Opened 4 months ago
Closed 4 months ago
Last modified 4 months ago
New point version
Mozilla Foundation Security Advisory 2021-13
Security Vulnerabilities fixed in Thunderbird 78.9.1
Fixed in revision 24461.
No security advisory?
Sorry, I somehow missed that this now has to be done for any packages containing security fixes. Can you point me to quick instructions on what I have to do?
First you need to follow the git editors guide to clone the lfswww repository.
Within that, the files are in blfs/advisories/
First go to consolidated.html. There is quite a long commented note about what to do.
Please read that.
After the comments you will find the latest advisory, with older ones below it. Note that the id link (above the h4 header) starts sa- to make the html validation tool happy, and that emphasis is now shown with <em>...</em> instead of <b> or <i>.
It is often easiest to find an earlier link for the same package - sa-10.1-012 seems a nice short one, you could copy that as a basis (e.g. the links to the books should be correct). In this case the mozilla advisory is mfsa2021-13/ and the severity is Medium.
Change the text as necessary, add cve links to nvd, or else to mitre, if they exist and are informative. In the general case, start searching for other links if nothing was found (for mozilla, the mfsa will normally say something, other vulnerabilities might need a summary of what the problem is).
When you think you have got the consolidated item correct, check it in your browser. If you are doing the edit on your desktop machine, no problem. I keep my repos on my local server and render the books via apache. In my case I need to set files to point to where the books should be rendered, and for advisories and errata I have symlinks pointing to the blfs/advisories/ and blfs/errata/ directories (and also for lfs).
If the new consolidated item looks ok and the links (both external and to the dev books) work, you can then do the second part:
Edit 10.1.html (i.e. the name changes after each release). This is ordered alphabetically, except when I've screwed up, and within the package newest updates come first.
You will see there is a commented <h3>PackageName</h3> as a guide. We now have sa- id's on each item, which allows links to other packages if needed (it is not normally needed).
Find where the new advisory belongs, copy the id and h4 from consolidated.html with a note of the problem (often short). Finish with: To fix this (or these) update to PackageName-x.y.z or later. Follow that with a link to the consolidated page (remember to change the link number if copying it).
For thunderbird there is a standard paragraph (italic, using css because it is a whole paragraph) which comes before the newest thunderbird advisory.
We now try to use upstream's preferred capitalization, if there is one.
Take a look at the existing items (and in the general case, perhaps previous existing items in 10.0).
Again, check the file in your browser, and check that the link to consolidated goes to the right item (it should be the first item on the consolidated page).
When ready, push. If I am ever doing a lot, and suspect someone else might be doing something, I try to first do the consolidated, push that to grab the numbers, and then do the rest.
Ok, I did a security advisory, hope it's ok.
Looks good to me, although you might want to adjust:
+ <p>To fix these, update to the BLFS 20210411 git tarball
+ using the instructions at
And replace Updated with Date
Also, the links are labelled CVE-2021-23991, MOZ-2021-23992,
CVE-2021-23993 but they all go to
It might be simpler to just mention the CVE numbers and then point
to 'mfsa2021-13' ? Take a look at previous thunderbird advisories.
In general, I think it is often easier to start by copying a previous
entry for the *same* package if one exists, then modify as
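
The conventions described in this ticket (ids starting with sa-, `<em>` instead of `<b>`/`<i>`, and CVE link labels that actually lead to that CVE) can be checked mechanically before pushing. The following is an added example, not part of the ticket or of the lfswww repository; the sample fragment, its URLs and the CVE numbers in it are constructed, and the check assumes it is fed a single advisory item.

```python
import re
from html.parser import HTMLParser

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

class AdvisoryLint(HTMLParser):
    """Collect convention violations found in one advisory fragment."""
    def __init__(self):
        super().__init__()
        self.problems = []
        self._href = None   # href of the <a> currently open, if any
        self._label = ""    # text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("b", "i"):
            self.problems.append(f"<{tag}> used; emphasis should be <em>")
        ident = attrs.get("id")
        if ident is not None and not ident.startswith("sa-"):
            self.problems.append(f"id '{ident}' does not start with sa-")
        if tag == "a" and attrs.get("href"):
            self._href, self._label = attrs["href"], ""

    def handle_data(self, data):
        if self._href is not None:
            self._label += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            m = CVE_RE.search(self._label)
            # NVD and MITRE URLs contain the CVE id, so a CVE label whose
            # target lacks it is pointing somewhere else.
            if m and m.group(0) not in self._href:
                self.problems.append(f"{m.group(0)} links to {self._href}")
            self._href = None

def lint(fragment):
    parser = AdvisoryLint()
    parser.feed(fragment)
    parser.close()
    return parser.problems

# Constructed sample: placeholder ids, CVE numbers and hosts.
SAMPLE = """<a id="10.1-999"></a>
<h4>10.1 999 ExamplePackage <b>Updated:</b> 2021-01-01 Medium</h4>
<p>See <a href="https://advisory.example/adv-1/">CVE-0000-0001</a> and
<a href="https://nvd.example/vuln/detail/CVE-0000-0002">CVE-0000-0002</a>.</p>"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

A link that is meant to go to the upstream advisory page passes if it is labelled with the advisory name rather than a CVE number.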