Mozilla has released Thunderbird 78.0 tomorrow (July 17): https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/ It fixes security issues (some already fixed in 68.x, some not): https://www.mozilla.org/en-US/security/advisories/mfsa2020-29/ It looks like the new issues are: CVE-2020-12415 CVE-2020-12416 CVE-2020-15648 CVE-2020-12402 CVE-2020-12422 CVE-2020-12424 CVE-2020-12425 CVE-2020-12426 We can update in Cauldron, but not Mageia 7 yet.
Depends on: (none) => 26711
68.11 didn't address the CVEs in Comment 0. We should be working on this update for Cauldron now. 78.1 is out as of July 30: https://www.thunderbird.net/en-US/thunderbird/78.1.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-33/
Version: 7 => CauldronSummary: Thunderbird 78.0 => Thunderbird 78.1CC: (none) => nicolas.salgueroWhiteboard: (none) => MGA7TOO
(In reply to David Walser from comment #1) > 68.11 didn't address the CVEs in Comment 0. We should be working on this > update for Cauldron now. > > 78.1 is out as of July 30 We cannot push 78.1 because it breaks enigail. We have to wait for 78.2 version according to their annoncment : https://mail.mozilla.org/pipermail/tb-planning/2020-May/007627.html
"The 78.2 release is scheduled for 2020-08-25." Sounds good. 78.3 will be the first of these we'll release for Mageia 7, but we'll want to build 78.2 for internal testing.
Summary: Thunderbird 78.1 => Thunderbird 78.2
CC: (none) => fri
This can also be worked on once Bug 27204 is pushed. 78.2 was released on August 25: https://www.thunderbird.net/en-US/thunderbird/78.2.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-41/
It probably won't build yet because of whatever's breaking the FF/TB builds in Cauldron currently, but it might be good to start working on this update in Cauldron. Mageia 7 work can start once I get the underlying bits ready for Bug 26711.
Mozilla has released Thunderbird 78.2.1 on August 29: https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/ It fixes some OpenPGP issues.
Summary: Thunderbird 78.2 => Thunderbird 78.2.1
(In reply to David Walser from comment #6) > Mozilla has released Thunderbird 78.2.1 on August 29: > https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/ > > It fixes some OpenPGP issues. Right but upstream does affirm that upgrading from 68.x version to 78.x is unsupported as it breaks addons. Also, by integrating OpenPGP, enigmail is deprecated and can't be used with 78.x version. "Thunderbird version 78.2.1 is only offered as direct download from thunderbird.net and not as an upgrade from Thunderbird version 68 or earlier. A future release will provide updates from earlier versions. Automatic updates are available for users already running version 78.0 or higher. Add-on support: As of version 78.0, Thunderbird only supports MailExtensions. Your favorite add-ons may not have been updated for compatibility." We should add some documentation on it.
Comment 2 said that was supposed to be fixed, but maybe it got delayed to 78.3 (it better not be later than that, as 68 is EOL), but we do need to start working on packaging this. We don't need to release it in Mageia 7 until 78.3.
Looking at the upstream threads, it looks like enigmail is permanently deprecated and users will be automatically migrated to OpenPGP. Unrelated, but important for our packagers: https://mail.mozilla.org/pipermail/tb-planning/2020-August/007744.html
Underlying dependencies are built for Mageia 7: https://bugs.mageia.org/show_bug.cgi?id=26711#c28 You may begin working on the TB 78 update for Cauldron (and then Mageia 7 once that's successful).
78.2.2 (released today, September 10) fixes a lot more bugs: https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes/
Summary: Thunderbird 78.2.1 => Thunderbird 78.2.2
Hi, Thunderbird 78.2.2 has been built for Cauldron and will be available soon. Best regards, Nico.
I understand from reading TB ML that 78 makes changes to the user profile such that it will no longer work with earlier versions. I have always used one profile across different Mageia releases including cauldron. I think that there should be a warning to stop users installing 78 where they use the same profile for other (earlier) systems.
CC: (none) => zen25000
Good point. Also some plugins that work in 6x versions do not work in 78, so it should be in that note too. IMO the info should also be in Mageia 8 release notes.
Barry, there's no way for the system to know that you use your profile on multiple systems. Also, Mageia 7 will have to be updated to 78 as well, so everyone will have to deal with it (and you just shouldn't use Mozilla profiles with multiple versions anyway, that's nothing new). The advisory for the 78.3 update will need to mention the changes that will impact users, and putting it in the Mageia 8 release notes probably makes sense too.
I have updated to the new version. Now, my profile no works. I can't see my accounts. The Thunderbird menu no works, and although my language is spanish, thunderbird appears in english. I can't downgrade to thunderbird 68.12 in Mageia 8 beta 1.
CC: (none) => joselp
Same issue for me as Jose in comment 16 I managed to downgrade to 68.8.0 by downloading the following rpm from http://ftp.free.fr/mirrors/mageia.org/distrib/7.1/x86_64/media/core/updates/ icu63-data-63.1-1.mga7.noarch.rpm lib64event6-2.1.8-3.mga7.x86_64.rpm lib64icu63-63.1-1.mga7.x86_64.rpm thunderbird-68.8.0-1.mga7.x86_64.rpm thunderbird-fr-68.8.0-1.mga7.noarch.rpm and running : urpmi --downgrade ./thunderbird-* ./lib64icu63-63.1-1.mga7.x86_64.rpm ./icu63-data-63.1-1.mga7.noarch.rpm ./lib64event6-2.1.8-3.mga7.x86_64.rpm
CC: (none) => boulshet
Confirm entirely this situation. Thunderbird seems able to have migrated profile. But main UI can't display anything. Also, fetching mail is OK, systray notifications too. But main UI is still empty. Menus are displayed in French. Loading Thunderbird without any extension does nothing new instead display UI in English. Managed to install thunderbird-debugsource-78.2.2-1.mga8.x86_64.rpm and thunderbird-debuginfo-78.2.2-1.mga8.x86_64.rpm. Console output from Developer Tools in Tools menu while opening Thunderbird: 22:05:33,224 Uncaught Exception { name: "NS_ERROR_FAILURE", message: "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIObserverService.removeObserver]", result: 2147500037, filename: "chrome://lightning/content/imip-bar.js", lineNumber: 87, columnNumber: 0, data: null, stack: "unload@chrome://lightning/content/imip-bar.js:87:18\nOnUnloadMsgHeaderPane@chrome://messenger/content/msgHdrView.js:351:21\nOnUnloadMessenger@chrome://messenger/content/msgMail3PaneWindow.js:975:3\nonunload@chrome://messenger/content/messenger.xhtml:1:1\n", location: XPCWrappedNative_NoHelper } imip-bar.js:87 22:05:33,256 Uncaught Exception { name: "NS_ERROR_ILLEGAL_VALUE", message: "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIObserverService.removeObserver]", result: 2147942487, filename: "chrome://calendar/content/today-pane.js", lineNumber: 59, columnNumber: 0, data: null, stack: "onUnload@chrome://calendar/content/today-pane.js:59:18\n", location: XPCWrappedNative_NoHelper } today-pane.js:59 22:05:33,277 Ouverture de chrome://extensions/content/dummy.xhtml 22:05:39,469 Uncaught TypeError: Cc['@mozilla.org/updates/update-manager;1'] is undefined showWhatsNewPage chrome://messenger/content/specialTabs.js:1051 openSpecialTabsOnStartup chrome://messenger/content/specialTabs.js:799 OnLoadMessenger chrome://messenger/content/msgMail3PaneWindow.js:617 onload chrome://messenger/content/messenger.xhtml:1 specialTabs.js:1051:18 22:06:04,608 [Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]" nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)" location: "JS frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync :: line 658" data: no] L10nRegistry.jsm:658:19 22:06:04,714 Successfully loaded OpenPGP library librnp.so from /usr/lib64/thunderbird/librnp.so RNPLib.jsm:46:13 22:06:04,716 public keys: 0, secret keys: 0 RNPLib.jsm:194:15 22:06:04,716 0 protected and 0 unprotected keys BondOpenPGP.jsm:99:13 22:06:04,738 [Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]" nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)" location: "JS frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync :: line 658" data: no] L10nRegistry.jsm:658:19 22:06:05,129 [Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]" nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)" location: "JS frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync :: line 658" data: no] L10nRegistry.jsm:658:19 22:06:05,426 [Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]" nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)" location: "JS frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync :: line 658" data: no] L10nRegistry.jsm:658:19 22:06:05,428 [Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]" nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)" location: "JS frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync :: line 658" data: no] L10nRegistry.jsm:658:19 22:06:05,883 Successfully loaded OTR library libotr.so.5 from system's standard library locations OTRLib.jsm:43:13 Hope this help.
CC: (none) => ouaurelien
Waiting for this to be resolved, I have opted for the following: - Download the official version of thunderbird. - Open the app to create a new profile. - Pass the old profile folder "mail" where all the emails are, and create the accounts by assigning those folders from the new version of Thunderbird. - Copy the "calendar-data" folder and modify the pref.js file to be able to recover the task schedule and calendar. This is a big problem for new users who have installed Mageia 8 Beta 1 and don't know where the data from the old Thunderbird is. They will simply open the app and find the app without mail. Applying the update to 78 in Mageia 7 might affect production environments.
Well hopefully 78.3 works. Does 78.2.2 from upstream have the same problem?
(In reply to David Walser from comment #20) > Does 78.2.2 from upstream have the same problem? In my tests, upstream does not have those problems and our version is affected by several issues, at least I found these ones: - the preference tab cannot be opened; - the folder pane seems empty but, in fact, it only displays a white rectangle; - depending of when your profile was created, L10n XPIs are ignored or not so thunderbird can be displayed in English or be localized.
I had to add that I did not find any other distribution I usually take inspiration of that provides thunderbird 78 so I did what I could by looking at the modifications occurred in firefox when we switch to ESR 78.
Martin removed a couple of patches from Firefox which fixed the l10n issue, I'm guessing you'll have to do the same for Thunderbird. I'd double check Fedora and see if there's any changes we missed.
CC: (none) => sylvain.hemonet
The latest update still doesn't work properly, the menu doesn't work. The menu bar appears and cannot be hidden.Now the interface does appear in Spanish.
Should we revert cauldron to the previous working TB version and do all this testing in 8/updates_testing so people can use cauldron to work on other stuff and have access to email?
Reverting the current version in Cauldron won't change much, excepted for people who didn't upgrade yet, as the user profile has already been modified for the new version.
CC: (none) => guillomovitch
@Guillaume Rousse: are you sure that the issue is about a profil modification ? i did upgrade to the current version. It didn't work, i reverted to 68.8.0 and it worked just fine (see comment 17) The only issue i have noticed so far is that i have lost my contacts. Btw fwiw I fully agree with Barry Jackson proposal. Major issues happen quite often on some cooker packages (firefox, thunderbird). Of course, my intent is in no way to criticize the great guys who work on those packages. People using cooker on a daily basis know that it is a development release and that it is less robust that official ones but they might be discouraged by those kind of issues and an intermediate test area like testing would make sense for some packages. IMO, it is only about providing a very minimal and basic level of test and avoiding to push a fully broken major package.
Hi, thunderbird-78.2.2-3.mga8 is currently building and contains a patch that is supposed to correct the UI issue. Best regards, Nico.
I confirm that the patch corrects the issue. If you do not want to wait until the build is finished and available on mirrors, you can get version x86_64 here: http://pkgsubmit.mageia.org/uploads/done/cauldron/core/release/20200918100312.ns80.duvel.41823_thunderbird-78.2.2-3.mga8.x86_64.rpm
Hi it does work for me, thanks. And my contacts are back ! Regards
Assignee: lists.jjorge => nicolas.salguero
DistroWatch detected that 78.3.0 is now available. Release notes are not up yet: https://www.thunderbird.net/en-US/thunderbird/78.3.0/releasenotes/ Cauldron can be updated. Mageia 7 is stuck waiting for nodejs to be updated and fixed (what's currently in SVN is broken, it builds but will not install, which would prevent fixing it at that point).
Summary: Thunderbird 78.2.2 => Thunderbird 78.3.0
Hi, The problem with nodejs in Mageia 7 will be solved with nodejs-10.22.1-1.mga7. Best regards, Nico.
Looks like it built this time :D For the advisory, don't forget to add in the CVEs from Comment 0, as I don't believe they were ever fixed in 68.x.
(In reply to David Walser from comment #33) > Looks like it built this time :D > > For the advisory, don't forget to add in the CVEs from Comment 0, as I don't > believe they were ever fixed in 68.x. I will not forger this when writing ADV. Best regards,
Suggested advisory: ======================== The updated packages fix security vulnerabilities: AppCache manifest poisoning due to url encoded character processing. (CVE-200-12415) Use-after-free in WebRTC VideoBroadcaster. (CVE-2020-12416) X-Frame-Options bypass using object or embed tags. (CVE-2020-15648) RSA Key Generation vulnerable to side-channel attack. (CVE-2020-12402) Integer overflow in nsJPEGEncoder::emptyOutputBuffer. (CVE-2020-12422) WebRTC permission prompt could have been bypassed by a compromised content process. (CVE-2020-12424) Out of bound read in Date.parse(). (CVE-2020-12425) Memory safety bugs fixed in Thunderbird 78. (CVE-2020-12426) Extension APIs could be used to bypass Same-Origin Policy. (CVE-2020-15655) Bypassing iframe sandbox when allowing popups. (CVE-2020-15653) Type confusion for special arguments in IonMonkey. (CVE-2020-15656) Overriding file type when saving to disk. (CVE-2020-15658) Custom cursor can overlay user interface. (CVE-2020-15654) Memory safety bugs fixed in Thunderbird 78.1. (CVE-2020-15659) Memory safety bugs fixed in Thunderbird 78.2. (CVE-2020-15670) Download origin spoofing via redirect. (CVE-2020-15677) XSS when pasting attacker-controlled data into a contenteditable element. (CVE-2020-15676) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario. (CVE-2020-15678) Memory safety bugs fixed in Thunderbird 78.3. (CVE-2020-15673) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12415 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12416 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15648 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12402 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12422 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12424 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12425 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12426 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15655 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15653 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15656 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15658 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15654 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15659 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15670 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15677 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15676 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15678 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15673 https://www.mozilla.org/en-US/security/advisories/mfsa2020-29/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-33/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-41/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/ https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.0.1/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.1.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.1.1/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.2.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.3.0/releasenotes/ ======================== Updated packages in core/updates_testing: ======================== thunderbird-78.3.0-1.mga7 thunderbird-ar-78.3.0-1.mga7 thunderbird-ast-78.3.0-1.mga7 thunderbird-be-78.3.0-1.mga7 thunderbird-bg-78.3.0-1.mga7 thunderbird-br-78.3.0-1.mga7 thunderbird-ca-78.3.0-1.mga7 thunderbird-cs-78.3.0-1.mga7 thunderbird-cy-78.3.0-1.mga7 thunderbird-da-78.3.0-1.mga7 thunderbird-de-78.3.0-1.mga7 thunderbird-el-78.3.0-1.mga7 thunderbird-en_GB-78.3.0-1.mga7 thunderbird-en_US-78.3.0-1.mga7 thunderbird-es_AR-78.3.0-1.mga7 thunderbird-es_ES-78.3.0-1.mga7 thunderbird-et-78.3.0-1.mga7 thunderbird-eu-78.3.0-1.mga7 thunderbird-fi-78.3.0-1.mga7 thunderbird-fr-78.3.0-1.mga7 thunderbird-fy_NL-78.3.0-1.mga7 thunderbird-ga_IE-78.3.0-1.mga7 thunderbird-gd-78.3.0-1.mga7 thunderbird-gl-78.3.0-1.mga7 thunderbird-he-78.3.0-1.mga7 thunderbird-hr-78.3.0-1.mga7 thunderbird-hsb-78.3.0-1.mga7 thunderbird-hu-78.3.0-1.mga7 thunderbird-hy_AM-78.3.0-1.mga7 thunderbird-id-78.3.0-1.mga7 thunderbird-is-78.3.0-1.mga7 thunderbird-it-78.3.0-1.mga7 thunderbird-ja-78.3.0-1.mga7 thunderbird-ka-78.3.0-1.mga7 thunderbird-kab-78.3.0-1.mga7 thunderbird-kk-78.3.0-1.mga7 thunderbird-ko-78.3.0-1.mga7 thunderbird-lt-78.3.0-1.mga7 thunderbird-ms-78.3.0-1.mga7 thunderbird-nb_NO-78.3.0-1.mga7 thunderbird-nl-78.3.0-1.mga7 thunderbird-nn_NO-78.3.0-1.mga7 thunderbird-pl-78.3.0-1.mga7 thunderbird-pt_BR-78.3.0-1.mga7 thunderbird-pt_PT-78.3.0-1.mga7 thunderbird-ro-78.3.0-1.mga7 thunderbird-ru-78.3.0-1.mga7 thunderbird-si-78.3.0-1.mga7 thunderbird-sk-78.3.0-1.mga7 thunderbird-sl-78.3.0-1.mga7 thunderbird-sq-78.3.0-1.mga7 thunderbird-sv_SE-78.3.0-1.mga7 thunderbird-tr-78.3.0-1.mga7 thunderbird-uk-78.3.0-1.mga7 thunderbird-uz-78.3.0-1.mga7 thunderbird-vi-78.3.0-1.mga7 thunderbird-zh_CN-78.3.0-1.mga7 thunderbird-zh_TW-78.3.0-1.mga7 from SRPMS: thunderbird-78.3.0-1.mga7.src.rpm thunderbird-l10n-78.3.0-1.mga7.src.rpm
Status: NEW => ASSIGNEDSource RPM: thunderbird => thunderbird, thunderbird-l10nVersion: Cauldron => 7Assignee: nicolas.salguero => qa-bugsWhiteboard: MGA7TOO => (none)
Removing issues that we previously fixed or that didn't affect 68.12. Advisory: ======================== Updated thunderbird packages fix security vulnerabilities: AppCache manifest poisoning due to url encoded character processing (CVE-200-12415). Use-after-free in WebRTC VideoBroadcaster (CVE-2020-12416). Integer overflow in nsJPEGEncoder::emptyOutputBuffer (CVE-2020-12422). WebRTC permission prompt could have been bypassed by a compromised content process (CVE-2020-12424). Out of bound read in Date.parse() (CVE-2020-12425). Memory safety bugs fixed in Thunderbird 78 (CVE-2020-12426). X-Frame-Options bypass using object or embed tags (CVE-2020-15648). Memory safety bugs fixed in Thunderbird 78.3 (CVE-2020-15673). XSS when pasting attacker-controlled data into a contenteditable element (CVE-2020-15676). Download origin spoofing via redirect (CVE-2020-15677). When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario (CVE-2020-15678). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12415 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12416 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12422 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12424 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12425 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12426 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15648 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15673 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15676 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15677 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15678 https://www.mozilla.org/en-US/security/advisories/mfsa2020-29/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/ https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.0.1/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.1.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.1.1/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.2.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.3.0/releasenotes/
On mga7-64 kernel-desktop plasma packages installed cleanly: - thunderbird-78.3.0-1.mga7.x86_64 - thunderbird-en_GB-78.3.0-1.mga7.noarch email (POP, SMTP): OK Calendar: OK Address book: OK Movemail: OK I don't use enigmail or IMAP looks OK for mga7-64
CC: (none) => jim
mga7, x64 Installed with en_GB. New version now keeps the current profile and address book. TGFT. Sent an email - IMAP/SMTP Set up calendar event with reminder, which worked as expected. Saving to local folders OK.
CC: (none) => tarazed25
MGA7-64 Plasma on Lenovo B50 No installation issues No previous installation of thunderbird on this laptop. Setup gmail account with wizard, send and receive mail with and without attachment, all OK. Note to James: I see no enigmail in the list of packages, not that I ever used it, but just a remark. OK for me.
CC: (none) => herman.viaene
Enigmail plugin is dropped. Instead openpgp functionality is integrated in thunderbird himself. We need test the upgrade from a Thunderbird+Enigmail 68 with openpgpg keys to Thunderbird 78.3. Will see this tommorow.
Note that tb no longer supports gpg keyrings. The keys are stored in a tb database. There is no option to require a passphrase for each access of the secret key, so a master passphrase should be set for tb. Also, if using encryption, never leave tb running unattended where other people have access to it since anyone with access to a running tb will have access to all encrypted messages, and be able to send messages automatically signed with your key. Not a design I agree with, but that is what mozilla has chosen, to simplify key and encryption/signing management at the expense of security.
CC: (none) => davidwhodgins
Running fine here, 64 bit, i7, Plasma, Nvidia, Swedish. System is fully updated to testing per yesterday. Sending using SMTP, receiving and storing using offline IMAP. Using offline IMAP i moved several thousand mails from one folder to another.
Mozilla has released Thunderbird 78.3.1 today (September 26): https://www.thunderbird.net/en-US/thunderbird/78.3.1/releasenotes/ It fixes a crash, but it doesn't sound like we've seen the issue.
Validating the update. As per comment 41, encryption tested. I also tested imap, pop3, and nntp accounts.
CC: (none) => sysadmin-bugsWhiteboard: (none) => MGA7-64-OKKeywords: (none) => validated_update
Keywords: validated_update => feedbackWhiteboard: MGA7-64-OK => (none)Blocks: (none) => 27317
Summary: Thunderbird 78.3.0 => Thunderbird 78.3.1
Hi, In this update (78.3.1), the language menu and folders change to english again. My language application is Spanish, and I can't change to spanish. In preferences the spanish language have been selected, but Thunderbird 78.3.1 appears in english. Greetings!
(In reply to Aurelien Oudelet from comment #40) > Enigmail plugin is dropped. Instead openpgp functionality is integrated in > thunderbird himself. > > We need test the upgrade from a Thunderbird+Enigmail 68 with openpgpg keys > to Thunderbird 78.3. > > Will see this tommorow. (In reply to Dave Hodgins from comment #41) > Note that tb no longer supports gpg keyrings. The keys are stored in a tb > database. There is no option to require a passphrase for each access of the > secret key, so a master passphrase should be set for tb. Also, if using > encryption, never leave tb running unattended where other people have access > to > it since anyone with access to a running tb will have access to all encrypted > messages, and be able to send messages automatically signed with your key. > > Not a design I agree with, but that is what mozilla has chosen, to simplify > key and encryption/signing management at the expense of security. Testing this. MUST say a big WARNING on this. Summary: Thunderbird 68.12 + Enigmail with my aure[...]@free.fr private/public PGP key on my M7 system. I can send encrypted and signed mail to my other email (ouaur[...]@gmail.com) All good configuration. Updating to Thunderbird 78.3.1 on M7 with updates_testing this uninstall enigmail-68.12 which is expected behaviour. Expected also as per Dave Hodgins comment 41 above, is do these steps: 1) I have to import my PGP (public and private) key from exported files by Kleopatra on Plasma. Import is OK inside Thunderbird UI. 2) Have also to edit end-to-end encryption inside Accounts preferences and select my existing openpgp key. 3) Import public PGP key from existing recipients. 4) Sending encrypted / signed after is OK. These steps must be documented. Thunderbird no longer use system keyring on Linux. There is no upgrade assistant nor automatically updated settings. Our end-users will have to manually do all these above steps for updating to Thunderbird 78.3. (In reply to Jose Manuel López from comment #45) > Hi, > > In this update (78.3.1), the language menu and folders change to english > again. My language application is Spanish, and I can't change to spanish. > > In preferences the spanish language have been selected, but Thunderbird > 78.3.1 appears in english. > > Greetings! Sorry but Thunderbird 78.3.1 installed over Thunderbird 68.12 on M7 is in French.
Status: ASSIGNED => NEW
@Jose, I can't reproduce this.
Keywords: feedback => (none)Status: NEW => ASSIGNED
And what can I contribute to help solve this?? I have two different teams with the same problem in Mageia 8 Beta Plasma Kde. This is a screenshot of this bug: https://mega.nz/file/z1kjjKYA#IechbRpslhIW4DNILWnMnvePh-10KsTjTexiOeDa884 Greetints!!
Hi, I think you install thunderbird 78.3.1 when thunderbird-l10n package was not built so the localisation package was removed. You need to manually install thunderbird-es_ES or thunderbird-es_AR to get the translation back. Best regards, Nico.
Also, Thunderbird 78.3.1 installed in M8 Cauldron is in French. But at first, mgaapplet wanted to uninstall french-lang pack. Had to refresh RPM database by a manual "Look for updates". I think on Cauldron systems, you can use rpmdrake and manually look for spanish lang-pack.
(In reply to Aurelien Oudelet from comment #46) > > Not a design I agree with, but that is what mozilla has chosen, to simplify > > key and encryption/signing management at the expense of security. > > Testing this. MUST say a big WARNING on this. What do you think if thunderbird package contains a README.urpmi file saying: """ Installation steps if you want to use PGP keys in Thunderbird 78+ ----------------------------------------------------------------- Starting with Thunderbird 78, Enigmail is no longer available and Thunderbird will no longer use system keyring. To use PGP keys with Thunderbird 78 and above, you can follow these steps: 1. Import your PGP (public and private) key. 2. Edit end-to-end encryption inside Accounts preferences and select your existing openpgp key. 3. Import public PGP key from existing recipients. 4. To protect your keys, you may also define a master password in Thunderbird. """ Do you think it is clear or do you have some ideas to improve the message?
(In reply to Nicolas Salguero from comment #51) > (In reply to Aurelien Oudelet from comment #46) > > > Not a design I agree with, but that is what mozilla has chosen, to simplify > > > key and encryption/signing management at the expense of security. > > > > Testing this. MUST say a big WARNING on this. > > What do you think if thunderbird package contains a README.urpmi file saying: > """ > Installation steps if you want to use PGP keys in Thunderbird 78+ > ----------------------------------------------------------------- > > Starting with Thunderbird 78, Enigmail is no longer available and Thunderbird > will no longer use system keyring. > > To use PGP keys with Thunderbird 78 and above, you can follow these steps: > 1. Import your PGP (public and private) key. > 2. Edit end-to-end encryption inside Accounts preferences and select your > existing openpgp key. > 3. Import public PGP key from existing recipients. > 4. To protect your keys, you may also define a master password in > Thunderbird. > """ > > Do you think it is clear or do you have some ideas to improve the message? Yeah, we should do this. Also, a Mageia wiki link to a webpage should be add as it permit translations.
Maybe also a blog post a week before pushing it. Email working is very crucial for a lot of us. That said, people who go for encryption tend also to be the more technical ones, but they may not be prepared to spend time on finding problems and make it work again.
According to this: https://wiki.mozilla.org/Thunderbird:OpenPGP:Migration-From-Enigmail Enigmail can be integrated with Thunderbird 78.3 and serves as a migration tools. And here:https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_i-have-previously-used-enigmail-how-do-i-migrate-and-configure I have previously used Enigmail, how do I migrate and configure? You can upgrade your Thunderbird settings from an older version (such as 68.x) to version 78.x It is recommended that you make a backup of your old Thunderbird profile before you use Thunderbird 78 for the first time, because once you have upgraded, your profile can no longer be used with Thunderbird 68. If for any reason you decide that you must continue to use Thunderbird 68 and Enigmail, a backup will allow you to go back easily. Enigmail is currently available in two versions, 2.1.x and 2.2.x: Enigmail 2.1.x only works with Thunderbird 68 and older release versions, and provides the classic functionality. Enigmail version 2.2.x is a specially modified version, which only works with Thunderbird 78 and later version. Enigmail 2.2.x doesn't provide the traditional functionality, rather it exists to help you migrate your keys and settings to Thunderbird 78. This is untested and should be see.
Upstream Thunderbird Enigmail: https://addons.thunderbird.net/fr/thunderbird/addon/enigmail/versions/?page=1#version-2.2.3 Migration tool is here. This should be added and will reduce Keys manipulations exposed in Comment 46.
Added this Wiki page on this: https://wiki.mageia.org/en/Migration_from_Thunderbird_68_and_Enigmail_to_Thunderbird_78 Feel free for Documentation Team to translate into other language.
Suggested advisory: ======================== Updated thunderbird packages fix security vulnerabilities: AppCache manifest poisoning due to url encoded character processing. (CVE-200-12415) Use-after-free in WebRTC VideoBroadcaster. (CVE-2020-12416) Integer overflow in nsJPEGEncoder::emptyOutputBuffer. (CVE-2020-12422) WebRTC permission prompt could have been bypassed by a compromised content process. (CVE-2020-12424) Out of bound read in Date.parse(). (CVE-2020-12425) Memory safety bugs fixed in Thunderbird 78. (CVE-2020-12426) X-Frame-Options bypass using object or embed tags. (CVE-2020-15648) Memory safety bugs fixed in Thunderbird 78.3. (CVE-2020-15673) XSS when pasting attacker-controlled data into a contenteditable element. (CVE-2020-15676) Download origin spoofing via redirect. (CVE-2020-15677) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario. (CVE-2020-15678) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12415 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12416 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12422 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12424 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12425 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12426 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15648 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15673 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15676 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15677 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15678 https://www.mozilla.org/en-US/security/advisories/mfsa2020-29/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/ https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.0.1/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.1.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.1.1/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.2.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.3.0/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.3.1/releasenotes/ ======================== Updated packages in core/updates_testing: ======================== thunderbird-78.3.1-3.mga7 thunderbird-ar-78.3.1-1.mga7 thunderbird-ast-78.3.1-1.mga7 thunderbird-be-78.3.1-1.mga7 thunderbird-bg-78.3.1-1.mga7 thunderbird-br-78.3.1-1.mga7 thunderbird-ca-78.3.1-1.mga7 thunderbird-cs-78.3.1-1.mga7 thunderbird-cy-78.3.1-1.mga7 thunderbird-da-78.3.1-1.mga7 thunderbird-de-78.3.1-1.mga7 thunderbird-el-78.3.1-1.mga7 thunderbird-en_GB-78.3.1-1.mga7 thunderbird-en_US-78.3.1-1.mga7 thunderbird-es_AR-78.3.1-1.mga7 thunderbird-es_ES-78.3.1-1.mga7 thunderbird-et-78.3.1-1.mga7 thunderbird-eu-78.3.1-1.mga7 thunderbird-fi-78.3.1-1.mga7 thunderbird-fr-78.3.1-1.mga7 thunderbird-fy_NL-78.3.1-1.mga7 thunderbird-ga_IE-78.3.1-1.mga7 thunderbird-gd-78.3.1-1.mga7 thunderbird-gl-78.3.1-1.mga7 thunderbird-he-78.3.1-1.mga7 thunderbird-hr-78.3.1-1.mga7 thunderbird-hsb-78.3.1-1.mga7 thunderbird-hu-78.3.1-1.mga7 thunderbird-hy_AM-78.3.1-1.mga7 thunderbird-id-78.3.1-1.mga7 thunderbird-is-78.3.1-1.mga7 thunderbird-it-78.3.1-1.mga7 thunderbird-ja-78.3.1-1.mga7 thunderbird-ka-78.3.1-1.mga7 thunderbird-kab-78.3.1-1.mga7 thunderbird-kk-78.3.1-1.mga7 thunderbird-ko-78.3.1-1.mga7 thunderbird-lt-78.3.1-1.mga7 thunderbird-ms-78.3.1-1.mga7 thunderbird-nb_NO-78.3.1-1.mga7 thunderbird-nl-78.3.1-1.mga7 thunderbird-nn_NO-78.3.1-1.mga7 thunderbird-pl-78.3.1-1.mga7 thunderbird-pt_BR-78.3.1-1.mga7 thunderbird-pt_PT-78.3.1-1.mga7 thunderbird-ro-78.3.1-1.mga7 thunderbird-ru-78.3.1-1.mga7 thunderbird-si-78.3.1-1.mga7 thunderbird-sk-78.3.1-1.mga7 thunderbird-sl-78.3.1-1.mga7 thunderbird-sq-78.3.1-1.mga7 thunderbird-sv_SE-78.3.1-1.mga7 thunderbird-tr-78.3.1-1.mga7 thunderbird-uk-78.3.1-1.mga7 thunderbird-uz-78.3.1-1.mga7 thunderbird-vi-78.3.1-1.mga7 thunderbird-zh_CN-78.3.1-1.mga7 thunderbird-zh_TW-78.3.1-1.mga7 from SRPMS: thunderbird-78.3.1-3.mga7.src.rpm thunderbird-l10n-78.3.1-1.mga7.src.rpm
In thunderbird-78.3.1-3.mga7, I added enigmail 2.2.3 and modified the file README.urpmi like this: """ Installation steps if you want to use PGP keys in Thunderbird 78+ ----------------------------------------------------------------- Starting with Thunderbird 78, Enigmail will no longer let you manage your PGP keys but will only provide a migration tool. Thunderbird will no longer use system keyring and GnuPG but it will handle PGP keys internally. To use PGP keys with Thunderbird 78 and above, you can use the migration tool from Enigmail or follow these steps: 1. Import your PGP (public and private) key. 2. Edit end-to-end encryption inside Accounts preferences and select your existing openpgp key. 3. Import public PGP key from existing recipients. In all cases, to protect your keys, you should also define a master password in Thunderbird. """
Will test this tonight after downgrade thunderbird, rebuild a user profile and set a working Enigmail config.
I uninstalled Thunderbird, cleaned urpmi and reinstalled it by selecting the Spanish language. Everything's right now. Menus and folder names are in Spanish. Best regards!!
(In reply to Nicolas Salguero from comment #58) > In thunderbird-78.3.1-3.mga7, I added enigmail 2.2.3 and modified the file > README.urpmi like this: > """ > Installation steps if you want to use PGP keys in Thunderbird 78+ > ----------------------------------------------------------------- > > Starting with Thunderbird 78, Enigmail will no longer let you manage your PGP > keys but will only provide a migration tool. Thunderbird will no longer use > system keyring and GnuPG but it will handle PGP keys internally. > > To use PGP keys with Thunderbird 78 and above, you can use the migration tool > from Enigmail or follow these steps: > 1. Import your PGP (public and private) key. > 2. Edit end-to-end encryption inside Accounts preferences and select your > existing openpgp key. > 3. Import public PGP key from existing recipients. > > In all cases, to protect your keys, you should also define a master password > in Thunderbird. > """ Tested this, and This is OK ! Enigmail taunts at first Thunderbird 78.3.1-4 run and proposes a Migration Tool, fully translated. This populates Thunderbird 78 from Enigmail previous settings and imports GnuPG Keys. Also, updating Wiki page. M7-32 Bits version and M7-64 bits are OK!
Keywords: (none) => validated_updateWhiteboard: (none) => MGA7-64-OK MGA7-32-OK
It should be 78.3.1-3, not 78.3.1-4. Was that a typo or did you test Cauldron instead of Mageia 7?
Advisory in Comment 36. Package list in Comment 57. We should add a note about the enigmail changes to the bottom of the advisory too though...
Ohh you're right. It is REALLY 78.3.1-3 on Mageia 7. Sorry, (as I tested both) You are eagle-eyed! Can we provide a link in README.urpmi to this wiki page: https://wiki.mageia.org/en/Migration_from_Thunderbird_68_and_Enigmail_to_Thunderbird_78 ?
Or you can provide that link in the advisory if we don't want to trigger yet another rebuild of the package.
(In reply to David Walser from comment #63) > Advisory in Comment 36. Package list in Comment 57. > > We should add a note about the enigmail changes to the bottom of the > advisory too though... I think link to wiki above link has his good place here. Feel free to correct it.
Proposed Advisory: type: security subject: Updated Thunderbird packages fix security vulnerabilities CVE: - CVE-2020-12415 - CVE-2020-12416 - CVE-2020-12422 - CVE-2020-12424 - CVE-2020-12425 - CVE-2020-12426 - CVE-2020-15648 - CVE-2020-15673 - CVE-2020-15676 - CVE-2020-15677 - CVE-2020-15678 src: 7: core: - thunderbird-78.3.1-3.mga7 - thunderbird-l10n-78.3.1-1.mga7 description: | AppCache manifest poisoning due to url encoded character processing. (CVE-2020-12415) Use-after-free in WebRTC VideoBroadcaster. (CVE-2020-12416) Integer overflow in nsJPEGEncoder::emptyOutputBuffer. (CVE-2020-12422) WebRTC permission prompt could have been bypassed by a compromised content process. (CVE-2020-12424) Out of bound read in Date.parse(). (CVE-2020-12425) Memory safety bugs fixed in Thunderbird 78. (CVE-2020-12426) X-Frame-Options bypass using object or embed tags. (CVE-2020-15648) Memory safety bugs fixed in Thunderbird 78.3. (CVE-2020-15673) XSS when pasting attacker-controlled data into a contenteditable element. (CVE-2020-15676) Download origin spoofing via redirect. (CVE-2020-15677) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario. (CVE-2020-15678) Starting with Thunderbird 78, Enigmail will no longer let you manage your PGP keys but will only provide a migration tool. Thunderbird will no longer use system keyring and GnuPG but it will handle PGP keys internally. To use your existing PGP keys with Thunderbird 78 and above, you must use the migration tool from Enigmail at first Thunderbird run. See our wiki-page, link below. In all cases, to protect your keys, you should also define a master password in Thunderbird. references: - https://bugs.mageia.org/show_bug.cgi?id=26965 - https://wiki.mageia.org/en/Migration_from_Thunderbird_68_and_Enigmail_to_Thunderbird_78 - https://www.mozilla.org/en-US/security/advisories/mfsa2020-29/ - https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/ - https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/ - https://www.thunderbird.net/en-US/thunderbird/78.0.1/releasenotes/ - https://www.thunderbird.net/en-US/thunderbird/78.1.0/releasenotes/ - https://www.thunderbird.net/en-US/thunderbird/78.1.1/releasenotes/ - https://www.thunderbird.net/en-US/thunderbird/78.2.0/releasenotes/ - https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/ - https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes/ - https://www.thunderbird.net/en-US/thunderbird/78.3.0/releasenotes/ - https://www.thunderbird.net/en-US/thunderbird/78.3.1/releasenotes/
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0378.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED