Mozilla has released Thunderbird 68.5.0 on February 11: https://www.thunderbird.net/en-US/thunderbird/68.5.0/releasenotes/ It fixes several security issues: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/
Depends on: (none) => 26181
Updated packages uploaded by Nicolas. Advisory to come. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6792 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6793 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6794 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6795 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6798 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6800 https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/ https://www.thunderbird.net/en-US/thunderbird/68.5.0/releasenotes/ ======================== Updated packages in core/updates_testing: ======================== thunderbird-68.5.0-1.mga7 thunderbird-enigmail-68.5.0-1.mga7 thunderbird-ar-68.5.0-1.mga7 thunderbird-ast-68.5.0-1.mga7 thunderbird-be-68.5.0-1.mga7 thunderbird-bg-68.5.0-1.mga7 thunderbird-br-68.5.0-1.mga7 thunderbird-ca-68.5.0-1.mga7 thunderbird-cs-68.5.0-1.mga7 thunderbird-cy-68.5.0-1.mga7 thunderbird-da-68.5.0-1.mga7 thunderbird-de-68.5.0-1.mga7 thunderbird-el-68.5.0-1.mga7 thunderbird-en_GB-68.5.0-1.mga7 thunderbird-en_US-68.5.0-1.mga7 thunderbird-es_AR-68.5.0-1.mga7 thunderbird-es_ES-68.5.0-1.mga7 thunderbird-et-68.5.0-1.mga7 thunderbird-eu-68.5.0-1.mga7 thunderbird-fi-68.5.0-1.mga7 thunderbird-fr-68.5.0-1.mga7 thunderbird-fy_NL-68.5.0-1.mga7 thunderbird-ga_IE-68.5.0-1.mga7 thunderbird-gd-68.5.0-1.mga7 thunderbird-gl-68.5.0-1.mga7 thunderbird-he-68.5.0-1.mga7 thunderbird-hr-68.5.0-1.mga7 thunderbird-hsb-68.5.0-1.mga7 thunderbird-hu-68.5.0-1.mga7 thunderbird-hy_AM-68.5.0-1.mga7 thunderbird-id-68.5.0-1.mga7 thunderbird-is-68.5.0-1.mga7 thunderbird-it-68.5.0-1.mga7 thunderbird-ja-68.5.0-1.mga7 thunderbird-ko-68.5.0-1.mga7 thunderbird-lt-68.5.0-1.mga7 thunderbird-nb_NO-68.5.0-1.mga7 thunderbird-nl-68.5.0-1.mga7 thunderbird-nn_NO-68.5.0-1.mga7 thunderbird-pl-68.5.0-1.mga7 thunderbird-pt_BR-68.5.0-1.mga7 thunderbird-pt_PT-68.5.0-1.mga7 thunderbird-ro-68.5.0-1.mga7 thunderbird-ru-68.5.0-1.mga7 thunderbird-si-68.5.0-1.mga7 thunderbird-sk-68.5.0-1.mga7 thunderbird-sl-68.5.0-1.mga7 thunderbird-sq-68.5.0-1.mga7 thunderbird-sv_SE-68.5.0-1.mga7 thunderbird-tr-68.5.0-1.mga7 thunderbird-uk-68.5.0-1.mga7 thunderbird-vi-68.5.0-1.mga7 thunderbird-zh_CN-68.5.0-1.mga7 thunderbird-zh_TW-68.5.0-1.mga7 from SRPMS: thunderbird-68.5.0-1.mga7.src.rpm thunderbird-l10n-68.5.0-1.mga7.src.rpm
Assignee: nicolas.salguero => qa-bugsCC: (none) => nicolas.salguero
MGA7-64 Plasma on Lenovo B50 No installation issues Sent and received messages without and with attachments between different -mail accounts and machines. All OK.
CC: (none) => herman.viaene
On mga7-64 kernel-desktop plasma packages installed cleanly: thunderbird-en_GB-68.5.0-1.mga7 thunderbird-68.5.0-1.mga7 email (POP, SMTP): OK Calendar: OK Address book: OK Movemail: OK I don't use enigmail or IMAP looks OK for mga7-64
CC: (none) => jim
i5-2500, wired Internet, 64-bit Plasma system. No installation problems. Looks like it's working OK here.
CC: (none) => andrewsfarm
64 bit OK for offline imap + smtp Have been using it two days 20+ mails under: Current kernel-desktop + nvidia-current + plasma, swedish locale Took over mail end settings OK. Was updated together with firefox in testing. Not tested calendar etc, only using mail, settings i already had.
CC: (none) => fri
Still working here, days later. Time to let it go. Validating. Advisory in Comment 1.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_updateWhiteboard: (none) => MGA7-64-OK
Advisory: ======================== Updated thunderbird packages fix security vulnerabilities: When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents (CVE-2020-6792). When processing an email message with an ill-formed envelope, Thunderbird could read data from a random memory location (CVE-2020-6793). If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations (CVE-2020-6794). When processing a message that contains multiple S/MIME signatures, a bug in the MIME processing code caused a null pointer dereference, leading to an unexploitable crash (CVE-2020-6795). If a <template> tag was used in a <select> tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result (CVE-2020-6798). Memory safety bugs present in Thunderbird ESR 68.4. Some of these bugs showed evidence of memory corruption and presumably some of these could have been exploited to run arbitrary code (CVE-2020-6800). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6792 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6793 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6794 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6795 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6798 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6800 https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/ https://www.thunderbird.net/en-US/thunderbird/68.5.0/releasenotes/
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0091.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
RedHat has issued an advisory for this today (February 24): https://access.redhat.com/errata/RHSA-2020:0577