Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#14887 closed enhancement (fixed)

thunderbird-78.9.1

Reported by: Douglas R. Reno Owned by: Tim Tassonis
Priority: normal Milestone: 10.2
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

Change History (8)

comment:1 by Tim Tassonis, 4 months ago

Owner: changed from blfs-book to Tim Tassonis
Status: new → assigned

What’s New

  • Support recipient aliases for OpenPGP encryption. Documentation can be found here.

Fixes

  • The key and signature parts of the message security popup on a received message could not be selected for copy/paste.
  • Various UX and theme improvements
  • Various security fixes

Mozilla Foundation Security Advisory 2021-13 Security Vulnerabilities fixed in Thunderbird 78.9.1

  • CVE-2021-23991: An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key
  • MOZ-2021-23992: A crafted OpenPGP key with an invalid user ID could be used to confuse the user
  • CVE-2021-23993: Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key

comment:2 by Tim Tassonis, 4 months ago

Resolution: fixed
Status: assigned → closed

Fixed in revision 24461.

comment:3 by ken@…, 4 months ago

No security advisory ?

comment:4 by Tim Tassonis, 4 months ago

Sorry, I somehow missed that this now has to be done for any packages containing security fixes. Can you point me to quick instructions on what I have to do?

comment:5 by ken@…, 4 months ago

First you need to follow the git editors guide to clone the lfswww repository.

Within that, the files are in blfs/advisories/

First go to consolidated.html. There is quite a long commented note about what to do. Please read that.

After the comments you will find the latest advisory, with older ones below it. Note that the id link (above the h4 header) starts sa- to make the html validation tool happy, and that emphasis is now shown with <em>...</em> instead of <b> or <i>.

It is often easiest to find an earlier link for the same package - sa-10.1-012 seems a nice short one, you could copy that as a basis (e.g. the links to the books should be correct). In this case the mozilla advisory is mfsa2021-13/ and the severity is Medium.

Change the text as necessary, add cve links to nvd, or else to mitre, if they exist and are informative. In the general case, start searching for other links if nothing was found (for mozilla, the mfsa will normally say something, other vulnerabilities might need a summary of what the problem is).

When you think you have got the consolidated item correct, check it in your browser. If you are doing the edit on your desktop machine, no problem. I keep my repos on my local server and render the books via apache. In my case I need to set files to point to where the books should be rendered, and for advisories and errata I have symlinks pointing to the blfs/advisories/ and blfs/errata/ directories (and also for lfs).

If the new consolidated item looks ok and the links (both external and to the dev books) work, you can then do the second part:

Edit 10.1.html (i.e. the name changes after each release). This is ordered alphabetically, except when I've screwed up, and within the package newest updates come first.

You will see there is a commented <h3>PackageName</h3> as a guide. We now have sa- id's on each item, which allows links to other packages if needed (it is not normally needed). Find where the new advisory belongs, copy the id and h4 from consolidated.html with a note of the problem (often short). Finish with: To fix this (or these) update to PackageName-x.y.z or later. Follow that with a link to the consolidated page (remember to change the link number if copying it).

For thunderbird there is a standard paragraph (italic, using css because it is a whole paragraph) which comes before the newest thunderbird advisory.

We now try to use upstream's preferred capitalization, if there is one.

Take a look at the existing items (and in the general case, perhaps previous existing items in 10.0).

Again, check the file in your browser, and check that the link to consolidated goes to the right item (it should be the first item on the consolidated page).

When ready, push. If I am ever doing a lot, and suspect someone else might be doing something, I try to first do the consolidated, push that to grab the numbers, and then do the rest.

comment:6 by Tim Tassonis, 4 months ago

Ok, I did a security advisory, hope it's ok.

comment:7 by Douglas R. Reno, 4 months ago

Looks good to me, although you might want to adjust:

+    <p>To fix these, update to the BLFS 20210411 git tarball 
+    using the instructions at
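Review bot: the "To fix these" line names a dated BLFS git tarball rather than the package, whereas the guide in comment:5 ends each release-page item with "update to PackageName-x.y.z or later"; for this ticket that would be "update to thunderbird-78.9.1 or later", followed by the link to the consolidated item.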

And replace Updated with Date

comment:8 by ken@…, 4 months ago

Also, the links are labelled CVE-2021-23991, MOZ-2021-23992, CVE-2021-23993 but they all go to https://www.mozilla.org/en-US/security/advisories/mfsa2021-13

It might be simpler to just mention the CVE numbers and then point to 'mfsa2021-13'? Take a look at previous thunderbird advisories.

In general, I think it is often easier to start by copying a previous entry for the *same* package if one exists, then modify as necessary.
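The two checks ken asks for in comment:5 and comment:8 (that the release page's link resolves to an existing sa- item in consolidated.html, and that a link labelled with a CVE number actually points at that CVE rather than a generic advisory page) can be scripted before pushing. The following is an added example, not code from the lfswww repository or from the ticket; it assumes only the structure described above (an element whose id starts with sa- above each h4 in consolidated.html, and href="consolidated.html#sa-..." links from the release page). The two HTML snippets and the sa-10.1-098/099 numbers are constructed sample input.

```python
"""Link-consistency checks for BLFS advisory pages (added example, not project code).

Assumed page structure, taken from the description in the ticket:
  * consolidated.html: each advisory is an element with id="sa-..." above its <h4>.
  * 10.1.html (the release page): each item links to consolidated.html#sa-....
The sample pages below are constructed for the example; the sa- numbers and
CVE links in them are illustrative only.
"""
import re
from html.parser import HTMLParser

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


class _LinkAndIdCollector(HTMLParser):
    """Collect every element id and every (href, link text) pair on a page."""

    def __init__(self):
        super().__init__()
        self.ids = set()
        self.links = []        # list of (href, text)
        self._href = None      # href of the <a> currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if "id" in a:
            self.ids.add(a["id"])
        if tag == "a" and "href" in a:
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def collect(html):
    p = _LinkAndIdCollector()
    p.feed(html)
    return p.ids, p.links


def check_advisory_pages(consolidated_html, release_html):
    """Return a list of problem descriptions; an empty list means both pages are consistent."""
    problems = []
    cons_ids, cons_links = collect(consolidated_html)
    _, rel_links = collect(release_html)

    # comment:5 - every consolidated link from the release page must hit an existing sa- id
    for href, text in rel_links:
        if "consolidated.html#" in href:
            anchor = href.split("#", 1)[1]
            if not anchor.startswith("sa-"):
                problems.append(f"anchor {anchor!r} does not start with sa-")
            elif anchor not in cons_ids:
                problems.append(f"link {text!r} points to missing id {anchor!r}")

    # comment:8 - a link labelled CVE-YYYY-NNNN should resolve to that CVE (nvd/mitre),
    # not to a page whose URL never mentions it
    for href, text in cons_links:
        if CVE_RE.fullmatch(text) and text.lower() not in href.lower():
            problems.append(f"link labelled {text} goes to {href}, which does not mention it")
    return problems


# Constructed sample pages (hypothetical sa- numbers).  The second CVE link below
# reproduces the mistake from comment:8; the release page also links to an
# advisory id that does not exist in consolidated.html.
CONSOLIDATED = """
<div id="sa-10.1-099"><h4>Thunderbird 78.9.1</h4>
<p>Three OpenPGP issues, see
<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-23991">CVE-2021-23991</a> and
<a href="https://www.mozilla.org/en-US/security/advisories/mfsa2021-13/">CVE-2021-23993</a>.</p>
</div>
<div id="sa-10.1-012"><h4>Thunderbird 78.8.0</h4>
<p>See <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/">mfsa2021-09</a>.</p>
</div>
"""

RELEASE = """
<h3>Thunderbird</h3>
<div id="sa-10.1-099"><h4>Thunderbird 78.9.1</h4>
<p>To fix these, update to thunderbird-78.9.1 or later. See
<a href="consolidated.html#sa-10.1-099">the consolidated advisory</a>.</p></div>
<p>Older: <a href="consolidated.html#sa-10.1-098">previous item</a>.</p>
"""


def demo():
    """Run the checks over the constructed sample pages."""
    return check_advisory_pages(CONSOLIDATED, RELEASE)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it against the checked-out blfs/advisories/ files by reading them into the two arguments instead of the constructed strings; anything it prints is something the browser check in comment:5 would also have caught, but this runs before the push.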
