Mozilla has released Thunderbird 91.4.0 today (December 7):
https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/

Firefox update in Bug 29734 (but this doesn't need to depend on it since the nss update was already pushed).
Advisory will be as follows.

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities (CVE-2021-43528).

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL (CVE-2021-43536).

An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash due to a heap buffer overflow when using structured clone (CVE-2021-43537).

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received both full screen and pointer lock access, which could have been used for spoofing attacks (CVE-2021-43538).

Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash (CVE-2021-43539).

When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped (CVE-2021-43541).

Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols (CVE-2021-43542).

Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content (CVE-2021-43543).

Using the Location API in a loop could have caused severe application hangs and crashes (CVE-2021-43545).

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor (CVE-2021-43546).

Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Thunderbird 91.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (MOZ-2021-0009).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43536
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43546
https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/
https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes/
new version pushed in mga8:
src:
- thunderbird-91.4.0-1.mga8
- thunderbird-l10n-91.4.0-1.mga8

CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
Updated packages in core/updates_testing:
========================
thunderbird-91.4.0-1.mga8
thunderbird-af-91.4.0-1.mga8
thunderbird-ar-91.4.0-1.mga8
thunderbird-ast-91.4.0-1.mga8
thunderbird-be-91.4.0-1.mga8
thunderbird-bg-91.4.0-1.mga8
thunderbird-br-91.4.0-1.mga8
thunderbird-ca-91.4.0-1.mga8
thunderbird-cs-91.4.0-1.mga8
thunderbird-cy-91.4.0-1.mga8
thunderbird-da-91.4.0-1.mga8
thunderbird-de-91.4.0-1.mga8
thunderbird-dsb-91.4.0-1.mga8
thunderbird-el-91.4.0-1.mga8
thunderbird-en_CA-91.4.0-1.mga8
thunderbird-en_GB-91.4.0-1.mga8
thunderbird-en_US-91.4.0-1.mga8
thunderbird-es_AR-91.4.0-1.mga8
thunderbird-es_ES-91.4.0-1.mga8
thunderbird-et-91.4.0-1.mga8
thunderbird-eu-91.4.0-1.mga8
thunderbird-fi-91.4.0-1.mga8
thunderbird-fr-91.4.0-1.mga8
thunderbird-fy_NL-91.4.0-1.mga8
thunderbird-ga_IE-91.4.0-1.mga8
thunderbird-gd-91.4.0-1.mga8
thunderbird-gl-91.4.0-1.mga8
thunderbird-he-91.4.0-1.mga8
thunderbird-hr-91.4.0-1.mga8
thunderbird-hsb-91.4.0-1.mga8
thunderbird-hu-91.4.0-1.mga8
thunderbird-hy_AM-91.4.0-1.mga8
thunderbird-id-91.4.0-1.mga8
thunderbird-is-91.4.0-1.mga8
thunderbird-it-91.4.0-1.mga8
thunderbird-ja-91.4.0-1.mga8
thunderbird-ka-91.4.0-1.mga8
thunderbird-kab-91.4.0-1.mga8
thunderbird-kk-91.4.0-1.mga8
thunderbird-ko-91.4.0-1.mga8
thunderbird-lt-91.4.0-1.mga8
thunderbird-lv-91.4.0-1.mga8
thunderbird-ms-91.4.0-1.mga8
thunderbird-nb_NO-91.4.0-1.mga8
thunderbird-nl-91.4.0-1.mga8
thunderbird-nn_NO-91.4.0-1.mga8
thunderbird-pa_IN-91.4.0-1.mga8
thunderbird-pl-91.4.0-1.mga8
thunderbird-pt_BR-91.4.0-1.mga8
thunderbird-pt_PT-91.4.0-1.mga8
thunderbird-ro-91.4.0-1.mga8
thunderbird-ru-91.4.0-1.mga8
thunderbird-sk-91.4.0-1.mga8
thunderbird-sl-91.4.0-1.mga8
thunderbird-sq-91.4.0-1.mga8
thunderbird-sr-91.4.0-1.mga8
thunderbird-sv_SE-91.4.0-1.mga8
thunderbird-th-91.4.0-1.mga8
thunderbird-tr-91.4.0-1.mga8
thunderbird-uk-91.4.0-1.mga8
thunderbird-uz-91.4.0-1.mga8
thunderbird-vi-91.4.0-1.mga8
thunderbird-zh_CN-91.4.0-1.mga8
thunderbird-zh_TW-91.4.0-1.mga8

from SRPMS:
thunderbird-91.4.0-1.mga8.src.rpm
thunderbird-l10n-91.4.0-1.mga8.src.rpm
MGA8+64 Plasma on Lenovo B50
No installation issues.
Removed .thunderbird from my home, then started the new version and used the wizard to configure my hotmail account setting.
Used the new settings to send and receive mails without and with attachment to and from my gmail account handled on my desktop PC. All worked OK.
CC: (none) => herman.viaene
Hi, Installed on Slimbook Essential I3 Mageia Plasma Kde x86_64, no issues for the moment. Send and receive ok, calendar and task, addons work fine after the update, attach ok, spanish language ok. Greetings!!
CC: (none) => joselpddj
Mageia 8 Gnome VmWare
No installation issues. Upgrade from existing Thunderbird 91.3.
Sent to gmail account and received from the same account without problem.
Extensions, French language and themes work.
All seems to be ok
CC: (none) => hdetavernier
RedHat has issued an advisory for this today (December 9): https://access.redhat.com/errata/RHSA-2021:5045
OK for my use on mga8-64, Plasma, Nvidia-current, Swedish locale.
Clean update, preserved settings, accounts, mail
Offline IMAP and SMTP
Did not test POP, and not calendar etc - just email.
CC: (none) => fri
Installed US English versions of this and Firefox at the same time, on two separate machines. No installation issues. Received and sent POP email from my gmail account, and read newsgroup messages from alt.os.linux.mageia. I don't use the calendar, but everything I used seems OK.
CC: (none) => andrewsfarm
Ok on my system (imap, pop3, usenet), with encryption for pop3. Validating the update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update
MGA 8 64 XFCE Installed in French. No issues found, mail, contact and calendar sync are ok.
CC: (none) => guillaume.royer
Whiteboard: MGA8-64-OK => (none)
Keywords: validated_update => (none)
Advisory committed to svn. Re-validating the update.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0554.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs. SVN advisory updated.

Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0554.html
Mozilla Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/

Suggested change(s):
MOZ-2021-0009 -> CVE-2021-4129