Thunderbird 1.5.0.4

Bug #48084 reported by Bruce Cowan on 2006-06-02
294
Affects Status Importance Assigned to Milestone
mozilla-thunderbird (Ubuntu)
High
Martin Pitt
Hoary
Undecided
Martin Pitt
Breezy
Undecided
Martin Pitt
Dapper
Undecided
Martin Pitt

Bug Description

I notice that Mozilla no longer publish the CVE numbers they fix, mabye there should be a Mozilla Foundation Security Advisory reference thing on launchpad.

There are important security issues fixed with this release.

MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

Changed in mozilla-thunderbird:
status: Unconfirmed → Confirmed
Martin Pitt (pitti) wrote :

We'll update dapper to 1.5.0.4 soon.

Changed in mozilla-thunderbird:
assignee: nobody → pitti
Martin Pitt (pitti) wrote :

Dapper security update was just uploaded and will be published soon. Update for Hoary and Breezy is in progress (this requires some more effort, due to the ceased upstream support for 1.0.x).

Changed in mozilla-thunderbird:
status: Confirmed → In Progress
Whoopie (whoopie79) wrote :

@Martin:

Will mozilla-thunderbird-enigmail be rebuilt? Because now, it's supposed to be uninstalled when trying to upgrade mozilla-thunderbird.

Hi Whoopie,

Whoopie [2006-06-13 9:04 -0000]:
> @Martin:
>
> Will mozilla-thunderbird-enigmail be rebuilt? Because now, it's supposed
> to be uninstalled when trying to upgrade mozilla-thunderbird.

Yes, of course. I already uploaded it an hour ago, it should appear on
the archive soon. As soon as it is out, I'm going to release the USN
email.

Martin Pitt (pitti) wrote :

The problem is that there is a hardware failure on the server that controls mirroring (I was told). Therefore the updated enigmail does not appear on the mirror. Sorry for that, our admins are working on it.

Martin Pitt (pitti) wrote :

Dapper now has updated packages (USN-297-1). Update for hoary and breezy is in the works.

Alan Tam (at) wrote :

mozilla-thunderbird-typeaheadfind does not work after upgrading. It says it is compatible up to 1.5.0.2.

thunderbird-quickfile is not compatible with the new security updated version, and is forced to uninstall.

Martin Pitt (pitti) wrote :

I'll release an update for mozilla-thunderbird to fix typeaheadfind. quickfile is bug 49707, will be fixed soon, too.

Martin Pitt (pitti) wrote :
Changed in mozilla-thunderbird:
status: In Progress → Fix Released

Added backport details, it was only updated for Dapper, not sure if Breezy and Hoary are going to be fixed.

Changed in mozilla-thunderbird:
status: Fix Released → Rejected
assignee: nobody → pitti
status: Unconfirmed → In Progress
status: Unconfirmed → In Progress
assignee: nobody → pitti
status: Unconfirmed → Fix Released
assignee: nobody → pitti
Martin Pitt (pitti) wrote :

Thanks, Bruce. Usually I use ubuntu-cve for tracking security, but I'm fine with using this bug as well.

Oh well, can't hurt, it's just that the Firefox bug is like this too.

Martin Pitt (pitti) wrote :

USN-297-3

Changed in mozilla-thunderbird:
status: In Progress → Fix Released
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers