Bug#992216: thunderbird: Version 91 available upstream and fixes security problems
Hello, Am 03.09.21 um 11:28 schrieb Dimitris Pitsioris: Thank you for informing me. I did update it and it works. A minor issue I had remains though, but that's not important. Sorry for complaining, but I do not know how ftp masters works. All I know is to check these 2 for new packages in unstable and experimental https://packages.debian.org/unstable/newpkg https://packages.debian.org/experimental/newpkg for me the most practical view for any package is quite always the tracker site. For Thunderbird this can be found on this URL https://tracker.debian.org/pkg/thunderbird Now there is version 1:91.0.2-1 visible for the experimental release. Before you would have found a URL with a link text of "NEW/experimental $(version)" which points to package within the NEW queue. The complete NEW queue itself can be found here: https://ftp-master.debian.org/new.html -- Regards Carsten
Bug#992216: thunderbird: Version 91 available upstream and fixes security problems
Just for the record, the FTP-Masters accepted 1:91.0-1 and 1:91.0.2-1 from the new queue. Should be installable already. -- Regards Carsten
Bug#992216: thunderbird: Version 91 available upstream and fixes security problems
Hi, Am 29.08.21 um 10:27 schrieb jim_p: > Although I agree with what you say about security, please consider uploading > v91 to experimental, like you already do for firefox-esr. For anyone that is > on > 91b5, the upgrade to v91 as stable will come in November, when v78.x will be > eol. have you read really the past communication that was happen in this bug report? It's already explained what is/need to happen and why. Version 91.0.3 is already uploaded to the archive in the between time. As needed for 91.0 this version requires a review from the FTP team. https://ftp-master.debian.org/new/thunderbird_1:91.0.2-1.html > By then, v91 will probably be on 91.3.x and debian's package of 91b5 will > probaly have a few dozens of security holes. No, if you use experimental you are on your own, this isn't a suite intended for daily use, and especially not if personal security is affected. https://wiki.debian.org/DebianExperimental We do support the current ESR version 78.x of Thunderbird long as possible. This will happen at least for the planned versions 78.13 and also 78.14. > Downgrading to 78.x so as not to miss those security updates is not an option > because it will definitely cause issues with a profile made/used in a newer > version. Not even mozilla supports downgrading for that reason! > And no, downgrading to 78.x, deleting profiles etc from 91.x and starting > fresh > is not an option, at least for me. As pointed out, then you are on your own if you haven't a backup of the old profile. The only supported way for packages is done by starting uploading new packages to unstable that migrate to all other suites. For supporting the stable releases there is a process established by the security team. -- Regards Carsten
Bug#992216: thunderbird: Version 91 available upstream and fixes security problems
Package: thunderbird Version: 1:91.0~b5-1 Followup-For: Bug #992216 X-Debbugs-Cc: pitsior...@outlook.com Although I agree with what you say about security, please consider uploading v91 to experimental, like you already do for firefox-esr. For anyone that is on 91b5, the upgrade to v91 as stable will come in November, when v78.x will be eol. By then, v91 will probably be on 91.3.x and debian's package of 91b5 will probaly have a few dozens of security holes. Downgrading to 78.x so as not to miss those security updates is not an option because it will definitely cause issues with a profile made/used in a newer version. Not even mozilla supports downgrading for that reason! And no, downgrading to 78.x, deleting profiles etc from 91.x and starting fresh is not an option, at least for me.
Bug#992216: thunderbird: Version 91 available upstream and fixes security problems
Am 16.08.21 um 12:06 schrieb Demi Marie Obenour: >> such reports have quite never a severity of grave or serious. >> Please have a look (again) at the various types for the severity. > > This seems to fall under the “user security hole” justification, > unless I am missing something. The holes I am aware of aren’t > exploitable if one has `javascript.enabled` turned off in about:config, > but that is not the default. Requests for packaging newer versions so far are always just wishlist bug reports per default. There are only a really small amount of exceptions out there to that rule. Debian is providing Thunderbird packages based on the ESR 78.x version. This release isn't effected by some CVEs that are currently happen to the version 91.x. So there is no security hole. The planned version bump from 78 to 91 is going to be the same as for 68 to 78. We will provide 78.x until approximately TB 91.2 will get released. >> You can see there Thunderbird 91.0 is already uploaded to the archive >> backend, due to new languages, means there are new binary packages, the >> upload is waiting in the NEW queue for approval. > > Any chance of getting it released? It will get automatically released once the FTP masters have reviewed the package and hopefully agree on the introducing into the archive. But it's up to the people within the FTP team to judge on that. -- Regards Carsten Schönert
Bug#992216: thunderbird: Version 91 available upstream and fixes security problems
Package: thunderbird Version: 78 Severity: grave Tags: security Justification: user security hole X-Debbugs-Cc: demioben...@gmail.com, Debian Security Team Dear Maintainer, Mozilla has released Thunderbird 91, which fixes several security holes. Please upgrade the Thunderbird package. -- System Information: Debian Release: 11.0 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.4.136-1.fc25.qubes.x86_64 (SMP w/1 CPU thread) Kernel taint flags: TAINT_OOT_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages thunderbird depends on: ii debianutils 4.11.2 ii fontconfig 2.13.1-4.2 ii libatk1.0-0 2.36.0-2 pn libbotan-2-17 ii libbz2-1.0 1.0.8-4 ii libc62.31-13 ii libcairo-gobject21.16.0-5 ii libcairo21.16.0-5 ii libdbus-1-3 1.12.20-2 pn libdbus-glib-1-2 ii libevent-2.1-7 2.1.12-stable-1 ii libffi7 3.3-6 ii libfontconfig1 2.13.1-4.2 ii libfreetype6 2.10.4+dfsg-1 ii libgcc-s110.2.1-6 ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1 ii libglib2.0-0 2.66.8-1 ii libgtk-3-0 3.24.24-4 ii libicu67 67.1-7 ii libjson-c5 0.15-2 ii libnspr4 2:4.29-1 ii libpango-1.0-0 1.46.2-3 ii libstdc++6 10.2.1-6 ii libvpx6 1.9.0-1 ii libx11-6 2:1.7.2-1 ii libx11-xcb1 2:1.7.2-1 ii libxcb-shm0 1.14-3 ii libxcb1 1.14-3 ii libxext6 2:1.3.3-1.1 ii libxrender1 1:0.9.10-1 ii psmisc 23.4-2 pn x11-utils ii zlib1g 1:1.2.11.dfsg-2 Versions of packages thunderbird recommends: pn myspell-en-us | hunspell-dictionary | myspell-dictionary Versions of packages thunderbird suggests: ii apparmor 2.13.6-10 pn fonts-lyx ii libgssapi-krb5-2 1.18.3-6 pn libgtk2.0-0