Mozilla Thunderbird 10.0.7 has been released.
CC: (none) => doktor5000
Whiteboard: (none) => MGA1TOO
Submitted for mga1 and mga2, together with -l10n packages.

There is now thunderbird-10.0.7-1.mga2 and thunderbird-l10n-10.0.7-1.mga in core/updates_testing to validate

-------------------------------------------------------
Suggested advisory:
-------------------
This update addresses the following issues:
- to be filled later when Mozilla actually puts up the security advisories for 10.0.7

Other fixes in this release:

-------------------------------------------------------
Steps to reproduce:
- install/update to update candidate
- make sure language packs are still in effect after the update
Status: NEW => ASSIGNED
Source RPM: thunderbird-10.0.6-1.mga2.src.rpm, mozilla-thunderbird-10.0.6-1.mga1.src.rpm => thunderbird-10.0.7-1.mga2.src.rpm, mozilla-thunderbird-10.0.7-1.mga1.src.rpm
Summary: Thunderbird 10.0.7 => Update candidate for Thunderbird 10.0.7
SRPMs:
mozilla-thunderbird-10.0.7-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.7-1.mga1.src.rpm
thunderbird-10.0.7-1.mga2.src.rpm
thunderbird-l10n-10.0.7-1.mga2.src.rpm

Full RPMs list:
mozilla-thunderbird-10.0.7-1.mga1
mozilla-thunderbird-enigmail-10.0.7-1.mga1
nsinstall-10.0.7-1.mga1
mozilla-thunderbird-enigmail-ar-10.0.7-1.mga1
mozilla-thunderbird-enigmail-ca-10.0.7-1.mga1
mozilla-thunderbird-enigmail-cs-10.0.7-1.mga1
mozilla-thunderbird-enigmail-de-10.0.7-1.mga1
mozilla-thunderbird-enigmail-el-10.0.7-1.mga1
mozilla-thunderbird-enigmail-es-10.0.7-1.mga1
mozilla-thunderbird-enigmail-fi-10.0.7-1.mga1
mozilla-thunderbird-enigmail-fr-10.0.7-1.mga1
mozilla-thunderbird-enigmail-it-10.0.7-1.mga1
mozilla-thunderbird-enigmail-ja-10.0.7-1.mga1
mozilla-thunderbird-enigmail-ko-10.0.7-1.mga1
mozilla-thunderbird-enigmail-nb-10.0.7-1.mga1
mozilla-thunderbird-enigmail-nl-10.0.7-1.mga1
mozilla-thunderbird-enigmail-pl-10.0.7-1.mga1
mozilla-thunderbird-enigmail-pt-10.0.7-1.mga1
mozilla-thunderbird-enigmail-pt_BR-10.0.7-1.mga1
mozilla-thunderbird-enigmail-ru-10.0.7-1.mga1
mozilla-thunderbird-enigmail-sl-10.0.7-1.mga1
mozilla-thunderbird-enigmail-sv-10.0.7-1.mga1
mozilla-thunderbird-enigmail-tr-10.0.7-1.mga1
mozilla-thunderbird-enigmail-vi-10.0.7-1.mga1
mozilla-thunderbird-enigmail-zh_CN-10.0.7-1.mga1
mozilla-thunderbird-enigmail-zh_TW-10.0.7-1.mga1
mozilla-thunderbird-ar-10.0.7-1.mga1
mozilla-thunderbird-be-10.0.7-1.mga1
mozilla-thunderbird-bg-10.0.7-1.mga1
mozilla-thunderbird-bn_BD-10.0.7-1.mga1
mozilla-thunderbird-br-10.0.7-1.mga1
mozilla-thunderbird-ca-10.0.7-1.mga1
mozilla-thunderbird-cs-10.0.7-1.mga1
mozilla-thunderbird-da-10.0.7-1.mga1
mozilla-thunderbird-de-10.0.7-1.mga1
mozilla-thunderbird-el-10.0.7-1.mga1
mozilla-thunderbird-en_GB-10.0.7-1.mga1
mozilla-thunderbird-es_AR-10.0.7-1.mga1
mozilla-thunderbird-es_ES-10.0.7-1.mga1
mozilla-thunderbird-et-10.0.7-1.mga1
mozilla-thunderbird-eu-10.0.7-1.mga1
mozilla-thunderbird-fi-10.0.7-1.mga1
mozilla-thunderbird-fr-10.0.7-1.mga1
mozilla-thunderbird-fy-10.0.7-1.mga1
mozilla-thunderbird-ga-10.0.7-1.mga1
mozilla-thunderbird-gd-10.0.7-1.mga1
mozilla-thunderbird-gl-10.0.7-1.mga1
mozilla-thunderbird-he-10.0.7-1.mga1
mozilla-thunderbird-hu-10.0.7-1.mga1
mozilla-thunderbird-id-10.0.7-1.mga1
mozilla-thunderbird-is-10.0.7-1.mga1
mozilla-thunderbird-it-10.0.7-1.mga1
mozilla-thunderbird-ja-10.0.7-1.mga1
mozilla-thunderbird-ko-10.0.7-1.mga1
mozilla-thunderbird-lt-10.0.7-1.mga1
mozilla-thunderbird-nb_NO-10.0.7-1.mga1
mozilla-thunderbird-nl-10.0.7-1.mga1
mozilla-thunderbird-nn_NO-10.0.7-1.mga1
mozilla-thunderbird-pl-10.0.7-1.mga1
mozilla-thunderbird-pt_BR-10.0.7-1.mga1
mozilla-thunderbird-pt_PT-10.0.7-1.mga1
mozilla-thunderbird-ro-10.0.7-1.mga1
mozilla-thunderbird-ru-10.0.7-1.mga1
mozilla-thunderbird-si-10.0.7-1.mga1
mozilla-thunderbird-sk-10.0.7-1.mga1
mozilla-thunderbird-sl-10.0.7-1.mga1
mozilla-thunderbird-sq-10.0.7-1.mga1
mozilla-thunderbird-sv_SE-10.0.7-1.mga1
mozilla-thunderbird-ta_LK-10.0.7-1.mga1
mozilla-thunderbird-tr-10.0.7-1.mga1
mozilla-thunderbird-uk-10.0.7-1.mga1
mozilla-thunderbird-vi-10.0.7-1.mga1
mozilla-thunderbird-zh_CN-10.0.7-1.mga1
mozilla-thunderbird-zh_TW-10.0.7-1.mga1

thunderbird-10.0.7-1.mga2
thunderbird-enigmail-10.0.7-1.mga2
nsinstall-10.0.7-1.mga2
thunderbird-ar-10.0.7-1.mga2
thunderbird-ast-10.0.7-1.mga2
thunderbird-be-10.0.7-1.mga2
thunderbird-bg-10.0.7-1.mga2
thunderbird-bn_BD-10.0.7-1.mga2
thunderbird-br-10.0.7-1.mga2
thunderbird-ca-10.0.7-1.mga2
thunderbird-cs-10.0.7-1.mga2
thunderbird-da-10.0.7-1.mga2
thunderbird-de-10.0.7-1.mga2
thunderbird-el-10.0.7-1.mga2
thunderbird-en_GB-10.0.7-1.mga2
thunderbird-es_AR-10.0.7-1.mga2
thunderbird-es_ES-10.0.7-1.mga2
thunderbird-et-10.0.7-1.mga2
thunderbird-eu-10.0.7-1.mga2
thunderbird-fi-10.0.7-1.mga2
thunderbird-fr-10.0.7-1.mga2
thunderbird-fy-10.0.7-1.mga2
thunderbird-ga-10.0.7-1.mga2
thunderbird-gd-10.0.7-1.mga2
thunderbird-gl-10.0.7-1.mga2
thunderbird-he-10.0.7-1.mga2
thunderbird-hu-10.0.7-1.mga2
thunderbird-id-10.0.7-1.mga2
thunderbird-is-10.0.7-1.mga2
thunderbird-it-10.0.7-1.mga2
thunderbird-ja-10.0.7-1.mga2
thunderbird-ko-10.0.7-1.mga2
thunderbird-lt-10.0.7-1.mga2
thunderbird-nb_NO-10.0.7-1.mga2
thunderbird-nl-10.0.7-1.mga2
thunderbird-nn_NO-10.0.7-1.mga2
thunderbird-pl-10.0.7-1.mga2
thunderbird-pa_IN-10.0.7-1.mga2
thunderbird-pt_BR-10.0.7-1.mga2
thunderbird-pt_PT-10.0.7-1.mga2
thunderbird-ro-10.0.7-1.mga2
thunderbird-ru-10.0.7-1.mga2
thunderbird-si-10.0.7-1.mga2
thunderbird-sk-10.0.7-1.mga2
thunderbird-sl-10.0.7-1.mga2
thunderbird-sq-10.0.7-1.mga2
thunderbird-sv_SE-10.0.7-1.mga2
thunderbird-ta_LK-10.0.7-1.mga2
thunderbird-tr-10.0.7-1.mga2
thunderbird-uk-10.0.7-1.mga2
thunderbird-vi-10.0.7-1.mga2
thunderbird-zh_CN-10.0.7-1.mga2
thunderbird-zh_TW-10.0.7-1.mga2
Testing may begin. The advisory will come later.
Assignee: bugsquad => qa-bugs
Testing on Mageia 2 x86/i586 and x86_64.
CC: (none) => ed_rus099
No problems with Mageia 2 x86_64 or Mageia 2 x86/i586. I had to install a plugin called quick locale switcher to change the language interface.
Testing on Mageia 2 x86_64:
- lib64nss3-3.13.6-1.mga2.x86_64
- thunderbird-10.0.7-1.mga2.x86_64
- thunderbird-enigmail-10.0.7-1.mga2.x86_64
CC: (none) => stblack
Same testing as Stefano. email, nntp, spellcheck, enigmail all OK. I am not able to find much info about nsinstall or find any way to test it. Is it used in the build process?
Hardware: i586 => All
Whiteboard: MGA1TOO => MGA1TOO mga2-64-OK?
Upstream advisories are available now, so we have references.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3980
http://www.mozilla.org/security/announce/2012/mfsa2012-57.html
http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
http://www.mozilla.org/security/announce/2012/mfsa2012-61.html
http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
http://www.mozilla.org/security/announce/2012/mfsa2012-67.html
http://www.mozilla.org/security/announce/2012/mfsa2012-70.html
http://www.mozilla.org/security/announce/2012/mfsa2012-72.html
(In reply to comment #7)
> I am not able to find much info about nsinstall or find any way to test it.
>
> Is it used in the build process?

Could be, but I've no complete log of the build process. But no package actually requires it.

Apart from that now the complete advisory:

There is now thunderbird-10.0.7-1.mga2 and thunderbird-l10n-10.0.7-1.mga in core/updates_testing to validate

-------------------------------------------------------
Suggested advisory:
-------------------
This update addresses the following issues:

http://www.mozilla.org/security/announce/2012/mfsa2012-57.html
Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
CVE-2012-1970 CVE-2012-1971

http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
Use-after-free issues found using Address Sanitizer
CVE-2012-1972 CVE-2012-1973 CVE-2012-1974 CVE-2012-1975 CVE-2012-1976 CVE-2012-3956 CVE-2012-3957 CVE-2012-3958 CVE-2012-3959 CVE-2012-3960 CVE-2012-3961 CVE-2012-3962 CVE-2012-3963 CVE-2012-3964

http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
Location object can be shadowed using Object.defineProperty
CVE-2012-1956

http://www.mozilla.org/security/announce/2012/mfsa2012-60.html
Escalation of privilege through about:newtab
CVE-2012-3965

http://www.mozilla.org/security/announce/2012/mfsa2012-61.html
Memory corruption with bitmap format images with negative height
CVE-2012-3966

http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
WebGL use-after-free and memory corruption
CVE-2012-3968 CVE-2012-3967

http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
SVG buffer overflow and use-after-free issues
CVE-2012-3969 CVE-2012-3970

http://www.mozilla.org/security/announce/2012/mfsa2012-64.html
Graphite 2 memory corruption
CVE-2012-3971

http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
Out-of-bounds read in format-number in XSLT
CVE-2012-3972

http://www.mozilla.org/security/announce/2012/mfsa2012-66.html
HTTPMonitor extension allows for remote debugging without explicit activation
CVE-2012-3973

http://www.mozilla.org/security/announce/2012/mfsa2012-67.html
Installer will launch incorrect executable following new installation (only applicable to windows installer)
CVE-2012-3974

http://www.mozilla.org/security/announce/2012/mfsa2012-68.html
DOMParser loads linked resources in extensions when parsing text/html
CVE-2012-3975

http://www.mozilla.org/security/announce/2012/mfsa2012-69.html
Incorrect site SSL certificate data display
CVE-2012-3976

http://www.mozilla.org/security/announce/2012/mfsa2012-70.html
Location object security checks bypassed by chrome code
CVE-2012-3978

http://www.mozilla.org/security/announce/2012/mfsa2012-71.html
Insecure use of __android_log_print
CVE-2012-3979

http://www.mozilla.org/security/announce/2012/mfsa2012-72.html
Web console eval capable of executing chrome-privileged code
CVE-2012-3980

-------------------------------------------------------
Steps to reproduce:
- install/update to update candidate
- make sure language packs are still in effect after the update
Testing complete on both arches, both releases with enigmail, lightning, email, and nntp.

Could someone from the sysadmin team push the srpms
thunderbird-10.0.7-1.mga2.src.rpm
thunderbird-l10n-10.0.7-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
mozilla-thunderbird-10.0.7-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.7-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: This thunderbird update addresses the following issues:

http://www.mozilla.org/security/announce/2012/mfsa2012-57.html
Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
CVE-2012-1970 CVE-2012-1971

http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
Use-after-free issues found using Address Sanitizer
CVE-2012-1972 CVE-2012-1973 CVE-2012-1974 CVE-2012-1975 CVE-2012-1976 CVE-2012-3956 CVE-2012-3957 CVE-2012-3958 CVE-2012-3959 CVE-2012-3960 CVE-2012-3961 CVE-2012-3962 CVE-2012-3963 CVE-2012-3964

http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
Location object can be shadowed using Object.defineProperty
CVE-2012-1956

http://www.mozilla.org/security/announce/2012/mfsa2012-60.html
Escalation of privilege through about:newtab
CVE-2012-3965

http://www.mozilla.org/security/announce/2012/mfsa2012-61.html
Memory corruption with bitmap format images with negative height
CVE-2012-3966

http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
WebGL use-after-free and memory corruption
CVE-2012-3968 CVE-2012-3967

http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
SVG buffer overflow and use-after-free issues
CVE-2012-3969 CVE-2012-3970

http://www.mozilla.org/security/announce/2012/mfsa2012-64.html
Graphite 2 memory corruption
CVE-2012-3971

http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
Out-of-bounds read in format-number in XSLT
CVE-2012-3972

http://www.mozilla.org/security/announce/2012/mfsa2012-66.html
HTTPMonitor extension allows for remote debugging without explicit activation
CVE-2012-3973

http://www.mozilla.org/security/announce/2012/mfsa2012-67.html
Installer will launch incorrect executable following new installation (only applicable to windows installer)
CVE-2012-3974

http://www.mozilla.org/security/announce/2012/mfsa2012-68.html
DOMParser loads linked resources in extensions when parsing text/html
CVE-2012-3975

http://www.mozilla.org/security/announce/2012/mfsa2012-69.html
Incorrect site SSL certificate data display
CVE-2012-3976

http://www.mozilla.org/security/announce/2012/mfsa2012-70.html
Location object security checks bypassed by chrome code
CVE-2012-3978

http://www.mozilla.org/security/announce/2012/mfsa2012-71.html
Insecure use of __android_log_print
CVE-2012-3979

http://www.mozilla.org/security/announce/2012/mfsa2012-72.html
Web console eval capable of executing chrome-privileged code
CVE-2012-3980

https://bugs.mageia.org/show_bug.cgi?id=7210
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO mga2-64-OK? => MGA1TOO mga2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
CVE descriptions are now available from Red Hat.

Note that the CVE list has been fixed, as one of the Mozilla advisories I had listed previously only affects Windows.

Advisory:
========================

Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964).

Content containing a malicious Scalable Vector Graphics (SVG) image file could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2012-3969, CVE-2012-3970).

Two flaws were found in the way Thunderbird rendered certain images using WebGL. Malicious content could cause Thunderbird to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Thunderbird (CVE-2012-3967, CVE-2012-3968).

A flaw was found in the way Thunderbird decoded embedded bitmap images in Icon Format (ICO) files. Content containing a malicious ICO file could cause Thunderbird to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Thunderbird (CVE-2012-3966).

A flaw was found in the way the "eval" command was handled by the Thunderbird Error Console. Running "eval" in the Error Console while viewing malicious content could possibly cause Thunderbird to execute arbitrary code with the privileges of the user running Thunderbird (CVE-2012-3980).

An out-of-bounds memory read flaw was found in the way Thunderbird used the format-number feature of XSLT (Extensible Stylesheet Language Transformations). Malicious content could possibly cause an information leak, or cause Thunderbird to crash (CVE-2012-3972).

A flaw was found in the location object implementation in Thunderbird. Malicious content could use this flaw to possibly allow restricted content to be loaded (CVE-2012-3978).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3980
http://www.mozilla.org/security/announce/2012/mfsa2012-57.html
http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
http://www.mozilla.org/security/announce/2012/mfsa2012-61.html
http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
http://www.mozilla.org/security/announce/2012/mfsa2012-70.html
http://www.mozilla.org/security/announce/2012/mfsa2012-72.html
https://rhn.redhat.com/errata/RHSA-2012-1211.html
Severity: normal => critical
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0246
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED