Mozilla has released Thunderbird 78.3.3 today (October 16): https://www.thunderbird.net/en-US/thunderbird/78.3.3/releasenotes/ This sounds like a much more minor set of fixes than 78.3.2. We probably don't need to update it immediately, but if there are any other outstanding packaging issues not yet fixed in the last update, this would provide an opportunity to address those.
Mozilla has released Thunderbird 78.4.0 on October 20: https://www.thunderbird.net/en-US/thunderbird/78.4.0/releasenotes/ It likely contains the same security fixes as Firefox 78.4.0 (Bug 27460).
Summary: Thunderbird 78.3.3 => Thunderbird 78.4QA Contact: (none) => securityComponent: RPM Packages => SecurityDepends on: (none) => 27460
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Use-after-free in usersctp. (CVE-2020-15969) Memory safety bugs fixed in Thunderbird 78.4. (CVE-2020-15683) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15969 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15683 https://www.thunderbird.net/en-US/thunderbird/78.3.3/releasenotes/ https://www.thunderbird.net/en-US/thunderbird/78.4.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-47/ ======================== Updated packages in core/updates_testing: ======================== thunderbird-78.4.0-1.mga7 thunderbird-enigmail-78.4.0-1.mga7 thunderbird-ar-78.4.0-1.mga7 thunderbird-ast-78.4.0-1.mga7 thunderbird-be-78.4.0-1.mga7 thunderbird-bg-78.4.0-1.mga7 thunderbird-br-78.4.0-1.mga7 thunderbird-ca-78.4.0-1.mga7 thunderbird-cs-78.4.0-1.mga7 thunderbird-cy-78.4.0-1.mga7 thunderbird-da-78.4.0-1.mga7 thunderbird-de-78.4.0-1.mga7 thunderbird-el-78.4.0-1.mga7 thunderbird-en_GB-78.4.0-1.mga7 thunderbird-en_US-78.4.0-1.mga7 thunderbird-es_AR-78.4.0-1.mga7 thunderbird-es_ES-78.4.0-1.mga7 thunderbird-et-78.4.0-1.mga7 thunderbird-eu-78.4.0-1.mga7 thunderbird-fi-78.4.0-1.mga7 thunderbird-fr-78.4.0-1.mga7 thunderbird-fy_NL-78.4.0-1.mga7 thunderbird-ga_IE-78.4.0-1.mga7 thunderbird-gd-78.4.0-1.mga7 thunderbird-gl-78.4.0-1.mga7 thunderbird-he-78.4.0-1.mga7 thunderbird-hr-78.4.0-1.mga7 thunderbird-hsb-78.4.0-1.mga7 thunderbird-hu-78.4.0-1.mga7 thunderbird-hy_AM-78.4.0-1.mga7 thunderbird-id-78.4.0-1.mga7 thunderbird-is-78.4.0-1.mga7 thunderbird-it-78.4.0-1.mga7 thunderbird-ja-78.4.0-1.mga7 thunderbird-ka-78.4.0-1.mga7 thunderbird-kab-78.4.0-1.mga7 thunderbird-kk-78.4.0-1.mga7 thunderbird-ko-78.4.0-1.mga7 thunderbird-lt-78.4.0-1.mga7 thunderbird-ms-78.4.0-1.mga7 thunderbird-nb_NO-78.4.0-1.mga7 thunderbird-nl-78.4.0-1.mga7 thunderbird-nn_NO-78.4.0-1.mga7 thunderbird-pl-78.4.0-1.mga7 thunderbird-pt_BR-78.4.0-1.mga7 thunderbird-pt_PT-78.4.0-1.mga7 thunderbird-ro-78.4.0-1.mga7 thunderbird-ru-78.4.0-1.mga7 thunderbird-si-78.4.0-1.mga7 thunderbird-sk-78.4.0-1.mga7 thunderbird-sl-78.4.0-1.mga7 thunderbird-sq-78.4.0-1.mga7 thunderbird-sv_SE-78.4.0-1.mga7 thunderbird-tr-78.4.0-1.mga7 thunderbird-uk-78.4.0-1.mga7 thunderbird-uz-78.4.0-1.mga7 thunderbird-vi-78.4.0-1.mga7 thunderbird-zh_CN-78.4.0-1.mga7 thunderbird-zh_TW-78.4.0-1.mga7 from SRPMS: thunderbird-78.4.0-1.mga7.src.rpm thunderbird-l10n-78.4.0-1.mga7.src.rpm
Assignee: nicolas.salguero => qa-bugsSource RPM: thunderbird => thunderbird, thunderbird-l10nStatus: NEW => ASSIGNED
mga7-64 running fine, Plasma, Nvidia, i7, 4k screen. Offline IMAP, SMTP. Swedish localisation. Several accounts, many thousands emails. Not tested PGP nor calendar.
CC: (none) => fri
Updated the 64-bit US English versions of both Firefox and Thunderbird in one operation, using QArepo. No installation issues noted. Received and replied to some POP email, looked at newsgroups. I don't use the calendar or enigmail, but it looks good for what I do with it.
CC: (none) => andrewsfarm
Tested MGA7-32 send/receive/move/delete, including drag and drop, SMTP/IMAP all OK
Whiteboard: (none) => mga7-32-okCC: (none) => wrw105
tested mga7-64 as above, all OK Will leave for further tests unless TJ is happy and validates.
Whiteboard: mga7-32-ok => mga7-64-ok mga7-32-ok
I'm good with it. Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
(In reply to David Walser from comment #1) > Mozilla has released Thunderbird 78.4.0 on October 20: > https://www.thunderbird.net/en-US/thunderbird/78.4.0/releasenotes/ > "Yahoo and AOL mail users using password authentication will be migrated to OAuth2" Too bad they didn't do this in an earlier version. I just did this manually about a week ago for my Yahoo mail account. Yahoo kept telling me it would stop working on 20 October if I didn't take care of it. Having it done for me automagically would have been nice.
Advisory pushed to SVN.
Keywords: (none) => advisoryCVE: (none) => CVE-2020-15969, CVE-2020-15683CC: (none) => ouaurelienWhiteboard: mga7-64-ok mga7-32-ok => MGA7-64-OK MGA7-32-OK
On mga7-64 kernel-desktop plasma packages installed cleanly: - thunderbird-78.4.0-1.mga7.x86_64 - thunderbird-en_GB-78.4.0-1.mga7.noarch email (POP, SMTP): OK Calendar: OK Address book: OK Movemail: OK I don't use enigmail or IMAP looks OK for mga7-64
CC: (none) => jim
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0396.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
RedHat has issued an advisory for this on November 4: https://access.redhat.com/errata/RHSA-2020:4913