Bug 31561 - Thunderbird 102.8
Summary: Thunderbird 102.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 31556
Blocks:
 
Reported: 2023-02-16 14:03 CET by Nicolas Salguero
Modified: 2023-02-23 17:57 CET

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Description Nicolas Salguero 2023-02-16 14:03:44 CET
Mozilla has released Thunderbird 102.8.0 on February 15:
https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/
Nicolas Salguero 2023-02-16 14:03:57 CET

CC: (none) => nicolas.salguero
Assignee: bugsquad => nicolas.salguero
Whiteboard: (none) => MGA8TOO
Source RPM: (none) => thunderbird, thunderbird-l10n

Comment 1 Nicolas Salguero 2023-02-16 17:23:36 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

User Interface lockup with messages combining S/MIME and OpenPGP. (CVE-2023-0616)

Content security policy leak in violation reports using iframes. (CVE-2023-25728)

Screen hijack via browser fullscreen mode. (CVE-2023-25730)

Arbitrary memory write via PKCS 12 in NSS. (CVE-2023-0767)

Potential use-after-free from compartment mismatch in SpiderMonkey. (CVE-2023-25735)

Invalid downcast in SVGUtils::SetupStrokeGeometry. (CVE-2023-25737)

Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext. (CVE-2023-25739)

Extensions could have opened external schemes without user knowledge. (CVE-2023-25729)

Out of bounds memory write from EncodeInputStream. (CVE-2023-25732)

Web Crypto ImportKey crashes tab. (CVE-2023-25742)

Memory safety bugs fixed in Thunderbird 102.8. (CVE-2023-25746)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25746
https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/
========================

Updated packages in core/updates_testing:
========================
thunderbird-102.8.0-1.mga8
thunderbird-ka-102.8.0-1.mga8
thunderbird-ru-102.8.0-1.mga8
thunderbird-uk-102.8.0-1.mga8
thunderbird-el-102.8.0-1.mga8
thunderbird-ja-102.8.0-1.mga8
thunderbird-zh_TW-102.8.0-1.mga8
thunderbird-kk-102.8.0-1.mga8
thunderbird-th-102.8.0-1.mga8
thunderbird-sk-102.8.0-1.mga8
thunderbird-vi-102.8.0-1.mga8
thunderbird-hu-102.8.0-1.mga8
thunderbird-zh_CN-102.8.0-1.mga8
thunderbird-cs-102.8.0-1.mga8
thunderbird-hsb-102.8.0-1.mga8
thunderbird-dsb-102.8.0-1.mga8
thunderbird-hy_AM-102.8.0-1.mga8
thunderbird-sr-102.8.0-1.mga8
thunderbird-es_MX-102.8.0-1.mga8
thunderbird-fr-102.8.0-1.mga8
thunderbird-de-102.8.0-1.mga8
thunderbird-tr-102.8.0-1.mga8
thunderbird-es_AR-102.8.0-1.mga8
thunderbird-pl-102.8.0-1.mga8
thunderbird-ko-102.8.0-1.mga8
thunderbird-kab-102.8.0-1.mga8
thunderbird-fy_NL-102.8.0-1.mga8
thunderbird-sq-102.8.0-1.mga8
thunderbird-pt_BR-102.8.0-1.mga8
thunderbird-cy-102.8.0-1.mga8
thunderbird-bg-102.8.0-1.mga8
thunderbird-sv_SE-102.8.0-1.mga8
thunderbird-be-102.8.0-1.mga8
thunderbird-sl-102.8.0-1.mga8
thunderbird-is-102.8.0-1.mga8
thunderbird-nl-102.8.0-1.mga8
thunderbird-lt-102.8.0-1.mga8
thunderbird-eu-102.8.0-1.mga8
thunderbird-et-102.8.0-1.mga8
thunderbird-da-102.8.0-1.mga8
thunderbird-fi-102.8.0-1.mga8
thunderbird-gl-102.8.0-1.mga8
thunderbird-pt_PT-102.8.0-1.mga8
thunderbird-he-102.8.0-1.mga8
thunderbird-hr-102.8.0-1.mga8
thunderbird-ro-102.8.0-1.mga8
thunderbird-ar-102.8.0-1.mga8
thunderbird-nn_NO-102.8.0-1.mga8
thunderbird-es_ES-102.8.0-1.mga8
thunderbird-en_GB-102.8.0-1.mga8
thunderbird-nb_NO-102.8.0-1.mga8
thunderbird-en_CA-102.8.0-1.mga8
thunderbird-pa_IN-102.8.0-1.mga8
thunderbird-en_US-102.8.0-1.mga8
thunderbird-ca-102.8.0-1.mga8
thunderbird-id-102.8.0-1.mga8
thunderbird-gd-102.8.0-1.mga8
thunderbird-it-102.8.0-1.mga8
thunderbird-lv-102.8.0-1.mga8
thunderbird-br-102.8.0-1.mga8
thunderbird-ga_IE-102.8.0-1.mga8
thunderbird-af-102.8.0-1.mga8
thunderbird-ms-102.8.0-1.mga8
thunderbird-ast-102.8.0-1.mga8
thunderbird-uz-102.8.0-1.mga8

from SRPMS:
thunderbird-102.8.0-1.mga8.src.rpm
thunderbird-l10n-102.8.0-1.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)

Nicolas Salguero 2023-02-16 17:24:21 CET

Depends on: (none) => 31556

Comment 2 Morgan Leijström 2023-02-17 13:39:36 CET
mga8-64, Plasma, nvidia-current, intel i7
  Tests OK:
Swedish locale
settings and local mail kept
IMAP (offline, IMAP to sync to server)
SMTP
tested incl inline pictures and attached files.

Did not test Filters, Calendar, PGP, RSS...

CC: (none) => fri

Comment 3 Herman Viaene 2023-02-17 17:20:55 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Using existing profile, sending and receiving mails without and with attachments work OK.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2023-02-18 15:39:39 CET
MGA8-64 Plasma. Updated both Firefox and Thunderbird US English versions at the same time, with no installation issues.

Used Thunderbird all afternoon yesterday, sent and received several emails about QA, order confirmations, notifications from various farming forums I frequent and from Facebook, used links inside some of the trusted emails, checked some newsgroups. Everything worked as it should.

I don't use the calendar, but what I do use is OK.

CC: (none) => andrewsfarm

Comment 5 Thomas Andrews 2023-02-19 23:34:10 CET
Another day of usage with no problems. Sending this on. Validating. Advisory in comment 1.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2023-02-20 20:58:33 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-02-20 22:27:15 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0057.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 7 David Walser 2023-02-23 17:57:15 CET
Red Hat has issued an advisory for this on February 20:
https://access.redhat.com/errata/RHSA-2023:0824
