Bug 30144 - Thunderbird 91.7.0
Summary: Thunderbird 91.7.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-10 14:19 CET by Nicolas Salguero
Modified: 2022-03-14 17:22 CET

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Description Nicolas Salguero 2022-03-10 14:19:57 CET
Mozilla has released Thunderbird 91.7.0 on March 8:
https://www.thunderbird.net/en-US/thunderbird/91.7.0/releasenotes/

It fixes bugs and a security issue:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-12/
Nicolas Salguero 2022-03-10 14:20:18 CET

Assignee: bugsquad => nicolas.salguero
Source RPM: (none) => thunderbird, thunderbird-l10n
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-03-10 17:39:15 CET
Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

An attacker could have caused a use-after-free by forcing a text reflow in an
SVG object leading to a potentially exploitable crash (CVE-2022-26381).

When resizing a popup after requesting fullscreen access, the popup would not
display the fullscreen notification (CVE-2022-26383).

If an attacker could control the contents of an iframe sandboxed with
allow-popups but not allow-scripts, they were able to craft a link that, when
clicked, would lead to JavaScript execution in violation of the sandbox
(CVE-2022-26384).

Previously Thunderbird for macOS and Linux would download temporary files to a
user-specific directory in /tmp, but this behavior was changed to download
them to /tmp where they could be affected by other local users. This behavior
was reverted to the original, user-specific directory (CVE-2022-26386).

When installing an add-on, Thunderbird verified the signature before prompting
the user; but while the user was confirming the prompt, the underlying add-on
file could have been modified and Thunderbird would not have noticed
(CVE-2022-26387).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26387
https://www.mozilla.org/en-US/security/advisories/mfsa2022-12/
https://www.thunderbird.net/en-US/thunderbird/91.7.0/releasenotes/
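
The verify-then-prompt ordering described for CVE-2022-26387 in Comment 1, shown as an added Python example that is not part of the original bug report and is not Thunderbird's code. It assumes a SHA-256 digest as a stand-in for the add-on signature check; the function names and payloads are hypothetical and constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def install_racy(path, trusted, confirm):
    """Verify the file, prompt, then read the path again (the flawed order)."""
    with open(path, "rb") as f:
        if digest(f.read()) != trusted:
            raise ValueError("verification failed")
    if not confirm():
        return None
    with open(path, "rb") as f:  # second read: content may differ by now
        return f.read()

def install_pinned(path, trusted, confirm):
    """Read once, verify those bytes, and install exactly those bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if digest(data) != trusted:
        raise ValueError("verification failed")
    return data if confirm() else None

def demo():
    # mkdtemp creates a mode-0700 directory, i.e. a user-specific one under /tmp
    workdir = tempfile.mkdtemp(prefix="addon-demo-")
    path = os.path.join(workdir, "addon.xpi")
    original = b"constructed add-on payload"
    trusted = digest(original)

    def confirm_while_file_changes():
        # Stand-in for the file being rewritten while the prompt is open
        with open(path, "wb") as f:
            f.write(b"constructed replacement payload")
        return True

    try:
        results = []
        for installer in (install_racy, install_pinned):
            with open(path, "wb") as f:
                f.write(original)
            installed = installer(path, trusted, confirm_while_file_changes)
            results.append(installed == original)
        return tuple(results)  # (racy kept verified bytes?, pinned kept them?)
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    print(demo())
```

The racy installer ends up with bytes that were never verified, while the pinned one installs exactly what it checked; re-verifying after the prompt is the other common way to close the gap.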
Comment 2 David Walser 2022-03-10 17:42:11 CET
Works fine on Mageia 8 x86_64.  Advisory added to SVN.

Keywords: (none) => advisory
Version: Cauldron => 8
Whiteboard: MGA8TOO => MGA8-64-OK

Comment 3 Morgan Leijström 2022-03-10 21:41:18 CET
OK from me too mga8-64, plasma, nvidia-current
§ Clean upgrade
§ Localisation (Swedish)
§ All mail and settings kept
§ IMAP, SMTP

CC: (none) => fri

Comment 4 David Walser 2022-03-11 00:30:19 CET
Advisory in Comment 1.

Updated packages in core/updates_testing:
========================
thunderbird-91.7.0-1.mga8
thunderbird-ru-91.7.0-1.mga8
thunderbird-uk-91.7.0-1.mga8
thunderbird-ka-91.7.0-1.mga8
thunderbird-el-91.7.0-1.mga8
thunderbird-th-91.7.0-1.mga8
thunderbird-ja-91.7.0-1.mga8
thunderbird-kk-91.7.0-1.mga8
thunderbird-zh_TW-91.7.0-1.mga8
thunderbird-zh_CN-91.7.0-1.mga8
thunderbird-hy_AM-91.7.0-1.mga8
thunderbird-sk-91.7.0-1.mga8
thunderbird-hu-91.7.0-1.mga8
thunderbird-dsb-91.7.0-1.mga8
thunderbird-vi-91.7.0-1.mga8
thunderbird-hsb-91.7.0-1.mga8
thunderbird-sr-91.7.0-1.mga8
thunderbird-cs-91.7.0-1.mga8
thunderbird-fr-91.7.0-1.mga8
thunderbird-ko-91.7.0-1.mga8
thunderbird-sq-91.7.0-1.mga8
thunderbird-lt-91.7.0-1.mga8
thunderbird-be-91.7.0-1.mga8
thunderbird-bg-91.7.0-1.mga8
thunderbird-es_AR-91.7.0-1.mga8
thunderbird-de-91.7.0-1.mga8
thunderbird-tr-91.7.0-1.mga8
thunderbird-pl-91.7.0-1.mga8
thunderbird-pt_BR-91.7.0-1.mga8
thunderbird-fy_NL-91.7.0-1.mga8
thunderbird-sv_SE-91.7.0-1.mga8
thunderbird-kab-91.7.0-1.mga8
thunderbird-nl-91.7.0-1.mga8
thunderbird-cy-91.7.0-1.mga8
thunderbird-gl-91.7.0-1.mga8
thunderbird-eu-91.7.0-1.mga8
thunderbird-he-91.7.0-1.mga8
thunderbird-pt_PT-91.7.0-1.mga8
thunderbird-fi-91.7.0-1.mga8
thunderbird-ar-91.7.0-1.mga8
thunderbird-sl-91.7.0-1.mga8
thunderbird-ro-91.7.0-1.mga8
thunderbird-da-91.7.0-1.mga8
thunderbird-nn_NO-91.7.0-1.mga8
thunderbird-nb_NO-91.7.0-1.mga8
thunderbird-pa_IN-91.7.0-1.mga8
thunderbird-hr-91.7.0-1.mga8
thunderbird-ca-91.7.0-1.mga8
thunderbird-id-91.7.0-1.mga8
thunderbird-en_GB-91.7.0-1.mga8
thunderbird-gd-91.7.0-1.mga8
thunderbird-en_CA-91.7.0-1.mga8
thunderbird-en_US-91.7.0-1.mga8
thunderbird-br-91.7.0-1.mga8
thunderbird-lv-91.7.0-1.mga8
thunderbird-it-91.7.0-1.mga8
thunderbird-ga_IE-91.7.0-1.mga8
thunderbird-et-91.7.0-1.mga8
thunderbird-uz-91.7.0-1.mga8
thunderbird-ast-91.7.0-1.mga8
thunderbird-is-91.7.0-1.mga8
thunderbird-ms-91.7.0-1.mga8
thunderbird-es_ES-91.7.0-1.mga8
thunderbird-af-91.7.0-1.mga8

from SRPMS:
thunderbird-91.7.0-1.mga8.src.rpm
thunderbird-l10n-91.7.0-1.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs

Comment 5 Dave Hodgins 2022-03-11 01:42:21 CET
Confirming ok on x86_64 using imap and pop3.
Validating the update.

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2022-03-11 09:52:59 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0097.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2022-03-14 17:22:39 CET
Red Hat has issued an advisory for this today (March 14):
https://access.redhat.com/errata/RHSA-2022:0845
