Mozilla has released Thunderbird 68.10.0 on July 1: https://www.thunderbird.net/en-US/thunderbird/68.10.0/releasenotes/ It fixes security issues: https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/ We should wait to build it until Thunderbird 68.9.0 has been pushed (Bug 26705).
Depends on: (none) => 26890
You might want to double check that thunderbird-l10n is correct, as I found several languages that should have been added in firefox-l10n when it was bumped to 68.0, which I just fixed in 68.10.
Actually you might as well build it, Firefox 68.9 never got pushed either.
Blocks: (none) => 26705
CC: (none) => nicolas.salguero
CC: (none) => andrewsfarm
Fedora has issued an advisory for this today (July 10): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OUYAQVBJJNHI2M2LJ57FZB5BJCANBXWT/
There is also a new version of enigmail.
Working on it...
Here's a start on the advisory. Add anything you need to add to it (about updated enigmail or whatever). Advisory: ======================== Updated thunderbird packages fix security vulnerabilities: If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection (CVE-2020-12398). When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash due to a use-after-free (CVE-2020-12405). Mozilla developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash due to type confusion with NativeTypes. We presume that with enough effort that it could be exploited to run arbitrary code (CVE-2020-12406). Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-12410). Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript (CVE-2020-12418). When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free in nsGlobalWindowInner. This could have led to memory corruption and a potentially exploitable crash (CVE-2020-12419). When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash (CVE-2020-12420). If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird sends username and password over https to a server controlled by the attacker (MFSA-2020-0001). When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user (CVE-2020-12421). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12398 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12405 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12406 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12410 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12418 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12419 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12420 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12421 https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/ ======================== Updated packages in core/updates_testing: ======================== thunderbird-68.10.0-1.mga7 thunderbird-enigmail-68.10.0-1.mga7 thunderbird-ar-68.10.0-1.mga7 thunderbird-ast-68.10.0-1.mga7 thunderbird-be-68.10.0-1.mga7 thunderbird-bg-68.10.0-1.mga7 thunderbird-br-68.10.0-1.mga7 thunderbird-ca-68.10.0-1.mga7 thunderbird-cak-68.10.0-1.mga7 thunderbird-cs-68.10.0-1.mga7 thunderbird-cy-68.10.0-1.mga7 thunderbird-da-68.10.0-1.mga7 thunderbird-de-68.10.0-1.mga7 thunderbird-el-68.10.0-1.mga7 thunderbird-en_GB-68.10.0-1.mga7 thunderbird-en_US-68.10.0-1.mga7 thunderbird-es_AR-68.10.0-1.mga7 thunderbird-es_ES-68.10.0-1.mga7 thunderbird-et-68.10.0-1.mga7 thunderbird-eu-68.10.0-1.mga7 thunderbird-fi-68.10.0-1.mga7 thunderbird-fr-68.10.0-1.mga7 thunderbird-fy_NL-68.10.0-1.mga7 thunderbird-ga_IE-68.10.0-1.mga7 thunderbird-gd-68.10.0-1.mga7 thunderbird-gl-68.10.0-1.mga7 thunderbird-he-68.10.0-1.mga7 thunderbird-hr-68.10.0-1.mga7 thunderbird-hsb-68.10.0-1.mga7 thunderbird-hu-68.10.0-1.mga7 thunderbird-hy_AM-68.10.0-1.mga7 thunderbird-id-68.10.0-1.mga7 thunderbird-is-68.10.0-1.mga7 thunderbird-it-68.10.0-1.mga7 thunderbird-ja-68.10.0-1.mga7 thunderbird-ka-68.10.0-1.mga7 thunderbird-kab-68.10.0-1.mga7 thunderbird-kk-68.10.0-1.mga7 thunderbird-ko-68.10.0-1.mga7 thunderbird-lt-68.10.0-1.mga7 thunderbird-ms-68.10.0-1.mga7 thunderbird-nb_NO-68.10.0-1.mga7 thunderbird-nl-68.10.0-1.mga7 thunderbird-nn_NO-68.10.0-1.mga7 thunderbird-pl-68.10.0-1.mga7 thunderbird-pt_BR-68.10.0-1.mga7 thunderbird-pt_PT-68.10.0-1.mga7 thunderbird-ro-68.10.0-1.mga7 thunderbird-ru-68.10.0-1.mga7 thunderbird-si-68.10.0-1.mga7 thunderbird-sk-68.10.0-1.mga7 thunderbird-sl-68.10.0-1.mga7 thunderbird-sq-68.10.0-1.mga7 thunderbird-sv_SE-68.10.0-1.mga7 thunderbird-tr-68.10.0-1.mga7 thunderbird-uk-68.10.0-1.mga7 thunderbird-uz-68.10.0-1.mga7 thunderbird-vi-68.10.0-1.mga7 thunderbird-zh_CN-68.10.0-1.mga7 thunderbird-zh_TW-68.10.0-1.mga7 from SRPMS: thunderbird-68.10.0-1.mga7.src.rpm thunderbird-l10n-68.10.0-1.mga7.src.rpm
Assignee: lists.jjorge => qa-bugs
64-bit Plasma system, Intel graphics. Updated the US English version, no installation issues. Was able to send and receive POP mail and use newsgroups. I do not use the calendar or enigmail, but it's working OK for what I do with it.
64-bit Plasma, Nvidia proprietary OK: Swedish, SMTP, offline IMAP
CC: (none) => fri
On mga7-64 kernel-desktop plasma packages installed cleanly: - thunderbird-68.10.0-1.mga7.x86_64 - thunderbird-en_GB-68.10.0-1.mga7.noarch email (POP, SMTP): OK Calendar: OK Address book: OK Movemail: OK I don't use enigmail or IMAP looks OK for mga7-64
CC: (none) => jim
RedHat has issued an advisory for this today (July 14): https://access.redhat.com/errata/RHSA-2020:2906
mga7, x64 thunderbird-en_GB working fine here for IMAP. Tested calendar reminder function - worked OK. Moved a group of emails to a local folder. No regressions.
CC: (none) => tarazed25
Good enough. Giving it an OK and validating. Advisory in Comment 6, though from reading the comment I'm not sure that one is complete enough.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_updateWhiteboard: (none) => MGA7-64-OK
Yeah I was hoping he'd add a blurb and reference for the enigmail update.
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0300.html
Status: NEW => RESOLVEDResolution: (none) => FIXED