Bug 25415 - Thunderbird 60.9.0
Summary: Thunderbird 60.9.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on: 25396
Blocks:
Reported: 2019-09-07 13:51 CEST by Nicolas Salguero
Modified: 2019-09-16 20:54 CEST

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Description Nicolas Salguero 2019-09-07 13:51:58 CEST
Hi,

Thunderbird 60.9 has been released (September 6).

References:
https://www.thunderbird.net/en-US/thunderbird/60.9.0/releasenotes/

Best regards,

Nico.
Nicolas Salguero 2019-09-07 13:52:23 CEST

Source RPM: (none) => thunderbird, thunderbird-l10n

Nicolas Salguero 2019-09-07 14:06:09 CEST

Assignee: bugsquad => nicolas.salguero

Comment 1 Morgan Leijström 2019-09-10 00:54:21 CEST
60.9.0-1 mga6 - 64 bit + Swedish working nicely here on Plasma - tested for some hours in production, offline IMAP + SMTP, but not tested Calendar.  This system is fully updated to testing repos.

CC: (none) => fri

Nicolas Salguero 2019-09-11 09:13:25 CEST

Depends on: (none) => 25396

Comment 2 Nicolas Salguero 2019-09-11 09:17:04 CEST
Suggested advisory:
========================

The updated packages fix some bugs and security issues.

References:
https://www.thunderbird.net/en-US/thunderbird/60.9.0/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-60.9.0-1.mga6
thunderbird-enigmail-60.9.0-1.mga6
thunderbird-ar-60.9.0-1.mga6
thunderbird-ast-60.9.0-1.mga6
thunderbird-be-60.9.0-1.mga6
thunderbird-bg-60.9.0-1.mga6
thunderbird-br-60.9.0-1.mga6
thunderbird-ca-60.9.0-1.mga6
thunderbird-cs-60.9.0-1.mga6
thunderbird-cy-60.9.0-1.mga6
thunderbird-da-60.9.0-1.mga6
thunderbird-de-60.9.0-1.mga6
thunderbird-el-60.9.0-1.mga6
thunderbird-en_GB-60.9.0-1.mga6
thunderbird-en_US-60.9.0-1.mga6
thunderbird-es_AR-60.9.0-1.mga6
thunderbird-es_ES-60.9.0-1.mga6
thunderbird-et-60.9.0-1.mga6
thunderbird-eu-60.9.0-1.mga6
thunderbird-fi-60.9.0-1.mga6
thunderbird-fr-60.9.0-1.mga6
thunderbird-fy_NL-60.9.0-1.mga6
thunderbird-ga_IE-60.9.0-1.mga6
thunderbird-gd-60.9.0-1.mga6
thunderbird-gl-60.9.0-1.mga6
thunderbird-he-60.9.0-1.mga6
thunderbird-hr-60.9.0-1.mga6
thunderbird-hsb-60.9.0-1.mga6
thunderbird-hu-60.9.0-1.mga6
thunderbird-hy_AM-60.9.0-1.mga6
thunderbird-id-60.9.0-1.mga6
thunderbird-is-60.9.0-1.mga6
thunderbird-it-60.9.0-1.mga6
thunderbird-ja-60.9.0-1.mga6
thunderbird-ko-60.9.0-1.mga6
thunderbird-lt-60.9.0-1.mga6
thunderbird-nb_NO-60.9.0-1.mga6
thunderbird-nl-60.9.0-1.mga6
thunderbird-nn_NO-60.9.0-1.mga6
thunderbird-pl-60.9.0-1.mga6
thunderbird-pt_BR-60.9.0-1.mga6
thunderbird-pt_PT-60.9.0-1.mga6
thunderbird-ro-60.9.0-1.mga6
thunderbird-ru-60.9.0-1.mga6
thunderbird-si-60.9.0-1.mga6
thunderbird-sk-60.9.0-1.mga6
thunderbird-sl-60.9.0-1.mga6
thunderbird-sq-60.9.0-1.mga6
thunderbird-sv_SE-60.9.0-1.mga6
thunderbird-tr-60.9.0-1.mga6
thunderbird-uk-60.9.0-1.mga6
thunderbird-vi-60.9.0-1.mga6
thunderbird-zh_CN-60.9.0-1.mga6
thunderbird-zh_TW-60.9.0-1.mga6

from SRPMS:
thunderbird-60.9.0-1.mga6.src.rpm
thunderbird-l10n-60.9.0-1.mga6.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

Comment 3 Len Lawrence 2019-09-11 11:42:00 CEST
mga6, x86_64

The new thunderbird works fine here for a gmail account.  Updated in the middle of checking email.  After restart all looked the same but there are many changes under the hood, too many to check.  The calendar/reminder function is working fine and contains the new location option for tasks.

Good for 64bits.

CC: (none) => tarazed25

Comment 4 Bill Wilkinson 2019-09-11 19:57:34 CEST
Tested MGA6-32:

Send/Receive/Move/Delete over IMAP/SMTP all ok.
Calendar OK

CC: (none) => wrw105
Whiteboard: (none) => MGA6-32-OK

Comment 5 Thomas Andrews 2019-09-12 21:29:00 CEST
(In reply to Len Lawrence from comment #3)
> mga6, x86_64
> 
> The new thunderbird works fine here for a gmail account.  Updated in the
> middle of checking email.  After restart all looked the same but there are
> many changes under the hood, too many to check.  The calendar/reminder
> function is working fine and contains the new location option for tasks.
> 
> Good for 64bits.

Thank you, Len. Adding a 64-bit OK based on Morgan's and your tests, and validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 6 Thomas Backlund 2019-09-15 12:37:33 CEST
Better advisory, added to svn:

type: security
subject: Updated thunderbird packages fix security vulnerabilities
CVE:
 - CVE-2019-11739
 - CVE-2019-11740
 - CVE-2019-11742
 - CVE-2019-11743
 - CVE-2019-11744
 - CVE-2019-11752
src:
  6:
   core:
     - thunderbird-60.9.0-1.mga6
     - thunderbird-l10n-60.9.0-1.mga6
description: |
  Updated thunderbird packages fix security vulnerabilities:

  Covert Content Attack on S/MIME encryption using a crafted multipart/
  alternative message (CVE-2019-11739).

  Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox
  ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9 (CVE-2019-11740)

  Same-origin policy violation with SVG filters and canvas to steal
  cross-origin images (CVE-2019-11742)

  Cross-origin access to unload event attributes (CVE-2019-11743)

  XSS by breaking out of title and textarea elements using innerHTML
  (CVE-2019-11744)

  Use-after-free while manipulating video (CVE-2019-11746)

  Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=25415
 - https://www.thunderbird.net/en-US/thunderbird/60.9.0/releasenotes/

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2019-09-15 14:13:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0275.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 8 David Walser 2019-09-16 20:54:22 CEST
RedHat has issued an advisory for this today (September 16):
https://access.redhat.com/errata/RHSA-2019:2774
