Summary: | <mail-client/thunderbird{,-bin}-52.9.0: multiple vulnerabilities (MFSA-2018-18) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | mozilla, whissi |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/ | | |
Whiteboard: | B2 [glsa+ cve] | | |
Package list: | =mail-client/thunderbird-52.9.1 | | |
Runtime testing required: | --- | | |

Description
D'juan McDonald (domhnall)
2018-07-04 08:13:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=619516f953b6e3996c547d3a9914f3e1f72ed128

commit 619516f953b6e3996c547d3a9914f3e1f72ed128
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-07-04 17:37:48 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-07-04 17:38:04 +0000

    mail-client/thunderbird-bin: security cleanup

    Bug: https://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/thunderbird-bin/Manifest | 58 --------
 .../thunderbird-bin/thunderbird-bin-52.8.0.ebuild | 164 ---------------------
 2 files changed, 222 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=062f178d70318f572464fc01549ca8be9f5cbbb8

commit 062f178d70318f572464fc01549ca8be9f5cbbb8
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-07-04 17:37:19 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-07-04 17:38:02 +0000

    mail-client/thunderbird-bin: amd64 & x86 stable

    Bug: https://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/thunderbird-bin/thunderbird-bin-52.9.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f9ec87ad944573045c7d120266aebd95db4323b

commit 1f9ec87ad944573045c7d120266aebd95db4323b
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-07-04 17:36:44 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-07-04 17:38:00 +0000

    mail-client/thunderbird-bin: bump to v52.9.0

    Bug: https://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/thunderbird-bin/Manifest | 58 ++++++++
 .../thunderbird-bin/thunderbird-bin-52.9.0.ebuild | 164 +++++++++++++++++++++
 2 files changed, 222 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2b86ec725fa2f9751b5177e16c9105e2ce3ea2b

commit b2b86ec725fa2f9751b5177e16c9105e2ce3ea2b
Author: Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2018-07-04 19:38:45 +0000
Commit: Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2018-07-04 20:00:40 +0000

    mail-client/thunderbird: bump to 52.9 for security bug 660342

    Bug: http://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/thunderbird/Manifest | 58 ++++
 mail-client/thunderbird/thunderbird-52.9.0.ebuild | 342 ++++++++++++++++++++++
 2 files changed, 400 insertions(+)

Ebuilds are in gentoo repo, and have been stabilized on amd64, x86 by maintainers. ppc/ppc64 please stabilize or remove stable keywords.

Reading https://www.thunderbird.net/en-US/thunderbird/52.9.1/releasenotes/ it looks like CVE-2018-12372 was incomplete: "Complete fix of the EFAIL vulnerability: 1) Removing some HTML crafted to carry out an attack. 2) Optionally: Not decrypting subordinate message parts that otherwise might reveal decrypted content to the attacker. Preference mailnews.p7m_subparts_external needs to be set to true for added security."

Can you bump to 52.9.1?

(In reply to Manuel Rüger from comment #4)
> Reading https://www.thunderbird.net/en-US/thunderbird/52.9.1/releasenotes/
> it looks like CVE-2018-12372 was incomplete: "Complete fix of the EFAIL
> vulnerability: 1) Removing some HTML crafted to carry out an attack. 2)
> Optionally: Not decrypting subordinate message parts that otherwise might
> reveal decrypted content to the attacker. Preference
> mailnews.p7m_subparts_external needs to be set to true for added security."
>

My mistake: Deleting or detaching attachments corrupted messages under certain circumstances (not working only in Thunderbird version 52.9.0) was fixed.

> Can you bump to 52.9.1?

I can open a separate bug for this if you like.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f94bdcc58b3b1fdbcff246f364533be2ced7ce8

commit 1f94bdcc58b3b1fdbcff246f364533be2ced7ce8
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-08-22 01:43:43 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-08-22 02:12:25 +0000

    mail-client/thunderbird: bump to v52.9.1

    Note: Lightning version from source doesn't match MOZ_LIGHTNING_VER in ebuild but this isn't critical and only affects localization which wasn't changed.

    Bug: https://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.48, Repoman-2.3.10
    RepoMan-Options: --force

 mail-client/thunderbird/Manifest | 114 ++++++++++-----------
 ...ird-52.9.0.ebuild => thunderbird-52.9.1.ebuild} | 0
 2 files changed, 57 insertions(+), 57 deletions(-)

ppc/ppc64 stable.

all arches stable

Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 201811-13 at https://security.gentoo.org/glsa/201811-13 by GLSA coordinator Aaron Bauman (b-man).