
MX-17/18 Repository: The Thunderbird Thread

Posted: Wed Nov 29, 2017 11:14 am
by mmikeinsantarosa
The latest thunderbird-52.5.0 is now available to upgrade to. This one does include a critical security fix.
Security vulnerabilities fixed in Thunderbird 52.5
ANNOUNCED: November 23, 2017
IMPACT: CRITICAL
PRODUCTS: Thunderbird
FIXED IN: Thunderbird 52.5
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

CVE-2017-7828: Use-after-free of PressShell while restyling layout

REPORTER: Nils
IMPACT: CRITICAL
Description

A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations.

References

Bug 1406750
Bug 1412252

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

REPORTER: Jun Kokatsu
IMPACT: HIGH
Description

The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users.

References

Bug 1408990

CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5

REPORTER: Mozilla developers and community
IMPACT: CRITICAL
Description

Mozilla developers and community members Christian Holler, David Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary, Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen reported memory safety bugs present in Firefox 56, Firefox ESR 52.4, and Thunderbird 52.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

References
For more info, check out the release notes at the mozilla site.

- mike

Re: MX 17 Repository: The Thunderbird Thread

Posted: Wed Jan 31, 2018 1:03 pm
by mmikeinsantarosa
thunderbird_52.6.0 is now available to upgrade to. Critical security fixes were made on this release.

Upgrading is advised.

- mike

Re: MX 17 Repository: The Thunderbird Thread

Posted: Wed Jan 31, 2018 1:04 pm
by Jerry3904
No hiccups here, thanks for keeping up with this.

Re: MX 17 Repository: The Thunderbird Thread

Posted: Sun Mar 25, 2018 6:31 pm
by mmikeinsantarosa
thunderbird-52.7 is now available to upgrade to.
Fixed - Searching message bodies of messages in local folders, including filter and quick filter operations, did not find content in message attachments
Fixed - Better error handling for Yahoo accounts
Fixed - Various critical security fixes
Note: Probably a good idea to upgrade to get the security fixes.

See the release notes page for more information.

- mike

Re: MX 17 Repository: The Thunderbird Thread

Posted: Mon Mar 26, 2018 2:54 pm
by Eadwine Rose
Thanks Mike :)

Re: MX 17 Repository: The Thunderbird Thread

Posted: Sun Jun 03, 2018 6:19 pm
by fehlix
In another thread here I tried to provide a solution to sort out the
localization issue we had, to make getting thunderbird fully localized easier for the user.

After some discussions with mmikeinsantarosa and stevo I have tried stevo's proposal
to use the debian provided version instead of the mx-provided mozilla-version.
And yes, the debian-version will sort out the l10n-issue just out of the box,
without any tweaking!
Based on this, here is now my new proposal to finally have sorted the language issues:

The Situation:
We do have within mx-repo and debian-stable repo two identical thunderbird versions.
The package-version in mx-repo is higher than the debian-version so that it gets installed by default.
The mx-version based on mozilla includes the calendar lightning, whereas the debian version
provides the calendar within an extra lightning-package.

The Challenge:
How to install the version from debian-repo which has a lower package-version number than the mx-repo without breaking anything else and without getting upgraded to the higher mx-package version from the mx-repo? How to receive further updates from debian, without holding just the current debian-version? How to include the calendar into the debian version so it will be always available for the user as it was before when he just was installing thunderbird?

The Solution:
Without doing any re-packaging or any further big development work and without
breaking any dependency the solution is provided here within 2 steps:
1. Make apt-package manager accept to install and update debian's version from debian repo
with upgrading from mx-provided mozilla-version by applying the following apt-preferences:

## apt-preferences: /etc/apt/preferences.d/debian-thunderbird.pref
##
## this will make apt to prefer debian's provided thunderbird  
## 
Package: thunderbird
Pin: release o=Debian,a=stable,n=stretch
Pin-Priority: 1001

2. Make MX Package Installer (MXPI) install thunderbird+lightning together
as one 'meta' combo-pack and have all debian provided languages for the thunderbird-lightning
combo available as one lang-'meta'-pack combo also.
To create the correct MXPI package-list for all debian provided languages is just a matter of
running a little script. This is actually a fairly easy exercise and would not require any
development work.
It's even better to generate all MXPI menu-entries for all debian provided languages
than to manually adjust or modify the existing ones. Not to mention that within the current
MXPI langpacks we are already missing some languages which are officially available.

The Migration:
To make sure to migrate existing thunderbirds together with the user installed mx-language-packs
to the debian-version we just need to include into an apt-preference-package within
the pre- and post install steps to check which langpacks are needed and do a reinstall of debian's
version for both thunderbird- and lightning lang-packs!
Such an apt-preference-package could be included e.g. either with mx-apps- or mx-systems-metapack!

The End:
Any comments, corrections or concerns are welcome!
:puppy:
--fehlix
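
Added example, not part of fehlix's post: one way to confirm that the pin above took effect, by parsing `apt-cache policy thunderbird` output and checking that the candidate is held above priority 1000 and comes from the expected mirror. The sample output, version strings and hostnames are constructed, and `candidate_source` / `pin_in_effect` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify which thunderbird apt will install once
# /etc/apt/preferences.d/debian-thunderbird.pref is in place.

# Constructed sample of `apt-cache policy thunderbird` output with the pin
# applied; version strings and hostnames are made up.
sample_policy() {
    cat <<'EOF'
thunderbird:
  Installed: 1:52.7.0-1mx17
  Candidate: 1:52.7.0-1~deb9u1
  Version table:
 *** 1:52.7.0-1mx17 500
        500 http://mx.example/repo stretch/main amd64 Packages
        100 /var/lib/dpkg/status
     1:52.7.0-1~deb9u1 1001
        500 http://debian.example/debian stretch/main amd64 Packages
EOF
}

# Reads `apt-cache policy <pkg>` output on stdin and prints
# "<candidate-version> <version-priority> <first-repo-url>".
candidate_source() {
    awk '
        $1 == "Candidate:" { cand = $2; next }
        # Version-table entry: optional "***" marker, version, priority.
        /^ ([*][*][*]|   ) [^ ]/ {
            ver  = ($1 == "***") ? $2 : $1
            prio = ($1 == "***") ? $3 : $2
            want = (ver == cand)
            next
        }
        # First repository line listed under the candidate entry.
        want && $2 ~ /^https?:/ { print ver, prio, $2; exit }
    '
}

# Succeeds only if the candidate is pinned above 1000 (the threshold at
# which apt will downgrade to it) and its URL contains the string in $1.
pin_in_effect() {
    host=$1
    set -- $(candidate_source)      # $1=version $2=priority $3=url
    [ "$#" -eq 3 ] && [ "$2" -gt 1000 ] || return 1
    case $3 in *"$host"*) return 0 ;; *) return 1 ;; esac
}

# Real use: apt-cache policy thunderbird | pin_in_effect <your-debian-mirror>
```

Because the stanza matches on `a=stable` as well as `n=stretch`, it stops applying once stretch is relabelled oldstable, so rerun the check after a new Debian stable release.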

Re: MX 17 Repository: The Thunderbird Thread

Posted: Sun Jun 03, 2018 7:04 pm
by mmikeinsantarosa
I'm camping all week and not in a position to do much.

Re: MX 17 Repository: The Thunderbird Thread

Posted: Sun Jun 03, 2018 7:28 pm
by Stevo
That looks really good to me, and I can't see anything that should block the transition.

Re: MX 17 Repository: The Thunderbird Thread

Posted: Tue Jun 05, 2018 2:01 pm
by Stevo
Since the language packages have different base names, the only way I can think of to have an automatic changeover to the new versions is to add dummy packages for the old names that depend on the equivalent new langpacks, which requires a lot of editing of the control file, the user ends up with a dummy package installed unless they manually remove it, and we are stuck with that system from now on.

The alternative is to just manage the changeover with a script, but that depends on having the user execute that command, something like "sudo langpack-switch".

So...what are your thoughts?

Re: MX 17 Repository: The Thunderbird Thread

Posted: Tue Jun 05, 2018 2:39 pm
by fehlix
Stevo wrote: Tue Jun 05, 2018 2:01 pm Since the language packages have different base names, the only way I can think of to have an automatic changeover to the new versions is to add dummy packages for the old names that depend on the equivalent new langpacks, which requires a lot of editing of the control file, the user ends up with a dummy package installed unless they manually remove it, and we are stuck with that system from now on.

The alternative is to just manage the changeover with a script, but that depends on having the user execute that command, something like "sudo langpack-switch".

From a user perspective the smoothest transition to the debian based packages would be to have for all l10n-xpi-LANG-packages higher version-ed dummy meta-packs, which would pull in during update the required debian lang packs.
Any alternative which requires manual actions from the user will certainly dramatically increase the number of help posts within this forum about missing languages within thunderbird.
--fehlix