Bug 2878 - Update candidate: mozilla-thunderbird & -l10n - security update to 3.1.15
Summary: Update candidate: mozilla-thunderbird & -l10n - security update to 3.1.15
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2011-09-30 13:36 CEST by Florian Hubold
Modified: 2012-02-03 17:07 CET

See Also:
Source RPM:
CVE:
Status comment:


Description Florian Hubold 2011-09-30 13:36:39 CEST
There is now mozilla-thunderbird-3.1.15-1.mga1 in core/updates_testing to validate, together with the language packages mozilla-thunderbird-XX-3.1.15-1.mga1
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following security issues:


- Revoked the root certificate for DigiNotar due to fraudulent SSL certificate issuance, fixed in Thunderbird 3.1.13 ( see https://bugzilla.mozilla.org/show_bug.cgi?id=682927 and the security advisory at http://www.mozilla.org/security/announce/2011/mfsa2011-34.html )

- Removed trust exceptions for certificates issued by Staat der Nederlanden, fixed in Thunderbird 3.1.14 (see https://bugzilla.mozilla.org/show_bug.cgi?id=683449 and the security advisory at http://www.mozilla.org/security/announce/2011/mfsa2011-35.html )

- Resolved an issue with gov.uk websites (see https://bugzilla.mozilla.org/show_bug.cgi?id=669792)

- Fixed a critical crash [@ nsContentUtils::ComparePosition] 

- Several other fixes to improve performance, stability and security, which are listed here and fixed in Thunderbird 3.1.15: https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_status_thunderbird31;type0-0-1=equals;field0-0-1=cf_status_192;query_format=advanced;value0-0-1=.23-fixed;type0-0-0=equals;value0-0-0=.15-fixed

-------------------------------------------------------
Steps to reproduce:

- install/update to update candidate and according language pack
- make sure DigiNotar and PKIoverheid (Staat der Nederlanden) are untrusted, meaning not listed in CA list
- make sure there are no regressions
- make sure Thunderbird uses the language of the language pack
Florian Hubold 2011-09-30 14:01:17 CEST

Status: NEW => ASSIGNED

Comment 1 claire robinson 2011-10-01 20:39:38 CEST
Testing i586 en_GB.

Spell checking seems fine. DigiNotar is not listed in certificate authorities, I'm not sure we can test beyond that.

Staat der Nederlanden are both present

One bug still present is bug 1631 - No new mail sound - but it is not covered in this update.

Tested IMAP and POP3, SMTP. html and plain text, address book, spam filter. All seems fine.
Comment 2 Florian Hubold 2011-10-01 23:57:21 CEST
(In reply to comment #1)
> 
> One bug still present is bug 1631 - No new mail sound - but it is not covered
> in this update.

Sorry, it seems Anssi overlooked that and did not assign it to me, so it didn't show up in my bug list. Grabbed it now and commented there.


For the Staat der Nederlanden certificates, this was done in the code like for the DigiNotar certificates in Firefox, just look at the linked bug, also for some example links which should now be untrusted: https://bugzilla.mozilla.org/show_bug.cgi?id=683449

But currently no easy way of checking that those are untrusted in Thunderbird comes to my mind. Does anybody have email business with one of the following Dutch websites?

https://sha2.diginotar.nl/
https://g2test.logius.nl/
https://steenwijkerland.bim.mijnbezwaar.nl/
https://secure.valkenswaard.nl/
https://www8.eindhoven.nl/
Comment 3 Dave Hodgins 2011-10-05 10:41:58 CEST
Ping.  We need a x86-64 tester for thunderbird.

CC: (none) => davidwhodgins

Comment 4 Florian Hubold 2011-10-05 11:32:21 CEST
Well, I've been using it here for 7 days, everything is working all right.
Comment 5 claire robinson 2011-10-05 11:37:50 CEST
I will install and test this later x86_64 if there's nobody already using it. Apart from you Florian :P
Comment 6 claire robinson 2011-10-05 15:17:25 CEST
Tests OK x86_64

Update validated.

Advisory:
------------------
This update addresses the following security issues:


- Revoked the root certificate for DigiNotar due to fraudulent SSL certificate
issuance, fixed in Thunderbird 3.1.13 ( see
https://bugzilla.mozilla.org/show_bug.cgi?id=682927 and the security advisory
at http://www.mozilla.org/security/announce/2011/mfsa2011-34.html )

- Removed trust exceptions for certificates issued by Staat der Nederlanden,
fixed in Thunderbird 3.1.14 (see
https://bugzilla.mozilla.org/show_bug.cgi?id=683449 and the security advisory
at http://www.mozilla.org/security/announce/2011/mfsa2011-35.html )

- Resolved an issue with gov.uk websites (see
https://bugzilla.mozilla.org/show_bug.cgi?id=669792)

- Fixed a critical crash [@ nsContentUtils::ComparePosition] 

- Several other fixes to improve performance, stability and security, which are
listed here and fixed in Thunderbird 3.1.15:

https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_status_thunderbird31;type0-0-1=equals;field0-0-1=cf_status_192;query_format=advanced;value0-0-1=.23-fixed;type0-0-0=equals;value0-0-0=.15-fixed

-------------------------

Source RPM: mozilla-thunderbird-3.1.15-1.mga1.src.rpm


Can sysadmin please push from core/updates_testing to core/updates.

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 D Morgan 2011-10-08 23:35:47 CEST
update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED

Florian Hubold 2012-02-03 17:03:59 CET

Blocks: (none) => 4401

Florian Hubold 2012-02-03 17:07:43 CET

Blocks: 4401 => (none)

