Bug 26705 - Thunderbird 68.9
Summary: Thunderbird 68.9
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: José Jorge
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 26891 26828
Blocks:
Reported: 2020-05-29 15:54 CEST by José Jorge
Modified: 2020-07-06 09:14 CEST

See Also:
Source RPM: thunderbird
CVE:
Status comment:


Description José Jorge 2020-05-29 15:54:46 CEST
A small bugfix version of Thunderbird was released; I will push it to testing.

Ref: https://www.thunderbird.net/en-US/thunderbird/68.8.1/releasenotes
Comment 1 Thomas Andrews 2020-05-31 15:50:28 CEST
We need a package list before we can test this. Advisory information is usually included too, so we might know what to look for.

Also, recently Thunderbird updates have been accompanied by Firefox updates. Will that be the case this time?

CC: (none) => andrewsfarm

Comment 2 Thomas Andrews 2020-05-31 15:57:34 CEST
OK, so the link you provided explains the changes. Sorry about that part of my comment. I admit that I wrote that before checking the link. 

But, we still need to know what packages are involved. Is it just the two thunderbird packages? Are there new language packs? Any other dependencies?
Comment 3 José Jorge 2020-05-31 15:59:45 CEST
Yes, sorry, the build failed for MGA7; searching for a workaround.

Assignee: qa-bugs => lists.jjorge
CC: (none) => lists.jjorge

Morgan Leijström 2020-06-01 00:53:08 CEST

CC: (none) => fri

Comment 4 David Walser 2020-06-01 21:47:04 CEST
You should probably just wait for 68.9.0 now that Firefox 68.9 is out, but I can't get nss to build.  See Bug 26711.
Comment 5 David Walser 2020-06-06 18:30:43 CEST
Mozilla has released Thunderbird 68.9.0 on June 3:
https://www.thunderbird.net/en-US/thunderbird/68.9.0/releasenotes/

It fixes security issues:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/

It also depends on the not-yet-completed nss update.

Depends on: (none) => 26711
Summary: thunderbird 68.8.1 => Thunderbird 68.9

David Walser 2020-06-06 18:31:41 CEST

QA Contact: (none) => security
Component: RPM Packages => Security
Severity: normal => critical

Comment 6 David Walser 2020-06-18 20:08:35 CEST
You can proceed with building this update.
Comment 7 José Jorge 2020-06-18 22:29:15 CEST
(In reply to David Walser from comment #6)
> You can proceed with building this update.

Ok, let's try.
Comment 8 David Walser 2020-06-18 23:06:26 CEST
If it BuildRequires nodejs, it won't build until nodejs is fixed or removed from updates_testing.
David Walser 2020-06-20 00:20:02 CEST

Depends on: (none) => 26828

David Walser 2020-06-20 00:22:07 CEST

Depends on: 26711 => (none)

Comment 9 David Walser 2020-06-20 00:26:04 CEST
nodejs removed, Thunderbird built.  Just needs an advisory.

thunderbird-68.9.0-1.mga7
thunderbird-enigmail-68.9.0-1.mga7
thunderbird-ar-68.9.0-1.mga7
thunderbird-ast-68.9.0-1.mga7
thunderbird-be-68.9.0-1.mga7
thunderbird-bg-68.9.0-1.mga7
thunderbird-br-68.9.0-1.mga7
thunderbird-ca-68.9.0-1.mga7
thunderbird-cs-68.9.0-1.mga7
thunderbird-cy-68.9.0-1.mga7
thunderbird-da-68.9.0-1.mga7
thunderbird-de-68.9.0-1.mga7
thunderbird-el-68.9.0-1.mga7
thunderbird-en_GB-68.9.0-1.mga7
thunderbird-en_US-68.9.0-1.mga7
thunderbird-es_AR-68.9.0-1.mga7
thunderbird-es_ES-68.9.0-1.mga7
thunderbird-et-68.9.0-1.mga7
thunderbird-eu-68.9.0-1.mga7
thunderbird-fi-68.9.0-1.mga7
thunderbird-fr-68.9.0-1.mga7
thunderbird-fy_NL-68.9.0-1.mga7
thunderbird-ga_IE-68.9.0-1.mga7
thunderbird-gd-68.9.0-1.mga7
thunderbird-gl-68.9.0-1.mga7
thunderbird-he-68.9.0-1.mga7
thunderbird-hr-68.9.0-1.mga7
thunderbird-hsb-68.9.0-1.mga7
thunderbird-hu-68.9.0-1.mga7
thunderbird-hy_AM-68.9.0-1.mga7
thunderbird-id-68.9.0-1.mga7
thunderbird-is-68.9.0-1.mga7
thunderbird-it-68.9.0-1.mga7
thunderbird-ja-68.9.0-1.mga7
thunderbird-ko-68.9.0-1.mga7
thunderbird-lt-68.9.0-1.mga7
thunderbird-nb_NO-68.9.0-1.mga7
thunderbird-nl-68.9.0-1.mga7
thunderbird-nn_NO-68.9.0-1.mga7
thunderbird-pl-68.9.0-1.mga7
thunderbird-pt_BR-68.9.0-1.mga7
thunderbird-pt_PT-68.9.0-1.mga7
thunderbird-ro-68.9.0-1.mga7
thunderbird-ru-68.9.0-1.mga7
thunderbird-si-68.9.0-1.mga7
thunderbird-sk-68.9.0-1.mga7
thunderbird-sl-68.9.0-1.mga7
thunderbird-sq-68.9.0-1.mga7
thunderbird-sv_SE-68.9.0-1.mga7
thunderbird-tr-68.9.0-1.mga7
thunderbird-uk-68.9.0-1.mga7
thunderbird-vi-68.9.0-1.mga7
thunderbird-zh_CN-68.9.0-1.mga7
thunderbird-zh_TW-68.9.0-1.mga7

from SRPMS:
thunderbird-68.9.0-1.mga7.src.rpm
thunderbird-l10n-68.9.0-1.mga7.src.rpm
Morgan Leijström 2020-06-20 00:49:34 CEST

Assignee: lists.jjorge => qa-bugs

Comment 10 Morgan Leijström 2020-06-20 13:55:19 CEST
OK 64 bit plasma, nvidia-proprietary, intel i7
Swedish localisation, SMTP, offline IMAP.
Comment 11 José Jorge 2020-06-20 17:14:56 CEST
Also OK on i586 Dell D600. Enigmail, Portuguese localisation.

Whiteboard: (none) => MGA7-32-OK MGA7-64-OK
Status: NEW => ASSIGNED

Comment 12 David Walser 2020-06-20 18:16:17 CEST
Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server
sends a PREAUTH response, then Thunderbird will continue with an unencrypted
connection, causing email data to be sent without protection (CVE-2020-12398).

When browsing a malicious page, a race condition in our SharedWorkerService
could occur and lead to a potentially exploitable crash due to a use-after-free
(CVE-2020-12405).

Mozilla developer Iain Ireland discovered a missing type check during unboxed
objects removal, resulting in a crash due to type confusion with NativeTypes. We
presume that with enough effort that it could be exploited to run arbitrary code
(CVE-2020-12406).

Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs
present in Firefox ESR 68.8. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code (CVE-2020-12410).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12398
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12410
https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/
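
The PREAUTH case from CVE-2020-12398 in the advisory above, modelled as an added example (not part of the original bug report and not Thunderbird's code). The function names, return labels and sample greetings are hypothetical; the point is that STARTTLS is only valid before authentication (RFC 3501), so a client that requires it has to fail closed on a PREAUTH greeting.

```python
class TLSRequiredError(Exception):
    """A STARTTLS-required session cannot be upgraded to TLS."""

def parse_greeting(line: bytes) -> str:
    """Return the IMAP greeting type: 'OK', 'PREAUTH' or 'BYE'."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != b"*":
        raise ValueError("not an untagged IMAP greeting")
    kind = parts[1].upper().decode("ascii", "replace")
    if kind not in ("OK", "PREAUTH", "BYE"):
        raise ValueError(f"unexpected greeting: {kind}")
    return kind

def next_step_lenient(greeting: bytes) -> str:
    """Model of the behaviour the advisory describes: PREAUTH skips the upgrade."""
    kind = parse_greeting(greeting)
    if kind == "PREAUTH":
        return "proceed-plaintext"   # session continues unencrypted
    return "send-starttls" if kind == "OK" else "close"

def next_step_strict(greeting: bytes, require_starttls: bool = True) -> str:
    """Fail closed: after PREAUTH on a cleartext socket, TLS can no longer
    be negotiated, so a STARTTLS-required account must not continue."""
    kind = parse_greeting(greeting)
    if kind == "BYE":
        return "close"
    if kind == "PREAUTH":
        if require_starttls:
            raise TLSRequiredError("server sent PREAUTH before STARTTLS")
        return "proceed-plaintext"
    return "send-starttls" if require_starttls else "proceed-plaintext"

# Constructed sample greetings (not captured from a real server).
GREETING_OK = b"* OK IMAP4rev1 server ready\r\n"
GREETING_PREAUTH = b"* PREAUTH IMAP4rev1 logged in as user\r\n"

if __name__ == "__main__":
    print(next_step_lenient(GREETING_PREAUTH))
    print(next_step_strict(GREETING_OK))
    try:
        next_step_strict(GREETING_PREAUTH)
    except TLSRequiredError as exc:
        print("refused:", exc)
```
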
Comment 13 David Walser 2020-06-20 18:17:50 CEST
Red Hat has issued an advisory for this on June 18:
https://access.redhat.com/errata/RHSA-2020:2615
Comment 14 Jose Manuel López 2020-06-20 22:52:30 CEST
Hi!

I have installed a new version on real Mageia 7 x64 Plasma equipment. It works ok, I have sent mail and received from various accounts, I can access the address book, add-ons, preferences, etc. Everything ok.

Regards!!

CC: (none) => joselp

Comment 15 James Kerr 2020-06-21 06:30:12 CEST
On mga7-64  kernel-desktop  plasma

packages installed cleanly:
- thunderbird-68.9.0-1.mga7.x86_64
- thunderbird-en_GB-68.9.0-1.mga7.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga7-64

CC: (none) => jim

Comment 16 Thomas Andrews 2020-06-21 14:20:31 CEST
Looking good. Validating. Advisory in Comment 12.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

David Walser 2020-07-02 23:33:43 CEST

CC: (none) => luigiwalser
Depends on: (none) => 26891

David Walser 2020-07-02 23:34:14 CEST

Assignee: qa-bugs => lists.jjorge
CC: luigiwalser => (none)
Keywords: validated_update => (none)
Whiteboard: MGA7-32-OK MGA7-64-OK => (none)

Comment 17 Nicolas Lécureuil 2020-07-05 09:34:45 CEST
If validated, it lacks the keyword ;)

CC: (none) => mageia

Comment 18 Thomas Andrews 2020-07-05 14:07:20 CEST
It was there, but David Walser removed it because Thunderbird 68.10 was pending, and needed to be built. See Bug 26891. 

Firefox 68.10 was built, sent to QA, tested, and validated. Bug 26890. But, it was supposed to be blocked from being pushed until the same happened with Thunderbird 68.10.
Comment 19 David Walser 2020-07-05 15:25:19 CEST
No, Firefox wasn't supposed to be blocked by Thunderbird, it's the other way around.  The Firefox updates include the nspr and nss updates that Thunderbird is built against, so the Firefox update has to be pushed first.  The packages this Thunderbird was built against were replaced, so the new update needs to be built.
Comment 20 Nicolas Lécureuil 2020-07-06 09:14:00 CEST
Firefox had been pushed, so all is OK for you to work :)
