Bug 32643 - Thunderbird 115.6
Summary: Thunderbird 115.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 32642
Blocks:
Reported: 2023-12-21 10:14 CET by Nicolas Salguero
Modified: 2024-01-12 21:12 CET (History)
CC: 7 users

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE: CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-50761, CVE-2023-50762
Status comment:



Description Nicolas Salguero 2023-12-21 10:14:40 CET
Mozilla has released Thunderbird 115.5.2 on December 11:
https://www.thunderbird.net/en-US/thunderbird/115.5.2/releasenotes/
Mozilla has released Thunderbird 115.6 on December 19:
https://www.thunderbird.net/en-US/thunderbird/115.6.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/
Nicolas Salguero 2023-12-21 10:15:04 CET

Depends on: (none) => 32642
Source RPM: (none) => thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA9TOO

Comment 1 Morgan Leijström 2023-12-22 20:43:35 CET
Thunderbird can be tested after updating nss and lib(64)nss to 3.96.1 from
 Bug 32642 - Firefox 115.6
- Firefox rpm is missing currently, but Thunderbird can be tested with that nss

---

mga9-64 OK here

Tested under Plasma X11, Intel I7-870, nvidia 470.223.02-1 on GTX750, kernel 6.5.13-desktop-5

Closed thunderbird, and backed up
Updated nss and lib(64)nss to 3.96.1
Updated thunderbird;
 thunderbird-sv_SE-115.6.0-1.mga9
 thunderbird-115.6.0-1.mga9

And started TB:
settings and local mail kept
Swedish locale
IMAP (offline, IMAP to sync to server)
SMTP

I do not use the calendar or tasks

---

This bug (and Firefox) need advisory proposals and package lists

Assignee: bugsquad => qa-bugs
CC: (none) => fri

Comment 2 Morgan Leijström 2023-12-26 01:14:03 CET
(In reply to Morgan Leijström from comment #1)
> This bug (and Firefox) need advisory proposals and package lists

CC: (none) => nicolas.salguero

Comment 3 Brian Rockwell 2024-01-06 17:06:36 CET
mga9-64, Plasma, Vbox

The following 5 packages are going to be installed:

- lib64nss3-3.96.1-1.mga9.x86_64
- lib64otr5-4.1.1-5.mga9.x86_64
- thunderbird-115.6.0-1.mga9.x86_64
- thunderbird-compose-1.1-1.mga9.noarch
- thunderbird-en_CA-115.6.0-1.mga9.noarch

244MB of additional disk space will be used.

--

new install

-set up yahoo account with no issues and sent/received emails
-created a new calendar - that worked from what I can tell

Works for me.

I'm not a regular Thunderbird user - does anyone want to test an upgrade before I approve?

CC: (none) => brtians1

Thomas Andrews 2024-01-07 21:26:30 CET

CC: (none) => andrewsfarm

Comment 4 christian barranco 2024-01-07 21:28:55 CET
Hi.

MGA9, Plasma, bare metal machine, French locale.

As no package list is provided, I activated core/updates_testing and :
# urpmi thunderbird

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing (distrib5)")
  lib64nss3                      3.96.1       1.mga9        x86_64  
  thunderbird                    115.6.0      1.mga9        x86_64  
  thunderbird-fr                 115.6.0      1.mga9        noarch  
2.3MB of disk space will be freed.
71MB of packages will be retrieved.


Multiple accounts = ok
Calendar with Nextcloud sync = ok
Contacts with Nextcloud sync = ok

CC: (none) => chb0

Comment 5 Thomas Andrews 2024-01-07 21:37:17 CET
Has this been pushed to Cauldron yet? I've been holding off until that happened.
Comment 6 Morgan Leijström 2024-01-07 21:45:46 CET
Good you checked.
It seems the nss update is in Cauldron but not Firefox nor Thunderbird.

Setting feedback for packager to update Cauldron.
(Maybe it got lost due to the disk space problem?)

And we still lack package list and advisory proposal.

Anyway, I think we can still go on testing it in mga9.
It is a security update, so we are in a hurry.

Keywords: (none) => feedback

Comment 7 Nicolas Salguero 2024-01-08 10:24:38 CET
Hi,

Sadly, neither Firefox ESR nor Thunderbird can be built with python 3.12 and Cauldron switched to that version of python.

Best regards,
Comment 8 Morgan Leijström 2024-01-08 12:21:12 CET
We should not hinder a security update in our supported release because of whatever problem in our development cauldron.

Please open a separate issue for Cauldron.

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Keywords: feedback => (none)

Comment 9 Nicolas Salguero 2024-01-08 14:33:12 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Truncated signed text was shown with a valid OpenPGP signature. (CVE-2023-50762)

S/MIME signature accepted despite mismatching message date. (CVE-2023-50761)

Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver. (CVE-2023-6856)

Symlinks may resolve to smaller than expected buffers. (CVE-2023-6857)

Heap buffer overflow in nsTextFragment. (CVE-2023-6858)

Use-after-free in PR_GetIdentitiesLayer. (CVE-2023-6859)

Potential sandbox escape due to VideoBridge lack of texture validation. (CVE-2023-6860)

Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode. (CVE-2023-6861)

Use-after-free in nsDNSService. (CVE-2023-6862)

Undefined behavior in ShutdownObserver(). (CVE-2023-6863)

Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. (CVE-2023-6864)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6864
https://www.thunderbird.net/en-US/thunderbird/115.5.2/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/115.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/
========================

Updated packages in core/updates_testing:
========================
thunderbird-115.6.0-1.mga9
thunderbird-af-115.6.0-1.mga9
thunderbird-ar-115.6.0-1.mga9
thunderbird-ast-115.6.0-1.mga9
thunderbird-be-115.6.0-1.mga9
thunderbird-bg-115.6.0-1.mga9
thunderbird-br-115.6.0-1.mga9
thunderbird-ca-115.6.0-1.mga9
thunderbird-cs-115.6.0-1.mga9
thunderbird-cy-115.6.0-1.mga9
thunderbird-da-115.6.0-1.mga9
thunderbird-de-115.6.0-1.mga9
thunderbird-dsb-115.6.0-1.mga9
thunderbird-el-115.6.0-1.mga9
thunderbird-en_CA-115.6.0-1.mga9
thunderbird-en_GB-115.6.0-1.mga9
thunderbird-en_US-115.6.0-1.mga9
thunderbird-es_AR-115.6.0-1.mga9
thunderbird-es_ES-115.6.0-1.mga9
thunderbird-es_MX-115.6.0-1.mga9
thunderbird-et-115.6.0-1.mga9
thunderbird-eu-115.6.0-1.mga9
thunderbird-fi-115.6.0-1.mga9
thunderbird-fr-115.6.0-1.mga9
thunderbird-fy_NL-115.6.0-1.mga9
thunderbird-ga_IE-115.6.0-1.mga9
thunderbird-gd-115.6.0-1.mga9
thunderbird-gl-115.6.0-1.mga9
thunderbird-he-115.6.0-1.mga9
thunderbird-hr-115.6.0-1.mga9
thunderbird-hsb-115.6.0-1.mga9
thunderbird-hu-115.6.0-1.mga9
thunderbird-hy_AM-115.6.0-1.mga9
thunderbird-id-115.6.0-1.mga9
thunderbird-is-115.6.0-1.mga9
thunderbird-it-115.6.0-1.mga9
thunderbird-ja-115.6.0-1.mga9
thunderbird-ka-115.6.0-1.mga9
thunderbird-kab-115.6.0-1.mga9
thunderbird-kk-115.6.0-1.mga9
thunderbird-ko-115.6.0-1.mga9
thunderbird-lt-115.6.0-1.mga9
thunderbird-lv-115.6.0-1.mga9
thunderbird-ms-115.6.0-1.mga9
thunderbird-nb_NO-115.6.0-1.mga9
thunderbird-nl-115.6.0-1.mga9
thunderbird-nn_NO-115.6.0-1.mga9
thunderbird-pa_IN-115.6.0-1.mga9
thunderbird-pl-115.6.0-1.mga9
thunderbird-pt_BR-115.6.0-1.mga9
thunderbird-pt_PT-115.6.0-1.mga9
thunderbird-ro-115.6.0-1.mga9
thunderbird-ru-115.6.0-1.mga9
thunderbird-sk-115.6.0-1.mga9
thunderbird-sl-115.6.0-1.mga9
thunderbird-sq-115.6.0-1.mga9
thunderbird-sr-115.6.0-1.mga9
thunderbird-sv_SE-115.6.0-1.mga9
thunderbird-th-115.6.0-1.mga9
thunderbird-tr-115.6.0-1.mga9
thunderbird-uk-115.6.0-1.mga9
thunderbird-uz-115.6.0-1.mga9
thunderbird-vi-115.6.0-1.mga9
thunderbird-zh_CN-115.6.0-1.mga9
thunderbird-zh_TW-115.6.0-1.mga9

from SRPMS:
thunderbird-115.6.0-1.mga9.src.rpm
thunderbird-l10n-115.6.0-1.mga9.src.rpm

Status: NEW => ASSIGNED
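A check a QA tester or admin may want after an advisory like the one above: confirm that every package the advisory lists is installed at the shipped version or newer, using RPM's own version ordering rather than a string compare. The script below is an added example, not Mageia's update tooling and not part of this bug; rpmvercmp() reimplements the RPM label comparison algorithm (numeric segments beat alphabetic ones, "~" sorts before end of string, "^" after it). The advisory package list is trimmed to a few entries from comment 9 (paste the full list for a real check), the lib64nss3 requirement is an assumption taken from the nss 3.96.1 testing notes above, and the `rpm -qa` output is constructed sample data.

```python
"""Check installed Mageia RPMs against an advisory's package list.

Added example (not Mageia's own tooling).  rpmvercmp() follows the RPM
label-comparison algorithm; the advisory list is a trimmed copy of the
one in comment 9, the lib64nss3 entry is an assumption from the testing
notes, and SAMPLE_INSTALLED is constructed sample input.
"""
import sys

# Trimmed from the suggested advisory (comment 9); paste the full list in.
# lib64nss3 is an assumption: testers needed nss 3.96.1 for this update.
ADVISORY_PACKAGES = [
    "thunderbird-115.6.0-1.mga9",
    "thunderbird-en_GB-115.6.0-1.mga9",
    "thunderbird-fr-115.6.0-1.mga9",
    "thunderbird-sv_SE-115.6.0-1.mga9",
    "lib64nss3-3.96.1-1.mga9",
]

# Constructed sample of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
SAMPLE_INSTALLED = """\
thunderbird-115.5.1-1.mga9
thunderbird-sv_SE-115.6.0-1.mga9
thunderbird-compose-1.1-1.mga9
lib64nss3-3.93.0-1.mga9
firefox-115.5.0-1.mga9
"""

_TILDE_CARET = "~^"


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 in RPM label order (like rpm's rpmvercmp())."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alnum, '~' or '^') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] in _TILDE_CARET):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in _TILDE_CARET):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:          # '~' sorts before everything, even EOS
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret = i < len(a) and a[i] == "^"
        b_caret = j < len(b) and b[j] == "^"
        if a_caret or b_caret:          # '^' sorts after EOS, before the rest
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        si, sj = i, j
        isnum = a[i].isdigit()          # segment kind decided by the left side
        if isnum:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                   # different kinds: numeric beats alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(x, y) -> int:
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    r = rpmvercmp(x[1], y[1])
    return r if r else rpmvercmp(x[2], y[2])


def outdated_packages(installed_text: str, advisory=ADVISORY_PACKAGES):
    """Return {name: (installed_vr, required_vr)} for advisory packages that are
    installed at an EVR lower than the one the advisory ships."""
    required = {}
    for pkg in advisory:
        n, e, v, r = parse_nevr(pkg)
        required[n] = (e, v, r)
    result = {}
    for line in installed_text.splitlines():
        line = line.strip()
        if not line:
            continue
        n, e, v, r = parse_nevr(line)
        if n in required and evr_cmp((e, v, r), required[n]) < 0:
            req = required[n]
            result[n] = (f"{v}-{r}", f"{req[1]}-{req[2]}")
    return result


if __name__ == "__main__":
    # feed real data with: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | python3 check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSTALLED
    for name, (have, need) in sorted(outdated_packages(text).items()):
        print(f"{name}: installed {have}, advisory ships {need}")
```

On the sample input the script reports thunderbird and lib64nss3 as still below the advisory versions and ignores thunderbird-compose and firefox, which the advisory does not cover. Packages the advisory lists but which are not installed at all (most of the l10n packages on any one machine) are deliberately not reported, since a missing locale package is not an unpatched one.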

Comment 10 Thomas Andrews 2024-01-08 16:24:59 CET
MGA9-64 Plasma.

I updated both firefox and thunderbird in one operation, with no apparent issues. Then I ran thunderbird, immediately getting confirmation that firefox is working when, before anything else happened, a web page was opened by Mozilla begging for money. Seems like that happened with the last thunderbird update, too...

Anyway, I received and sent mail, checked newsgroups and read a couple of posts.

Looks OK here.
Marja Van Waes 2024-01-08 18:02:55 CET

CVE: (none) => CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, 2023-50761, CVE-2023-50762
CC: (none) => marja11

Comment 11 Marja Van Waes 2024-01-08 18:14:18 CET
Advisory from comment 9 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

CVE: CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, 2023-50761, CVE-2023-50762 => CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-50761, CVE-2023-50762
Keywords: (none) => advisory

Comment 12 Marja Van Waes 2024-01-08 23:01:50 CET Comment hidden (obsolete)

Whiteboard: (none) => MGA9TOO
Version: 9 => Cauldron

Comment 13 Marja Van Waes 2024-01-08 23:21:12 CET
Bug 32707 opened for TB in cauldron

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 14 Thomas Andrews 2024-01-11 00:06:38 CET
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Morgan Leijström 2024-01-11 00:48:45 CET

Whiteboard: (none) => MGA9-64-OK

Comment 15 Mageia Robot 2024-01-12 13:37:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0006.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 16 Morgan Leijström 2024-01-12 19:27:27 CET
How come this got shipped before bug 32642 despite this bug being set to depend on that?
Comment 17 David Walser 2024-01-12 21:12:07 CET
Indeed, the updates pushing script won't just do that (unless it's changed); someone would have had to manually force it. Not good.
