Bug 33502 - Thunderbird 128.3 for x86_64
Summary: Thunderbird 128.3 for x86_64
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: x86_64 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 33501
Blocks: 33608 33633
 
Reported: 2024-09-02 10:34 CEST by Nicolas Salguero
Modified: 2024-10-14 21:54 CEST

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE: CVE-2024-7519, CVE-2024-7520, CVE-2024-7521, CVE-2024-7522, CVE-2024-7524, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528, CVE-2024-7529, CVE-2024-7531, CVE-2024-8385, CVE-2024-8381, CVE-2024-8382, CVE-2024-8383, CVE-2024-8384, CVE-2024-8386, CVE-2024-8387
Status comment:



Nicolas Salguero 2024-09-02 10:35:30 CEST

Source RPM: (none) => thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA9TOO
Severity: normal => major
CVE: (none) => CVE-2024-7518, CVE-2024-7519, CVE-2024-7520, CVE-2024-7521, CVE-2024-7522, CVE-2024-7524, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528, CVE-2024-7529, CVE-2024-7531
Depends on: (none) => 33501

Comment 1 Marja Van Waes 2024-09-04 09:02:08 CEST
The registered maintainer hasn't touched thunderbird in recent years, but you did, Nicolas, thanks a lot for that.
Assigning to you, because you are the de-facto maintainer.

Assignee: bugsquad => nicolas.salguero
CC: (none) => marja11

Comment 2 Nicolas Salguero 2024-09-09 09:03:11 CEST
Mozilla has released Thunderbird 128.2 on September 4:
https://www.thunderbird.net/en-US/thunderbird/128.2.0esr/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/

Summary: Thunderbird 115.14 or 128.1.1 => Thunderbird 128.2
CVE: CVE-2024-7518, CVE-2024-7519, CVE-2024-7520, CVE-2024-7521, CVE-2024-7522, CVE-2024-7524, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528, CVE-2024-7529, CVE-2024-7531 => CVE-2024-7519, CVE-2024-7520, CVE-2024-7521, CVE-2024-7522, CVE-2024-7524, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528, CVE-2024-7529, CVE-2024-7531, CVE-2024-8385, CVE-2024-8381, CVE-2024-8382, CVE-2024-8383, CVE-2024-8384, CVE-2024-8386, CVE-2024-8387

Comment 3 Xane Nemo 2024-09-16 20:18:51 CEST
Installed 128.1 via tarball, now updated to 128.2. No issues in several months of using 128.1, should be perfectly suitable for core release.

CC: (none) => nightingalenelson

katnatek 2024-09-24 05:16:58 CEST

Depends on: (none) => 33322

Comment 5 Nicolas Salguero 2024-10-02 08:29:26 CEST
Mozilla has released Thunderbird 128.3 on October 1:
https://www.thunderbird.net/en-US/thunderbird/128.3.0esr/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-49/

Summary: Thunderbird 128.2.3 => Thunderbird 128.3

Nicolas Salguero 2024-10-04 08:12:18 CEST

Depends on: (none) => 33607

Nicolas Salguero 2024-10-04 08:13:12 CEST

Depends on: 33607 => (none)

Nicolas Salguero 2024-10-04 08:42:39 CEST

Summary: Thunderbird 128.3 => Thunderbird 128.3 for x86_64

Nicolas Salguero 2024-10-04 08:44:26 CEST

Blocks: (none) => 33608

Nicolas Salguero 2024-10-04 08:51:21 CEST

Hardware: All => x86_64

Comment 6 Nicolas Salguero 2024-10-04 08:58:21 CEST
Suggested advisory:
========================

The current version reached EOL and several security vulnerabilities were fixed by Mozilla.
We are having some issues that are delaying the build for some architectures, so for the moment we are releasing this update just for x86_64.

References:
https://www.thunderbird.net/en-US/thunderbird/128.1.0esr/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/128.1.1esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
https://www.thunderbird.net/en-US/thunderbird/128.2.0esr/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/128.2.1esr/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/128.2.2esr/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/128.2.3esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/
https://www.thunderbird.net/en-US/thunderbird/128.3.0esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-49/
========================

Updated packages in core/updates_testing:
========================
thunderbird-128.3.0-1.mga9
thunderbird-af-128.3.0-1.mga9
thunderbird-ar-128.3.0-1.mga9
thunderbird-ast-128.3.0-1.mga9
thunderbird-be-128.3.0-1.mga9
thunderbird-bg-128.3.0-1.mga9
thunderbird-br-128.3.0-1.mga9
thunderbird-ca-128.3.0-1.mga9
thunderbird-cs-128.3.0-1.mga9
thunderbird-cy-128.3.0-1.mga9
thunderbird-da-128.3.0-1.mga9
thunderbird-de-128.3.0-1.mga9
thunderbird-dsb-128.3.0-1.mga9
thunderbird-el-128.3.0-1.mga9
thunderbird-en_CA-128.3.0-1.mga9
thunderbird-en_GB-128.3.0-1.mga9
thunderbird-en_US-128.3.0-1.mga9
thunderbird-es_AR-128.3.0-1.mga9
thunderbird-es_ES-128.3.0-1.mga9
thunderbird-es_MX-128.3.0-1.mga9
thunderbird-et-128.3.0-1.mga9
thunderbird-eu-128.3.0-1.mga9
thunderbird-fi-128.3.0-1.mga9
thunderbird-fr-128.3.0-1.mga9
thunderbird-fy_NL-128.3.0-1.mga9
thunderbird-ga_IE-128.3.0-1.mga9
thunderbird-gd-128.3.0-1.mga9
thunderbird-gl-128.3.0-1.mga9
thunderbird-he-128.3.0-1.mga9
thunderbird-hr-128.3.0-1.mga9
thunderbird-hsb-128.3.0-1.mga9
thunderbird-hu-128.3.0-1.mga9
thunderbird-hy_AM-128.3.0-1.mga9
thunderbird-id-128.3.0-1.mga9
thunderbird-is-128.3.0-1.mga9
thunderbird-it-128.3.0-1.mga9
thunderbird-ja-128.3.0-1.mga9
thunderbird-ka-128.3.0-1.mga9
thunderbird-kab-128.3.0-1.mga9
thunderbird-kk-128.3.0-1.mga9
thunderbird-ko-128.3.0-1.mga9
thunderbird-lt-128.3.0-1.mga9
thunderbird-lv-128.3.0-1.mga9
thunderbird-ms-128.3.0-1.mga9
thunderbird-nb_NO-128.3.0-1.mga9
thunderbird-nl-128.3.0-1.mga9
thunderbird-nn_NO-128.3.0-1.mga9
thunderbird-pa_IN-128.3.0-1.mga9
thunderbird-pl-128.3.0-1.mga9
thunderbird-pt_BR-128.3.0-1.mga9
thunderbird-pt_PT-128.3.0-1.mga9
thunderbird-ro-128.3.0-1.mga9
thunderbird-ru-128.3.0-1.mga9
thunderbird-sk-128.3.0-1.mga9
thunderbird-sl-128.3.0-1.mga9
thunderbird-sq-128.3.0-1.mga9
thunderbird-sr-128.3.0-1.mga9
thunderbird-sv_SE-128.3.0-1.mga9
thunderbird-th-128.3.0-1.mga9
thunderbird-tr-128.3.0-1.mga9
thunderbird-uk-128.3.0-1.mga9
thunderbird-uz-128.3.0-1.mga9
thunderbird-vi-128.3.0-1.mga9
thunderbird-zh_CN-128.3.0-1.mga9
thunderbird-zh_TW-128.3.0-1.mga9

from SRPMS:
thunderbird-128.3.0-1.mga9.src.rpm
thunderbird-l10n-128.3.0-1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 7 Morgan Leijström 2024-10-04 10:48:54 CEST
mga9-64 OK here

Firefox, NSS, rootcerts from Bug 33501

Plasma X11
Intel I7-870, 6.6.52-server-1
GPU AMD Radeon RX 6400 radeonsi navi24

Closed Thunderbird, updated, started:
Thunderbird just keeps working OK:
Settings and local mail kept
Swedish locale
IMAP (offline, IMAP to sync to server)
SMTP
Sent mail with inline jpg, and attached pdf
Received mail with inline jpg, and attached pdf, viewed and printed the pdf.

I do not use calendar nor tasks or filters

Version: Cauldron => 9
CC: (none) => fri
Whiteboard: MGA9TOO => (none)

katnatek 2024-10-04 19:25:47 CEST

Keywords: (none) => advisory

Comment 8 Jose Manuel López 2024-10-04 22:34:13 CEST
Installed in Mga x86_64

CPU: AMD Ryzen 7 4800H (16) @ 2,90 GHz
GPU: AMD Renoir [Integrated]

All works fine for the moment. 

Settings ok.
Signatures ok.
Pop3 and Imap email ok, send and receive.
Spanish translations ok.
Calendar and task ok.

From terminal:

[jose@localhost ~]$ thunderbird
ATTENTION: default value of option mesa_glthread overridden by environment.
[Parent 25919, Main Thread] WARNING: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.: 'glib warning', file /home/iurt/rpmbuild/BUILD/thunderbird-128.3.0/thunderbird-128.3.0/toolkit/xre/nsSigHandlers.cpp:187

(thunderbird:25919): GLib-GIO-WARNING **: 22:30:27.698: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.

Greetings and good job!

CC: (none) => joselp

Comment 9 Jose Manuel López 2024-10-05 09:33:59 CEST
Installed in Mga 9 x86_64

CPU: 11th Gen Intel(R) Core(TM) i5-1155G7 (8) @ 4,50 GHz
GPU: Intel Iris Xe Graphics @ 1,35 GHz [Integrated]

Settings ok.
Signatures ok.
Pop3 and Imap email ok, send and receive.
Spanish translations ok.
Calendar and task ok.

From terminal:

[jose@localhost ~]$ thunderbird
[Parent 19753, Main Thread] WARNING: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.: 'glib warning', file /home/iurt/rpmbuild/BUILD/thunderbird-128.3.0/thunderbird-128.3.0/toolkit/xre/nsSigHandlers.cpp:187

(thunderbird:19753): GLib-GIO-WARNING **: 09:30:30.018: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.
ALSA lib pcm_dmix.c:999:(snd_pcm_dmix_open) unable to open slave
ALSA lib pcm_dmix.c:999:(snd_pcm_dmix_open) unable to open slave
ALSA lib pcm_dmix.c:999:(snd_pcm_dmix_open) unable to open slave
ALSA lib pcm_dmix.c:999:(snd_pcm_dmix_open) unable to open slave


Greetings and good job!

Comment 10 Jose Manuel López 2024-10-05 11:25:48 CEST
Installed in Mageia x86_64 Lxqt



Settings ok.
Signatures ok.
Pop3 and Imap email ok, send and receive.
Spanish translations ok.
Calendar and task ok.

CPU: Intel(R) Atom(TM) N450 (2) @ 1,67 GHz
GPU: Intel Device A011 (VGA compatible) [Integrated]

From terminal:

[jose@localhost ~]$ thunderbird
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt (t=112.673) [GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt   

Greetings!

Comment 11 Thomas Andrews 2024-10-06 01:38:25 CEST
MGA9-64 Plasma. No installation issues, and no issues with sending or receiving POP mail, or with newsgroups on Usenet.

I do not use the calendar.

CC: (none) => andrewsfarm

Comment 12 Len Lawrence 2024-10-06 12:58:32 CEST
mga9, x64
New version opens with Local Folders intact!!
i.e. no forcing new profile.

IMAP email sent OK.  Receiving as normal.
Local social media links open fine in Firefox.
No issues closing and then launching from the command line.

CC: (none) => tarazed25

Comment 13 Guillaume Royer 2024-10-06 17:47:21 CEST
MGA9 X64 GNOME

Tested with RPMs:

thunderbird-128.3.0-1.mga9
thunderbird-fr-128.3.0-1.mga9

Send and receive mail with IMAP ok
calendar synchronization ok
contact synchronization ok

No issues after installation

CC: (none) => guillaume.royer

Comment 14 Thomas Andrews 2024-10-07 01:51:09 CEST
Another test on another computer, again no issues to report. This looks good to go to me. 

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK

Comment 15 Dan Fandrich 2024-10-07 19:13:07 CEST
This bug is still listing 33322 as a dependency. Is that still valid, given that clearly a new Thunderbird has been built?

CC: (none) => dan

katnatek 2024-10-07 19:57:29 CEST

Depends on: 33322 => (none)

Comment 16 katnatek 2024-10-07 20:01:02 CEST
(In reply to Dan Fandrich from comment #15)
> This bug is still listing 33322 as a dependency. Is that still valid, given
> that clearly a new Thunderbird has been built?

Obviously not. If you can, please just move the packages in x86_64, as the noarch i18n packages in i586 can't be installed due to the lack of main packages, as Thomas points out in https://bugs.mageia.org/show_bug.cgi?id=33607#c4 for Firefox

Comment 17 katnatek 2024-10-09 20:52:22 CEST
Reminder, the x86_64 packages are still in testing

Comment 18 Dan Fandrich 2024-10-09 22:23:25 CEST
I'm not sure the tooling lets us withhold certain architectures. The push will probably have to be done manually, which is error prone. I'm trying to think of a good way to do it.

Comment 19 Dan Fandrich 2024-10-09 22:55:20 CEST
I think I've figured out a way to do this relatively safely. But, there is a risk (either now or later) that some tooling expects all architectures to have the same versions and may misbehave otherwise. In any case, pushing the remaining architectures later will have to be done equally carefully. Is this expected to be a short-term situation? Are there any projected future updates that will need to be done in a similar fashion?

Comment 20 katnatek 2024-10-10 00:34:44 CEST
(In reply to Dan Fandrich from comment #19)
> I think I've figured out a way to do this relatively safely. But, there is a
> risk (either now or later) that some tooling expects all architectures to
> have the same versions and may misbehave otherwise. In any case, pushing the
> remaining architectures later will have to be done equally carefully. Is
> this expected to be a short-term situation? 

As short as we can release llvm19-suite https://bugs.mageia.org/show_bug.cgi?id=33322

> Are there any projected future
> updates that will need to be done in a similar fashion?

I really hope not, but who knows? This is a special case due to the vulnerabilities and end of support in current versions, plus the need to use the new llvm for Mozilla's products.

If you think it is too hard, perhaps we must proceed as usual and publish a blog post asking i586 users to ignore the update of langpacks for Thunderbird and Firefox.

I add Marja to hear what she says about that possibility

Comment 21 Dan Fandrich 2024-10-10 00:42:11 CEST
It's not too hard, but since I don't think we've done this before, there's a possibility of some issues. I'm happy to try it and see how it works, since I have a feeling this may be the start of a trend.

Comment 22 Nicolas Salguero 2024-10-10 09:10:27 CEST
(In reply to katnatek from comment #20)
> As short as we can release llvm19-suite
> https://bugs.mageia.org/show_bug.cgi?id=33322

Sadly, llvm19-suite will be the first step but not the only one: it will only help building Firefox and Thunderbird 128.x for i586.

To be able to build Firefox and Thunderbird 128.x for ARM arches, we also need a recent version of rust (at least, 1.76 but 1.81 would be better as it would also fix bug 33522).

Nicolas Salguero 2024-10-11 15:47:54 CEST

Blocks: (none) => 33633

Comment 23 Morgan Leijström 2024-10-14 08:28:42 CEST
llvm19 is built, and rust 1.76 has been in testing repos for a while.
So we can build for all arches now?
ASAP please.

I think we can not wait for all rust iterations this time to hold back security updates of Firefox and Thunderbird any more now.

Maybe rust is newer when we soon build FF and TB 128.3.*1*

Comment 24 Nicolas Salguero 2024-10-14 10:35:53 CEST
To be able to build Firefox and Thunderbird 128.x, the minimum version of rust is 1.76, which is only available, for the moment, for i586 and x86_64. For arm arches, the latest version currently built is 1.75.

I am trying to build version 1.76 for all arches but I have a problem: LLVM 19 is too recent so I am trying to patch rust 1.76 by adding some changes, related to LLVM 19, that I found in version 1.81.

Comment 25 Dan Fandrich 2024-10-14 20:58:30 CEST
I've manually moved only the x86_64 architecture for this package. I believe I've set it up so that future security or bugfix pushes won't automatically move the other architectures' packages, although this bug may spontaneously auto-close on the next push. In any case, it's probably wise to create a new bug, new package version and new MGASA when it comes time to push the other architectures, because the tooling thinks this one is complete, plus, the advisories themselves say that only x86_64 has been pushed.

Comment 26 Mageia Robot 2024-10-14 21:54:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0332.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

