Mozilla has released Thunderbird 91.8.0 on April 5:
The page with the security issues which have been fixed is not available yet.
Been using it a couple days
§ kept settings, accounts, mails
§ offline IMAP, SMTP
RedHat has issued an advisory for this today (April 11):
Mozilla has released Thunderbird 91.8.1 on April 18:
Thunderbird 91.8 =>
Still OK, usage as comment 1
If mga8 thunderbird 91.8.1 is ready for QA, please assign to QA.
The updated packages fix security vulnerabilities:
Use-after-free in NSSToken objects. (CVE-2022-1097)
Out of bounds write due to unexpected WebAuthN Extensions. (CVE-2022-28281)
OpenPGP revocation information was ignored. (CVE-2022-1197)
Use-after-free after VR Process destruction. (CVE-2022-1196)
Use-after-free in DocumentL10n::TranslateDocument. (CVE-2022-28282)
Incorrect AliasSet used in JIT Codegen. (CVE-2022-28285)
iframe contents could be rendered outside the border. (CVE-2022-28286)
Denial of Service via complex regular expressions. (CVE-2022-24713)
Memory safety bugs fixed in Thunderbird 91.8. (CVE-2022-28289)
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. (CVE-2022-25236)
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)
Updated packages in core/updates_testing:
Interesting. Updated the US English version on my Probook 6550b Plasma system, with no installation issues.
When I ran it, instead of just checking my accounts as it usually does, Thunderbird immediately took me through the process of changing access to my Gmail accounts to using OAuth2 rather than the old way with a password. All was successful on the two accounts, and Google sent warnings to each account and to the security backup account that each had been accessed by a "new" Linux device.
I had known that Gmail was going to require the switch soon, but had procrastinated about going through it on my own. Now, I'm a little glad I did. Made for a nice test of the process before we release.
Updated my production desktop Plasma system, no installation issues. Once again Gmail access was automatically updated, no issues. Tried newsgroups and sent one followup, all OK.
I don't use the calendar or enigmail.
Thanks for the forewarning TJ.
However, could not install this.
thunderbird-91.8.1-1.1.mga8.x86_64 (due to unsatisfied lib64nss3[>= 2:3.77.0])
thunderbird-en_GB-91.8.1-1.mga8.noarch (due to unsatisfied thunderbird[== 0:91.8.1])
lib64nss3-3.76.0-1.mga8.x86_64 is installed. Has there been an update that I missed?
Follow on from comment 9:
Tried the same thing on another machine and hit the same problem.
nss-3.77.0-1.mga8 in Bug 30247 - Firefox 91.8
- which this bug is set to depend on ;-)
Thunderbird now working fine after installation and restart.
At some stage I shall have to update it on my netbook before going on holiday. Hoping that it will not treat it as a new device.
An update for this issue has been pushed to the Mageia Updates repository.