FS#63169 - [thunderbird] < 60.8: CVE galore, including potential RCE
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 12 July 2019, 08:13 GMT
Last edited by Antonio Rojas (arojas) - Monday, 15 July 2019, 08:39 GMT
Thunderbird 60.8 fixes a bunch of CVEs (sadly, the reference to the security advisory was omitted from upstream's release notes for unknown reasons):

https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/

CVE-2019-11709 "Memory safety bugs" has been hidden at the bottom of the CVE list, but is marked as "critical" since upstream considers it to be a potential RCE vulnerability. Also, since this advisory comes again with the well-known remark "In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.", please consider my "javascript.enabled=false" proposal from https://bugs.archlinux.org/task/62974
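An added defender-side check, not part of the report or the Arch package: it parses a constructed Thunderbird prefs.js/user.js fragment to confirm that javascript.enabled is explicitly set to false, and compares an installed version string (Arch pkgver-pkgrel form is assumed) against the 60.8 threshold named in the title.

```python
import re

# Constructed sample of a Thunderbird user.js / prefs.js fragment (not from the report).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("javascript.enabled", false);
user_pref("mail.startup.enabledMailCheckOnce", true);
user_pref("browser.startup.homepage", "about:blank");
'''

# Thunderbird 60.8 is the first release carrying the MFSA 2019-23 fixes.
FIXED_VERSION = (60, 8)

# Matches both user_pref("name", value); and pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Parse Mozilla pref lines into a dict of name -> bool/int/str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines carry no prefs
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def javascript_disabled(text: str) -> bool:
    """True only when javascript.enabled is explicitly false; an absent pref
    means the compiled-in default applies, so it is not counted as disabled."""
    return parse_prefs(text).get("javascript.enabled") is False


def parse_version(ver: str) -> tuple:
    """Turn '60.7.2-1' (Arch pkgver-pkgrel, assumed format) into a comparable tuple."""
    pkgver = ver.split("-", 1)[0]
    return tuple(int(p) for p in pkgver.split("."))


def is_vulnerable(ver: str) -> bool:
    """Any version below 60.8 lacks the advisory's fixes."""
    return parse_version(ver) < FIXED_VERSION
```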
Comment by Pascal Ernster (hardfalcon) - Friday, 12 July 2019, 10:07 GMT
Side note to the package maintainer: rust-1.33.patch needs to be modified so the compile run doesn't abort halfway through due to missing macro documentation comments. I've attached a fixed version of the patch.
rust-1.33.patch (1.8 KiB)