Bug 28829 - Thunderbird 78.10 Update
Summary: Thunderbird 78.10 Update
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: High critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO mga8-32-ok mga7-32-ok mga7-64...
Keywords: advisory, validated_update
Depends on: 28822
Blocks:
Reported: 2021-04-22 21:15 CEST by Aurelien Oudelet
Modified: 2021-04-29 11:43 CEST

See Also:
Source RPM: thunderbird-78.9.1-1.mga8.src.rpm
CVE: CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23961, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946, CVE-2021-29948
Status comment:


Description Aurelien Oudelet 2021-04-22 21:15:27 CEST
Upstream has released Thunderbird 78.10 Update, on April 19, 2021.

It fixes several vulnerabilities.

https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/

https://www.thunderbird.net/en-US/thunderbird/78.10.0/releasenotes/
Comment 1 Aurelien Oudelet 2021-04-22 21:16:50 CEST
Assigning to Nicolas S. who did last releases.


Adding correct CVE from upstream release notes.

Whiteboard: (none) => MGA7TOO MGA8TOO
CVE: CVE-2021-23961, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946 => CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23961, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946, CVE-2021-29948

Comment 2 Nicolas Salguero 2021-04-26 15:32:58 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Out of bound write due to lazy initialization. (CVE-2021-23994) 

Use-after-free in Responsive Design Mode. (CVE-2021-23995) 

Secure Lock icon could have been spoofed. (CVE-2021-23998) 

More internal network hosts could have been probed by a malicious webpage. (CVE-2021-23961) 

Blob URLs may have been granted additional privileges. (CVE-2021-23999) 

Arbitrary FTP command execution on FTP servers using an encoded URL. (CVE-2021-24002) 

Incorrect size computation in WebAssembly JIT could lead to null-reads. (CVE-2021-29945) 

Port blocking could be bypassed. (CVE-2021-29946) 

Race condition when reading from disk while verifying signatures. (CVE-2021-29948) 

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29948
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/
https://www.thunderbird.net/en-US/thunderbird/78.10.0/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-78.10.0-1.mga{7|8}
thunderbird-enigmail-78.10.0-1.mga{7|8}
thunderbird-ar-78.10.0-1.mga{7|8}
thunderbird-ast-78.10.0-1.mga{7|8}
thunderbird-be-78.10.0-1.mga{7|8}
thunderbird-bg-78.10.0-1.mga{7|8}
thunderbird-br-78.10.0-1.mga{7|8}
thunderbird-ca-78.10.0-1.mga{7|8}
thunderbird-cs-78.10.0-1.mga{7|8}
thunderbird-cy-78.10.0-1.mga{7|8}
thunderbird-da-78.10.0-1.mga{7|8}
thunderbird-de-78.10.0-1.mga{7|8}
thunderbird-el-78.10.0-1.mga{7|8}
thunderbird-en_GB-78.10.0-1.mga{7|8}
thunderbird-en_US-78.10.0-1.mga{7|8}
thunderbird-es_AR-78.10.0-1.mga{7|8}
thunderbird-es_ES-78.10.0-1.mga{7|8}
thunderbird-et-78.10.0-1.mga{7|8}
thunderbird-eu-78.10.0-1.mga{7|8}
thunderbird-fi-78.10.0-1.mga{7|8}
thunderbird-fr-78.10.0-1.mga{7|8}
thunderbird-fy_NL-78.10.0-1.mga{7|8}
thunderbird-ga_IE-78.10.0-1.mga{7|8}
thunderbird-gd-78.10.0-1.mga{7|8}
thunderbird-gl-78.10.0-1.mga{7|8}
thunderbird-he-78.10.0-1.mga{7|8}
thunderbird-hr-78.10.0-1.mga{7|8}
thunderbird-hsb-78.10.0-1.mga{7|8}
thunderbird-hu-78.10.0-1.mga{7|8}
thunderbird-hy_AM-78.10.0-1.mga{7|8}
thunderbird-id-78.10.0-1.mga{7|8}
thunderbird-is-78.10.0-1.mga{7|8}
thunderbird-it-78.10.0-1.mga{7|8}
thunderbird-ja-78.10.0-1.mga{7|8}
thunderbird-ka-78.10.0-1.mga{7|8}
thunderbird-kab-78.10.0-1.mga{7|8}
thunderbird-kk-78.10.0-1.mga{7|8}
thunderbird-ko-78.10.0-1.mga{7|8}
thunderbird-lt-78.10.0-1.mga{7|8}
thunderbird-ms-78.10.0-1.mga{7|8}
thunderbird-nb_NO-78.10.0-1.mga{7|8}
thunderbird-nl-78.10.0-1.mga{7|8}
thunderbird-nn_NO-78.10.0-1.mga{7|8}
thunderbird-pl-78.10.0-1.mga{7|8}
thunderbird-pt_BR-78.10.0-1.mga{7|8}
thunderbird-pt_PT-78.10.0-1.mga{7|8}
thunderbird-ro-78.10.0-1.mga{7|8}
thunderbird-ru-78.10.0-1.mga{7|8}
thunderbird-si-78.10.0-1.mga{7|8}
thunderbird-sk-78.10.0-1.mga{7|8}
thunderbird-sl-78.10.0-1.mga{7|8}
thunderbird-sq-78.10.0-1.mga{7|8}
thunderbird-sv_SE-78.10.0-1.mga{7|8}
thunderbird-tr-78.10.0-1.mga{7|8}
thunderbird-uk-78.10.0-1.mga{7|8}
thunderbird-uz-78.10.0-1.mga{7|8}
thunderbird-vi-78.10.0-1.mga{7|8}
thunderbird-zh_CN-78.10.0-1.mga{7|8}
thunderbird-zh_TW-78.10.0-1.mga{7|8}

from SRPMS:
thunderbird-78.10.0-1.mga{7|8}.src.rpm
thunderbird-l10n-78.10.0-1.mga{7|8}.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA7TOO MGA8TOO => MGA7TOO
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs

Comment 3 Morgan Leijström 2021-04-26 16:46:49 CEST
MGA8-64 Plasma, nvidia-current, kernel 5.10.30-desktop-1.mga8

- lib64nss3-3.64.0-1.mga8.x86_64
- thunderbird-78.10.0-1.mga8.x86_64
- thunderbird-sv_SE-78.10.0-1.mga8.noarch

Test OK: localisation, settings, existing accounts, folders and mail remain, send using SMTP, offline IMAP, IMAP replicates mail moves between folders on webmail server and in Thunderbird used as client.

CC: (none) => fri

Comment 4 Bill Wilkinson 2021-04-26 23:38:41 CEST
tested mga8-32

send/receive/move/delete and calendar all OK over SMTP/IMAP

Whiteboard: MGA7TOO => MGA7TOO mga8-32-ok
CC: (none) => wrw105

Comment 5 Bill Wilkinson 2021-04-27 01:44:38 CEST
tested mga7-32 as above, all OK

Whiteboard: MGA7TOO mga8-32-ok => MGA7TOO mga8-32-ok mga7-32-ok

Comment 6 Bill Wilkinson 2021-04-27 04:05:58 CEST
tested mga8-64 as above, all OK

Whiteboard: MGA7TOO mga8-32-ok mga7-32-ok => MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok

Comment 7 David Walser 2021-04-27 19:46:31 CEST
RedHat has issued an advisory for this on April 26:
https://access.redhat.com/errata/RHSA-2021:1353
Comment 8 Bill Wilkinson 2021-04-27 20:13:49 CEST
tested mga8-64 as above, all OK. Validating. Ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update
Whiteboard: MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok => MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok mga8-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Aurelien Oudelet 2021-04-28 17:29:39 CEST
MGA8 Plasma x86_64

All tests OK.
Comment 10 Aurelien Oudelet 2021-04-28 17:35:40 CEST
Advisory pushed to svn.

Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-04-29 11:43:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0198.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

