Bug 33984 - Thunderbird 128.7
Summary: Thunderbird 128.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 33983
Blocks:
  Show dependency treegraph
 
Reported: 2025-02-04 16:43 CET by Nicolas Salguero
Modified: 2025-02-09 01:20 CET (History)
6 users (show)

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE: CVE-2025-1009, CVE-2025-1010, CVE-2025-1011, CVE-2025-1012, CVE-2024-11704, CVE-2025-1013, CVE-2025-1014, CVE-2025-1015, CVE-2025-0510, CVE-2025-1016, CVE-2025-1017
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-02-04 16:43:43 CET 
Mozilla has released Thunderbird 128.7 on February 5:
https://www.thunderbird.net/en-US/thunderbird/128.7.0esr/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/
Nicolas Salguero 2025-02-04 16:45:00 CET

CVE: (none) => CVE-2025-1009, CVE-2025-1010, CVE-2025-1011, CVE-2025-1012, CVE-2024-11704, CVE-2025-1013, CVE-2025-1014, CVE-2025-1015, CVE-2025-0510, CVE-2025-1016, CVE-2025-1017
Source RPM: (none) => thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2025-02-06 09:21:31 CET

Depends on: (none) => 33983

Comment 1 Lewis Smith 2025-02-06 21:20:25 CET 
Assigning to you, Nicolas, since you normally update Thunderbird.

Assignee: bugsquad => nicolas.salguero

Comment 2 Morgan Leijström 2025-02-06 22:16:45 CET 
He is already on it :)

I see it have not yet built successfully on Cauldron, but for mga9, so:

---

mga9-64 OK here
Plasma X11, Swedish locale
Intel Core i7 870, GPU: AMD Navi 24 Radeon RX 6400

$ thunderbird --version
Thunderbird 128.7.0esr

Repeated tests like I use to perform:

Closed Thunderbird, data backup, updated, started:
Thunderbird just keep working OK:
Opened tabs restored
Settings and local mail kept
IMAP (offline, IMAP to synk to server)
SMTP
Sent and received mail with inline png and attached pdf
Viewed attached pdf in Thunderbird, and printed to network printer.

I do not use calendar nor tasks or filters.

CC: (none) => fri

Comment 3 Morgan Leijström 2025-02-07 18:05:36 CET 
I see it built on Cauldron (except armv7hl)
We need package list and advisory for mga9.

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: nicolas.salguero => qa-bugs

Comment 4 Morgan Leijström 2025-02-07 22:17:09 CET 
In Cauldron, thunderbird-l10n-128.7.0-1.mga10 need be built.
Comment 5 katnatek 2025-02-07 22:47:57 CET 
@Nicolas I can just copy the advisory for firefox changing references?
Comment 6 Jose Manuel López 2025-02-07 23:13:54 CET 
Installed in Mga-x64.

No issues for the moment.

Send and receive ok.
Imap and Pop3 accounts ok.
Gmail ok.
Spanish translation and settings ok.
Addons and signature ok.
Task and calendar ok.

From terminal:
[jose@localhost ~]$ thunderbird
ATTENTION: default value of option mesa_glthread overridden by environment.
[Parent 15080, Main Thread] WARNING: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.: 'glib warning', file /home/iurt/rpmbuild/BUILD/thunderbird-128.7.0/thunderbird-128.7.0/toolkit/xre/nsSigHandlers.cpp:187

(thunderbird:15080): GLib-GIO-WARNING **: 23:09:15.177: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.
[libprotobuf ERROR /home/iurt/rpmbuild/BUILD/thunderbird-128.7.0/thunderbird-128.7.0/toolkit/components/protobuf/src/google/protobuf/message_lite.cc:134] Can't parse message of type "mozilla.cookieBanner.GoogleSOCSCookie" because it is missing required fields: (cannot determine missing fields for lite message)

Greetings!!

CC: (none) => Joselp

Comment 7 Nicolas Salguero 2025-02-08 08:47:34 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free in XSLT. (CVE-2025-1009)

Use-after-free in Custom Highlight. (CVE-2025-1010)

A bug in WebAssembly code generation could result in a crash. (CVE-2025-1011)

Use-after-free during concurrent delazification. (CVE-2025-1012)

Potential double-free vulnerability in PKCS#7 decryption handling. (CVE-2024-11704)

Potential opening of private browsing tabs in normal browsing windows. (CVE-2025-1013)

Certificate length was not properly checked. (CVE-2025-1014)

Unsanitized address book fields. (CVE-2025-1015)

Address of e-mail sender can be spoofed by malicious email. (CVE-2025-0510)

Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7. (CVE-2025-1016)

Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. (CVE-2025-1017)

References:
https://www.thunderbird.net/en-US/thunderbird/128.7.0esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/
========================

Updated packages in core/updates_testing:
========================
thunderbird-128.7.0-1.mga9
thunderbird-af-128.7.0-1.mga9
thunderbird-ar-128.7.0-1.mga9
thunderbird-ast-128.7.0-1.mga9
thunderbird-be-128.7.0-1.mga9
thunderbird-bg-128.7.0-1.mga9
thunderbird-br-128.7.0-1.mga9
thunderbird-ca-128.7.0-1.mga9
thunderbird-cs-128.7.0-1.mga9
thunderbird-cy-128.7.0-1.mga9
thunderbird-da-128.7.0-1.mga9
thunderbird-de-128.7.0-1.mga9
thunderbird-dsb-128.7.0-1.mga9
thunderbird-el-128.7.0-1.mga9
thunderbird-en_CA-128.7.0-1.mga9
thunderbird-en_GB-128.7.0-1.mga9
thunderbird-en_US-128.7.0-1.mga9
thunderbird-es_AR-128.7.0-1.mga9
thunderbird-es_ES-128.7.0-1.mga9
thunderbird-es_MX-128.7.0-1.mga9
thunderbird-et-128.7.0-1.mga9
thunderbird-eu-128.7.0-1.mga9
thunderbird-fi-128.7.0-1.mga9
thunderbird-fr-128.7.0-1.mga9
thunderbird-fy_NL-128.7.0-1.mga9
thunderbird-ga_IE-128.7.0-1.mga9
thunderbird-gd-128.7.0-1.mga9
thunderbird-gl-128.7.0-1.mga9
thunderbird-he-128.7.0-1.mga9
thunderbird-hr-128.7.0-1.mga9
thunderbird-hsb-128.7.0-1.mga9
thunderbird-hu-128.7.0-1.mga9
thunderbird-hy_AM-128.7.0-1.mga9
thunderbird-id-128.7.0-1.mga9
thunderbird-is-128.7.0-1.mga9
thunderbird-it-128.7.0-1.mga9
thunderbird-ja-128.7.0-1.mga9
thunderbird-ka-128.7.0-1.mga9
thunderbird-kab-128.7.0-1.mga9
thunderbird-kk-128.7.0-1.mga9
thunderbird-ko-128.7.0-1.mga9
thunderbird-lt-128.7.0-1.mga9
thunderbird-lv-128.7.0-1.mga9
thunderbird-ms-128.7.0-1.mga9
thunderbird-nb_NO-128.7.0-1.mga9
thunderbird-nl-128.7.0-1.mga9
thunderbird-nn_NO-128.7.0-1.mga9
thunderbird-pa_IN-128.7.0-1.mga9
thunderbird-pl-128.7.0-1.mga9
thunderbird-pt_BR-128.7.0-1.mga9
thunderbird-pt_PT-128.7.0-1.mga9
thunderbird-ro-128.7.0-1.mga9
thunderbird-ru-128.7.0-1.mga9
thunderbird-sk-128.7.0-1.mga9
thunderbird-sl-128.7.0-1.mga9
thunderbird-sq-128.7.0-1.mga9
thunderbird-sr-128.7.0-1.mga9
thunderbird-sv_SE-128.7.0-1.mga9
thunderbird-th-128.7.0-1.mga9
thunderbird-tr-128.7.0-1.mga9
thunderbird-uk-128.7.0-1.mga9
thunderbird-uz-128.7.0-1.mga9
thunderbird-vi-128.7.0-1.mga9
thunderbird-zh_CN-128.7.0-1.mga9
thunderbird-zh_TW-128.7.0-1.mga9

from SRPMS:
thunderbird-128.7.0-1.mga9.src.rpm
thunderbird-l10n-128.7.0-1.mga9.src.rpm

Status: NEW => ASSIGNED

Comment 8 Herman Viaene 2025-02-08 12:08:13 CET 
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Send and receive mail without and with attachment, all OK. Connection to my Google calendar displays OK.

CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2025-02-08 16:07:24 CET 
MGA9-64 Plasma on two machines. No installation issues.

Sent and received mail between my accounts, checked newsgroups for new messages. All OK.

CC: (none) => andrewsfarm

katnatek 2025-02-08 17:35:00 CET

Keywords: (none) => advisory

Comment 10 Len Lawrence 2025-02-08 18:56:49 CET 
Mageia 9, x86_64

IMAP server
It relaunched OK with all local folders intact.
Sent emails, including emoticon and one for myself.
Address book OK.

CC: (none) => tarazed25

Comment 11 Thomas Andrews 2025-02-08 22:15:35 CET 
Good enough. Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2025-02-09 01:20:36 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0048.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.