA6TOO MGA6-64-OK mga7-64-ok => MGA6TOO MGA6-64-OK mga7-64-ok mga7-32-ok

Dave Hodgins 2019-07-21 03:46:06 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 17 nathan giovannini 2019-07-21 19:50:17 CEST
I also confirm that it works correctly on a 32-bit version.

Whiteboard: MGA6TOO MGA6-64-OK mga7-64-ok mga7-32-ok => MGA6TOO MGA6-64-OK mga7-64-ok mga7-32-ok MGA6-32-OK
CC: (none) => nathan95

Comment 18 Mageia Robot 2019-07-21 20:18:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0212.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.