Bug 639048 (CVE-2017-7826, CVE-2017-7828, CVE-2017-7830, MFSA2017-26)

Summary: <mail-client/thunderbird{,-bin}-52.5.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: Frank Krömmelbein <kroemmelbein>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ap, mozilla
Priority: Normal
Flags: stable-bot: sanity-check-
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+ cve blocked]
Package list:
=mail-client/thunderbird-52.5.0
Runtime testing required: ---
Bug Depends on: 641764, 645820    
Bug Blocks: 627376    

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-29 00:08:52 UTC
(In reply to Frank Krömmelbein from comment #0)
> https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/

Thank you for the report Frank, @Maintainers please call for stabilization when ready.

Thanks
Comment 2 Larry the Git Cow gentoo-dev 2017-11-29 17:44:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96b0f1c18b9d36f28addda1a8895988f6350d5e1

commit 96b0f1c18b9d36f28addda1a8895988f6350d5e1
Author:     Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2017-11-29 17:43:22 +0000
Commit:     Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2017-11-29 17:44:33 +0000

    mail-client/thunderbird-bin: bump to 52.5.0
    
    Bumped directly to stable by maintainers for security
    
    Bug: http://bugs.gentoo.org/639048
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 mail-client/thunderbird-bin/Manifest               | 118 ++++++++++-----------
 ...52.4.0.ebuild => thunderbird-bin-52.5.0.ebuild} |   7 +-
 2 files changed, 62 insertions(+), 63 deletions(-)
Comment 3 Ian Stakenvicius (RETIRED) gentoo-dev 2017-11-29 17:47:05 UTC
Ebuilds are in the tree now.

mail-client/thunderbird-bin-52.5.0 has been committed directly to stable.

mail-client/thunderbird-52.5.0 requires x11-plugins/enigmail-1.9.8.3-r1 to also be stabilized, to adopt the improved way the enigmail extension is being installed and loaded by thunderbird.
Comment 4 Stephan Hartmann (RETIRED) gentoo-dev 2017-12-13 12:26:27 UTC
Maybe add arches?
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-13 13:28:57 UTC
@ Arches,

please test and mark stable:

  =mail-client/thunderbird-52.5.0
  =x11-plugins/enigmail-1.9.8.3-r1
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-14 15:08:42 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-12-14 20:27:24 UTC
amd64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-20 12:25:38 UTC
@ Remaining arches:

Please pick up newer >=x11-plugins/enigmail-1.9.9 via bug 641764.
Comment 9 Ian Stakenvicius (RETIRED) gentoo-dev 2018-01-04 15:54:03 UTC
ppc / ppc64 , would you like to drop stable keywords on this package?  The last one that was stabilized was 45.8.0 which has long been unsupported security-wise.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-01-19 21:28:05 UTC
(In reply to Ian Stakenvicius from comment #9)
> ppc / ppc64 , would you like to drop stable keywords on this package?  The
> last one that was stabilized was 45.8.0 which has long been unsupported
> security-wise.

+1

@ppc/ppc64, how would you like to proceed?
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-13 22:33:45 UTC
ppc stable
Comment 12 Stabilization helper bot gentoo-dev 2018-03-24 22:00:50 UTC
An automated check of this bug failed - the following atom is unknown:

mail-client/thunderbird-52.5.0

Please verify the atom list.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2018-03-28 18:24:59 UTC
This issue was resolved and addressed in
 GLSA 201803-14 at https://security.gentoo.org/glsa/201803-14
by GLSA coordinator Aaron Bauman (b-man).