Mozilla has released Thunderbird 91.4.0 today (December 7):
Security issues fixed:
Firefox update in Bug 29734 (but this doesn't need to depend on it since the nss update was already pushed).
Advisory will be as follows.
Updated thunderbird packages fix security vulnerabilities:
chrome-level privileges, but could be used as a stepping stone to further an
attack with other vulnerabilities (CVE-2021-43528).
Under certain circumstances, asynchronous functions could have caused a
navigation to fail but expose the target URL (CVE-2021-43536).
An incorrect type conversion of sizes from 64bit to 32bit integers allowed an
attacker to corrupt memory leading to a potentially exploitable crash due to a
heap buffer overflow when using structured clone (CVE-2021-43537).
By misusing a race in our notification code, an attacker could have forcefully
hidden the notification for pages that had received both full screen and
pointer lock access, which could have been used for spoofing attacks
Failure to correctly record the location of live pointers across wasm instance
calls resulted in a GC occurring within the call not tracing those live
pointers. This could have led to a use-after-free causing a potentially
exploitable crash (CVE-2021-43539).
When invoking protocol handlers for external protocols, a supplied parameter
URL containing spaces was not properly escaped (CVE-2021-43541).
Using XMLHttpRequest, an attacker could have identified installed applications
by probing error messages for loading external protocols (CVE-2021-43542).
Documents loaded with the CSP sandbox directive could have escaped the
sandbox's script restriction by embedding additional content (CVE-2021-43543).
Using the Location API in a loop could have caused severe application hangs
and crashes (CVE-2021-43545).
It was possible to recreate previous cursor spoofing attacks against users
with a zoomed native cursor (CVE-2021-43546).
Mozilla developers and community members Julian Hector, Randell Jesup,
Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported
memory safety bugs present in Thunderbird 91.3. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort some of
these could have been exploited to run arbitrary code (MOZ-2021-0009).
new version pushed in mga8:
Updated packages in core/updates_testing:
MGA8+64 Plasma on Lenovo B50
No installation issues.
Removed .thunderbird from my home, then startte the new version and used the wizard to configure my hotmail account setting.
Used the new settings to send and receive mails without and with attachment to and from my gmail account handled on my desktop PC.All worked OK.
Installed on Slimbook Essential I3 Mageia Plasma Kde x86_64, no issues for the moment. Send and receive ok, calendar and task, addons work fine after the update, attach ok, spanish language ok.
Mageia 8 Gnome VmWare
No installation issues.
Upgrade from existing Thunderbird 91.3.
Sent to gmail account and received ftom the same account without problem.
Extensions, French language and themes work.
All seems to be ok
RedHat has issued an advisory for this today (December 9):
OK for my use on mga8-64, Plasma, Nvidia-current, Swedish locale.
Clean update, preserved settings, accounts, mail
Offline IMAP and SMTP
Did not test POP, and not calendar etc - just email.
Installed US English versions of this and Firefox at the same time, on two separate machines. No installation issues.
Received and sent POP email from my gmail account, and read newsgroup messages from alt.os.linux.mageia. I don't use the calendar, but everything I used seems OK.
Ok on my system (imap, pop3, usenet), with encryption for pop3.
Validating the update
MGA 8 64 XFCE
Installed in French. No issues found, mail, contact and calendar sync are ok.
Advisory committed to svn. Re-validating the update.
An update for this issue has been pushed to the Mageia Updates repository.
I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs. SVN advisory updated.
Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0554.html
MOZ-2021-0009 -> CVE-2021-4129