31684 – Thunderbird 102.9

Bug 31684 - Thunderbird 102.9

Summary: Thunderbird 102.9

Status:	ASSIGNED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: critical
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:	31663
Blocks:
	Show dependency tree / graph

Reported:	2023-03-16 09:19 CET by Nicolas Salguero
Modified:	2023-03-20 20:03 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	thunderbird, thunderbird-l10n
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2023-03-16 09:19:03 CET

Mozilla has released Thunderbird 102.8.0 on March 14:
https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/

Comment 1 Nicolas Salguero 2023-03-16 09:35:39 CET

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Incorrect code generation during JIT compilation. (CVE-2023-25751)

URL being dragged from a removed cross-origin iframe into the same tab triggered navigation. (CVE-2023-28164)

Invalid downcast in Worklets. (CVE-2023-28162)

Potential out-of-bounds when accessing throttled streams. (CVE-20223-25752)

Memory safety bugs fixed in Thunderbird 102.9. (CVE-2023-28176)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28176
https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/
========================

Updated packages in core/updates_testing:
========================
thunderbird-102.9.0-1.mga8
thunderbird-ka-102.9.0-1.mga8
thunderbird-ru-102.9.0-1.mga8
thunderbird-uk-102.9.0-1.mga8
thunderbird-el-102.9.0-1.mga8
thunderbird-ja-102.9.0-1.mga8
thunderbird-zh_TW-102.9.0-1.mga8
thunderbird-kk-102.9.0-1.mga8
thunderbird-th-102.9.0-1.mga8
thunderbird-sk-102.9.0-1.mga8
thunderbird-vi-102.9.0-1.mga8
thunderbird-hu-102.9.0-1.mga8
thunderbird-zh_CN-102.9.0-1.mga8
thunderbird-cs-102.9.0-1.mga8
thunderbird-hsb-102.9.0-1.mga8
thunderbird-dsb-102.9.0-1.mga8
thunderbird-hy_AM-102.9.0-1.mga8
thunderbird-sr-102.9.0-1.mga8
thunderbird-es_MX-102.9.0-1.mga8
thunderbird-fr-102.9.0-1.mga8
thunderbird-de-102.9.0-1.mga8
thunderbird-tr-102.9.0-1.mga8
thunderbird-es_AR-102.9.0-1.mga8
thunderbird-pl-102.9.0-1.mga8
thunderbird-ko-102.9.0-1.mga8
thunderbird-kab-102.9.0-1.mga8
thunderbird-fy_NL-102.9.0-1.mga8
thunderbird-sq-102.9.0-1.mga8
thunderbird-pt_BR-102.9.0-1.mga8
thunderbird-cy-102.9.0-1.mga8
thunderbird-bg-102.9.0-1.mga8
thunderbird-sv_SE-102.9.0-1.mga8
thunderbird-be-102.9.0-1.mga8
thunderbird-sl-102.9.0-1.mga8
thunderbird-is-102.9.0-1.mga8
thunderbird-nl-102.9.0-1.mga8
thunderbird-lt-102.9.0-1.mga8
thunderbird-eu-102.9.0-1.mga8
thunderbird-et-102.9.0-1.mga8
thunderbird-da-102.9.0-1.mga8
thunderbird-fi-102.9.0-1.mga8
thunderbird-gl-102.9.0-1.mga8
thunderbird-pt_PT-102.9.0-1.mga8
thunderbird-he-102.9.0-1.mga8
thunderbird-hr-102.9.0-1.mga8
thunderbird-ro-102.9.0-1.mga8
thunderbird-ar-102.9.0-1.mga8
thunderbird-nn_NO-102.9.0-1.mga8
thunderbird-es_ES-102.9.0-1.mga8
thunderbird-en_GB-102.9.0-1.mga8
thunderbird-nb_NO-102.9.0-1.mga8
thunderbird-en_CA-102.9.0-1.mga8
thunderbird-pa_IN-102.9.0-1.mga8
thunderbird-en_US-102.9.0-1.mga8
thunderbird-ca-102.9.0-1.mga8
thunderbird-id-102.9.0-1.mga8
thunderbird-gd-102.9.0-1.mga8
thunderbird-it-102.9.0-1.mga8
thunderbird-lv-102.9.0-1.mga8
thunderbird-br-102.9.0-1.mga8
thunderbird-ga_IE-102.9.0-1.mga8
thunderbird-af-102.9.0-1.mga8
thunderbird-ms-102.9.0-1.mga8
thunderbird-ast-102.9.0-1.mga8
thunderbird-uz-102.9.0-1.mga8

from SRPMS:
thunderbird-102.9.0-1.mga8.src.rpm
thunderbird-l10n-102.9.0-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Source RPM: (none) => thunderbird, thunderbird-l10n
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Nicolas Salguero 2023-03-16 09:39:13 CET

Depends on: (none) => 31663

Comment 2 Morgan Leijström 2023-03-16 12:15:54 CET

mga8-64, Plasma, nvidia-current, intel i7

- thunderbird-102.9.0-1.mga8.x86_64
- thunderbird-sv_SE-102.9.0-1.mga8.noarch

  Tests OK:
Swedish locale
settings and local mail kept
IMAP (offline, IMAP to synk to server)
SMTP
tested incl inline pictures and attached files.

Did not test Filters, Calendar, PGP, RSS...

CC: (none) => fri

Comment 3 Herman Viaene 2023-03-16 16:34:11 CET

Sorry, the following package cannot be selected:

- thunderbird-102.9.0-1.mga8.x86_64 (due to unsatisfied lib64nss3[>= 2:3.89.0])

CC: (none) => herman.viaene

Comment 4 Morgan Leijström 2023-03-16 16:35:36 CET

First perform update to Bug 31663 - Firefox 102.9

Comment 5 Thomas Andrews 2023-03-18 23:22:21 CET

Updated Firefox and Thunderbird together using qarepo, since both usually go out together. 

This particular install of Thunderbird had not been used since 2018, so there was some catching up to do. Authentication for Gmail was converted from password to 0Auth2 without incident. I use POP mail, so it only had a few emails to download. Sent and received emails OK. I don't use the calendar.

CC: (none) => andrewsfarm

Comment 6 Len Lawrence 2023-03-20 20:03:39 CET

mga8, x64
Firefox update already done.
Updated Thunderbird for en_GB and restarted it without any problems.
Selected an address from the addressbook, composed a message and sent it successfully.
Tried out the alarm facility in the calendar - that worked OK - reminder arrived on the dot.

CC: (none) => tarazed25

Note You need to log in before you can comment on or make changes to this bug.