Bug 30250 - Thunderbird 91.8.1
Summary: Thunderbird 91.8.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal; Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK, MGA8-32-OK
Keywords: advisory, validated_update
Depends on: 30247
Blocks:
Reported: 2022-04-06 09:43 CEST by Nicolas Salguero
Modified: 2022-04-29 00:47 CEST

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:



Description Nicolas Salguero 2022-04-06 09:43:29 CEST
Mozilla has released Thunderbird 91.8.0 on April 5:
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes/

The page with the security issues which have been fixed is not available yet.
Nicolas Salguero 2022-04-06 09:44:09 CEST

Depends on: (none) => 30247
Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => nicolas.salguero
CC: (none) => nicolas.salguero
Source RPM: (none) => thunderbird, thunderbird-l10n

Comment 1 Morgan Leijström 2022-04-09 16:46:05 CEST
mga8-64, plasma
Been using it a couple days
OK:
§ kept settings, accounts, mails
§ Localisation
§ offline IMAP, SMTP

CC: (none) => fri

Comment 2 David Walser 2022-04-11 16:05:15 CEST
Red Hat has issued an advisory for this today (April 11):
https://access.redhat.com/errata/RHSA-2022:1301
Comment 3 David Walser 2022-04-19 17:29:12 CEST
Mozilla has released Thunderbird 91.8.1 on April 18:
https://www.thunderbird.net/en-US/thunderbird/91.8.1/releasenotes/

Summary: Thunderbird 91.8 => Thunderbird 91.8.1

Comment 4 Morgan Leijström 2022-04-25 14:04:08 CEST
Still OK, usage as comment 1
Comment 5 Morgan Leijström 2022-04-26 09:21:59 CEST
If mga8 thunderbird 91.8.1 is ready for QA, please assign to QA.
Comment 6 Nicolas Salguero 2022-04-26 10:45:26 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free in NSSToken objects. (CVE-2022-1097)

Out of bounds write due to unexpected WebAuthN Extensions. (CVE-2022-28281)

OpenPGP revocation information was ignored. (CVE-2022-1197)

Use-after-free after VR Process destruction. (CVE-2022-1196)

Use-after-free in DocumentL10n::TranslateDocument. (CVE-2022-28282)

Incorrect AliasSet used in JIT Codegen. (CVE-2022-28285)

iframe contents could be rendered outside the border. (CVE-2022-28286)

Denial of Service via complex regular expressions. (CVE-2022-24713)

Memory safety bugs fixed in Thunderbird 91.8. (CVE-2022-28289)

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. (CVE-2022-25236)

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28282
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28289
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25315
https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/91.8.1/releasenotes/
https://access.redhat.com/errata/RHSA-2022:1301
========================

Updated packages in core/updates_testing:
========================
thunderbird-91.8.1-1.1.mga8
thunderbird-ru-91.8.1-1.mga8
thunderbird-uk-91.8.1-1.mga8
thunderbird-ka-91.8.1-1.mga8
thunderbird-el-91.8.1-1.mga8
thunderbird-th-91.8.1-1.mga8
thunderbird-ja-91.8.1-1.mga8
thunderbird-kk-91.8.1-1.mga8
thunderbird-zh_TW-91.8.1-1.mga8
thunderbird-zh_CN-91.8.1-1.mga8
thunderbird-hy_AM-91.8.1-1.mga8
thunderbird-sk-91.8.1-1.mga8
thunderbird-hu-91.8.1-1.mga8
thunderbird-dsb-91.8.1-1.mga8
thunderbird-vi-91.8.1-1.mga8
thunderbird-hsb-91.8.1-1.mga8
thunderbird-sr-91.8.1-1.mga8
thunderbird-cs-91.8.1-1.mga8
thunderbird-fr-91.8.1-1.mga8
thunderbird-ko-91.8.1-1.mga8
thunderbird-sq-91.8.1-1.mga8
thunderbird-lt-91.8.1-1.mga8
thunderbird-be-91.8.1-1.mga8
thunderbird-bg-91.8.1-1.mga8
thunderbird-es_AR-91.8.1-1.mga8
thunderbird-de-91.8.1-1.mga8
thunderbird-tr-91.8.1-1.mga8
thunderbird-pl-91.8.1-1.mga8
thunderbird-pt_BR-91.8.1-1.mga8
thunderbird-fy_NL-91.8.1-1.mga8
thunderbird-sv_SE-91.8.1-1.mga8
thunderbird-kab-91.8.1-1.mga8
thunderbird-nl-91.8.1-1.mga8
thunderbird-cy-91.8.1-1.mga8
thunderbird-gl-91.8.1-1.mga8
thunderbird-eu-91.8.1-1.mga8
thunderbird-he-91.8.1-1.mga8
thunderbird-pt_PT-91.8.1-1.mga8
thunderbird-fi-91.8.1-1.mga8
thunderbird-ar-91.8.1-1.mga8
thunderbird-sl-91.8.1-1.mga8
thunderbird-ro-91.8.1-1.mga8
thunderbird-da-91.8.1-1.mga8
thunderbird-nn_NO-91.8.1-1.mga8
thunderbird-nb_NO-91.8.1-1.mga8
thunderbird-pa_IN-91.8.1-1.mga8
thunderbird-hr-91.8.1-1.mga8
thunderbird-ca-91.8.1-1.mga8
thunderbird-id-91.8.1-1.mga8
thunderbird-en_GB-91.8.1-1.mga8
thunderbird-gd-91.8.1-1.mga8
thunderbird-en_CA-91.8.1-1.mga8
thunderbird-en_US-91.8.1-1.mga8
thunderbird-br-91.8.1-1.mga8
thunderbird-lv-91.8.1-1.mga8
thunderbird-it-91.8.1-1.mga8
thunderbird-ga_IE-91.8.1-1.mga8
thunderbird-et-91.8.1-1.mga8
thunderbird-uz-91.8.1-1.mga8
thunderbird-ast-91.8.1-1.mga8
thunderbird-is-91.8.1-1.mga8
thunderbird-ms-91.8.1-1.mga8
thunderbird-es_ES-91.8.1-1.mga8
thunderbird-af-91.8.1-1.mga8

from SRPMS:
thunderbird-91.8.1-1.1.mga8.src.rpm
thunderbird-l10n-91.8.1-1.mga8.src.rpm

Version: Cauldron => 8
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Assignee: nicolas.salguero => qa-bugs

Comment 7 Thomas Andrews 2022-04-27 14:20:01 CEST
Interesting. Updated the US English version on my Probook 6550b Plasma system, with no installation issues.

When I ran it, instead of just checking my accounts as it usually does, Thunderbird immediately took me through the process of changing access to my Gmail accounts to using Oauth2 rather than the old way with a password. All was successful on the two accounts, and Google sent warnings to each account and to the security backup account that each had been accessed by a "new" Linux device.

I had known that Gmail was going to require the switch soon, but had procrastinated about going through it on my own. Now, I'm a little glad I did. Made for a nice test of the process before we release.

CC: (none) => andrewsfarm

Comment 8 Thomas Andrews 2022-04-27 17:51:53 CEST
Updated my production desktop Plasma system, no installation issues. Once again Gmail access was automatically updated, no issues. Tried newsgroups and sent one followup, all OK.

I don't use the calendar or enigmail.
Comment 9 Len Lawrence 2022-04-28 17:19:26 CEST
Mageia8, x86_64
Thanks for the forewarning TJ.
However, could not install this.
thunderbird-91.8.1-1.1.mga8.x86_64 (due to unsatisfied lib64nss3[>= 2:3.77.0])
thunderbird-en_GB-91.8.1-1.mga8.noarch (due to unsatisfied thunderbird[== 0:91.8.1])

lib64nss3-3.76.0-1.mga8.x86_64 is installed.  Has there been an update that I missed?

CC: (none) => tarazed25

Comment 10 Len Lawrence 2022-04-28 17:40:24 CEST
Follow on from comment 9:
Tried the same thing on another machine and hit the same problem.
Comment 11 Morgan Leijström 2022-04-28 18:17:47 CEST
nss-3.77.0-1.mga8 in Bug 30247 - Firefox 91.8

- which this bug is set to depend on ;-)
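
The install failure in comments 9 to 11 comes down to RPM's epoch:version-release comparison: `lib64nss3` 3.76.0 does not satisfy `>= 2:3.77.0` until the nss update from bug 30247 is installed. The sketch below is an added example, not part of the bug report or of Mageia's tooling; it parses the two "unsatisfied" lines and evaluates them against an installed set. Assumptions: the `2:` epoch on the installed `lib64nss3`, all function names, and a simplified segment comparison that ignores RPM's `~` and `^` rules.

```python
import re

# Constructed input: the two "unsatisfied" lines quoted in comment 9.
URPMI_OUTPUT = """\
thunderbird-91.8.1-1.1.mga8.x86_64 (due to unsatisfied lib64nss3[>= 2:3.77.0])
thunderbird-en_GB-91.8.1-1.mga8.noarch (due to unsatisfied thunderbird[== 0:91.8.1])
"""
UNSAT = re.compile(r"^(\S+) \(due to unsatisfied ([^\[\s]+)\[(>=|==|<=|>|<) ([^\]]+)\]\)$")
# Comparison results (-1, 0, 1) that satisfy each operator.
OPS = {">=": (0, 1), "==": (0,), "<=": (-1, 0), ">": (1,), "<": (-1,)}

def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def segcmp(a, b):
    """Simplified rpmvercmp: compare digit/letter runs left to right."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats letters
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evrcmp(installed, required):
    """Epoch decides first, then version; release only if the requirement names one."""
    (e1, v1, r1), (e2, v2, r2) = parse_evr(installed), parse_evr(required)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = segcmp(v1, v2)
    return segcmp(r1, r2) if c == 0 and r1 and r2 else c

def blockers(urpmi_output, installed):
    """List (package, requirement, installed EVR or None) for each unmet requirement."""
    unmet = []
    for line in urpmi_output.splitlines():
        if m := UNSAT.match(line.strip()):
            pkg, cap, op, evr = m.groups()
            have = installed.get(cap)
            if have is None or evrcmp(have, evr) not in OPS[op]:
                unmet.append((pkg, f"{cap} {op} {evr}", have))
    return unmet

# Assumed installed states: the epoch "2:" on lib64nss3 is not shown in comment 9.
BEFORE = {"lib64nss3": "2:3.76.0-1.mga8"}
AFTER = {"lib64nss3": "2:3.77.0-1.mga8", "thunderbird": "0:91.8.1-1.1.mga8"}
```

`blockers(URPMI_OUTPUT, BEFORE)` reports both packages as blocked, and `blockers(URPMI_OUTPUT, AFTER)` is empty once nss 3.77.0 is present. A build of 3.77.0 without the epoch would still fail the check, because epoch 0 sorts below epoch 2.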
Comment 12 Len Lawrence 2022-04-28 18:25:26 CEST
Thanks Morgan.
Comment 13 Len Lawrence 2022-04-28 18:53:54 CEST
Thunderbird now working fine after installation and restart.
At some stage I shall have to update it on my netbook before going on holiday.  Hoping that it will not treat it as a new device.
Thomas Backlund 2022-04-28 23:56:37 CEST

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK, MGA8-32-OK
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2022-04-29 00:47:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0157.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

