Bug 28642 - Thunderbird 78.9
Summary: Thunderbird 78.9
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 28641
Blocks:
Reported: 2021-03-25 09:14 CET by Nicolas Salguero
Modified: 2022-10-26 18:39 CEST

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Description Nicolas Salguero 2021-03-25 09:14:24 CET
Mozilla has released Thunderbird 78.9.0 on March 23:
https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/

Mageia 7 and 8 also affected.

Nicolas Salguero 2021-03-25 09:14:40 CET

Source RPM: (none) => thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA8TOO, MGA7TOO

Nicolas Salguero 2021-03-25 09:30:49 CET

Depends on: (none) => 28641

Comment 1 Lewis Smith 2021-03-25 19:23:40 CET
Assigning this also to you Nicolas as having much maintained it; CC'ing neoclust who also has committed it recently.

Assignee: bugsquad => nicolas.salguero
CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2021-03-25 21:56:58 CET
pushed in cauldron mga7/8 by Nicolas:

src:
   - mageia 7:
         - thunderbird-l10n-78.9.0-1.mga7
         - thunderbird-78.9.0-1.mga7
   - mageia 8:
         - thunderbird-l10n-78.9.0-1.mga8
         - thunderbird-78.9.0-1.mga8

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8

Comment 3 Morgan Leijström 2021-03-26 01:08:36 CET
mga7-64 Plasma Nvidia-current quick test OK
Picking up settings and many thousands mail in a handful accounts
Swedish locale
Ask password at start (as set)
Offline IMAP, SMTP send
printing

Continue using it tomorrow etc

CC: (none) => fri

Comment 4 Nicolas Salguero 2021-03-26 09:13:42 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Texture upload into an unbound backing buffer resulted in an out-of-bound read. (CVE-2021-23981)

Angle graphics library out of date. (MOZ-2021-0002)

Internal network hosts could have been probed by a malicious webpage. (CVE-2021-23982)

Malicious extensions could have spoofed popup information. (CVE-2021-23984)

Memory safety bugs fixed in Thunderbird 78.9. (CVE-2021-23987)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23987
https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/

Status: NEW => ASSIGNED

Comment 5 Thomas Andrews 2021-03-27 20:57:26 CET
I have been using the US English version in mga8-64 Plasma for a few hours, with no issues noted.

CC: (none) => andrewsfarm

Comment 6 Guillaume Royer 2021-03-28 09:24:22 CEST
Testing Thunderbird today.

Update ok with QA Repo and with:

thunderbird-78.9.0-1.mga8
thunderbird-fr-78.9.0-1.mga8.noarch.rpm

And:

lib64nss3-3.63.0-1.mga8.x86_64.rpm
lib64nspr4-4.30-1.mga8.x86_64.rpm

Because dependencies weren't satisfied

Send mail OK and reception Ok

I'll try to install it in the day on VM M7

CC: (none) => guillaume.royer

Comment 7 Guillaume Royer 2021-03-28 14:18:37 CEST
Testing Thunderbird today, M7 VM GNOME

Update ok with QA Repo and with:

thunderbird-78.9.0-1.mga7
thunderbird-fr-78.9.0-1.mga7.noarch.rpm

Configuration new account OK, send mail OK and reception Ok

Comment 8 Aurelien Oudelet 2021-03-30 20:47:12 CEST
Mageia 7 and 8 Plasma.
x86_64 OK

Validating.

CC: (none) => ouaurelien, sysadmin-bugs
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => advisory, validated_update

Comment 9 Mageia Robot 2021-03-30 22:11:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0164.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 10 David Walser 2021-03-30 23:08:11 CEST
RedHat has issued an advisory for this on March 25:
https://access.redhat.com/errata/RHSA-2021:0993

Comment 11 David Walser 2022-10-26 18:39:26 CEST
I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs.  SVN advisory updated.

Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0164.html
Mozilla Advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/
Suggested change(s):
MOZ-2021-0002 -> CVE-2021-4127
