Bug 30986 - Thunderbird 102.4
Summary: Thunderbird 102.4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-19 16:30 CEST by David Walser
Modified: 2022-10-28 08:55 CEST (History)
8 users (show)

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Attachments

Description David Walser 2022-10-19 16:30:20 CEST
Mozilla hasn't released Thunderbird 102.4.0 yet, but it should be coming soon:
https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes/

When we do update it, we'll need to make sure to include the expat patches that we have in the Firefox package, as we had missed that previously.  I just added the CVE-2022-40674 patch in firefox-102.4.0-2.mga9.  Here's RedHat adding that one to Thunderbird:
https://git.centos.org/rpms/thunderbird/c/0423e888d6f549a811d3dbdc2ee88428d2f9a153?branch=c7
Comment 1 Nicolas Salguero 2022-10-19 17:02:57 CEST
Hi,

Regarding Firefox, I saw that you also added a patch to fix webrtc.  I think I will build and test a firefox-102.4.0-2.mga8 to see if it solves my issue with BigBlueButton.

Best regards,

Nico.
Comment 2 David Walser 2022-10-19 17:44:30 CEST
I'm already building a Mageia 8 update with that patch.
Comment 3 Nicolas Salguero 2022-10-20 13:05:54 CEST
Updated packages in core/updates_testing:
========================
thunderbird-102.4.0-1.mga8
thunderbird-ka-102.4.0-1.mga8
thunderbird-ru-102.4.0-1.mga8
thunderbird-uk-102.4.0-1.mga8
thunderbird-el-102.4.0-1.mga8
thunderbird-ja-102.4.0-1.mga8
thunderbird-zh_TW-102.4.0-1.mga8
thunderbird-kk-102.4.0-1.mga8
thunderbird-th-102.4.0-1.mga8
thunderbird-sk-102.4.0-1.mga8
thunderbird-vi-102.4.0-1.mga8
thunderbird-hu-102.4.0-1.mga8
thunderbird-zh_CN-102.4.0-1.mga8
thunderbird-cs-102.4.0-1.mga8
thunderbird-hsb-102.4.0-1.mga8
thunderbird-dsb-102.4.0-1.mga8
thunderbird-hy_AM-102.4.0-1.mga8
thunderbird-sr-102.4.0-1.mga8
thunderbird-es_MX-102.4.0-1.mga8
thunderbird-fr-102.4.0-1.mga8
thunderbird-de-102.4.0-1.mga8
thunderbird-tr-102.4.0-1.mga8
thunderbird-es_AR-102.4.0-1.mga8
thunderbird-pl-102.4.0-1.mga8
thunderbird-ko-102.4.0-1.mga8
thunderbird-kab-102.4.0-1.mga8
thunderbird-fy_NL-102.4.0-1.mga8
thunderbird-sq-102.4.0-1.mga8
thunderbird-pt_BR-102.4.0-1.mga8
thunderbird-cy-102.4.0-1.mga8
thunderbird-bg-102.4.0-1.mga8
thunderbird-sv_SE-102.4.0-1.mga8
thunderbird-be-102.4.0-1.mga8
thunderbird-sl-102.4.0-1.mga8
thunderbird-is-102.4.0-1.mga8
thunderbird-nl-102.4.0-1.mga8
thunderbird-lt-102.4.0-1.mga8
thunderbird-eu-102.4.0-1.mga8
thunderbird-et-102.4.0-1.mga8
thunderbird-da-102.4.0-1.mga8
thunderbird-fi-102.4.0-1.mga8
thunderbird-gl-102.4.0-1.mga8
thunderbird-pt_PT-102.4.0-1.mga8
thunderbird-he-102.4.0-1.mga8
thunderbird-hr-102.4.0-1.mga8
thunderbird-ro-102.4.0-1.mga8
thunderbird-ar-102.4.0-1.mga8
thunderbird-nn_NO-102.4.0-1.mga8
thunderbird-es_ES-102.4.0-1.mga8
thunderbird-en_GB-102.4.0-1.mga8
thunderbird-nb_NO-102.4.0-1.mga8
thunderbird-en_CA-102.4.0-1.mga8
thunderbird-pa_IN-102.4.0-1.mga8
thunderbird-en_US-102.4.0-1.mga8
thunderbird-ca-102.4.0-1.mga8
thunderbird-id-102.4.0-1.mga8
thunderbird-gd-102.4.0-1.mga8
thunderbird-it-102.4.0-1.mga8
thunderbird-lv-102.4.0-1.mga8
thunderbird-br-102.4.0-1.mga8
thunderbird-ga_IE-102.4.0-1.mga8
thunderbird-af-102.4.0-1.mga8
thunderbird-ms-102.4.0-1.mga8
thunderbird-ast-102.4.0-1.mga8
thunderbird-uz-102.4.0-1.mga8

from SRPMS:
thunderbird-102.4.0-1.mga8.src.rpm
thunderbird-l10n-102.4.0-1.mga8.src.rpm
Comment 4 David Walser 2022-10-20 13:59:29 CEST
Pointing out the obvious here, but later in the day yesterday (October 19) they did in fact release Thunderbird 102.4.  Release notes are posted, security issues fixed have not been posted yet (probably will be similar to FF 102.4).  Expat CVE-2022-40674 is patched in the updated build.
Comment 5 Nicolas Salguero 2022-10-21 08:59:01 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674
https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes/

Assignee: nicolas.salguero => qa-bugs
Source RPM: thunderbird => thunderbird, thunderbird-l10n
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Comment 6 Guillaume Royer 2022-10-21 10:07:47 CEST
MGA8 64 XFCE,

Updated with QA repo and RPMs:

thunderbird                    102.4.0      1.mga8        x86_64  
thunderbird-fr                 102.4.0      1.mga8        noarch  

No issues at installation.

Send and receive mail IMAP Ok
Synchronize Calendar and contact OK

CC: (none) => guillaume.royer

Comment 7 Morgan Leijström 2022-10-23 22:42:49 CEST
mga8-64, Plasma: short test OK, continue using.
Clean update
Swedish locale
settings and mail kept
IMAP and SMTP

CC: (none) => fri

Comment 8 Herman Viaene 2022-10-24 16:43:44 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues, updating an exwiting version.
Sending and receiving mail without and with attachment works OK, with the repeating phenomenon (at least on this configuration) that all messages sent are listed twice in the Sent box, but are sent only once.

CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2022-10-24 17:44:39 CEST
MGA8-64 Plasma system here. No installation issues with US English version. Sent and received POP3 mail with Gmail and Yahoo accounts, read newsgroup messages. No issues noted.

I think this can go on its way. OKing and validating. Advisory in Comment 5.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 Jose Manuel López 2022-10-25 09:51:41 CEST
MGA8-64 Plasma. No installation issues, updated from testing repositories and with previous Thunderbird version installed.

- Addons ok.
- Signature ok.
- Send and receive ok.
- POP3 and IMAP accouts works fine.
- Spanish translation ok.
- Calendar and task sync with my /e/ account ok.
- Attach ok.
- Settings ok.

Greetings!!

CC: (none) => joselp

Dave Hodgins 2022-10-28 04:00:21 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 11 Mageia Robot 2022-10-28 08:55:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0397.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.