Mozilla has released Thunderbird 102.6.0 today (December 13): https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/ Security issues fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
Depends on: (none) => 31272
Advisory will be as follows.

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages (CVE-2022-46872).

A drag-and-dropped file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially have led to user confusion and the execution of malicious code (CVE-2022-46874).

Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2022-46878).

A missing check related to tex units could have led to a use-after-free in WebGL and potentially exploitable crash (CVE-2022-46880).

An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash (CVE-2022-46881).

A use-after-free in WebGL extensions could have led to a potentially exploitable crash (CVE-2022-46882).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46881
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46882
https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
========================

Updated packages in core/updates_testing:
========================
thunderbird-102.6.0-1.mga8
thunderbird-ka-102.6.0-1.mga8
thunderbird-ru-102.6.0-1.mga8
thunderbird-uk-102.6.0-1.mga8
thunderbird-el-102.6.0-1.mga8
thunderbird-ja-102.6.0-1.mga8
thunderbird-zh_TW-102.6.0-1.mga8
thunderbird-kk-102.6.0-1.mga8
thunderbird-th-102.6.0-1.mga8
thunderbird-sk-102.6.0-1.mga8
thunderbird-vi-102.6.0-1.mga8
thunderbird-hu-102.6.0-1.mga8
thunderbird-zh_CN-102.6.0-1.mga8
thunderbird-cs-102.6.0-1.mga8
thunderbird-hsb-102.6.0-1.mga8
thunderbird-dsb-102.6.0-1.mga8
thunderbird-hy_AM-102.6.0-1.mga8
thunderbird-sr-102.6.0-1.mga8
thunderbird-es_MX-102.6.0-1.mga8
thunderbird-fr-102.6.0-1.mga8
thunderbird-de-102.6.0-1.mga8
thunderbird-tr-102.6.0-1.mga8
thunderbird-es_AR-102.6.0-1.mga8
thunderbird-pl-102.6.0-1.mga8
thunderbird-ko-102.6.0-1.mga8
thunderbird-kab-102.6.0-1.mga8
thunderbird-fy_NL-102.6.0-1.mga8
thunderbird-sq-102.6.0-1.mga8
thunderbird-pt_BR-102.6.0-1.mga8
thunderbird-cy-102.6.0-1.mga8
thunderbird-bg-102.6.0-1.mga8
thunderbird-sv_SE-102.6.0-1.mga8
thunderbird-be-102.6.0-1.mga8
thunderbird-sl-102.6.0-1.mga8
thunderbird-is-102.6.0-1.mga8
thunderbird-nl-102.6.0-1.mga8
thunderbird-lt-102.6.0-1.mga8
thunderbird-eu-102.6.0-1.mga8
thunderbird-et-102.6.0-1.mga8
thunderbird-da-102.6.0-1.mga8
thunderbird-fi-102.6.0-1.mga8
thunderbird-gl-102.6.0-1.mga8
thunderbird-pt_PT-102.6.0-1.mga8
thunderbird-he-102.6.0-1.mga8
thunderbird-hr-102.6.0-1.mga8
thunderbird-ro-102.6.0-1.mga8
thunderbird-ar-102.6.0-1.mga8
thunderbird-nn_NO-102.6.0-1.mga8
thunderbird-es_ES-102.6.0-1.mga8
thunderbird-en_GB-102.6.0-1.mga8
thunderbird-nb_NO-102.6.0-1.mga8
thunderbird-en_CA-102.6.0-1.mga8
thunderbird-pa_IN-102.6.0-1.mga8
thunderbird-en_US-102.6.0-1.mga8
thunderbird-ca-102.6.0-1.mga8
thunderbird-id-102.6.0-1.mga8
thunderbird-gd-102.6.0-1.mga8
thunderbird-it-102.6.0-1.mga8
thunderbird-lv-102.6.0-1.mga8
thunderbird-br-102.6.0-1.mga8
thunderbird-ga_IE-102.6.0-1.mga8
thunderbird-af-102.6.0-1.mga8
thunderbird-ms-102.6.0-1.mga8
thunderbird-ast-102.6.0-1.mga8
thunderbird-uz-102.6.0-1.mga8

from SRPMS:
thunderbird-102.6.0-1.mga8.src.rpm
thunderbird-l10n-102.6.0-1.mga8.src.rpm
Still no thunderbird in core/updates_testing
CC: (none) => fri
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Source RPM: thunderbird => thunderbird, thunderbird-l10n
CC: (none) => nicolas.salguero
MGA8 XFCE 64
Updated with QA repo and RPMs:
thunderbird-102.6.0-1.mga8
thunderbird-fr-102.6.0-1.mga8
Synch calendar and contact OK
Send and receive mail in TLS OK
CC: (none) => guillaume.royer
RedHat has issued an advisory for this today (December 15): https://access.redhat.com/errata/RHSA-2022:9080
MGA8-64 Plasma system, i5-2500, Intel graphics, wired Internet. Updated the US English versions of Firefox and Thunderbird at the same time, and have been using them off and on for nearly four hours with no issues to report.
CC: (none) => andrewsfarm
mga8-64, Plasma, nvidia-current, old i7
Been using it occasionally since yesterday
- Swedish localisation OK
- settings and mails kept
- IMAP
- SMTP
MGA8-64 Plasma system, HP Pavilion 15, AMD A8-4555, AMD "Aruba" graphics, rtl8818EE wifi. Updated Firefox and Thunderbird at the same time, checked and read pending email, checked newsgroups, sent myself a test email. Test mail from gmail to yahoo seemed to disappear, but a test mail from the same yahoo account to gmail showed within seconds, as did the reply from the gmail account. I suspect the disappearing email is due to a provider problem rather than something wrong with Thunderbird.
The disappearing email showed up OK right after I finished the above report. I'm guessing it was just some sort of traffic delay.
Sorry, the following package cannot be selected:
- thunderbird-102.6.0-1.mga8.x86_64 (due to unsatisfied lib64nss3[>= 2:3.86.0])
There is no update bug for lib64nss3, and the version in Core is 3.85, and it's not listed in the rpms above. Note: I'm using QARepo to make sure I do not draw in unexpected updates.
CC: (none) => herman.viaene
@Herman, this bug states it depends on Bug 31272 - Firefox 102.6. So install that first :) It includes nss.
I found that out in the meantime, but to me that is not good enough. The thunderbird should either require firefox or nss. Depending on human fiddling is not good enough. I'll continue testing after Firefox update.
It is good enough. The dependency is correct and the released update will never have a problem with it.
Suppose a new version introduces some problem. In such case no one would be able to install the new version of T-bird.
Tested by sending e-mails back and forth between accounts and machines, all works OK.
(In reply to Herman Viaene from comment #13)
> Suppose a new version introduces some problem. In such case no one would be
> able to install the new version of T-bird.
Incorrect. There is no problem. This update depends on the nss update, which will be pushed before or with this one.
Sorry, my sentence was not complete: a bad new version of Firefox would block the new version of T-bird.
Nope. The nss update could be pushed out with Thunderbird if need be.
That's better.
Tested with Canadian English, and with French. Validating. Advisory committed to svn.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0476.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED