Mozilla has released Thunderbird 91.13.0 on September 20: https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/ Security issues fixed haven't been posted, but are probably basically the same as in Firefox 102.3 (Bug 30867).
Depends on: (none) => 30867
Hi, For Cauldron, the build is impossible because of LLVM 14 which is missing. Best regards,
Source RPM: thunderbird => thunderbird, thunderbird-l10nCC: (none) => nicolas.salguero
Updated packages in core/updates_testing: ======================== thunderbird-102.3.0-1.mga8 thunderbird-ka-102.3.0-1.mga8 thunderbird-ru-102.3.0-1.mga8 thunderbird-uk-102.3.0-1.mga8 thunderbird-el-102.3.0-1.mga8 thunderbird-ja-102.3.0-1.mga8 thunderbird-zh_TW-102.3.0-1.mga8 thunderbird-kk-102.3.0-1.mga8 thunderbird-th-102.3.0-1.mga8 thunderbird-sk-102.3.0-1.mga8 thunderbird-vi-102.3.0-1.mga8 thunderbird-hu-102.3.0-1.mga8 thunderbird-zh_CN-102.3.0-1.mga8 thunderbird-cs-102.3.0-1.mga8 thunderbird-hsb-102.3.0-1.mga8 thunderbird-dsb-102.3.0-1.mga8 thunderbird-hy_AM-102.3.0-1.mga8 thunderbird-sr-102.3.0-1.mga8 thunderbird-es_MX-102.3.0-1.mga8 thunderbird-fr-102.3.0-1.mga8 thunderbird-de-102.3.0-1.mga8 thunderbird-tr-102.3.0-1.mga8 thunderbird-es_AR-102.3.0-1.mga8 thunderbird-pl-102.3.0-1.mga8 thunderbird-ko-102.3.0-1.mga8 thunderbird-kab-102.3.0-1.mga8 thunderbird-fy_NL-102.3.0-1.mga8 thunderbird-sq-102.3.0-1.mga8 thunderbird-pt_BR-102.3.0-1.mga8 thunderbird-cy-102.3.0-1.mga8 thunderbird-bg-102.3.0-1.mga8 thunderbird-sv_SE-102.3.0-1.mga8 thunderbird-be-102.3.0-1.mga8 thunderbird-sl-102.3.0-1.mga8 thunderbird-is-102.3.0-1.mga8 thunderbird-nl-102.3.0-1.mga8 thunderbird-lt-102.3.0-1.mga8 thunderbird-eu-102.3.0-1.mga8 thunderbird-et-102.3.0-1.mga8 thunderbird-da-102.3.0-1.mga8 thunderbird-fi-102.3.0-1.mga8 thunderbird-gl-102.3.0-1.mga8 thunderbird-pt_PT-102.3.0-1.mga8 thunderbird-he-102.3.0-1.mga8 thunderbird-hr-102.3.0-1.mga8 thunderbird-ro-102.3.0-1.mga8 thunderbird-ar-102.3.0-1.mga8 thunderbird-nn_NO-102.3.0-1.mga8 thunderbird-es_ES-102.3.0-1.mga8 thunderbird-en_GB-102.3.0-1.mga8 thunderbird-nb_NO-102.3.0-1.mga8 thunderbird-en_CA-102.3.0-1.mga8 thunderbird-pa_IN-102.3.0-1.mga8 thunderbird-en_US-102.3.0-1.mga8 thunderbird-ca-102.3.0-1.mga8 thunderbird-id-102.3.0-1.mga8 thunderbird-gd-102.3.0-1.mga8 thunderbird-it-102.3.0-1.mga8 thunderbird-lv-102.3.0-1.mga8 thunderbird-br-102.3.0-1.mga8 thunderbird-ga_IE-102.3.0-1.mga8 thunderbird-af-102.3.0-1.mga8 thunderbird-ms-102.3.0-1.mga8 thunderbird-ast-102.3.0-1.mga8 thunderbird-uz-102.3.0-1.mga8 from SRPMS: thunderbird-102.3.0-1.mga8.src.rpm thunderbird-l10n-102.3.0-1.mga8.src.rpm
(In reply to Nicolas Salguero from comment #1) > Hi, > > For Cauldron, the build is impossible because of LLVM 14 which is missing. > > Best regards, I saw on IRC that the llvm 14 library was restored to Cauldron. Does that help?
Looks like it helped, it's building successfully in Cauldron. Security issues fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2022-42/ Advisory: ======================== Updated thunderbird packages fix security vulnerabilities: When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead (CVE-2022-40956). By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks (CVE-2022-40958). During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments (CVE-2022-40959). Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash (CVE-2022-40960). Mozilla developers Nika Layzell, Timothy Nikkel, Jeff Muizelaar, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2022-40962). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40956 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40958 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40959 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40960 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40962 https://www.mozilla.org/en-US/security/advisories/mfsa2022-42/ https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
Keywords: (none) => advisory
assign to QA
Assignee: nicolas.salguero => qa-bugs
mga8-64, Plasma, nvidia-current, 4K screen, Intel i7 § OK for me: Local folders and settings kept Localisation Swedish Offline IMAP, SMTP § Not tested: filters, calendar, task § Failure regarding where sent messages appear when using multiple IMAP accounts noted on previous 102 (internal testing) https://ml.mageia.org/l/arc/qa-discuss/2022-09/msg00037.html I have not checked it further.
CC: (none) => fri
MGA8 64 XFCE. Updated with QA repo tool and rpms: thunderbird-102.3.0-1.mga8 thunderbird-fr-102.3.0-1.mga8 No issues at installation. Send and receive mail are Ok Calendar and Cardbook synchronization are Ok
CC: (none) => guillaume.royer
No issues here, either.
CC: (none) => andrewsfarm
Sending this on its way...
Keywords: (none) => validated_updateWhiteboard: (none) => MGA8-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0347.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
RedHat has issued an advisory for this today (September 26): https://access.redhat.com/errata/RHSA-2022:6717