A small bugfix version of thunderbird was released, I will push it the testing.
We need a package list before we can test this. Advisory information is usually included too, so we might know what to look for.
Also, recently Thunderbird updates have been accompanied by Firefox updates. Will that be the case this time?
OK, so the link you provided explains the changes. Sorry about that part of my comment. I admit that I wrote that before checking the link.
But, we still need to know what packages are involved. Is it just the two thunderbird packages? Are there new language packs? Any other dependencies?
Yes sorry, the build failed for MGA7, seraching for aworkaround.
You should probably just wait for 68.9.0 now that Firefox 68.9 is out, but I can't get nss to build. See Bug 26711.
Mozilla has released Thunderbird 68.9.0 on June 3:
It fixes security issues:
It also depends on the not-yet-completed nss update.
thunderbird 68.8.1 =>
RPM Packages =>
You can proceed with building this update.
(In reply to David Walser from comment #6)
> You can proceed with building this update.
Ok, let's try.
If it BuildRequires nodejs, it won't build until nodejs is fixed or removed from updates_testing.
nodejs removed, Thunderbird built. Just needs an advisory.
OK 64 bit plasma, nvidia-proprietary, intel i7
Swedish localisation, SMTP, offline IMAP.
Also Ok on i586 Dell D600. Enigmail, portuese localisation.
Updated thunderbird packages fix security vulnerabilities:
If Thunderbird is configured to use STARTTLS for an IMAP server, and the server
sends a PREAUTH response, then Thunderbird will continue with an unencrypted
connection, causing email data to be sent without protection (CVE-2020-12398).
When browsing a malicious page, a race condition in our SharedWorkerService
could occur and lead to a potentially exploitable crash due to a use-after-free
Mozilla developer Iain Ireland discovered a missing type check during unboxed
objects removal, resulting in a crash due to type confusion with NativeTypes. We
presume that with enough effort that it could be exploited to run arbitrary code
Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs
present in Firefox ESR 68.8. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code (CVE-2020-12410).
RedHat has issued an advisory for this on June 18:
I have installed a new version on real Mageia 7 x64 Plasma equipment. It works ok, I have sent mail and received from various accounts, I can access the address book, add-ons, preferences, etc. Everything ok.
On mga7-64 kernel-desktop plasma
packages installed cleanly:
email (POP, SMTP): OK
Address book: OK
I don't use enigmail or IMAP
looks OK for mga7-64
Looking good. Validating. Advisory in Comment 12.
MGA7-32-OK MGA7-64-OK =>
if validated it lacks the keyword ;)
It was there, but David Walser removed it because Thunderbird 68.10 was pending, and needed to be built. See Bug 26891.
Firefox 68.10 was built, sent to QA, tested, and validated. Bug 26890. But, it was supposed to be blocked from being pushed until the same happened with Thunderbird 68.10.
No, Firefox wasn't supposed to be blocked by Thunderbird, it's the other way around. The Firefox updates include the nspr and nss updates that Thunderbird is built against, so the Firefox update has to be pushed first. The packages this Thunderbird was built against were replaced, so the new update needs to be built.
Firefox had been pushed, so all is OK for you to work :)