Security updates missing after 91.11.0

Bug #1990886 reported by Ras
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
thunderbird (Ubuntu) | Fix Released | High | Olivier Tilloy |

Bug Description

Upstream released Thunderbird 91.11.0 on June 28, 2022.
It's now at 91.13.1 from September 19, 2022. The release notes say:
"By popular demand, Thunderbird 91.13.1 contains important security updates that shipped in Thunderbird 102.2.1. Users are encouraged to update as soon as possible."
Source: https://www.thunderbird.net/en-US/thunderbird/91.13.1/releasenotes/

Ubuntu 22.04 Jammy (but also the other supported LTS) still has Thunderbird 91.11.0 (1:91.11.0+build2-0ubuntu0.22.04.1) without the security fixes after 91.11.0.
The package should be updated to 91.13.1.

Given that it has been three months without security updates, there seems to be some general friction with following upstream.

Eduardo Barretto (ebarretto) wrote :

Hi Olivier,

Do you have any updates on line for thunderbird?
We got a similar question last week on IRC.

information type: Private Security → Public Security
Changed in thunderbird (Ubuntu):
status: New → Confirmed
Olivier Tilloy (osomon) wrote :

Yes, the update to thunderbird 102.2.2 is ready and awaiting validation and publication by the security team.

Changed in thunderbird (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Olivier Tilloy (osomon)
importance: Undecided → High
Rolando Gorgs (rolandogorgs) wrote :

Hello Olivier,

thank you very much for your efforts but I have to bring this up here:
Having "some general friction with following upstream" seems to be an ongoing problem with Thunderbird.

The transition from TB 68 to 78 left users of Ubuntu's latest LTS without security updates for over 6 months
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1895643

From TB 78 to 91 the (un)security gap for (latest) LTS users has been over 4 months
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1949605

and now in the transition between TB 91 and 102 we are already over 3 months without security updates.

All this for what was, at those points in time, the latest Ubuntu LTS. Older LTS have/had to wait even longer for security updates.

At the same time unpatched security vulnerabilities and CVEs are popping up more and more.

I've been watching this misery for years now and I really appreciate Olivier's efforts, but there seems to be something fundamentally wrong here.

Besides browsers, mail clients are the second most exposed user applications and a classic gateway for malware. It is unacceptable that Thunderbird regularly exists unpatched for such long periods of time. This casts a very poor light on Ubuntu's security.

I know that there are optional Snaps but the vast majority of users stick with the pre-installed programs and are led to believe that they will receive regular updates this way. And they should be right about that.

So what can be done to fix this "friction" issue once and for all?

/edit: and how long will it take this time?

Olivier Tilloy (osomon) wrote :

Thunderbird 102.2.2 was finally released to {bionic,focal,jammy}-{updates,security}. Thank you for your patience, and please excuse the delay.

I am now working on the 102.3.1 update.

Changed in thunderbird (Ubuntu):
status: In Progress → Fix Released
John Pye (jdpipe) wrote :

Thank you very much! I just noticed it on my 20.04 system now. However I can no longer access my calendar! This is rather serious! But hopefully it will inspire the add-on developers to catch up...
https://addons.thunderbird.net/en-us/thunderbird/addon/tbsync/

Ras (rasdpm) wrote :

It's starting all over again.

Security issues fixed in 102.3.1, released Sep-28: https://www.mozilla.org/en-US/security/advisories/mfsa2022-43/
Security issues fixed in 102.4, released Oct-18: https://www.mozilla.org/en-US/security/advisories/mfsa2022-46/

Meanwhile, Olivier started working on 102.3.1 about a full month ago. At some point in the pipeline, the progress just stalls. The overall process seems to be too convoluted for a single maintainer to cope with.

Richard Muller (richy80) wrote :

For transition from TB 102.x to 115.x please look here:
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2029913

This report contains Public Security information  
Everyone can see this security related information.