Bug 6804 - Thunderbird 10.0.6 [mga1 & 2]
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: RPM Packages
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: MGA1TOO MGA1-32-OK MGA2-32-OK mga1-64...
: validated_update
Reported: 2012-07-17 14:42 CEST by David Walser
Modified: 2012-07-19 03:21 CEST
Source RPM: thunderbird, mozilla-thunderbird

Description David Walser 2012-07-17 14:42:27 CEST
Funda Wang has built the Thunderbird 10.0.6 for Mageia 1 and Mageia 2.

Advisory to come later.
Comment 1 David Walser 2012-07-17 14:45:12 CEST
Source RPMs:
mozilla-thunderbird-10.0.6-1.mga1
mozilla-thunderbird-l10n-10.0.6-1.mga1
thunderbird-10.0.6-1.mga2
thunderbird-l10n-10.0.6-1.mga2

Full list of packages in Mageia 1 core/updates_testing:
mozilla-thunderbird-10.0.6-1.mga1
mozilla-thunderbird-enigmail-10.0.6-1.mga1
nsinstall-10.0.6-1.mga1
mozilla-thunderbird-enigmail-ar-10.0.6-1.mga1
mozilla-thunderbird-enigmail-ca-10.0.6-1.mga1
mozilla-thunderbird-enigmail-cs-10.0.6-1.mga1
mozilla-thunderbird-enigmail-de-10.0.6-1.mga1
mozilla-thunderbird-enigmail-el-10.0.6-1.mga1
mozilla-thunderbird-enigmail-es-10.0.6-1.mga1
mozilla-thunderbird-enigmail-fi-10.0.6-1.mga1
mozilla-thunderbird-enigmail-fr-10.0.6-1.mga1
mozilla-thunderbird-enigmail-it-10.0.6-1.mga1
mozilla-thunderbird-enigmail-ja-10.0.6-1.mga1
mozilla-thunderbird-enigmail-ko-10.0.6-1.mga1
mozilla-thunderbird-enigmail-nb-10.0.6-1.mga1
mozilla-thunderbird-enigmail-nl-10.0.6-1.mga1
mozilla-thunderbird-enigmail-pl-10.0.6-1.mga1
mozilla-thunderbird-enigmail-pt-10.0.6-1.mga1
mozilla-thunderbird-enigmail-pt_BR-10.0.6-1.mga1
mozilla-thunderbird-enigmail-ru-10.0.6-1.mga1
mozilla-thunderbird-enigmail-sl-10.0.6-1.mga1
mozilla-thunderbird-enigmail-sv-10.0.6-1.mga1
mozilla-thunderbird-enigmail-tr-10.0.6-1.mga1
mozilla-thunderbird-enigmail-vi-10.0.6-1.mga1
mozilla-thunderbird-enigmail-zh_CN-10.0.6-1.mga1
mozilla-thunderbird-enigmail-zh_TW-10.0.6-1.mga1
mozilla-thunderbird-ar-10.0.6-1.mga1
mozilla-thunderbird-be-10.0.6-1.mga1
mozilla-thunderbird-bg-10.0.6-1.mga1
mozilla-thunderbird-bn_BD-10.0.6-1.mga1
mozilla-thunderbird-br-10.0.6-1.mga1
mozilla-thunderbird-ca-10.0.6-1.mga1
mozilla-thunderbird-cs-10.0.6-1.mga1
mozilla-thunderbird-da-10.0.6-1.mga1
mozilla-thunderbird-de-10.0.6-1.mga1
mozilla-thunderbird-el-10.0.6-1.mga1
mozilla-thunderbird-en_GB-10.0.6-1.mga1
mozilla-thunderbird-es_AR-10.0.6-1.mga1
mozilla-thunderbird-es_ES-10.0.6-1.mga1
mozilla-thunderbird-et-10.0.6-1.mga1
mozilla-thunderbird-eu-10.0.6-1.mga1
mozilla-thunderbird-fi-10.0.6-1.mga1
mozilla-thunderbird-fr-10.0.6-1.mga1
mozilla-thunderbird-fy-10.0.6-1.mga1
mozilla-thunderbird-ga-10.0.6-1.mga1
mozilla-thunderbird-gd-10.0.6-1.mga1
mozilla-thunderbird-gl-10.0.6-1.mga1
mozilla-thunderbird-he-10.0.6-1.mga1
mozilla-thunderbird-hu-10.0.6-1.mga1
mozilla-thunderbird-id-10.0.6-1.mga1
mozilla-thunderbird-is-10.0.6-1.mga1
mozilla-thunderbird-it-10.0.6-1.mga1
mozilla-thunderbird-ja-10.0.6-1.mga1
mozilla-thunderbird-ko-10.0.6-1.mga1
mozilla-thunderbird-lt-10.0.6-1.mga1
mozilla-thunderbird-nb_NO-10.0.6-1.mga1
mozilla-thunderbird-nl-10.0.6-1.mga1
mozilla-thunderbird-nn_NO-10.0.6-1.mga1
mozilla-thunderbird-pl-10.0.6-1.mga1
mozilla-thunderbird-pt_BR-10.0.6-1.mga1
mozilla-thunderbird-pt_PT-10.0.6-1.mga1
mozilla-thunderbird-ro-10.0.6-1.mga1
mozilla-thunderbird-ru-10.0.6-1.mga1
mozilla-thunderbird-si-10.0.6-1.mga1
mozilla-thunderbird-sk-10.0.6-1.mga1
mozilla-thunderbird-sl-10.0.6-1.mga1
mozilla-thunderbird-sq-10.0.6-1.mga1
mozilla-thunderbird-sv_SE-10.0.6-1.mga1
mozilla-thunderbird-ta_LK-10.0.6-1.mga1
mozilla-thunderbird-tr-10.0.6-1.mga1
mozilla-thunderbird-uk-10.0.6-1.mga1
mozilla-thunderbird-vi-10.0.6-1.mga1
mozilla-thunderbird-zh_CN-10.0.6-1.mga1
mozilla-thunderbird-zh_TW-10.0.6-1.mga1

Full list of packages in Mageia 2 core/updates_testing:
thunderbird-10.0.6-1.mga2
thunderbird-enigmail-10.0.6-1.mga2
nsinstall-10.0.6-1.mga2
thunderbird-ar-10.0.6-1.mga2
thunderbird-ast-10.0.6-1.mga2
thunderbird-be-10.0.6-1.mga2
thunderbird-bg-10.0.6-1.mga2
thunderbird-bn_BD-10.0.6-1.mga2
thunderbird-br-10.0.6-1.mga2
thunderbird-ca-10.0.6-1.mga2
thunderbird-cs-10.0.6-1.mga2
thunderbird-da-10.0.6-1.mga2
thunderbird-de-10.0.6-1.mga2
thunderbird-el-10.0.6-1.mga2
thunderbird-en_GB-10.0.6-1.mga2
thunderbird-es_AR-10.0.6-1.mga2
thunderbird-es_ES-10.0.6-1.mga2
thunderbird-et-10.0.6-1.mga2
thunderbird-eu-10.0.6-1.mga2
thunderbird-fi-10.0.6-1.mga2
thunderbird-fr-10.0.6-1.mga2
thunderbird-fy-10.0.6-1.mga2
thunderbird-ga-10.0.6-1.mga2
thunderbird-gd-10.0.6-1.mga2
thunderbird-gl-10.0.6-1.mga2
thunderbird-he-10.0.6-1.mga2
thunderbird-hu-10.0.6-1.mga2
thunderbird-id-10.0.6-1.mga2
thunderbird-is-10.0.6-1.mga2
thunderbird-it-10.0.6-1.mga2
thunderbird-ja-10.0.6-1.mga2
thunderbird-ko-10.0.6-1.mga2
thunderbird-lt-10.0.6-1.mga2
thunderbird-nb_NO-10.0.6-1.mga2
thunderbird-nl-10.0.6-1.mga2
thunderbird-nn_NO-10.0.6-1.mga2
thunderbird-pl-10.0.6-1.mga2
thunderbird-pa_IN-10.0.6-1.mga2
thunderbird-pt_BR-10.0.6-1.mga2
thunderbird-pt_PT-10.0.6-1.mga2
thunderbird-ro-10.0.6-1.mga2
thunderbird-ru-10.0.6-1.mga2
thunderbird-si-10.0.6-1.mga2
thunderbird-sk-10.0.6-1.mga2
thunderbird-sl-10.0.6-1.mga2
thunderbird-sq-10.0.6-1.mga2
thunderbird-sv_SE-10.0.6-1.mga2
thunderbird-ta_LK-10.0.6-1.mga2
thunderbird-tr-10.0.6-1.mga2
thunderbird-uk-10.0.6-1.mga2
thunderbird-vi-10.0.6-1.mga2
thunderbird-zh_CN-10.0.6-1.mga2
thunderbird-zh_TW-10.0.6-1.mga2
Comment 2 Manuel Hiebel 2012-07-18 00:06:52 CEST
Ok on mga1 (x86_64)
Comment 3 Dave Hodgins 2012-07-18 00:13:35 CEST
Testing complete on Mageia 1 i586.

Testing used nntp, pop3, enigmail, and the lightning calendar
extension.
Comment 4 David Walser 2012-07-18 00:30:55 CEST
I don't have good CVE descriptions yet, but I imagine I'll be able to get them from Mandriva or RedHat pretty soon.  I do have the list of references for the advisory compiled already.

Assigning to QA now, full advisory to be written later.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1967
http://www.mozilla.org/security/announce/2012/mfsa2012-42.html
http://www.mozilla.org/security/announce/2012/mfsa2012-44.html
http://www.mozilla.org/security/announce/2012/mfsa2012-45.html
http://www.mozilla.org/security/announce/2012/mfsa2012-47.html
http://www.mozilla.org/security/announce/2012/mfsa2012-48.html
http://www.mozilla.org/security/announce/2012/mfsa2012-49.html
http://www.mozilla.org/security/announce/2012/mfsa2012-51.html
http://www.mozilla.org/security/announce/2012/mfsa2012-52.html
http://www.mozilla.org/security/announce/2012/mfsa2012-53.html
http://www.mozilla.org/security/announce/2012/mfsa2012-54.html
http://www.mozilla.org/security/announce/2012/mfsa2012-56.html
Comment 5 Dave Hodgins 2012-07-18 03:35:28 CEST
Testing complete on Mageia 2 i586.
Comment 6 David Walser 2012-07-18 14:37:11 CEST
Full advisory, courtesy of RedHat :o)

Advisory:
========================

Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird (CVE-2012-1948,
CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958,
CVE-2012-1962, CVE-2012-1967).

Malicious content could bypass same-compartment security wrappers (SCSW)
and execute arbitrary code with chrome privileges (CVE-2012-1959).

A flaw in the way Thunderbird called history.forward and history.back could
allow an attacker to conceal a malicious URL, possibly tricking a user
into believing they are viewing trusted content (CVE-2012-1955).

A flaw in a parser utility class used by Thunderbird to parse feeds (such
as RSS) could allow an attacker to execute arbitrary JavaScript with the
privileges of the user running Thunderbird. This issue could have affected
other Thunderbird components or add-ons that assume the class returns
sanitized input (CVE-2012-1957).

A flaw in the way Thunderbird handled X-Frame-Options headers could allow
malicious content to perform a clickjacking attack (CVE-2012-1961).

A flaw in the way Content Security Policy (CSP) reports were generated by
Thunderbird could allow malicious content to steal a victim's OAuth 2.0
access tokens and OpenID credentials (CVE-2012-1963).

A flaw in the way Thunderbird handled certificate warnings could allow a
man-in-the-middle attacker to create a crafted warning, possibly tricking
a user into accepting an arbitrary certificate as trusted (CVE-2012-1964).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1967
http://www.mozilla.org/security/announce/2012/mfsa2012-42.html
http://www.mozilla.org/security/announce/2012/mfsa2012-44.html
http://www.mozilla.org/security/announce/2012/mfsa2012-45.html
http://www.mozilla.org/security/announce/2012/mfsa2012-47.html
http://www.mozilla.org/security/announce/2012/mfsa2012-48.html
http://www.mozilla.org/security/announce/2012/mfsa2012-49.html
http://www.mozilla.org/security/announce/2012/mfsa2012-51.html
http://www.mozilla.org/security/announce/2012/mfsa2012-52.html
http://www.mozilla.org/security/announce/2012/mfsa2012-53.html
http://www.mozilla.org/security/announce/2012/mfsa2012-54.html
http://www.mozilla.org/security/announce/2012/mfsa2012-56.html
========================

Source RPMs:
mozilla-thunderbird-10.0.6-1.mga1
mozilla-thunderbird-l10n-10.0.6-1.mga1
thunderbird-10.0.6-1.mga2
thunderbird-l10n-10.0.6-1.mga2
Comment 7 David Walser 2012-07-18 14:41:03 CEST
Oops, adding the RedHat reference to the advisory.

Advisory:
========================

Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird (CVE-2012-1948,
CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958,
CVE-2012-1962, CVE-2012-1967).

Malicious content could bypass same-compartment security wrappers (SCSW)
and execute arbitrary code with chrome privileges (CVE-2012-1959).

A flaw in the way Thunderbird called history.forward and history.back could
allow an attacker to conceal a malicious URL, possibly tricking a user
into believing they are viewing trusted content (CVE-2012-1955).

A flaw in a parser utility class used by Thunderbird to parse feeds (such
as RSS) could allow an attacker to execute arbitrary JavaScript with the
privileges of the user running Thunderbird. This issue could have affected
other Thunderbird components or add-ons that assume the class returns
sanitized input (CVE-2012-1957).

A flaw in the way Thunderbird handled X-Frame-Options headers could allow
malicious content to perform a clickjacking attack (CVE-2012-1961).

A flaw in the way Content Security Policy (CSP) reports were generated by
Thunderbird could allow malicious content to steal a victim's OAuth 2.0
access tokens and OpenID credentials (CVE-2012-1963).

A flaw in the way Thunderbird handled certificate warnings could allow a
man-in-the-middle attacker to create a crafted warning, possibly tricking
a user into accepting an arbitrary certificate as trusted (CVE-2012-1964).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1967
http://www.mozilla.org/security/announce/2012/mfsa2012-42.html
http://www.mozilla.org/security/announce/2012/mfsa2012-44.html
http://www.mozilla.org/security/announce/2012/mfsa2012-45.html
http://www.mozilla.org/security/announce/2012/mfsa2012-47.html
http://www.mozilla.org/security/announce/2012/mfsa2012-48.html
http://www.mozilla.org/security/announce/2012/mfsa2012-49.html
http://www.mozilla.org/security/announce/2012/mfsa2012-51.html
http://www.mozilla.org/security/announce/2012/mfsa2012-52.html
http://www.mozilla.org/security/announce/2012/mfsa2012-53.html
http://www.mozilla.org/security/announce/2012/mfsa2012-54.html
http://www.mozilla.org/security/announce/2012/mfsa2012-56.html
https://rhn.redhat.com/errata/RHSA-2012-1089.html
========================

Source RPMs:
mozilla-thunderbird-10.0.6-1.mga1
mozilla-thunderbird-l10n-10.0.6-1.mga1
thunderbird-10.0.6-1.mga2
thunderbird-l10n-10.0.6-1.mga2
Comment 8 claire robinson 2012-07-18 15:57:41 CEST
Manuel tested mga1 x86_64 so adding the whiteboard keyword. Testing mga2 64 now.
Comment 9 claire robinson 2012-07-18 16:44:23 CEST
Testing complete mga2 64

Thunderbird, enigmail and also lightning checked but it isn't part of this update.

Validating

Please see comment 7 for advisory and srpms for mga1 & 2.

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 10 Thomas Backlund 2012-07-19 03:21:13 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0174
