Mozilla.org has released this advisory on February 23, 2021:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/

Mageia 7 also affected.
Whiteboard: (none) => MGA7TOO MGA8TOO
Depends on: (none) => 28432
Mozilla has released Thunderbird 78.8 on February 23:
https://www.thunderbird.net/en-US/thunderbird/78.8.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/
Summary: Thunderbird 78.8 new security issues => Thunderbird 78.8
Group: secteam => (none)
Whiteboard: MGA7TOO MGA8TOO => MGA8TOO, MGA7TOO
RedHat has issued an advisory for this on February 24: https://access.redhat.com/errata/RHSA-2021:0657
fixes in cauldron. Pushed in mga7/8

src:
mageia7:
- thunderbird-78.8.0-1.mga7
- thunderbird-l10n-78.8.0-1.mga7
mageia8:
- thunderbird-78.8.0-1.mga8
- thunderbird-l10n-78.8.0-1.mga8
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Mageia 7 packages for Thunderbird below (Mageia 8 are the same but mga8):

thunderbird-78.8.0-1.mga7
thunderbird-enigmail-78.8.0-1.mga7
thunderbird-ar-78.8.0-1.mga7
thunderbird-ast-78.8.0-1.mga7
thunderbird-be-78.8.0-1.mga7
thunderbird-bg-78.8.0-1.mga7
thunderbird-br-78.8.0-1.mga7
thunderbird-ca-78.8.0-1.mga7
thunderbird-cs-78.8.0-1.mga7
thunderbird-cy-78.8.0-1.mga7
thunderbird-da-78.8.0-1.mga7
thunderbird-de-78.8.0-1.mga7
thunderbird-el-78.8.0-1.mga7
thunderbird-en_GB-78.8.0-1.mga7
thunderbird-en_US-78.8.0-1.mga7
thunderbird-es_AR-78.8.0-1.mga7
thunderbird-es_ES-78.8.0-1.mga7
thunderbird-et-78.8.0-1.mga7
thunderbird-eu-78.8.0-1.mga7
thunderbird-fi-78.8.0-1.mga7
thunderbird-fr-78.8.0-1.mga7
thunderbird-fy_NL-78.8.0-1.mga7
thunderbird-ga_IE-78.8.0-1.mga7
thunderbird-gd-78.8.0-1.mga7
thunderbird-gl-78.8.0-1.mga7
thunderbird-he-78.8.0-1.mga7
thunderbird-hr-78.8.0-1.mga7
thunderbird-hsb-78.8.0-1.mga7
thunderbird-hu-78.8.0-1.mga7
thunderbird-hy_AM-78.8.0-1.mga7
thunderbird-id-78.8.0-1.mga7
thunderbird-is-78.8.0-1.mga7
thunderbird-it-78.8.0-1.mga7
thunderbird-ja-78.8.0-1.mga7
thunderbird-ka-78.8.0-1.mga7
thunderbird-kab-78.8.0-1.mga7
thunderbird-kk-78.8.0-1.mga7
thunderbird-ko-78.8.0-1.mga7
thunderbird-lt-78.8.0-1.mga7
thunderbird-ms-78.8.0-1.mga7
thunderbird-nb_NO-78.8.0-1.mga7
thunderbird-nl-78.8.0-1.mga7
thunderbird-nn_NO-78.8.0-1.mga7
thunderbird-pl-78.8.0-1.mga7
thunderbird-pt_BR-78.8.0-1.mga7
thunderbird-pt_PT-78.8.0-1.mga7
thunderbird-ro-78.8.0-1.mga7
thunderbird-ru-78.8.0-1.mga7
thunderbird-si-78.8.0-1.mga7
thunderbird-sk-78.8.0-1.mga7
thunderbird-sl-78.8.0-1.mga7
thunderbird-sq-78.8.0-1.mga7
thunderbird-sv_SE-78.8.0-1.mga7
thunderbird-tr-78.8.0-1.mga7
thunderbird-uk-78.8.0-1.mga7
thunderbird-uz-78.8.0-1.mga7
thunderbird-vi-78.8.0-1.mga7
thunderbird-zh_CN-78.8.0-1.mga7
thunderbird-zh_TW-78.8.0-1.mga7
Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs (CVE-2021-23968).

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin (CVE-2021-23969).

When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that MediaError message may have revealed information about the resource (CVE-2021-23973).

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats Palmgren reported memory safety bugs present in Thunderbird 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2021-23978).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23978
https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/
https://www.thunderbird.net/en-US/thunderbird/78.8.0/releasenotes/

SRPMS:
thunderbird-78.8.0-1.mga7.src.rpm
thunderbird-l10n-78.8.0-1.mga7.src.rpm
thunderbird-78.8.0-1.mga8.src.rpm
thunderbird-l10n-78.8.0-1.mga8.src.rpm
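The reporting rule quoted in the advisory for CVE-2021-23968 and CVE-2021-23969, as an added JavaScript example (not code from Mozilla, Thunderbird or Mageia): it puts the leaky choice of reporting the redirect destination beside the quoted rule, and adds a check that a report collector could run on incoming values. The function names, the record shape and the sample URLs are constructed for illustration.

```javascript
// Added illustration; not code from Firefox, Thunderbird or Mageia.
// A record is a constructed object { requested, final }: `requested` is the URL
// the page asked for (null if unknown), `final` is where the redirects ended.

const isHttp = (url) => url.protocol === "http:" || url.protocol === "https:";

// Conservative choice in this example: never report fragment or credentials,
// and report only the scheme for non-HTTP(S) URLs.
function stripForReport(urlString) {
  const url = new URL(urlString);
  if (!isHttp(url)) return url.protocol.slice(0, -1);
  url.hash = "";
  url.username = "";
  url.password = "";
  return url.href;
}

// Behaviour the advisory describes as the bug: report the redirect destination.
function reportedUrlLeaky(record) {
  return stripForReport(record.final);
}

// The quoted rule: pre-redirect URL, or only the origin when that is unavailable.
function reportedUrlSafe(record) {
  if (record.requested !== null) return stripForReport(record.requested);
  const final = new URL(record.final);
  return isHttp(final) ? final.origin : final.protocol.slice(0, -1);
}

// Collector-side check: does a reported value expose a path or query on an
// origin the page never requested?
function leaksRedirectTarget(reported, record) {
  if (!/^https?:\/\//.test(reported)) return false; // scheme-only value
  const r = new URL(reported);
  const beyondOrigin = r.pathname !== "/" || r.search !== "";
  const requestedOrigin =
    record.requested === null ? null : new URL(record.requested).origin;
  return beyondOrigin && r.origin !== requestedOrigin;
}

// Constructed sample: a framed login URL that redirects to a tokenised callback.
const sample = {
  requested: "https://sso.example/login?next=app",
  final: "https://user:pw@app.example/callback?token=CONSTRUCTED#state",
};
console.log(reportedUrlLeaky(sample));
console.log(reportedUrlSafe(sample));
console.log(reportedUrlSafe({ ...sample, requested: null }));
```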
Severity: normal => critical
Tested mga8-64: send, receive, move, delete all OK over SMTP/IMAP. Calendar loads normally.
Whiteboard: MGA7TOO => MGA7TOO mga8-64-ok
CC: (none) => wrw105
tested mga7-32 as above, all ok
Whiteboard: MGA7TOO mga8-64-ok => MGA7TOO mga8-64-ok mga7-32-ok
mga7-64 OK, Plasma, Nvidia-current, Intel i7, Swedish

Updated cleanly, all updates from testing installed.
Offline IMAP(receive, +sync both ways), SMTP for sending.
Took over all accounts and content OK

Not tested: Calendar, PGP, Filter...
CC: (none) => fri
MGA7 and 8 64, Plasma, Intel i5 6600K, French

Updated cleanly, all updates from QARepo installed.
IMAP SSL and noSSL OK
SMTP for sending OK to SSL and non SSL servers.
Google Calendar OK.
PGP OK.

Validating. Advisory pushed to SVN.
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: MGA7TOO mga8-64-ok mga7-32-ok => MGA7TOO MGA7-32-OK MGA8-64-OK
Mageia 8, x64

Just switched to mga8 for testing and find that thunderbird does not work at all. The new version did not work in mga7 either.
It is completely blank and even the menu options do not work. It is not even possible to look at account settings - nothing happens. It is like a cardboard cut-out. It comes up blank with every profile tried, completely useless.
CC: (none) => tarazed25
Referring to comment 10: Not using enigmail or PGP keys.
(In reply to Len Lawrence from comment #10)
> Mageia 8, x64
> Just switched to mga8 for testing and find that thunderbird does not work at
> all. The new version did not work in mga7 either.
> It is completely blank and even the menu options do not work. It is not
> even possible to look at account settings - nothing happens. It is like a
> cardboard cut-out. It comes up blank with every profile tried, completely
> useless.

Have you installed Firefox update before? See Bug 28432
Keywords: validated_update => (none)
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0096.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
@Aurelien, comment 12

I had not but I did that just now and restarted firefox OK but this had no effect on thunderbird. It still comes up blank.

I tried creating a new profile and that at least allowed access to gmail but my address book and local folders are all gone. Account settings is accessible again. Tried copying the abook files from this machine to the test machine and inserted them into the profile directory just created. Still no sign of address book in thunderbird. That might be because they were not created in this profile so there might be hidden credentials that do not match. And there is no sign of any facility for importing old address books or their contents. It might take a couple or three days to retype the data but what happens at the next update if you cannot use older profiles?

But the loss of local folders is much more serious. Copying the directories across has not worked in the past.

Just noticed that thunderbird has been copying down 42,519 messages in All Mail - two or three hours and not quite halfway. What on earth would cause that? This is an Imail account.
Perhaps this https://support.mozilla.org/en-US/questions/1281911 could help?
http://kb.mozillazine.org/Inbox_stays_blank
https://support.mozilla.org/en-US/kb/rebuilding-global-database

This does not make me happy.
Nor me Aurelien. I may just cut my losses and revert to Claws-Mail. I would not regard those solutions in the links as proper solutions. thunderbird is defective. Thanks very much for doing the research.
For me, as a Plasma user I rely heavily on KMail. I only use thunderbird for QA tests. I asked QA users also to look at this. I don't have answers, meanwhile.

(In reply to Len Lawrence from comment #17)
> Nor me Aurelien. I may just cut my losses and revert to Claws-Mail.
> I would not regard those solutions in the links as proper solutions.
> thunderbird is defective.
>
> Thanks very much for doing the research.

You're welcome!
No, thunderbird is not defective. There is a strong suspicion that the "missing data" may have something to do with attempts earlier on to use dovecot as a backend for thunderbird. Copying 'Local Folders' in an old profile to <current profile directory>/Mail and the corresponding abook.sqlite to the current profile re-establishes the missing data, albeit somewhat out-of-date. Since nobody else in Mageia has had these problems we have to conclude that this is a non-bug.
Resolution: FIXED => INVALID
Fixed.
CC: (none) => luigiwalser
Resolution: INVALID => FIXED