MX-17/18 Repository: The Thunderbird Thread

mmikeinsantarosa
Developer
Posts: 2192
Joined: Thu May 01, 2014 10:12 am

MX-17/18 Repository: The Thunderbird Thread

#1 Post by mmikeinsantarosa »

The latest thunderbird-52.5.0 is now available to upgrade to. This one does include a critical security fix.
Security vulnerabilities fixed in Thunderbird 52.5
Announced: November 23, 2017
Impact: CRITICAL
Products: Thunderbird
Fixed in: Thunderbird 52.5
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

CVE-2017-7828: Use-after-free of PressShell while restyling layout

Reporter: Nils
Impact: CRITICAL
Description

A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations.

References

Bug 1406750
Bug 1412252

CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

Reporter: Jun Kokatsu
Impact: HIGH
Description

The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users.

References

Bug 1408990

CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5

Reporter: Mozilla developers and community
Impact: CRITICAL
Description

Mozilla developers and community members Christian Holler, David Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary, Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen reported memory safety bugs present in Firefox 56, Firefox ESR 52.4, and Thunderbird 52.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

References
For more info, check out the release notes at the mozilla site.

- mike
Last edited by mmikeinsantarosa on Sat Feb 02, 2019 4:17 pm, edited 1 time in total.
LT: MX19.1 Quad Core model: Intel Core i7-6820HQ Kernel: 5.0.0-7.1-liquorix-amd64 x86_64

mmikeinsantarosa
Developer
Posts: 2192
Joined: Thu May 01, 2014 10:12 am

Re: MX 17 Repository: The Thunderbird Thread

#2 Post by mmikeinsantarosa »

thunderbird_52.6.0 is now available to upgrade to. Critical security fixes were made on this release.

Upgrading is advised.

- mike
LT: MX19.1 Quad Core model: Intel Core i7-6820HQ Kernel: 5.0.0-7.1-liquorix-amd64 x86_64

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: MX 17 Repository: The Thunderbird Thread

#3 Post by Jerry3904 »

No hiccups here, thanks for keeping up with this.
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

mmikeinsantarosa
Developer
Posts: 2192
Joined: Thu May 01, 2014 10:12 am

Re: MX 17 Repository: The Thunderbird Thread

#4 Post by mmikeinsantarosa »

thunderbird-52.7 is now available to upgrade to.
Fixed - Searching message bodies of messages in local folders, including filter and quick filter operations, did not find content in message attachments
Fixed - Better error handling for Yahoo accounts
Fixed - Various critical security fixes
Note: Probably a good idea to upgrade to get the security fixes.

See the release notes page for more information.

- mike
LT: MX19.1 Quad Core model: Intel Core i7-6820HQ Kernel: 5.0.0-7.1-liquorix-amd64 x86_64

Eadwine Rose
Administrator
Posts: 11895
Joined: Wed Jul 12, 2006 2:10 am

Re: MX 17 Repository: The Thunderbird Thread

#5 Post by Eadwine Rose »

Thanks Mike :)
MX-23.2_x64 July 31 2023 * 6.1.0-18-amd64 ext4 Xfce 4.18.1 * 8core AMD Ryzen 7 2700
Asus TUF B450-Plus Gaming UEFI * Asus GTX 1050 Ti Nvidia 525.147.05 * 2x16Gb DDR4 2666 Kingston HyperX Predator
Samsung 860EVO * Samsung S24D330 & P2250 * HP Envy 5030

fehlix
Developer
Posts: 10309
Joined: Wed Apr 11, 2018 5:09 pm

Re: MX 17 Repository: The Thunderbird Thread

#6 Post by fehlix »

Within another thread here I tried to provide a solution to sort out the
localization issue we had for getting thunderbird fully localized easier for the user.

After some discussions with mmikeinsantarosa and stevo I have tried stevo's proposal
to use debian provided version instead of mx-provided mozilla-version.
And yes, the debian-version will sort out the l10n-issue just out of the box,
without any tweaking!
Based on this, here is now my new proposal to finally have sorted the language issues:

The Situation:
We do have within mx-repo and debian-stable repo two identical thunderbird versions.
The package-version in mx-repo is higher than the debian-version so that it gets installed by default.
The mx-version based on mozilla includes the calendar lightning, whereas the debian version
provides the calendar within an extra lightning-package.

The Challenge:
How to install the version from debian-repo which has a lower package-version number than the mx-repo without breaking anything else and without getting upgraded to the higher mx-package version from the mx-repo? How to receive further updates from debian, without holding just the current debian-version? How to include the calendar into the debian version so it will be always available for the user as it was before when he just was installing thunderbird?

The Solution:
Without doing any re-packaging or any further big development work and without
breaking any dependency the solution is provided here within 2 steps:
1. Make apt-package manager accept to install and update debian's version from debian repo
with upgrading from mx-provided mozilla-version by applying the following apt-preferences:

## apt-preferences: /etc/apt/preferences.d/debian-thunderbird.pref
##
## this will make apt to prefer debian's provided thunderbird  
## 
Package: thunderbird
Pin: release o=Debian,a=stable,n=stretch
Pin-Priority: 1001

2. Make MX Package Installer (MXPI) to install thunderbird+lightning together
as one 'meta' combo-pack and have all debian provided languages for the thunderbird-lightning
combo available as one lang-'meta'-pack combo also.
To create the correct MXPI package-list for all debian provided languages is just a matter of
running a little script. This is actually a fairly easy exercise and would not require any
development work.
It's even better to generate all MXPI menu-entries for all debian provided languages
than to manually adjust or modify the existing ones. Not to mention that within the current
MXPI langpacks we are already missing some languages which are officially available.

The Migration:
To make sure to migrate existing thunderbirds together with the user installed mx-language-packs
to the debian-version we just need to include into an apt-preference-package within
the pre- and post install steps to check which langpacks are needed and do a reinstall of debian's
version for both thunderbird and lightning lang-packs!
Such an apt-preference-package could be included e.g. either with mx-apps- or mx-systems-metapack!

The End:
Any comments, corrections or concerns are welcome!
:puppy:
--fehlix
Gigabyte Z77M-D3H, Intel Xeon E3-1240 V2 (Quad core), 32GB RAM,
GeForce GTX 770, Samsung SSD 850 EVO 500GB, Seagate Barracuda 4TB
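
Added example, not part of fehlix's post or of MX's tooling: a simplified Python model of how apt evaluates the pin line from the post against each repository's Release fields. The Release values are constructed and the MX ones are placeholders; the model shows that the pin also covers the Debian security archive, and that it stops matching once the suite is no longer labelled stable, so security updates would again come from whichever source has the higher version.

```python
# Simplified model of apt's "Pin: release" matching (exact string comparison
# only; real apt also accepts glob and regex patterns in pin values).

# apt_preferences(5) short keys -> Release file fields ("a" matches Suite)
KEYS = {"o": "Origin", "a": "Suite", "n": "Codename",
        "l": "Label", "c": "Component", "v": "Version"}

PIN = "Pin: release o=Debian,a=stable,n=stretch"  # pin line from the post
PIN_PRIORITY = 1001      # from the post; above 1000 apt will also downgrade
DEFAULT_PRIORITY = 500   # apt's default for a source no pin matches

def parse_release_pin(line):
    """'Pin: release o=Debian,a=stable' -> {'Origin': 'Debian', 'Suite': 'stable'}"""
    field, _, spec = line.partition(":")
    kind, _, terms = spec.strip().partition(" ")
    if field.strip() != "Pin" or kind != "release" or not terms.strip():
        raise ValueError(f"not a release pin: {line!r}")
    conditions = {}
    for term in terms.split(","):
        key, sep, value = term.strip().partition("=")
        if not sep or key not in KEYS:
            raise ValueError(f"unsupported pin term: {term!r}")
        conditions[KEYS[key]] = value
    return conditions

def priority_for(release, pin=PIN, pin_priority=PIN_PRIORITY):
    """Every term of the pin must match the Release fields, else the default."""
    conditions = parse_release_pin(pin)
    if all(release.get(name) == want for name, want in conditions.items()):
        return pin_priority
    return DEFAULT_PRIORITY

# Constructed Release fields for illustration; the MX values are placeholders.
DEBIAN = {"Origin": "Debian", "Label": "Debian", "Suite": "stable", "Codename": "stretch"}
SOURCES = {
    "debian main": DEBIAN,
    "debian security": {**DEBIAN, "Label": "Debian-Security"},
    "mx repo": {"Origin": "EXAMPLE-MX", "Suite": "example", "Codename": "example"},
    "debian main, suite relabelled": {**DEBIAN, "Suite": "oldstable"},
}

def report():
    """Priority each constructed source would receive under the post's pin."""
    return {name: priority_for(release) for name, release in SOURCES.items()}

if __name__ == "__main__":
    for name, priority in report().items():
        print(f"{priority:5d}  {name}")
```

On a live system, apt-cache policy thunderbird shows the priorities apt actually assigned to each source.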

mmikeinsantarosa
Developer
Posts: 2192
Joined: Thu May 01, 2014 10:12 am

Re: MX 17 Repository: The Thunderbird Thread

#7 Post by mmikeinsantarosa »

I'm camping all week and not in a position to do much.
LT: MX19.1 Quad Core model: Intel Core i7-6820HQ Kernel: 5.0.0-7.1-liquorix-amd64 x86_64

Stevo
Developer
Posts: 12774
Joined: Fri Dec 15, 2006 8:07 pm

Re: MX 17 Repository: The Thunderbird Thread

#8 Post by Stevo »

That looks really good to me, and I can't see anything that should block the transition.

Stevo
Developer
Posts: 12774
Joined: Fri Dec 15, 2006 8:07 pm

Re: MX 17 Repository: The Thunderbird Thread

#9 Post by Stevo »

Since the language packages have different base names, the only way I can think of to have an automatic changeover to the new versions is to add dummy packages for the old names that depend on the equivalent new langpacks, which requires a lot of editing of the control file, the user ends up with a dummy package installed unless they manually remove it, and we are stuck with that system from now on.

The alternative is to just manage the changeover with a script, but that depends on having the user execute that command, something like "sudo langpack-switch".

So...what are your thoughts?

fehlix
Developer
Posts: 10309
Joined: Wed Apr 11, 2018 5:09 pm

Re: MX 17 Repository: The Thunderbird Thread

#10 Post by fehlix »

Stevo wrote: Tue Jun 05, 2018 2:01 pm
Since the language packages have different base names, the only way I can think of to have an automatic changeover to the new versions is to add dummy packages for the old names that depend on the equivalent new langpacks, which requires a lot of editing of the control file, the user ends up with a dummy package installed unless they manually remove it, and we are stuck with that system from now on.

The alternative is to just manage the changeover with a script, but that depends on having the user execute that command, something like "sudo langpack-switch".

From the user's perspective the smoothest transition to the debian based packages would be to have for all l10n-xpi-LANG-packages higher-versioned dummy meta-packs, which would pull in during update the required debian lang packs.
Any alternative which requires manual action from the user will certainly dramatically increase the number of help posts within this forum about missing languages within thunderbird.
--fehlix
Gigabyte Z77M-D3H, Intel Xeon E3-1240 V2 (Quad core), 32GB RAM,
GeForce GTX 770, Samsung SSD 850 EVO 500GB, Seagate Barracuda 4TB
