Bug 31438 - Thunderbird 102.7.1
Summary: Thunderbird 102.7.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 31415
Blocks:
 
Reported: 2023-01-20 17:24 CET by David Walser
Modified: 2023-02-07 16:49 CET

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Description David Walser 2023-01-20 17:24:00 CET
Mozilla has released Thunderbird 102.7.0 on January 19:
https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/

The security issues fixed haven't been posted yet, but are probably mostly the same as Firefox 102.7.0 (Bug 31415).

There is a regression in Microsoft 365 support, so we could wait for 102.7.1.
David Walser 2023-01-20 17:24:19 CET

Depends on: (none) => 31415

Comment 1 David Walser 2023-01-25 23:47:50 CET
RedHat has issued an advisory for this today (January 25):
https://access.redhat.com/errata/RHSA-2023:0463

Their advisory says that they updated to 102.7.1, even though the release announcement hasn't been posted yet:
https://access.redhat.com/errata/RHSA-2023:0456

Summary: Thunderbird 102.7 => Thunderbird 102.7.1

Comment 2 Nicolas Salguero 2023-02-01 14:23:21 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libusrsctp library out of date. (CVE-2022-46871)

Arbitrary file read from GTK drag and drop on Linux. (CVE-2023-23598)

URL being dragged from cross-origin iframe into same tab triggers navigation. (CVE-2023-23601)

Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers. (CVE-2023-23602)

Fullscreen notification bypass. (CVE-2022-46877)

Calls to console.log allowed bypassing Content Security Policy via format directive. (CVE-2023-23603)

Memory safety bugs fixed in Thunderbird 102.7. (CVE-2023-23605)

Revocation status of S/Mime signature certificates was not checked. (CVE-2023-0430)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0430
https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-04/
https://access.redhat.com/errata/RHSA-2023:0463
https://access.redhat.com/errata/RHSA-2023:0456
========================

Updated packages in core/updates_testing:
========================
thunderbird-102.7.1-1.mga8
thunderbird-ka-102.7.1-1.mga8
thunderbird-ru-102.7.1-1.mga8
thunderbird-uk-102.7.1-1.mga8
thunderbird-el-102.7.1-1.mga8
thunderbird-ja-102.7.1-1.mga8
thunderbird-zh_TW-102.7.1-1.mga8
thunderbird-kk-102.7.1-1.mga8
thunderbird-th-102.7.1-1.mga8
thunderbird-sk-102.7.1-1.mga8
thunderbird-vi-102.7.1-1.mga8
thunderbird-hu-102.7.1-1.mga8
thunderbird-zh_CN-102.7.1-1.mga8
thunderbird-cs-102.7.1-1.mga8
thunderbird-hsb-102.7.1-1.mga8
thunderbird-dsb-102.7.1-1.mga8
thunderbird-hy_AM-102.7.1-1.mga8
thunderbird-sr-102.7.1-1.mga8
thunderbird-es_MX-102.7.1-1.mga8
thunderbird-fr-102.7.1-1.mga8
thunderbird-de-102.7.1-1.mga8
thunderbird-tr-102.7.1-1.mga8
thunderbird-es_AR-102.7.1-1.mga8
thunderbird-pl-102.7.1-1.mga8
thunderbird-ko-102.7.1-1.mga8
thunderbird-kab-102.7.1-1.mga8
thunderbird-fy_NL-102.7.1-1.mga8
thunderbird-sq-102.7.1-1.mga8
thunderbird-pt_BR-102.7.1-1.mga8
thunderbird-cy-102.7.1-1.mga8
thunderbird-bg-102.7.1-1.mga8
thunderbird-sv_SE-102.7.1-1.mga8
thunderbird-be-102.7.1-1.mga8
thunderbird-sl-102.7.1-1.mga8
thunderbird-is-102.7.1-1.mga8
thunderbird-nl-102.7.1-1.mga8
thunderbird-lt-102.7.1-1.mga8
thunderbird-eu-102.7.1-1.mga8
thunderbird-et-102.7.1-1.mga8
thunderbird-da-102.7.1-1.mga8
thunderbird-fi-102.7.1-1.mga8
thunderbird-gl-102.7.1-1.mga8
thunderbird-pt_PT-102.7.1-1.mga8
thunderbird-he-102.7.1-1.mga8
thunderbird-hr-102.7.1-1.mga8
thunderbird-ro-102.7.1-1.mga8
thunderbird-ar-102.7.1-1.mga8
thunderbird-nn_NO-102.7.1-1.mga8
thunderbird-es_ES-102.7.1-1.mga8
thunderbird-en_GB-102.7.1-1.mga8
thunderbird-nb_NO-102.7.1-1.mga8
thunderbird-en_CA-102.7.1-1.mga8
thunderbird-pa_IN-102.7.1-1.mga8
thunderbird-en_US-102.7.1-1.mga8
thunderbird-ca-102.7.1-1.mga8
thunderbird-id-102.7.1-1.mga8
thunderbird-gd-102.7.1-1.mga8
thunderbird-it-102.7.1-1.mga8
thunderbird-lv-102.7.1-1.mga8
thunderbird-br-102.7.1-1.mga8
thunderbird-ga_IE-102.7.1-1.mga8
thunderbird-af-102.7.1-1.mga8
thunderbird-ms-102.7.1-1.mga8
thunderbird-ast-102.7.1-1.mga8
thunderbird-uz-102.7.1-1.mga8

from SRPMS:
thunderbird-102.7.1-1.mga8.src.rpm
thunderbird-l10n-102.7.1-1.mga8.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
Source RPM: thunderbird => thunderbird, thunderbird-l10n

Comment 3 Morgan Leijström 2023-02-01 17:22:20 CET
mga8-64, Plasma, nvidia-current, old i7

§ Clean update
§ Swedish OK
§ Settings and mails kept
§ IMAP
§ SMTP

CC: (none) => fri

Comment 4 Morgan Leijström 2023-02-02 06:46:15 CET
This thunderbird version crashes with IMAP on cauldron

Bug 31488 - TB crashes if you attempt to switch to an IMAP Inbox

Should be investigated before OKing for mga8.

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31488

Comment 5 Herman Viaene 2023-02-02 10:24:37 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
First deleted my .thunderbird folder, then run thunderbird and follow the wizard to setup my hotmail account as pop3.
Send and receive to/from gmail account on my desktop PC, without or with attachment, all works OK.
Leave thunderbird and again delete my .thunderbird folder. Start thunderbird again and the wizard to setup my hotmail account as imap and operate it the same way as above. All OK.

@ Morgan: is this sufficient for the problem you found?

CC: (none) => herman.viaene

Comment 6 Morgan Leijström 2023-02-02 10:39:55 CET
I find it scary that for Frank on cauldron 102.7.1-1 crashes, while 102.6.0 did not.

I.e., is it possible some of our users have configurations where this update would break their work?

It does not crash for me but I use "offline" IMAP (local storage, sync by IMAP), and it may also depend on which "dialect" IMAP the server uses.

Until we know I would like this delayed.

I asked Frank in the other bug if he can test his IMAP on mga8.
Comment 7 Frank Griffin 2023-02-02 14:16:53 CET
I have used this IMAP account throughout the MGA8 cycle in cauldron (which is all I usually run) without a problem.  A comment above indicates that 102.7.0 had a regression in MS 365 support (which this account is), but with oAuth2 it has been working right along.

Did 102.7.1 claim to fix the regression?

CC: (none) => ftg

Comment 8 David Walser 2023-02-02 15:28:58 CET
(In reply to Morgan Leijström from comment #4)
> This thunderbird version crashes with IMAP on cauldron
> 
> Bug 31488 - TB crashes if you attempt to switch to an IMAP Inbox
> 
> Should be investigated before OKing for mga8.

If this doesn't happen with a clean profile, it shouldn't hold anything up.  Unfortunately TB has a recent history of bugs that only affect one person's profile.
Comment 9 Morgan Leijström 2023-02-02 23:11:19 CET
(In reply to David Walser from comment #8)
> (In reply to Morgan Leijström from comment #4)
> If this doesn't happen with a clean profile, it shouldn't hold anything up. 

Users getting updates do not want to make a clean profile...


Anyway, the problem on cauldron was fixed with thunderbird-102.7.1-2.mga9

I have not checked why, but feels better to get an mga8 version of it here?
Comment 10 David Walser 2023-02-03 00:30:02 CET
I don't want a new profile, but like most users, I've never been bit by any of these weird bugs.  The update in Cauldron was related to hardware graphics acceleration, and not about that issue.  It sounds like it was just a transient issue.  Let's move this along.
Comment 11 Morgan Leijström 2023-02-03 00:32:10 CET
OK then.

Should we have a 32 bit test?

Whiteboard: (none) => MGA8-64-OK

Comment 12 David Walser 2023-02-03 00:32:58 CET
It would be nice, but not strictly necessary for validation.
Comment 13 Thomas Andrews 2023-02-03 14:07:07 CET
Working OK for me here, too. Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-06 20:51:40 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 14 Mageia Robot 2023-02-07 01:08:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0034.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 15 David Walser 2023-02-07 16:49:09 CET
RedHat has posted an advisory for this on February 6:
https://access.redhat.com/errata/RHSA-2023:0600

I'm guessing the ones in Comment 1 were a typo and were for 102.7.0.
