Mozilla Thunderbird 3.0.2 released on February 25, 2010. Follow URL for release notes and complete list of closed bug entries. This release fixes two Mozilla Security Advisories marked as critical: http://www.mozilla.org/security/announce/2010/mfsa2010-01.html and http://www.mozilla.org/security/announce/2010/mfsa2010-03.html.
3.0.3 is out
(In reply to comment #1)
> 3.0.3 is out

Fixes critical regression since 3.0.2.
tb-3.0.3 tb-bin-3.0.3 are in the tree, will also require sqlite-3.6.22-r2 be made stable along with enigmail-1.0.1-r1. Security team feel free to bring in the archs.
Arches, please test and mark stable:
=mail-client/mozilla-thunderbird-3.0.3
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

Arches, please test and mark stable:
=mail-client/mozilla-thunderbird-bin-3.0.3
Target keywords : "amd64 x86"
(In reply to comment #3)
> tb-3.0.3 tb-bin-3.0.3 are in the tree, will also require sqlite-3.6.22-r2 be
> made stable along with enigmail-1.0.1-r1. Security team feel free to bring in
> the archs.

Is SQLite good to go, too?
(In reply to comment #5)
> (In reply to comment #3)
> > tb-3.0.3 tb-bin-3.0.3 are in the tree, will also require sqlite-3.6.22-r2 be
> > made stable along with enigmail-1.0.1-r1. Security team feel free to bring in
> > the archs.
>
> Is SQLite good to go, too?

I have spoken with betelgeuse and he said there was nothing to prevent it when we were ready.
x86 stable
amd64 stable
ppc64 done
Marked ppc stable.
stable on sparc
alpha/ia64/sparc stable
CVE-2009-1571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1571): Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to execute arbitrary code via unspecified method calls that attempt to access freed objects in low-memory situations.
CVE-2009-3979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3979): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2009-3980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3980): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2009-3981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3981): Unspecified vulnerability in the browser engine in Mozilla Firefox before 3.0.16, SeaMonkey before 2.0.1, and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2009-3982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3982): Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2010-0159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0159): The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors.
CVE-2010-0167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0167): The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors related to (1) layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in modules/plugin/base/src/nsNPAPIPlugin.cpp.
CVE-2010-0169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0169): The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching.
CVE-2010-0171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0171): Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allow remote attackers to perform cross-origin keystroke capture, and possibly conduct cross-site scripting (XSS) attacks, by using the addEventListener and setTimeout functions in conjunction with a wrapped object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-3736.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).