Thunderbird 1.5.0.4

Bug #48084 reported by Bruce Cowan
Affects | Status | Importance | Assigned to | Milestone
mozilla-thunderbird (Ubuntu) | Invalid | High | Martin Pitt |
Hoary | Fix Released | Undecided | Martin Pitt |
Breezy | Fix Released | Undecided | Martin Pitt |
Dapper | Fix Released | Undecided | Martin Pitt |

Bug Description

Bruce Cowan (bruce89-deactivatedaccount) wrote :

I notice that Mozilla no longer publish the CVE numbers they fix, maybe there should be a Mozilla Foundation Security Advisory reference thing on launchpad.

Giuseppe Iuculano (giuseppe-iuculano) wrote :

There are important security issues fixed with this release.

MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

Changed in mozilla-thunderbird:
status: Unconfirmed → Confirmed
Martin Pitt (pitti) wrote :

We'll update dapper to 1.5.0.4 soon.

Changed in mozilla-thunderbird:
assignee: nobody → pitti
Martin Pitt (pitti) wrote :

Dapper security update was just uploaded and will be published soon. Update for Hoary and Breezy is in progress (this requires some more effort, due to the ceased upstream support for 1.0.x).

Changed in mozilla-thunderbird:
status: Confirmed → In Progress
Peter Meiser (meiser79) wrote :

@Martin:

Will mozilla-thunderbird-enigmail be rebuilt? Because now, it's supposed to be uninstalled when trying to upgrade mozilla-thunderbird.

Martin Pitt (pitti) wrote : Re: [Bug 48084] Re: Thunderbird 1.5.0.4

Hi Whoopie,

Whoopie [2006-06-13 9:04 -0000]:
> @Martin:
>
> Will mozilla-thunderbird-enigmail be rebuilt? Because now, it's supposed
> to be uninstalled when trying to upgrade mozilla-thunderbird.

Yes, of course. I already uploaded it an hour ago, it should appear on
the archive soon. As soon as it is out, I'm going to release the USN
email.

Martin Pitt (pitti) wrote :

The problem is that there is a hardware failure on the server that controls mirroring (I was told). Therefore the updated enigmail does not appear on the mirror. Sorry for that, our admins are working on it.

Martin Pitt (pitti) wrote :

Dapper now has updated packages (USN-297-1). Update for hoary and breezy is in the works.

Alan Tam (at) wrote :

mozilla-thunderbird-typeaheadfind does not work after upgrading. It says it is compatible up to 1.5.0.2.

Tyler Willingham (tyler-ubuntu) wrote :

thunderbird-quickfile is not compatible with the new security updated version, and is forced to uninstall.

Martin Pitt (pitti) wrote :

I'll release an update for mozilla-thunderbird to fix typeaheadfind. quickfile is bug 49707, will be fixed soon, too.

Martin Pitt (pitti) wrote :
Changed in mozilla-thunderbird:
status: In Progress → Fix Released
Bruce Cowan (bruce89-deactivatedaccount) wrote :

Added backport details, it was only updated for Dapper, not sure if Breezy and Hoary are going to be fixed.

Changed in mozilla-thunderbird:
status: Fix Released → Rejected
assignee: nobody → pitti
status: Unconfirmed → In Progress
status: Unconfirmed → In Progress
assignee: nobody → pitti
status: Unconfirmed → Fix Released
assignee: nobody → pitti
Martin Pitt (pitti) wrote :

Thanks, Bruce. Usually I use ubuntu-cve for tracking security, but I'm fine with using this bug as well.

Bruce Cowan (bruce89-deactivatedaccount) wrote :

Oh well, can't hurt, it's just that the Firefox bug is like this too.

Martin Pitt (pitti) wrote :

USN-297-3

Changed in mozilla-thunderbird:
status: In Progress → Fix Released
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
