Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package thunderbird

There was again a new ESR release of Thunderbird which fixes, as usual, some CVEs.

[ Reason ]
These CVEs got fixed by the upstream releases of 78.11.0 and 78.12.0.

CVE-2021-29969: IMAP server responses sent by a MITM prior to STARTTLS could be processed
CVE-2021-29970: Use-after-free in accessibility features of a document
CVE-2021-30547: Out of bounds write in ANGLE
CVE-2021-29976: Memory safety bugs fixed in Thunderbird 78.12

[ Impact ]
Users of testing will get excluded from using the newer version with the fixed CVE related issues.

[ Tests ]
The local usage and installation tests didn't show any anomalies, and the autopkgtests also ran successfully.

[ Risks ]
The same risks are given as in the unblock request for 78.11.0-1, but contrary to 78.11.0-1 and the libnss3 library issue, which was worked around by -2, no other new issues come up until then. Thus I expect really no new bug reports due to the new bumped version of Thunderbird.

The upload of 78.12.0-1 to unstable did happen yesterday, even if the new Thunderbird version was released on Tuesday in the past week, as I was offline for a few days due to the various flood catastrophes near my home. You might want to decrease the transition time really only to a few days so we can act quickly enough in case some issues come up.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing

[ Other info ]
Again I'm not attaching a debdiff as, even if a smaller set of upstream modifications did happen, it would be rather big and time-consuming to read.

unblock thunderbird/1:78.12.0-1