Bug 33311 - Thunderbird 115.12
Summary: Thunderbird 115.12
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-06-17 16:43 CEST by Nicolas Salguero
Modified: 2024-06-22 19:33 CEST

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE: CVE-2024-5702, CVE-2024-5688, CVE-2024-5690, CVE-2024-5691, CVE-2024-5693, CVE-2024-5696, CVE-2024-5700
Status comment:



Description Nicolas Salguero 2024-06-17 16:43:17 CEST
Mozilla has released Thunderbird 115.12 on June 13:
https://www.thunderbird.net/en-US/thunderbird/115.12.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-28/

Nicolas Salguero 2024-06-17 16:44:19 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => thunderbird, thunderbird-l10n
CVE: (none) => CVE-2024-5702, CVE-2024-5688, CVE-2024-5690, CVE-2024-5691, CVE-2024-5693, CVE-2024-5696, CVE-2024-5700

Comment 1 Lewis Smith 2024-06-17 20:23:14 CEST
Passing back to you, Nicolas, as you currently do Thunderbird updates.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2024-06-18 17:09:20 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free in networking. (CVE-2024-5702)

Use-after-free in JavaScript object transplant. (CVE-2024-5688)

External protocol handlers leaked by timing attack. (CVE-2024-5690)

Sandboxed iframes were able to bypass sandbox restrictions to open a new window. (CVE-2024-5691)

Cross-Origin Image leak via Offscreen Canvas. (CVE-2024-5693)

Memory Corruption in Text Fragments. (CVE-2024-5696)

Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. (CVE-2024-5700)

References:
https://www.thunderbird.net/en-US/thunderbird/115.12.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-28/
========================

Updated packages in core/updates_testing:
========================
thunderbird-115.12.0-1.mga9
thunderbird-af-115.12.0-1.mga9
thunderbird-ar-115.12.0-1.mga9
thunderbird-ast-115.12.0-1.mga9
thunderbird-be-115.12.0-1.mga9
thunderbird-bg-115.12.0-1.mga9
thunderbird-br-115.12.0-1.mga9
thunderbird-ca-115.12.0-1.mga9
thunderbird-cs-115.12.0-1.mga9
thunderbird-cy-115.12.0-1.mga9
thunderbird-da-115.12.0-1.mga9
thunderbird-de-115.12.0-1.mga9
thunderbird-dsb-115.12.0-1.mga9
thunderbird-el-115.12.0-1.mga9
thunderbird-en_CA-115.12.0-1.mga9
thunderbird-en_GB-115.12.0-1.mga9
thunderbird-en_US-115.12.0-1.mga9
thunderbird-es_AR-115.12.0-1.mga9
thunderbird-es_ES-115.12.0-1.mga9
thunderbird-es_MX-115.12.0-1.mga9
thunderbird-et-115.12.0-1.mga9
thunderbird-eu-115.12.0-1.mga9
thunderbird-fi-115.12.0-1.mga9
thunderbird-fr-115.12.0-1.mga9
thunderbird-fy_NL-115.12.0-1.mga9
thunderbird-ga_IE-115.12.0-1.mga9
thunderbird-gd-115.12.0-1.mga9
thunderbird-gl-115.12.0-1.mga9
thunderbird-he-115.12.0-1.mga9
thunderbird-hr-115.12.0-1.mga9
thunderbird-hsb-115.12.0-1.mga9
thunderbird-hu-115.12.0-1.mga9
thunderbird-hy_AM-115.12.0-1.mga9
thunderbird-id-115.12.0-1.mga9
thunderbird-is-115.12.0-1.mga9
thunderbird-it-115.12.0-1.mga9
thunderbird-ja-115.12.0-1.mga9
thunderbird-ka-115.12.0-1.mga9
thunderbird-kab-115.12.0-1.mga9
thunderbird-kk-115.12.0-1.mga9
thunderbird-ko-115.12.0-1.mga9
thunderbird-lt-115.12.0-1.mga9
thunderbird-lv-115.12.0-1.mga9
thunderbird-ms-115.12.0-1.mga9
thunderbird-nb_NO-115.12.0-1.mga9
thunderbird-nl-115.12.0-1.mga9
thunderbird-nn_NO-115.12.0-1.mga9
thunderbird-pa_IN-115.12.0-1.mga9
thunderbird-pl-115.12.0-1.mga9
thunderbird-pt_BR-115.12.0-1.mga9
thunderbird-pt_PT-115.12.0-1.mga9
thunderbird-ro-115.12.0-1.mga9
thunderbird-ru-115.12.0-1.mga9
thunderbird-sk-115.12.0-1.mga9
thunderbird-sl-115.12.0-1.mga9
thunderbird-sq-115.12.0-1.mga9
thunderbird-sr-115.12.0-1.mga9
thunderbird-sv_SE-115.12.0-1.mga9
thunderbird-th-115.12.0-1.mga9
thunderbird-tr-115.12.0-1.mga9
thunderbird-uk-115.12.0-1.mga9
thunderbird-uz-115.12.0-1.mga9
thunderbird-vi-115.12.0-1.mga9
thunderbird-zh_CN-115.12.0-1.mga9
thunderbird-zh_TW-115.12.0-1.mga9

from SRPMS:
thunderbird-115.12.0-1.mga9.src.rpm
thunderbird-l10n-115.12.0-1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

katnatek 2024-06-18 19:02:00 CEST

Keywords: (none) => advisory

Comment 3 Morgan Leijström 2024-06-19 00:37:16 CEST
mga9-64 OK
Plasma X11, Intel I7-870, kernel-server-6.6.28-1
nvidia-current from testing repo

Closed thunderbird, updated, started:
Thunderbird just keeps working OK:
Opened tabs restored
Settings and local mail kept
Swedish locale
IMAP (offline, IMAP to sync to server)
SMTP

I do not use calendar nor tasks

CC: (none) => fri

Comment 4 Jose Manuel López 2024-06-19 09:02:33 CEST
Hi,

Updated, mga-64 ok

Works fine for me, but I have found this announcement in the release notes of Thunderbird: "Thunderbird 115.12.0 will not ship and is being superseded by Thunderbird 115.12.1."

Greetings!

CC: (none) => joselp

Comment 5 Nicolas Salguero 2024-06-19 09:49:15 CEST
Here is the diff between 115.12.0 and 115.12.1:
"""
diff -Naurp thunderbird-115.12.0/comm/mail/config/version_display.txt thunderbird-115.12.1/comm/mail/config/version_display.txt
--- thunderbird-115.12.0/comm/mail/config/version_display.txt	2024-06-10 23:06:58.000000000 +0200
+++ thunderbird-115.12.1/comm/mail/config/version_display.txt	2024-06-18 18:14:31.000000000 +0200
@@ -1 +1 @@
-115.12.0
+115.12.1
diff -Naurp thunderbird-115.12.0/comm/mail/config/version.txt thunderbird-115.12.1/comm/mail/config/version.txt
--- thunderbird-115.12.0/comm/mail/config/version.txt	2024-06-10 23:06:58.000000000 +0200
+++ thunderbird-115.12.1/comm/mail/config/version.txt	2024-06-18 18:14:31.000000000 +0200
@@ -1 +1 @@
-115.12.0
+115.12.1
diff -Naurp thunderbird-115.12.0/comm/mail/installer/windows/nsis/defines.nsi.in thunderbird-115.12.1/comm/mail/installer/windows/nsis/defines.nsi.in
--- thunderbird-115.12.0/comm/mail/installer/windows/nsis/defines.nsi.in	2024-06-10 23:06:58.000000000 +0200
+++ thunderbird-115.12.1/comm/mail/installer/windows/nsis/defines.nsi.in	2024-06-18 18:14:31.000000000 +0200
@@ -40,11 +40,11 @@
 !define InstDirName           "${BrandFullName}"
 
 !define CERTIFICATE_NAME            "Mozilla Corporation"
-!define CERTIFICATE_ISSUER          "DigiCert SHA2 Assured ID Code Signing CA"
+!define CERTIFICATE_ISSUER          "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
 ; Changing the name or issuer requires us to have both the old and the new
 ;  in the registry at the same time, temporarily.
 !define CERTIFICATE_NAME_PREVIOUS   "Mozilla Corporation"
-!define CERTIFICATE_ISSUER_PREVIOUS "DigiCert Assured ID Code Signing CA-1"
+!define CERTIFICATE_ISSUER_PREVIOUS "DigiCert SHA2 Assured ID Code Signing CA"
 
 # ARCH is used when it is necessary to differentiate the x64 registry keys from
 # the x86 registry keys (e.g. the uninstall registry key).
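Review bot: The rotation in defines.nsi.in drops "DigiCert Assured ID Code Signing CA-1" from CERTIFICATE_ISSUER_PREVIOUS, so after this change only the G4 and SHA2 issuers are named. The comment in the context lines says the old and the new value must be in the registry at the same time, temporarily; it would help to extend that comment with what reads these values and how long the previous issuer has to stay, so that the next rotation does not retire an issuer that installed copies still depend on. All four defines sit in the Windows NSIS installer configuration.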
diff -Naurp thunderbird-115.12.0/comm/mail/installer/windows/nsis/maintenanceservice_installer.nsi thunderbird-115.12.1/comm/mail/installer/windows/nsis/maintenanceservice_installer.nsi
--- thunderbird-115.12.0/comm/mail/installer/windows/nsis/maintenanceservice_installer.nsi	2024-06-10 23:06:58.000000000 +0200
+++ thunderbird-115.12.1/comm/mail/installer/windows/nsis/maintenanceservice_installer.nsi	2024-06-18 18:14:31.000000000 +0200
@@ -217,7 +217,7 @@ Section "MaintenanceService"
   ; These keys are used to bypass the installation dir is a valid installation
   ; check from the service so that tests can be run.
   ; WriteRegStr HKLM "${FallbackKey}\0" "name" "Mozilla Corporation"
-  ; WriteRegStr HKLM "${FallbackKey}\0" "issuer" "DigiCert SHA2 Assured ID Code Signing CA"
+  ; WriteRegStr HKLM "${FallbackKey}\0" "issuer" "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
   ${If} ${RunningX64}
   ${OrIf} ${IsNativeARM64}
     SetRegView lastused
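Review bot: The only changed line in the MaintenanceService section is a commented-out WriteRegStr, so it has no effect on what the installer writes, yet the issuer string is a second hand-maintained copy of the CERTIFICATE_ISSUER value from defines.nsi.in. If that define is in scope in this script, referring to it as ${CERTIFICATE_ISSUER} in the comment, or noting beside the comment that it must track defines.nsi.in, would keep the two from drifting apart at the next certificate change.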
diff -Naurp thunderbird-115.12.0/comm/taskcluster/ci/release-flatpak-push/kind.yml thunderbird-115.12.1/comm/taskcluster/ci/release-flatpak-push/kind.yml
--- thunderbird-115.12.0/comm/taskcluster/ci/release-flatpak-push/kind.yml	2024-06-10 23:06:58.000000000 +0200
+++ thunderbird-115.12.1/comm/taskcluster/ci/release-flatpak-push/kind.yml	2024-06-18 18:14:32.000000000 +0200
@@ -31,7 +31,7 @@ job-defaults:
         channel:
             by-release-type:
                 beta: beta
-                release: stable
+                esr115: stable
                 default: mock
 
 jobs:
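Review bot: In the by-release-type map under channel, the release key is replaced by esr115 rather than kept alongside it, so a release type of release would now match only default: mock. If that is intended for this branch, a short comment above the map saying that esr115 is the only type mapped to stable would make the removal visibly deliberate; otherwise keep both keys.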
diff -Naurp thunderbird-115.12.0/sourcestamp.txt thunderbird-115.12.1/sourcestamp.txt
--- thunderbird-115.12.0/sourcestamp.txt	2024-06-10 23:07:17.000000000 +0200
+++ thunderbird-115.12.1/sourcestamp.txt	2024-06-18 18:14:51.000000000 +0200
@@ -1,3 +1,3 @@
-20240610193835
-https://hg.mozilla.org/releases/comm-esr115/rev/daf99ed4f8543bdc753f466b18dbdadfd7f35f84
+20240618125055
+https://hg.mozilla.org/releases/comm-esr115/rev/d6ae5fada4e4c389a74d18d69e55fdfcb9706f3d
 https://hg.mozilla.org/releases/mozilla-esr115/rev/6b05ad1f5f2dbb0d47ac169115e250ff3776289c
"""

If I understand it correctly, the changes affect the installer for Windows so there is no need to build version 115.12.1.

Comment 6 Thomas Andrews 2024-06-19 14:43:38 CEST
MGA9-64 Plasma on two sets of hardware, installing the US English version. 

No installation issues. Sent and received POP mail, worked with newsgroups, no issues to report. 

I do not use the calendar. Perhaps that is why sometimes I don't know what day it is...

CC: (none) => andrewsfarm

Comment 7 Herman Viaene 2024-06-19 16:39:17 CEST
MGA9-64 Plasma Wayland on HP-Pavilion
No installation issues.
This laptop did not have Thunderbird before, so used the wizard to connect to my Hotmail account, that went OK.
Sent and received a plain message and a message with attachment; works OK.
Connected my Google calendar, works OK in the end, took some time to get around.
Good enough for me.

CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2024-06-22 16:18:32 CEST
Still OK after several days of use. Validating.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update

Comment 9 Mageia Robot 2024-06-22 19:33:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0231.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

