Mozilla has released Thunderbird 91.8.0 on April 5: https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes/ The page with the security issues which have been fixed is not available yet.
Depends on: (none) => 30247
Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => nicolas.salguero
CC: (none) => nicolas.salguero
Source RPM: (none) => thunderbird, thunderbird-l10n
mga8-64, plasma
Been using it a couple days
OK:
§ kept settings, accounts, mails
§ Localisation
§ offline IMAP, SMTP
CC: (none) => fri
Red Hat has issued an advisory for this today (April 11): https://access.redhat.com/errata/RHSA-2022:1301
Mozilla has released Thunderbird 91.8.1 on April 18: https://www.thunderbird.net/en-US/thunderbird/91.8.1/releasenotes/
Summary: Thunderbird 91.8 => Thunderbird 91.8.1
Still OK, usage as comment 1
If mga8 thunderbird 91.8.1 is ready for QA, please assign to QA.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free in NSSToken objects. (CVE-2022-1097)

Out of bounds write due to unexpected WebAuthN Extensions. (CVE-2022-28281)

OpenPGP revocation information was ignored. (CVE-2022-1197)

Use-after-free after VR Process destruction. (CVE-2022-1196)

Use-after-free in DocumentL10n::TranslateDocument. (CVE-2022-28282)

Incorrect AliasSet used in JIT Codegen. (CVE-2022-28285)

iframe contents could be rendered outside the border. (CVE-2022-28286)

Denial of Service via complex regular expressions. (CVE-2022-24713)

Memory safety bugs fixed in Thunderbird 91.8. (CVE-2022-28289)

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. (CVE-2022-25236)

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28282
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28289
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25315
https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/91.8.1/releasenotes/
https://access.redhat.com/errata/RHSA-2022:1301
========================

Updated packages in core/updates_testing:
========================
thunderbird-91.8.1-1.1.mga8
thunderbird-ru-91.8.1-1.mga8
thunderbird-uk-91.8.1-1.mga8
thunderbird-ka-91.8.1-1.mga8
thunderbird-el-91.8.1-1.mga8
thunderbird-th-91.8.1-1.mga8
thunderbird-ja-91.8.1-1.mga8
thunderbird-kk-91.8.1-1.mga8
thunderbird-zh_TW-91.8.1-1.mga8
thunderbird-zh_CN-91.8.1-1.mga8
thunderbird-hy_AM-91.8.1-1.mga8
thunderbird-sk-91.8.1-1.mga8
thunderbird-hu-91.8.1-1.mga8
thunderbird-dsb-91.8.1-1.mga8
thunderbird-vi-91.8.1-1.mga8
thunderbird-hsb-91.8.1-1.mga8
thunderbird-sr-91.8.1-1.mga8
thunderbird-cs-91.8.1-1.mga8
thunderbird-fr-91.8.1-1.mga8
thunderbird-ko-91.8.1-1.mga8
thunderbird-sq-91.8.1-1.mga8
thunderbird-lt-91.8.1-1.mga8
thunderbird-be-91.8.1-1.mga8
thunderbird-bg-91.8.1-1.mga8
thunderbird-es_AR-91.8.1-1.mga8
thunderbird-de-91.8.1-1.mga8
thunderbird-tr-91.8.1-1.mga8
thunderbird-pl-91.8.1-1.mga8
thunderbird-pt_BR-91.8.1-1.mga8
thunderbird-fy_NL-91.8.1-1.mga8
thunderbird-sv_SE-91.8.1-1.mga8
thunderbird-kab-91.8.1-1.mga8
thunderbird-nl-91.8.1-1.mga8
thunderbird-cy-91.8.1-1.mga8
thunderbird-gl-91.8.1-1.mga8
thunderbird-eu-91.8.1-1.mga8
thunderbird-he-91.8.1-1.mga8
thunderbird-pt_PT-91.8.1-1.mga8
thunderbird-fi-91.8.1-1.mga8
thunderbird-ar-91.8.1-1.mga8
thunderbird-sl-91.8.1-1.mga8
thunderbird-ro-91.8.1-1.mga8
thunderbird-da-91.8.1-1.mga8
thunderbird-nn_NO-91.8.1-1.mga8
thunderbird-nb_NO-91.8.1-1.mga8
thunderbird-pa_IN-91.8.1-1.mga8
thunderbird-hr-91.8.1-1.mga8
thunderbird-ca-91.8.1-1.mga8
thunderbird-id-91.8.1-1.mga8
thunderbird-en_GB-91.8.1-1.mga8
thunderbird-gd-91.8.1-1.mga8
thunderbird-en_CA-91.8.1-1.mga8
thunderbird-en_US-91.8.1-1.mga8
thunderbird-br-91.8.1-1.mga8
thunderbird-lv-91.8.1-1.mga8
thunderbird-it-91.8.1-1.mga8
thunderbird-ga_IE-91.8.1-1.mga8
thunderbird-et-91.8.1-1.mga8
thunderbird-uz-91.8.1-1.mga8
thunderbird-ast-91.8.1-1.mga8
thunderbird-is-91.8.1-1.mga8
thunderbird-ms-91.8.1-1.mga8
thunderbird-es_ES-91.8.1-1.mga8
thunderbird-af-91.8.1-1.mga8

from SRPMS:
thunderbird-91.8.1-1.1.mga8.src.rpm
thunderbird-l10n-91.8.1-1.mga8.src.rpm
Version: Cauldron => 8
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Interesting. Updated the US English version on my Probook 6550b Plasma system, with no installation issues. When I ran it, instead of just checking my accounts as it usually does, Thunderbird immediately took me through the process of changing access to my Gmail accounts to using OAuth2 rather than the old way with a password. All was successful on the two accounts, and Google sent warnings to each account and to the security backup account that each had been accessed by a "new" Linux device. I had known that Gmail was going to require the switch soon, but had procrastinated about going through it on my own. Now, I'm a little glad I did. Made for a nice test of the process before we release.
CC: (none) => andrewsfarm
Updated my production desktop Plasma system, no installation issues. Once again Gmail access was automatically updated, no issues. Tried newsgroups and sent one followup, all OK. I don't use the calendar or enigmail.
Mageia8, x86_64
Thanks for the forewarning TJ. However, could not install this.
thunderbird-91.8.1-1.1.mga8.x86_64 (due to unsatisfied lib64nss3[>= 2:3.77.0])
thunderbird-en_GB-91.8.1-1.mga8.noarch (due to unsatisfied thunderbird[== 0:91.8.1])
lib64nss3-3.76.0-1.mga8.x86_64 is installed. Has there been an update that I missed?
CC: (none) => tarazed25
Follow on from comment 9: Tried the same thing on another machine and hit the same problem.
nss-3.77.0-1.mga8 in Bug 30247 - Firefox 91.8 - which this bug is set to depend on ;-)
Thanks Morgan.
Thunderbird now working fine after installation and restart. At some stage I shall have to update it on my netbook before going on holiday. Hoping that it will not treat it as a new device.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK, MGA8-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0157.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED