Bug#1033188: unblock: thunderbird/1:102.9.0-1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1033188: unblock: thunderbird/1:102.9.0-1
From: Carsten Schoenert <c.schoenert@t-online.de>
Date: Sun, 19 Mar 2023 10:11:28 +0100
Message-id: <[🔎] 167921708820.896022.17545830449007869453.reportbug@i7.cruise.homelinux.net>
Reply-to: Carsten Schoenert <c.schoenert@t-online.de>, 1033188@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: thunderbird@packages.debian.org
Control: affects -1 + src:thunderbird

Please unblock package thunderbird

[ Reason ]
A new upstream release of the Thunderbird ESR series did happen that fixes a
few CVE vulnerabilities.

[ Impact ]
Debian testing/bullseye would stick with version 102.8.0.

[ Tests ]
Even if the autopkgtests are marked superficial the main test did show
that Thunbderbird is able to start and is picking up the global settings
from /etc/thunderbird.
Besides that I tested the new version a lot on alocal basis.

[ Risks ]
We are in the middle of the ESR releases and upstream change are now a
lot less deep and agressive than on a start of a new ESR series.
stable-security and also oldstable-security already are using 102.9.0 as
actual version.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing (only for the
      debian/folder)

[ Other info ]
The modifications for the source are quite big as usual but are going in
parallel with firefox-esr due the same sorce code base. Please see further down
for a diff of the chnages on the debian side.
Basically only the Standards-Version was changed.

unblock thunderbird/1:102.9.0-1

$ git diff debian/1%102.8.0-1 debian/
diff --git a/debian/changelog b/debian/changelog
index b1c0dd97102..340fa97407c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+thunderbird (1:102.9.0-1) unstable; urgency=medium
+
+  * [ad8cc7c] New upstream version 102.9.0
+    Fixed CVE issues in upstream version 102.9 (MFSA 2023-11):
+    CVE-2023-25751: Incorrect code generation during JIT compilation
+    CVE-2023-28164: URL being dragged from a removed cross-origin iframe
+                    into the same tab triggered navigation
+    CVE-2023-28162: Invalid downcast in Worklets
+    CVE-2023-25752: Potential out-of-bounds when accessing throttled streams
+    CVE-2023-28176: Memory safety bugs fixed in Thunderbird 102.9
+  * [b0a22c0] d/control: Increase Standards-Version to 4.6.2
+    No further changes needed.
+
+ -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 15 Mar 2023 19:54:53 +0100
+
 thunderbird (1:102.8.0-1) unstable; urgency=medium
 
   * [b130936] New upstream version 102.8.0
diff --git a/debian/control b/debian/control
index 13c0245e0c8..7f30678cab7 100644
--- a/debian/control
+++ b/debian/control
@@ -60,7 +60,7 @@ Vcs-Git: https://salsa.debian.org/mozilla-team/thunderbird.git -b debian/sid
 Vcs-Browser: https://salsa.debian.org/mozilla-team/thunderbird/commits/debian/sid/
 Homepage: https://www.thunderbird.net/
 X-Debian-Homepage: http://wiki.debian.org/Thunderbird
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 
 Package: thunderbird
 Architecture: amd64 arm64 i386 mips64el ppc64el s390x ppc64

Reply to:

Follow-Ups:
- Processed: unblock: thunderbird/1:102.9.0-1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1033188: marked as done (unblock: thunderbird/1:102.9.0-1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: unblock: thunderbird/1:102.9.0-1
Next by Date: Bug#1033189: unblock: girara/0.4.0-1
Previous by thread: Processed: unblock: flask-security/5.1.2-1
Next by thread: Processed: unblock: thunderbird/1:102.9.0-1
Index(es):
- Date
- Thread