Bug 25396 - New update of Thunderbird to version 68
Summary: New update of Thunderbird to version 68
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal; Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on: 25359
Blocks: 25415
 
Reported: 2019-09-02 09:35 CEST by Jose Manuel López Díaz
Modified: 2019-09-12 21:11 CEST

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Description Jose Manuel López Díaz 2019-09-02 09:35:14 CEST
Description of problem: Mozilla Thunderbird new version 68.0


Version-Release number of selected component (if applicable): Mageia 7


How reproducible: Update to Thunderbird 68


Steps to Reproduce:
1.
2.
3.
Comment 1 Jose Manuel López Díaz 2019-09-02 09:47:29 CEST
I've tried the official package on my computer with Mageia 7 x64 and it works perfectly.

Can someone confirm that it works in other desktop environments and on x86 and x64 systems, so it can be uploaded to the update repositories?

Greetings.
Comment 2 Marja Van Waes 2019-09-04 11:05:39 CEST
We'll have version 68.1.0, see bug 25359

*** This bug has been marked as a duplicate of bug 25359 ***

CC: (none) => marja11
Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE

Comment 3 Jose Manuel López Díaz 2019-09-04 11:15:15 CEST
No, no, no, this is a new version of Mozilla Thunderbird, the email client.

The bug that you mention is for Mozilla Firefox.

Greetings!!

Status: RESOLVED => REOPENED
Resolution: DUPLICATE => (none)

Comment 4 Marja Van Waes 2019-09-04 14:46:19 CEST
(In reply to Jose Manuel López Díaz from comment #3)
> No, no, no, this is a new version of Mozilla Thunderbird, the email client.
> 
> The bug that you mention is for Mozilla Firefox.
> 
> Greetings!!

Oops, sorry


@ ns80 and luigi12

Does it fix security issues? I'm not awake enough to spot them
https://www.thunderbird.net/en-US/thunderbird/68.0/releasenotes/

If not, is it allowed to push this update to stable, anyway?

CC: (none) => luigiwalser, nicolas.salguero

Comment 5 Nicolas Salguero 2019-09-04 14:54:58 CEST
It does not seem to fix security issues.

Currently, it fails to build for Cauldron (i586) and I am trying to see if that build failure also occurs for Mageia 7.
Comment 6 Thomas Backlund 2019-09-04 15:40:08 CEST
(In reply to Marja Van Waes from comment #4)

 
> Does it fix security issues? I'm not awake enough to spot them
> https://www.thunderbird.net/en-US/thunderbird/68.0/releasenotes/
> 
> If not, is it allowed to push this update to stable, anyway?


It is allowed.

It basically follows the esr branch of firefox on all the code they share.

CC: (none) => tmb

Comment 7 Marja Van Waes 2019-09-04 16:43:28 CEST
(In reply to Thomas Backlund from comment #6)
> (In reply to Marja Van Waes from comment #4)

> > 
> > If not, is it allowed to push this update to stable, anyway?
> 
> 
> It is allowed.
> 
> It basically follows the esr branch of firefox on all the code they share.

Thanks, tmb, so it can be assigned to someone :-)

Thanks, ns80, for already working on this. Assigning to you then, also because you're currently the de facto maintainer. CC'ing the registered maintainer.

Assignee: bugsquad => nicolas.salguero
CC: (none) => doktor5000

Nicolas Salguero 2019-09-06 08:37:01 CEST

Depends on: (none) => 25359

Comment 8 Nicolas Salguero 2019-09-06 08:46:50 CEST
Suggested advisory:
========================

The updated packages provide the new stable version of Thunderbird and update enigmail to version 2.1.2.

References:
https://www.thunderbird.net/en-US/thunderbird/68.0/releasenotes/
https://enigmail.net/index.php/en/download/changelog#enig2.1.2
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.0-1.mga7
thunderbird-enigmail-68.0-1.mga7
thunderbird-ar-68.0-1.mga7
thunderbird-ast-68.0-1.mga7
thunderbird-be-68.0-1.mga7
thunderbird-bg-68.0-1.mga7
thunderbird-br-68.0-1.mga7
thunderbird-ca-68.0-1.mga7
thunderbird-cs-68.0-1.mga7
thunderbird-cy-68.0-1.mga7
thunderbird-da-68.0-1.mga7
thunderbird-de-68.0-1.mga7
thunderbird-el-68.0-1.mga7
thunderbird-en_GB-68.0-1.mga7
thunderbird-en_US-68.0-1.mga7
thunderbird-es_AR-68.0-1.mga7
thunderbird-es_ES-68.0-1.mga7
thunderbird-et-68.0-1.mga7
thunderbird-eu-68.0-1.mga7
thunderbird-fi-68.0-1.mga7
thunderbird-fr-68.0-1.mga7
thunderbird-fy_NL-68.0-1.mga7
thunderbird-ga_IE-68.0-1.mga7
thunderbird-gd-68.0-1.mga7
thunderbird-gl-68.0-1.mga7
thunderbird-he-68.0-1.mga7
thunderbird-hr-68.0-1.mga7
thunderbird-hsb-68.0-1.mga7
thunderbird-hu-68.0-1.mga7
thunderbird-hy_AM-68.0-1.mga7
thunderbird-id-68.0-1.mga7
thunderbird-is-68.0-1.mga7
thunderbird-it-68.0-1.mga7
thunderbird-ja-68.0-1.mga7
thunderbird-ko-68.0-1.mga7
thunderbird-lt-68.0-1.mga7
thunderbird-nb_NO-68.0-1.mga7
thunderbird-nl-68.0-1.mga7
thunderbird-nn_NO-68.0-1.mga7
thunderbird-pl-68.0-1.mga7
thunderbird-pt_BR-68.0-1.mga7
thunderbird-pt_PT-68.0-1.mga7
thunderbird-ro-68.0-1.mga7
thunderbird-ru-68.0-1.mga7
thunderbird-si-68.0-1.mga7
thunderbird-sk-68.0-1.mga7
thunderbird-sl-68.0-1.mga7
thunderbird-sq-68.0-1.mga7
thunderbird-sv_SE-68.0-1.mga7
thunderbird-tr-68.0-1.mga7
thunderbird-uk-68.0-1.mga7
thunderbird-vi-68.0-1.mga7
thunderbird-zh_CN-68.0-1.mga7
thunderbird-zh_TW-68.0-1.mga7

from SRPMS:
thunderbird-68.0-1.mga7.src.rpm
thunderbird-l10n-68.0-1.mga7.src.rpm

Source RPM: Thunderbird => thunderbird, thunderbird-l10n
Assignee: nicolas.salguero => qa-bugs
Status: REOPENED => ASSIGNED

Comment 9 Jose Manuel López Díaz 2019-09-06 10:19:17 CEST
Hi,

I've tried the new version from the testing repositories and it works perfectly in Mageia 7 x64.

I can send and receive emails, and program some tasks and calendar events.

Thanks and greetings!!
Comment 10 Nicolas Salguero 2019-09-06 11:16:44 CEST
Hi,

This version does not take into account system dictionaries because it lacks a preference: "spellchecker.dictionary_path" must be set to "/usr/share/myspell" (as it is in firefox).

I will push a new version.

Best regards,

Nico.

Assignee: qa-bugs => nicolas.salguero

Comment 11 Jose Manuel López Díaz 2019-09-06 12:50:32 CEST
I verified that when attaching the archive from the desktop with the "Share for email" option from the Plasma desktop menu, Thunderbird does not attach the archive correctly and a clip icon appears without the archive.

Greetings!!
Comment 12 Nicolas Salguero 2019-09-11 09:12:49 CEST
(In reply to Jose Manuel López Díaz from comment #11)
> I verified that when attaching the archive from the desktop with the
> "Share for email" option from the Plasma desktop menu, Thunderbird does not
> attach the archive correctly and a clip icon appears without the archive.

That problem is fixed with thunderbird-68.0-1.3.mga7
Comment 13 Nicolas Salguero 2019-09-11 09:13:25 CEST
Suggested advisory:
========================

The updated packages provide the new stable version of Thunderbird and update enigmail to version 2.1.2.

References:
https://www.thunderbird.net/en-US/thunderbird/68.0/releasenotes/
https://enigmail.net/index.php/en/download/changelog#enig2.1.2
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.0-1.3.mga7
thunderbird-enigmail-68.0-1.3.mga7
thunderbird-ar-68.0-1.mga7
thunderbird-ast-68.0-1.mga7
thunderbird-be-68.0-1.mga7
thunderbird-bg-68.0-1.mga7
thunderbird-br-68.0-1.mga7
thunderbird-ca-68.0-1.mga7
thunderbird-cs-68.0-1.mga7
thunderbird-cy-68.0-1.mga7
thunderbird-da-68.0-1.mga7
thunderbird-de-68.0-1.mga7
thunderbird-el-68.0-1.mga7
thunderbird-en_GB-68.0-1.mga7
thunderbird-en_US-68.0-1.mga7
thunderbird-es_AR-68.0-1.mga7
thunderbird-es_ES-68.0-1.mga7
thunderbird-et-68.0-1.mga7
thunderbird-eu-68.0-1.mga7
thunderbird-fi-68.0-1.mga7
thunderbird-fr-68.0-1.mga7
thunderbird-fy_NL-68.0-1.mga7
thunderbird-ga_IE-68.0-1.mga7
thunderbird-gd-68.0-1.mga7
thunderbird-gl-68.0-1.mga7
thunderbird-he-68.0-1.mga7
thunderbird-hr-68.0-1.mga7
thunderbird-hsb-68.0-1.mga7
thunderbird-hu-68.0-1.mga7
thunderbird-hy_AM-68.0-1.mga7
thunderbird-id-68.0-1.mga7
thunderbird-is-68.0-1.mga7
thunderbird-it-68.0-1.mga7
thunderbird-ja-68.0-1.mga7
thunderbird-ko-68.0-1.mga7
thunderbird-lt-68.0-1.mga7
thunderbird-nb_NO-68.0-1.mga7
thunderbird-nl-68.0-1.mga7
thunderbird-nn_NO-68.0-1.mga7
thunderbird-pl-68.0-1.mga7
thunderbird-pt_BR-68.0-1.mga7
thunderbird-pt_PT-68.0-1.mga7
thunderbird-ro-68.0-1.mga7
thunderbird-ru-68.0-1.mga7
thunderbird-si-68.0-1.mga7
thunderbird-sk-68.0-1.mga7
thunderbird-sl-68.0-1.mga7
thunderbird-sq-68.0-1.mga7
thunderbird-sv_SE-68.0-1.mga7
thunderbird-tr-68.0-1.mga7
thunderbird-uk-68.0-1.mga7
thunderbird-vi-68.0-1.mga7
thunderbird-zh_CN-68.0-1.mga7
thunderbird-zh_TW-68.0-1.mga7

from SRPMS:
thunderbird-68.0-1.3.mga7.src.rpm
thunderbird-l10n-68.0-1.mga7.src.rpm

Blocks: (none) => 25415
Assignee: nicolas.salguero => qa-bugs

Comment 14 Nicolas Salguero 2019-09-11 09:27:55 CEST
Suggested advisory:
========================

The updated packages update enigmail to version 2.1.2 and provide the new stable version of Thunderbird, which fixes some security issues:

Script injection within domain through inner window reuse. (CVE-2019-11711)

Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects. (CVE-2019-11712)

Use-after-free with HTTP/2 cached stream. (CVE-2019-11713)

NeckoChild can trigger crash when accessed off of main thread. (CVE-2019-11714)

Empty or malformed p256-ECDH public keys may trigger a segmentation fault. (CVE-2019-11729)

HTML parsing error can contribute to content XSS. (CVE-2019-11715)

globalThis not enumerable until accessed. (CVE-2019-11716)

Caret character improperly escaped in origins. (CVE-2019-11717)

Out-of-bounds read when importing curve25519 private key. (CVE-2019-11719)

Character encoding XSS vulnerability. (CVE-2019-11720)

Domain spoofing through unicode latin 'kra' character. (CVE-2019-11721)

Same-origin policy treats all files in a directory as having the same-origin. (CVE-2019-11730)

Cookie leakage during add-on fetching across private browsing boundaries. (CVE-2019-11723)

Retired site input.mozilla.org has remote troubleshooting permissions. (CVE-2019-11724)

Websocket resources bypass safebrowsing protections. (CVE-2019-11725)

PKCS#1 v1.5 signatures can be used for TLS 1.3. (CVE-2019-11727)

Port scanning through Alt-Svc header. (CVE-2019-11728)

Memory safety bugs fixed in Firefox 68 and Thunderbird 68. (CVE-2019-11710)

Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and Thunderbird 68. (CVE-2019-11709)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11714
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11716
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11717
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11721
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11710
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11709
https://www.thunderbird.net/en-US/thunderbird/68.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-28/
https://enigmail.net/index.php/en/download/changelog#enig2.1.2
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.0-1.3.mga7
thunderbird-enigmail-68.0-1.3.mga7
thunderbird-ar-68.0-1.mga7
thunderbird-ast-68.0-1.mga7
thunderbird-be-68.0-1.mga7
thunderbird-bg-68.0-1.mga7
thunderbird-br-68.0-1.mga7
thunderbird-ca-68.0-1.mga7
thunderbird-cs-68.0-1.mga7
thunderbird-cy-68.0-1.mga7
thunderbird-da-68.0-1.mga7
thunderbird-de-68.0-1.mga7
thunderbird-el-68.0-1.mga7
thunderbird-en_GB-68.0-1.mga7
thunderbird-en_US-68.0-1.mga7
thunderbird-es_AR-68.0-1.mga7
thunderbird-es_ES-68.0-1.mga7
thunderbird-et-68.0-1.mga7
thunderbird-eu-68.0-1.mga7
thunderbird-fi-68.0-1.mga7
thunderbird-fr-68.0-1.mga7
thunderbird-fy_NL-68.0-1.mga7
thunderbird-ga_IE-68.0-1.mga7
thunderbird-gd-68.0-1.mga7
thunderbird-gl-68.0-1.mga7
thunderbird-he-68.0-1.mga7
thunderbird-hr-68.0-1.mga7
thunderbird-hsb-68.0-1.mga7
thunderbird-hu-68.0-1.mga7
thunderbird-hy_AM-68.0-1.mga7
thunderbird-id-68.0-1.mga7
thunderbird-is-68.0-1.mga7
thunderbird-it-68.0-1.mga7
thunderbird-ja-68.0-1.mga7
thunderbird-ko-68.0-1.mga7
thunderbird-lt-68.0-1.mga7
thunderbird-nb_NO-68.0-1.mga7
thunderbird-nl-68.0-1.mga7
thunderbird-nn_NO-68.0-1.mga7
thunderbird-pl-68.0-1.mga7
thunderbird-pt_BR-68.0-1.mga7
thunderbird-pt_PT-68.0-1.mga7
thunderbird-ro-68.0-1.mga7
thunderbird-ru-68.0-1.mga7
thunderbird-si-68.0-1.mga7
thunderbird-sk-68.0-1.mga7
thunderbird-sl-68.0-1.mga7
thunderbird-sq-68.0-1.mga7
thunderbird-sv_SE-68.0-1.mga7
thunderbird-tr-68.0-1.mga7
thunderbird-uk-68.0-1.mga7
thunderbird-vi-68.0-1.mga7
thunderbird-zh_CN-68.0-1.mga7
thunderbird-zh_TW-68.0-1.mga7

from SRPMS:
thunderbird-68.0-1.3.mga7.src.rpm
thunderbird-l10n-68.0-1.mga7.src.rpm

Component: RPM Packages => Security
QA Contact: (none) => security
Severity: normal => critical

Comment 15 Jose Manuel López Díaz 2019-09-11 09:35:30 CEST
(In reply to Nicolas Salguero from comment #12)
> (In reply to Jose Manuel López Díaz from comment #11)
> > I verified that when attaching the archive from the desktop with the
> > "Share for email" option from the Plasma desktop menu, Thunderbird does not
> > attach the archive correctly and a clip icon appears without the archive.
> 
> That problem is fixed with thunderbird-68.0-1.3.mga7

Ok, fixed in thunderbird-68.0-1.3.mga7

Greetings!!
Comment 16 Bill Wilkinson 2019-09-11 14:23:14 CEST
Tested MGA7-64

Send/receive, move, delete OK for email. Lightning updated, but doesn't show in Thunderbird. It shows momentarily during the update process, but on restart, the extension shows as installed, but no menu items or calendar as usual, with the 68.0.1.3

CC: (none) => wrw105

Comment 17 Nicolas Salguero 2019-09-11 14:29:44 CEST
When I tried the new version, I got the same issue and I applied the procedure given here: https://support.mozilla.org/en-US/kb/calendar-updates-issues-thunderbird#w_lightning-disappears-after-a-thunderbird-update-release-and-beta-versions to solve the problem.
Comment 18 Bill Wilkinson 2019-09-11 15:01:15 CEST
Thanks, Nicolas!

Following the directions there helped. I'm good with this, but as it's a version update, we should probably have someone who uses Enigmail try it out, so I'll wait on adding the OK to the whiteboard.
Comment 19 David Walser 2019-09-11 15:47:37 CEST
The link in Comment 17 should probably go in the advisory too.
Thomas Backlund 2019-09-12 19:58:21 CEST

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update

Comment 20 Mageia Robot 2019-09-12 21:11:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0272.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

