Assigning to Nicolas S. who did last releases.


Adding correct CVE from upstream release notes.

Whiteboard: (none) => MGA7TOO MGA8TOO
CVE: CVE-2021-23961, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946 => CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23961, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946, CVE-2021-29948

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Out of bound write due to lazy initialization. (CVE-2021-23994) 

Use-after-free in Responsive Design Mode. (CVE-2021-23995) 

Secure Lock icon could have been spoofed. (CVE-2021-23998) 

More internal network hosts could have been probed by a malicious webpage. (CVE-2021-23961) 

Blob URLs may have been granted additional privileges. (CVE-2021-23999) 

Arbitrary FTP command execution on FTP servers using an encoded URL. (CVE-2021-24002) 

Incorrect size computation in WebAssembly JIT could lead to null-reads. (CVE-2021-29945) 

Port blocking could be bypassed. (CVE-2021-29946) 

Race condition when reading from disk while verifying signatures. (CVE-2021-29948) 

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29948
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/
https://www.thunderbird.net/en-US/thunderbird/78.10.0/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-78.10.0-1.mga{7|8}
thunderbird-enigmail-78.10.0-1.mga{7|8}
thunderbird-ar-78.10.0-1.mga{7|8}
thunderbird-ast-78.10.0-1.mga{7|8}
thunderbird-be-78.10.0-1.mga{7|8}
thunderbird-bg-78.10.0-1.mga{7|8}
thunderbird-br-78.10.0-1.mga{7|8}
thunderbird-ca-78.10.0-1.mga{7|8}
thunderbird-cs-78.10.0-1.mga{7|8}
thunderbird-cy-78.10.0-1.mga{7|8}
thunderbird-da-78.10.0-1.mga{7|8}
thunderbird-de-78.10.0-1.mga{7|8}
thunderbird-el-78.10.0-1.mga{7|8}
thunderbird-en_GB-78.10.0-1.mga{7|8}
thunderbird-en_US-78.10.0-1.mga{7|8}
thunderbird-es_AR-78.10.0-1.mga{7|8}
thunderbird-es_ES-78.10.0-1.mga{7|8}
thunderbird-et-78.10.0-1.mga{7|8}
thunderbird-eu-78.10.0-1.mga{7|8}
thunderbird-fi-78.10.0-1.mga{7|8}
thunderbird-fr-78.10.0-1.mga{7|8}
thunderbird-fy_NL-78.10.0-1.mga{7|8}
thunderbird-ga_IE-78.10.0-1.mga{7|8}
thunderbird-gd-78.10.0-1.mga{7|8}
thunderbird-gl-78.10.0-1.mga{7|8}
thunderbird-he-78.10.0-1.mga{7|8}
thunderbird-hr-78.10.0-1.mga{7|8}
thunderbird-hsb-78.10.0-1.mga{7|8}
thunderbird-hu-78.10.0-1.mga{7|8}
thunderbird-hy_AM-78.10.0-1.mga{7|8}
thunderbird-id-78.10.0-1.mga{7|8}
thunderbird-is-78.10.0-1.mga{7|8}
thunderbird-it-78.10.0-1.mga{7|8}
thunderbird-ja-78.10.0-1.mga{7|8}
thunderbird-ka-78.10.0-1.mga{7|8}
thunderbird-kab-78.10.0-1.mga{7|8}
thunderbird-kk-78.10.0-1.mga{7|8}
thunderbird-ko-78.10.0-1.mga{7|8}
thunderbird-lt-78.10.0-1.mga{7|8}
thunderbird-ms-78.10.0-1.mga{7|8}
thunderbird-nb_NO-78.10.0-1.mga{7|8}
thunderbird-nl-78.10.0-1.mga{7|8}
thunderbird-nn_NO-78.10.0-1.mga{7|8}
thunderbird-pl-78.10.0-1.mga{7|8}
thunderbird-pt_BR-78.10.0-1.mga{7|8}
thunderbird-pt_PT-78.10.0-1.mga{7|8}
thunderbird-ro-78.10.0-1.mga{7|8}
thunderbird-ru-78.10.0-1.mga{7|8}
thunderbird-si-78.10.0-1.mga{7|8}
thunderbird-sk-78.10.0-1.mga{7|8}
thunderbird-sl-78.10.0-1.mga{7|8}
thunderbird-sq-78.10.0-1.mga{7|8}
thunderbird-sv_SE-78.10.0-1.mga{7|8}
thunderbird-tr-78.10.0-1.mga{7|8}
thunderbird-uk-78.10.0-1.mga{7|8}
thunderbird-uz-78.10.0-1.mga{7|8}
thunderbird-vi-78.10.0-1.mga{7|8}
thunderbird-zh_CN-78.10.0-1.mga{7|8}
thunderbird-zh_TW-78.10.0-1.mga{7|8}

from SRPMS:
thunderbird-78.10.0-1.mga{7|8}.src.rpm
thunderbird-l10n-78.10.0-1.mga{7|8}.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA7TOO MGA8TOO => MGA7TOO
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs

MGA8-64 Plasma, nvidia-current, kernel 5.10.30-desktop-1.mga8

- lib64nss3-3.64.0-1.mga8.x86_64
- thunderbird-78.10.0-1.mga8.x86_64
- thunderbird-sv_SE-78.10.0-1.mga8.noarch

Test OK: localisation, settings, existing accounts, folders and mail remain, send using SMTP, offline IMAP, IMAP replicates mail moves between folders on webmail server and in Thunderbird used as client.

CC: (none) => fri

tested mga8-32

send/receive/move/delete and calendar all OK over SMTP/IMAP

Whiteboard: MGA7TOO => MGA7TOO mga8-32-ok
CC: (none) => wrw105

tested mga7-32 as above, all OK

Whiteboard: MGA7TOO mga8-32-ok => MGA7TOO mga8-32-ok mga7-32-ok

tested mga8-64 as above, all OK

Whiteboard: MGA7TOO mga8-32-ok mga7-32-ok => MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok

RedHat has issued an advisory for this on April 26:
https://access.redhat.com/errata/RHSA-2021:1353

tested mga8-64 as above, all OK. Validating. Ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update
Whiteboard: MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok => MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok mga8-64-ok
CC: (none) => sysadmin-bugs

MGA8 Plasma x86_64

All tests OK.

Advisory pushed to svn.

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0198.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED