Bug 1779264

The following Sources of the specfile are not valid URLs so we cannot automatically build the new version for you.  Please use URLs in your Source declarations if possible.

- thunderbird-langpacks-68.3.0-20191203.tar.xz
- thunderbird-mozconfig
- thunderbird-mozconfig-branded
- thunderbird-redhat-default-prefs.js
- lightning-langpacks-68.3.0.tar.xz
- thunderbird.desktop
- thunderbird.sh.in
- thunderbird-symbolic.svg
- thunderbird-wayland.sh.in
- thunderbird-wayland.desktop
- get-calendar-langpacks.sh
- node-stdout-nonblocking-wrapper
- cbindgen-vendor.tar.xz

Latest upstream release: 68.3.1
Current version/release in rawhide: 68.2.2-1.fc32
URL: https://www.thunderbird.net/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy


More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from anitya: https://release-monitoring.org/project/4967/

The following Sources of the specfile are not valid URLs so we cannot automatically build the new version for you.  Please use URLs in your Source declarations if possible.

- thunderbird-langpacks-68.3.1-20191203.tar.xz
- thunderbird-mozconfig
- thunderbird-mozconfig-branded
- thunderbird-redhat-default-prefs.js
- lightning-langpacks-68.3.1.tar.xz
- thunderbird.desktop
- thunderbird.sh.in
- thunderbird-symbolic.svg
- thunderbird-wayland.sh.in
- thunderbird-wayland.desktop
- get-calendar-langpacks.sh
- node-stdout-nonblocking-wrapper
- cbindgen-vendor.tar.xz

Latest upstream release: 68.4.1
Current version/release in rawhide: 68.3.1-1.fc32
URL: https://www.thunderbird.net/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy


More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from anitya: https://release-monitoring.org/project/4967/

The following Sources of the specfile are not valid URLs so we cannot automatically build the new version for you.  Please use URLs in your Source declarations if possible.

- thunderbird-langpacks-68.4.1-20191217.tar.xz
- thunderbird-mozconfig
- thunderbird-mozconfig-branded
- thunderbird-redhat-default-prefs.js
- lightning-langpacks-68.4.1.tar.xz
- thunderbird.desktop
- thunderbird.sh.in
- thunderbird-symbolic.svg
- thunderbird-wayland.sh.in
- thunderbird-wayland.desktop
- get-calendar-langpacks.sh
- node-stdout-nonblocking-wrapper
- cbindgen-vendor.tar.xz

This release contains critical security fixes, so it would be nice to build it as soon as possible:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/

Latest upstream release: 68.4.2
Current version/release in rawhide: 68.4.1-1.fc32
URL: https://www.thunderbird.net/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy


More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from anitya: https://release-monitoring.org/project/4967/

The following Sources of the specfile are not valid URLs so we cannot automatically build the new version for you.  Please use URLs in your Source declarations if possible.

- thunderbird-langpacks-68.4.2-20200113.tar.xz
- thunderbird-mozconfig
- thunderbird-mozconfig-branded
- thunderbird-redhat-default-prefs.js
- lightning-langpacks-68.4.2.tar.xz
- thunderbird.desktop
- thunderbird.sh.in
- thunderbird-symbolic.svg
- thunderbird-wayland.sh.in
- thunderbird-wayland.desktop
- get-calendar-langpacks.sh
- node-stdout-nonblocking-wrapper
- cbindgen-vendor.tar.xz

Latest upstream release: 68.5.0
Current version/release in rawhide: 68.4.1-2.fc32
URL: https://www.thunderbird.net/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy


More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from anitya: https://release-monitoring.org/project/4967/

The following Sources of the specfile are not valid URLs so we cannot automatically build the new version for you.  Please use URLs in your Source declarations if possible.

- thunderbird-langpacks-68.5.0-20200113.tar.xz
- thunderbird-mozconfig
- thunderbird-mozconfig-branded
- thunderbird-redhat-default-prefs.js
- lightning-langpacks-68.5.0.tar.xz
- thunderbird.desktop
- thunderbird.sh.in
- thunderbird-symbolic.svg
- thunderbird-wayland.sh.in
- thunderbird-wayland.desktop
- get-calendar-langpacks.sh
- node-stdout-nonblocking-wrapper
- cbindgen-vendor.tar.xz

RCE Condition in Thunderbird < 68.5 !

Request immediate Upgrade!

GERMAN BSI CERT send an advisory today 12.2.2020:h
(in short: DOS Vector, RCE Vector, IDC Vector )

12.02.2020____________________________________________________________________________________________________
Betroffene Systeme:
Mozilla Firefox < 73
Mozilla Firefox ESR < 68.5
Mozilla Thunderbird < 68.5
____________________________________________________________________________________________________
Empfehlung:
Das BürgerCERT empfiehlt die zeitnahe Installation der vom Hersteller bereitgestellten 
Sicherheitsupdates, um die Schwachstellen zu schließen.
____________________________________________________________________________________________________
Zusammenfassung:

Es bestehen mehrere Schwachstellen in Mozilla Firefox und Mozilla Firefox ESR, sowie in Mozilla 
Thunderbird. Ein Angreifer kann dies ausnutzen, um das Programm zum Absturz zu bringen, um Daten zu 
manipulieren, um Sicherheitsmechanismen zu umgehen, um vertrauliche Daten einzusehen oder 
schädlichen Programmcode auszuführen. Zur erfolgreichen Ausnutzung genügt es, einen bösartigen Link 
anzuklicken bzw. eine E-Mail mit schädlichen Inhalten zu öffnen.

thunderbird-68.5.0-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-2211f3adde

thunderbird-68.5.0-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days