RedHat has issued an advisory on November 20:
https://rhn.redhat.com/errata/RHSA-2012-1483.html

Updated packages uploaded for Mageia 1 and Mageia 2.

Source RPMs:
mozilla-thunderbird-10.0.11-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.11-1.mga1.src.rpm
thunderbird-10.0.11-1.mga2.src.rpm
thunderbird-l10n-10.0.11-1.mga2.src.rpm

Advisory:
========================

Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842).

A buffer overflow flaw was found in the way Thunderbird handled GIF (Graphics Interchange Format) images. Content containing a malicious GIF image could cause Thunderbird to crash or, possibly, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2012-4202).

A flaw was found in the way Thunderbird decoded the HZ-GB-2312 character encoding. Malicious content could cause Thunderbird to run JavaScript code with the permissions of different content (CVE-2012-4207).

A flaw was found in the location object implementation in Thunderbird. Malicious content could possibly use this flaw to allow restricted content to be loaded by plug-ins (CVE-2012-4209).

A flaw was found in the way cross-origin wrappers were implemented. Malicious content could use this flaw to perform cross-site scripting attacks (CVE-2012-5841).

A flaw was found in the evalInSandbox implementation in Thunderbird. Malicious content could use this flaw to perform cross-site scripting attacks (CVE-2012-4201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4215
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5842
http://www.mozilla.org/security/announce/2012/mfsa2012-91.html
http://www.mozilla.org/security/announce/2012/mfsa2012-92.html
http://www.mozilla.org/security/announce/2012/mfsa2012-93.html
http://www.mozilla.org/security/announce/2012/mfsa2012-100.html
http://www.mozilla.org/security/announce/2012/mfsa2012-101.html
http://www.mozilla.org/security/announce/2012/mfsa2012-103.html
http://www.mozilla.org/security/announce/2012/mfsa2012-105.html
http://www.mozilla.org/security/announce/2012/mfsa2012-106.html
https://rhn.redhat.com/errata/RHSA-2012-1483.html

Whiteboard: (none) => MGA1TOO

Testing mga2 32

Enigmail gives a warning that it is not compatible and wants to check mozilla for updates.

$ rpm -qa | grep thunderbird
thunderbird-enigmail-10.0.11-1.mga2
thunderbird-10.0.11-1.mga2
thunderbird-en_GB-10.0.11-1.mga2

It gives a list of incompatible Enigmail 1.4 <language> which for some reason is unable to scroll. Clicked on Don't Check so it wouldn't update from mozilla.

From the about:

GnuPG support provided by Enigmail
Running Enigmail version 1.4 (20121122-0557)
Using gpg executable /usr/bin/gpg to encrypt and decrypt

It does seem to be working though.

Tested OK mga2 64
Whiteboard: MGA1TOO => MGA1TOO mga2-64-OK

Testing complete. Mageia 1 and 2, i586 and x86-64.

Could someone from the sysadmin team push the srpms
thunderbird-10.0.11-1.mga2.src.rpm
thunderbird-l10n-10.0.11-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
mozilla-thunderbird-10.0.11-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.11-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842).

A buffer overflow flaw was found in the way Thunderbird handled GIF (Graphics Interchange Format) images. Content containing a malicious GIF image could cause Thunderbird to crash or, possibly, execute arbitrary code with the privileges of the user running Thunderbird (CVE-2012-4202).

A flaw was found in the way Thunderbird decoded the HZ-GB-2312 character encoding. Malicious content could cause Thunderbird to run JavaScript code with the permissions of different content (CVE-2012-4207).

A flaw was found in the location object implementation in Thunderbird. Malicious content could possibly use this flaw to allow restricted content to be loaded by plug-ins (CVE-2012-4209).

A flaw was found in the way cross-origin wrappers were implemented. Malicious content could use this flaw to perform cross-site scripting attacks (CVE-2012-5841).

A flaw was found in the evalInSandbox implementation in Thunderbird. Malicious content could use this flaw to perform cross-site scripting attacks (CVE-2012-4201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4215
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5842
http://www.mozilla.org/security/announce/2012/mfsa2012-91.html
http://www.mozilla.org/security/announce/2012/mfsa2012-92.html
http://www.mozilla.org/security/announce/2012/mfsa2012-93.html
http://www.mozilla.org/security/announce/2012/mfsa2012-100.html
http://www.mozilla.org/security/announce/2012/mfsa2012-101.html
http://www.mozilla.org/security/announce/2012/mfsa2012-103.html
http://www.mozilla.org/security/announce/2012/mfsa2012-105.html
http://www.mozilla.org/security/announce/2012/mfsa2012-106.html
https://rhn.redhat.com/errata/RHSA-2012-1483.html
https://bugs.mageia.org/show_bug.cgi?id=8181

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO mga2-64-OK => MGA1TOO mga2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0343
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED