Bug 670102 (MFSA-2018-28) - <mail-client/thunderbird{,-bin}-60.3.0 - multiple vulnerabilities (MFSA-2018-28)
Summary: <mail-client/thunderbird{,-bin}-60.3.0 - multiple vulnerabilities (MFSA-2018-28)
Status: RESOLVED FIXED
Alias: MFSA-2018-28
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-01 17:59 UTC by Ian Stakenvicius (RETIRED)
Modified: 2019-11-02 13:05 UTC
CC: 1 user

See Also:
Package list:
=mail-client/thunderbird-60.3.0
Runtime testing required: ---
stable-bot: sanity-check+
Description Ian Stakenvicius (RETIRED) gentoo-dev 2018-11-01 17:59:10 UTC
Per URL, vulnerabilities discovered in thunderbird and thunderbird-bin, addressed in v60.3.0 of each.
Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev 2018-11-01 18:04:13 UTC
Ebuilds pushed to gentoo repo. Arches please stabilize when ready.
Comment 2 Manfred Knick 2018-11-01 20:42:38 UTC
Please, see Bug 670104 :
   mail-client/thunderbird-60.3.0 
     thunderbird-60.3.0-de.xpi Filesize does not match recorded size
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-04 19:15:41 UTC
x86 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-05 18:22:27 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-06 13:39:38 UTC
@ Maintainer(s): Please cleanup and drop <mail-client/thunderbird-60.3.0!
Comment 6 Ian Stakenvicius (RETIRED) gentoo-dev 2018-11-07 16:55:11 UTC
Somehow the =mail-client/thunderbird-bin-60.3.0 atom in the package list was eaten. I see where I added it but not where it was dropped.

Anyways, I've pushed it directly to stable as well (since there's nothing we can do about it anyways, binary package and all).

Versions prior to 60.0 are p.masked for removal by year-end -- the jump from 52 to 60 could still be problematic for some deployments.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-16 10:42:55 UTC
New GLSA request filed.
Comment 8 Plüss Roland 2018-11-18 17:29:41 UTC
Update broken. Portage does not install 60+ version but wants to remove 60- versions due to masking. Can you please fix this so either 60+ can be emerged or push back the masking of 60- until this issue is fixed?

(My report is based on a fresh sync today)
Comment 9 Ian Stakenvicius (RETIRED) gentoo-dev 2018-11-19 14:20:55 UTC
(In reply to Plüss Roland from comment #8)
> Update broken. Portage does not install 60+ version but wants to remove 60-
> versions due to masking. Can you please fix this so either 60+ can be
> emerged or push back the masking of 60- until this issue is fixed?
> 
> (My report is based on a fresh sync today)

Please file a new bug with all the usual details. There should not be a reason for portage disallowing an update to 60+.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 19:52:54 UTC
This issue was resolved and addressed in
 GLSA 201811-13 at https://security.gentoo.org/glsa/201811-13
by GLSA coordinator Aaron Bauman (b-man).
Comment 11 Manfred Knick 2019-10-31 11:51:27 UTC
(In reply to GLSAMaker/CVETool Bot from comment #10)
> This issue was resolved and addressed in
>  GLSA 201811-13 at https://security.gentoo.org/glsa/201811-13
> by GLSA coordinator Aaron Bauman (b-man).
Just realized that

. . . [-P-] [M ] mail-client/thunderbird-52.9.1:0

is still contained in MainPortageTree?
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-31 12:40:19 UTC
(In reply to Manfred Knick from comment #11)
> (In reply to GLSAMaker/CVETool Bot from comment #10)
> > This issue was resolved and addressed in
> >  GLSA 201811-13 at https://security.gentoo.org/glsa/201811-13
> > by GLSA coordinator Aaron Bauman (b-man).
> Just realized that
> 
> . . . [-P-] [M ] mail-client/thunderbird-52.9.1:0
> 
> is still contained in MainPortageTree ?

...which isn't a problem, and the package is masked with a clear message indicating security problems:

>  on behalf of Mozilla Project Mask old/vuln thunderbird for removal by 2019, see security bug 670102
Comment 13 Manfred Knick 2019-10-31 13:13:05 UTC
(In reply to Thomas Deutschmann from comment #12)
> ...which isn't a problem and package is masked with a clear message
> indicating security problems:
Sure, Thomas!
That's exactly why I cited the "[M ]" in front.

Just wondering why all the later versions in between have been deleted,
but exactly this one is being kept.
I definitely expected that to have its reason behind it,
but I was not able to find out which one;
can you help with a hint?
Comment 14 Ian Stakenvicius (RETIRED) gentoo-dev 2019-10-31 16:32:57 UTC
52.9.1 is the last version in the 52.x series; the 60.x series has some regressions compared to 52.x.

New versions being released in 60.x are security and bugfix updates to previous releases in the 60.x series and so it doesn't make sense to keep them around.

We will likely keep the last of the 60.x series in the repo for a while as we continue to update the 68.x series for similar reasons, although I read a note from upstream that 68.2.2 should address all regressions.
Comment 15 Manfred Knick 2019-10-31 17:07:56 UTC
(In reply to Ian Stakenvicius from comment #14)

Ian, thank you for enlightening me, very much!

> ... I read a
> note from upstream that 68.2.2 should address all regressions.
Could you perhaps share a reference, please, as info for Bug 693602?
Comment 16 Anton Bolshakov 2019-11-02 01:27:40 UTC
The current package list in this bug includes the -bin version. However, it is not in sync with the src version.

Did you forget about -bin? Please sync.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2019-11-02 13:05:12 UTC
No. Multiple things to keep in mind:

1) You are writing in an old, already closed bug from 1y ago.

2) mail-client/thunderbird-bin ebuilds will be committed straight to stable, therefore they will never show in the package list in security bugs (only in the summary), because the package list field is only for stabilization work.