Thunderbird has been out of date for two months since Thunderbird 60 was released

Bug #1796126 reported by Martin
This bug report is a duplicate of: Bug #1786951: Update to 60.0.
This bug affects 4 people
Affects: thunderbird (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Thunderbird is one of the most used email clients. Thunderbird 60 was released on 2018-08-06, which is two months ago (https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/). As usual, there have also been fixes for at least eight critical and high security bugs (https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/).

1) $ lsb_release -rd
Description: Ubuntu 18.04.1 LTS
Release: 18.04

$ apt-cache policy thunderbird
thunderbird:
  Installiert: 1:52.9.1+build3-0ubuntu0.18.04.1
  Installationskandidat: 1:52.9.1+build3-0ubuntu0.18.04.1
  Versionstabelle:
 *** 1:52.9.1+build3-0ubuntu0.18.04.1 500
        500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:52.7.0+build1-0ubuntu1 500
        500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

3) Firefox and Thunderbird have been updated quite closely to the upstream releases even for old LTS releases.

4) Thunderbird has had no update since 2018-07-03 (http://changelogs.ubuntu.com/changelogs/pool/main/t/thunderbird/thunderbird_52.9.1+build3-0ubuntu0.18.04.1/changelog) despite the new version 60. For the upcoming Ubuntu 18.10 there is even an older version, 52.7, available (https://packages.ubuntu.com/cosmic/thunderbird). Debian Sid has a 60-ish version (https://packages.debian.org/sid/thunderbird) that may be reused.

information type: Private Security → Public Security
Changed in thunderbird (Ubuntu):
status: New → Confirmed
Sam Van den Eynde (samvde) wrote :

The flatpak build got 60 and was reverted back within days. It is still on 52.x...

I had been and would be cautious. See https://github.com/flathub/org.mozilla.Thunderbird/issues/46.

adasiko (adasiko256) wrote :

https://www.thunderbird.net/en-US/thunderbird/60.2.1/releasenotes/

> Version 60.2.1, first offered to channel users on October 2, 2018. Thunderbird version 60.2.1 provides an automatic update from Thunderbird version 52. Note that Thunderbird version 60.1.0 and 60.2.0 were skipped.

Jalon Funk (francescohickle15) wrote :

To add to above: https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/

> Thunderbird version 60.0 is only offered as direct download from thunderbird.net and not as upgrade from Thunderbird version 52 or earlier. A future version 60.1 will provide updates from earlier versions.

This means that until 60.2.1, upgrades from older versions weren't fully supported by upstream. Only now has it changed.

Robie Basak (racb) wrote :

Looking at the upstream security advisory linked, I can't find any CVEs that are still open in Ubuntu. I checked all the ones categorised by upstream as Critical or High, and Ubuntu's CVE database shows them all as having fixes published in Ubuntu already.

It seems to me that this is therefore not a security issue.

Please confirm by looking for a CVE that isn't fixed by examining Ubuntu's CVE Tracker at https://people.canonical.com/~ubuntu-security/cve/. If you can find a CVE number that is specifically not fixed, then please highlight that here. Going just on the basis of the version number is not sufficient and is an FAQ item: https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

Martin (martinitram) wrote :

@Robie Basak (racb): You are partly right that some security bugs have been fixed in the Thunderbird 52.9.1 packages in Ubuntu (I hadn't seen that). I also checked the CVEs, but it seems that at least three "critical" or "high" security bugs are not yet fixed in Ubuntu's Thunderbird:

Security vulnerabilities fixed in Thunderbird 60 (https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/):

1. CVE-2018-5156 (Media recorder segmentation fault when track type is changed during, https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5156.html) is only fixed in Firefox.

2. CVE-2018-12361 (Integer overflow in SwizzleData, https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12361.html) is only fixed in Firefox.

Security vulnerabilities fixed in Thunderbird 60.2.1 (https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/)

3. CVE-2018-12377 (Use-after-free in refresh driver timers, https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12377.html) is only fixed in Firefox; Thunderbird is "needs-triage".
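The check Robie asks for above (per-CVE status in Ubuntu's tracker rather than the package version) and the "only fixed in Firefox" comparison Martin did by hand can be scripted. This is an added example, not code from the thread or from Ubuntu's tools; it assumes the tracker's per-CVE text layout (Candidate:, then <release>_<package>: <status> (<note>) lines), and the statuses and the CVE-0000-0000 id in the sample are constructed placeholders, not real tracker data.

```python
import re
# Constructed sample in the style of ubuntu-cve-tracker's per-CVE text files (the
# format is an assumption; statuses and CVE-0000-0000 are placeholders, not tracker data).
SAMPLE_TRACKER = """\
Candidate: CVE-2018-5156
bionic_firefox: released
bionic_thunderbird: needed

Candidate: CVE-2018-12361
bionic_firefox: released
bionic_thunderbird: needs-triage

Candidate: CVE-2018-12377
upstream_thunderbird: released (60.2.1)
bionic_firefox: released
bionic_thunderbird: needs-triage

Candidate: CVE-0000-0000
bionic_firefox: released
bionic_thunderbird: released (1:52.9.1+build3-0ubuntu0.18.04.1)
"""
# Tracker statuses under which a release carries no open exposure.
FIXED_STATES = {"released", "not-affected", "DNE"}
STATUS_RE = re.compile(r"^(\S+)(?:\s+\((.*)\))?$")

def parse_tracker(text):
    """Map CVE id -> {'<release>_<package>': (status, note)}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in block.splitlines() if ":" in line)
        cve = fields.pop("Candidate").strip()
        statuses = {}
        for key, value in fields.items():
            if "_" in key:  # Priority, PublicDate, ... are not per-release statuses
                m = STATUS_RE.match(value.strip())
                statuses[key] = (m.group(1), m.group(2) or "")
        entries[cve] = statuses
    return entries

def open_cves(entries, release, package):
    """CVEs whose status for <release>_<package> is not a fixed state."""
    key = f"{release}_{package}"
    return {cve: st[key][0] for cve, st in entries.items()
            if key in st and st[key][0] not in FIXED_STATES}

def fixed_only_in(entries, release, fixed_pkg, other_pkg):
    """CVEs fixed for fixed_pkg but still open for other_pkg in the same release."""
    fk, ok = f"{release}_{fixed_pkg}", f"{release}_{other_pkg}"
    return sorted(cve for cve, st in entries.items() if fk in st and ok in st
                  and st[fk][0] in FIXED_STATES and st[ok][0] not in FIXED_STATES)
```

Running `fixed_only_in(parse_tracker(SAMPLE_TRACKER), "bionic", "firefox", "thunderbird")` on the sample yields the three CVEs listed above, which is the list worth raising with the security team instead of a bare version number.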

This report contains Public Security information: everyone can see this security related information.
