Bug#1033188: unblock: thunderbird/1:102.9.0-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: thunderbird@packages.debian.org
Control: affects -1 + src:thunderbird
Please unblock package thunderbird
[ Reason ]
A new upstream release of the Thunderbird ESR series did happen that fixes a
few CVE vulnerabilities.
[ Impact ]
Debian testing/bullseye would stick with version 102.8.0.
[ Tests ]
Even if the autopkgtests are marked superficial, the main test did show
that Thunderbird is able to start and is picking up the global settings
from /etc/thunderbird.
Besides that I tested the new version a lot on a local basis.
[ Risks ]
We are in the middle of the ESR releases and upstream changes are now a
lot less deep and aggressive than at the start of a new ESR series.
stable-security and also oldstable-security already are using 102.9.0 as
actual version.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing (only for the
debian/folder)
[ Other info ]
The modifications for the source are quite big as usual but are going in
parallel with firefox-esr due to the same source code base. Please see further down
for a diff of the changes on the debian side.
Basically only the Standards-Version was changed.
unblock thunderbird/1:102.9.0-1
$ git diff debian/1%102.8.0-1 debian/
diff --git a/debian/changelog b/debian/changelog
index b1c0dd97102..340fa97407c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+thunderbird (1:102.9.0-1) unstable; urgency=medium
+
+ * [ad8cc7c] New upstream version 102.9.0
+ Fixed CVE issues in upstream version 102.9 (MFSA 2023-11):
+ CVE-2023-25751: Incorrect code generation during JIT compilation
+ CVE-2023-28164: URL being dragged from a removed cross-origin iframe
+ into the same tab triggered navigation
+ CVE-2023-28162: Invalid downcast in Worklets
+ CVE-2023-25752: Potential out-of-bounds when accessing throttled streams
+ CVE-2023-28176: Memory safety bugs fixed in Thunderbird 102.9
+ * [b0a22c0] d/control: Increase Standards-Version to 4.6.2
+ No further changes needed.
+
+ -- Carsten Schoenert <c.schoenert@t-online.de> Wed, 15 Mar 2023 19:54:53 +0100
+
thunderbird (1:102.8.0-1) unstable; urgency=medium
* [b130936] New upstream version 102.8.0
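Review bot: the header line of the new entry keeps urgency=medium even though the entry itself lists five CVE fixes from MFSA 2023-11. If the aim is for these fixes to reach testing quickly, consider urgency=high on a security-driven upload, or add a short line to the entry saying why medium is sufficient. The CVE list is useful for tracking and should stay as it is.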
diff --git a/debian/control b/debian/control
index 13c0245e0c8..7f30678cab7 100644
--- a/debian/control
+++ b/debian/control
@@ -60,7 +60,7 @@ Vcs-Git: https://salsa.debian.org/mozilla-team/thunderbird.git -b debian/sid
Vcs-Browser: https://salsa.debian.org/mozilla-team/thunderbird/commits/debian/sid/
Homepage: https://www.thunderbird.net/
X-Debian-Homepage: http://wiki.debian.org/Thunderbird
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Package: thunderbird
Architecture: amd64 arm64 i386 mips64el ppc64el s390x ppc64
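Review bot: the Standards-Version bump from 4.6.1 to 4.6.2 is the only packaging change in this hunk and is unrelated to the CVE fixes that motivate the upload. The changelog says "No further changes needed", which covers it, but during a freeze it would be cleaner to keep the debdiff limited to the upstream update. As a style point on the context lines, X-Debian-Homepage still uses an http:// URL while Vcs-Browser and Homepage use https://; switching it to https://wiki.debian.org/Thunderbird would make them consistent.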