Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: thunderb...@packages.debian.org
Control: affects -1 + src:thunderbird

Please unblock package thunderbird

[ Reason ]
A new upstream release of the Thunderbird ESR series did happen that fixes a few CVE vulnerabilities.

[ Impact ]
Debian testing/bullseye would stick with version 102.8.0.

[ Tests ]
Even if the autopkgtests are marked superficial the main test did show that Thunderbird is able to start and is picking up the global settings from /etc/thunderbird. Besides that I tested the new version a lot on a local basis.

[ Risks ]
We are in the middle of the ESR releases and upstream changes are now a lot less deep and aggressive than at the start of a new ESR series. stable-security and also oldstable-security already are using 102.9.0 as actual version.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing (only for the debian/folder)

[ Other info ]
The modifications for the source are quite big as usual but are going in parallel with firefox-esr due to the same source code base. Please see further down for a diff of the changes on the debian side. Basically only the Standards-Version was changed.

unblock thunderbird/1:102.9.0-1

$ git diff debian/1%102.8.0-1 debian/ diff --git a/debian/changelog b/debian/changelog index b1c0dd97102..340fa97407c 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,18 @@ +thunderbird (1:102.9.0-1) unstable; urgency=medium + + * [ad8cc7c] New upstream version 102.9.0 + Fixed CVE issues in upstream version 102.9 (MFSA 2023-11): + CVE-2023-25751: Incorrect code generation during JIT compilation + CVE-2023-28164: URL being dragged from a removed cross-origin iframe + into the same tab triggered navigation + CVE-2023-28162: Invalid downcast in Worklets + CVE-2023-25752: Potential out-of-bounds when accessing throttled streams + CVE-2023-28176: Memory safety bugs fixed in Thunderbird 102.9 + * [b0a22c0] d/control: Increase Standards-Version to 4.6.2 + No further changes needed. + + -- Carsten Schoenert <c.schoen...@t-online.de> Wed, 15 Mar 2023 19:54:53 +0100 + thunderbird (1:102.8.0-1) unstable; urgency=medium * [b130936] New upstream version 102.8.0 diff --git a/debian/control b/debian/control index 13c0245e0c8..7f30678cab7 100644 --- a/debian/control +++ b/debian/control @@ -60,7 +60,7 @@ Vcs-Git: https://salsa.debian.org/mozilla-team/thunderbird.git -b debian/sid Vcs-Browser: https://salsa.debian.org/mozilla-team/thunderbird/commits/debian/sid/ Homepage: https://www.thunderbird.net/ X-Debian-Homepage: http://wiki.debian.org/Thunderbird -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Package: thunderbird Architecture: amd64 arm64 i386 mips64el ppc64el s390x ppc64
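Review bot: in the debian/changelog hunk, the header of the new 1:102.9.0-1 entry keeps urgency=medium although the body lists five CVE fixes from MFSA 2023-11. If the intent is for the security fixes to reach testing quickly once unblocked, urgency=high is the usual signal for a security upload; if medium is deliberate, a short remark in the entry would make that clear to the release team.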
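Review bot: in the debian/control hunk, the Standards-Version bump from 4.6.1 to 4.6.2 is unrelated to the CVE fixes that motivate this upload, and it is the only Debian-side change besides the changelog. For an upload made during the freeze it would be cleaner to leave packaging metadata untouched and defer the bump to a later upload, so that the debian/ debdiff consists of the changelog entry alone; if it stays, the existing "No further changes needed." line in the changelog is the right place for it and already covers the documentation.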