Mozilla released Thunderbird 78.6.0 yesterday (December 14):
https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
Release notes not out yet.
Source RPM: (none) => thunderbird, thunderbird-l10n
Assignee: bugsquad => nicolas.salguero
CC: (none) => nicolas.salguero
Advisory to come.

Updated packages in core/updates_testing:
========================
thunderbird-78.6.0-1.mga7
thunderbird-enigmail-78.6.0-1.mga7
thunderbird-ar-78.6.0-1.mga7
thunderbird-ast-78.6.0-1.mga7
thunderbird-be-78.6.0-1.mga7
thunderbird-bg-78.6.0-1.mga7
thunderbird-br-78.6.0-1.mga7
thunderbird-ca-78.6.0-1.mga7
thunderbird-cs-78.6.0-1.mga7
thunderbird-cy-78.6.0-1.mga7
thunderbird-da-78.6.0-1.mga7
thunderbird-de-78.6.0-1.mga7
thunderbird-el-78.6.0-1.mga7
thunderbird-en_GB-78.6.0-1.mga7
thunderbird-en_US-78.6.0-1.mga7
thunderbird-es_AR-78.6.0-1.mga7
thunderbird-es_ES-78.6.0-1.mga7
thunderbird-et-78.6.0-1.mga7
thunderbird-eu-78.6.0-1.mga7
thunderbird-fi-78.6.0-1.mga7
thunderbird-fr-78.6.0-1.mga7
thunderbird-fy_NL-78.6.0-1.mga7
thunderbird-ga_IE-78.6.0-1.mga7
thunderbird-gd-78.6.0-1.mga7
thunderbird-gl-78.6.0-1.mga7
thunderbird-he-78.6.0-1.mga7
thunderbird-hr-78.6.0-1.mga7
thunderbird-hsb-78.6.0-1.mga7
thunderbird-hu-78.6.0-1.mga7
thunderbird-hy_AM-78.6.0-1.mga7
thunderbird-id-78.6.0-1.mga7
thunderbird-is-78.6.0-1.mga7
thunderbird-it-78.6.0-1.mga7
thunderbird-ja-78.6.0-1.mga7
thunderbird-ka-78.6.0-1.mga7
thunderbird-kab-78.6.0-1.mga7
thunderbird-kk-78.6.0-1.mga7
thunderbird-ko-78.6.0-1.mga7
thunderbird-lt-78.6.0-1.mga7
thunderbird-ms-78.6.0-1.mga7
thunderbird-nb_NO-78.6.0-1.mga7
thunderbird-nl-78.6.0-1.mga7
thunderbird-nn_NO-78.6.0-1.mga7
thunderbird-pl-78.6.0-1.mga7
thunderbird-pt_BR-78.6.0-1.mga7
thunderbird-pt_PT-78.6.0-1.mga7
thunderbird-ro-78.6.0-1.mga7
thunderbird-ru-78.6.0-1.mga7
thunderbird-si-78.6.0-1.mga7
thunderbird-sk-78.6.0-1.mga7
thunderbird-sl-78.6.0-1.mga7
thunderbird-sq-78.6.0-1.mga7
thunderbird-sv_SE-78.6.0-1.mga7
thunderbird-tr-78.6.0-1.mga7
thunderbird-uk-78.6.0-1.mga7
thunderbird-uz-78.6.0-1.mga7
thunderbird-vi-78.6.0-1.mga7
thunderbird-zh_CN-78.6.0-1.mga7
thunderbird-zh_TW-78.6.0-1.mga7

from SRPMS:
thunderbird-78.6.0-1.mga7.src.rpm
thunderbird-l10n-78.6.0-1.mga7.src.rpm
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
attempted to install mga7-64, received a missing signature error
CC: (none) => wrw105
I've asked sysadmins to remove it, as it'd be better to not increase the release. Is it thunderbird, a l10n package, or both that's missing signature?
Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read (CVE-2020-16042).

Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow in WebGL on some video drivers (CVE-2020-26971).

Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass (CVE-2020-26973).

When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap use-after-free, memory corruption, and a potentially exploitable crash (CVE-2020-26974).

Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine (CVE-2020-26978).

When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address (CVE-2020-35111).

Mozilla developer Christian Holler reported memory safety bugs present in Thunderbird 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-35113).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26971
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35113
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/
https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
David, In case you didn't see the response on qa-discuss, it's both.
Ouch, so there may be several packages in Cauldron affected. Rebuilds for this are submitted to the build system.
Looks like the l10n package built, but thunderbird itself was rejected...
This is on hold until the build system is fixed.
http://pkgsubmit.mageia.org/uploads/rejected/7/core/updates_testing/20201215185325.luigiwalser.duvel.23366.youri
CC: (none) => sysadmin-bugs
Keywords: (none) => feedback
Should be good soon.
Keywords: feedback => (none)
CC: sysadmin-bugs => (none)
Tested MGA7-64
Send/receive/move/delete under smtp/IMAP ok, calendar loaded normally
*Side note, I had to use urpmi --clear to remove the unsigned version from yesterday which my machine still had cached.
Whiteboard: (none) => mga7-64-ok
tested mga7-32 as above, all ok. Probably would be a good idea to have someone test POP3 yet, and it's good to go.
Whiteboard: mga7-64-ok => mga7-64-ok mga7-32-ok
Updated 64-bit versions of Firefox and Thunderbird in one operation. Both look good, including POP3 in Thunderbird. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0462.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
OK I experienced no issues either, 64 bit Plasma, Swedish, IMAP, SMTP, some accounts and many thousand mails.
CC: (none) => fri
RedHat has issued an advisory for this today (December 17): https://access.redhat.com/errata/RHSA-2020:5618