[Desktop-packages] [Bug 2029913] Re: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL)
@Rico: I left CVE-2023-5174 and CVE-2023-5168 out on purpose because according to Mozilla these two vulnerabilities only affect Windows users. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/2029913 Title: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL) Status in thunderbird package in Ubuntu: Confirmed Bug description: [ Impact ] * The Thunderbird 102.x series has its final release (12.15.0) planned for release on August 30th. After that, the 102.x series will no longer receive critical security updates. Due to the size and complexity of the Mozilla/Thunderbird codebase, it is extremely unlikely that the Ubuntu team could take on the task of backporting patches to new security issues once official support for the 102.x series has ended. * Updating to Thunderbird 115.x in all currently-supported Ubuntu releases will make sure users stay secure. * It should be noted that 115.x does make changes to the interface. While all these changes are ostensibly for the better, normally this level of change would disqualify an application from getting SRUed. However, running an EOL email client is a security/privacy risk to users that can't be ignored. * Official post detailing the interface changes: https://www.thunderbird.net/en-US/thunderbird/115.0/whatsnew/ * Official changelog for 115.0 release: https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/ * Official changelog for 115.1 bugfix release: https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/ [ Test Plan ] Not sure, I'm just a user [ Where problems could occur ] * New major release, usual concerns apply [ Other Info ] * I'm guessing that this SRU was already planned to happen eventually, but since I couldn't find an official request, here we are To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2029913/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 2029913] Re: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL)
Now we have reached the point, from which security vulnerabilities rated as "high" will stay unfixed in Thunderbird 102! https://www.mozilla.org/en-US/security/advisories/mfsa2023-43/ The CVEs CVE-2023-5169, CVE-2023-5171 and CVE-2023-5176 got fixed in Thunderbird 115.3 but stay open in TB 102. So please don't wait any longer and push TB 115.3! ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5169 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5171 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5176 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4045 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4046 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4047 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4048 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4049 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4050 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4054 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4055 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4056 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4573 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4574 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4575 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4576 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4581 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4584 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4863 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/2029913 Title: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL) Status in thunderbird package in Ubuntu: Confirmed Bug description: [ Impact ] * The Thunderbird 102.x series has its final release (12.15.0) planned for release on August 30th. After that, the 102.x series will no longer receive critical security updates. Due to the size and complexity of the Mozilla/Thunderbird codebase, it is extremely unlikely that the Ubuntu team could take on the task of backporting patches to new security issues once official support for the 102.x series has ended. * Updating to Thunderbird 115.x in all currently-supported Ubuntu releases will make sure users stay secure. * It should be noted that 115.x does make changes to the interface. While all these changes are ostensibly for the better, normally this level of change would disqualify an application from getting SRUed. However, running an EOL email client is a security/privacy risk to users that can't be ignored. * Official post detailing the interface changes: https://www.thunderbird.net/en-US/thunderbird/115.0/whatsnew/ * Official changelog for 115.0 release: https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/ * Official changelog for 115.1 bugfix release: https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/ [ Test Plan ] Not sure, I'm just a user [ Where problems could occur ] * New major release, usual concerns apply [ Other Info ] * I'm guessing that this SRU was already planned to happen eventually, but since I couldn't find an official request, here we are To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2029913/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 2029913] Re: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL)
Thunderbird 102.15.1 and 115.2.2 are out and fix a "critical" issue (CVE-2023-4863) See: https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/ Please push the updates here and to thunderbird-next. Thanks! :) Keep in mind, that this might be the final security fix coming to Thunderbird 102. As I don't see any progress in the color discussion (here and over at mozilla) I'd again push for a transition to 115 in the very near future. Please don't wait until the first unfixed security issue pops up! -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/2029913 Title: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL) Status in thunderbird package in Ubuntu: Confirmed Bug description: [ Impact ] * The Thunderbird 102.x series has its final release (12.15.0) planned for release on August 30th. After that, the 102.x series will no longer receive critical security updates. Due to the size and complexity of the Mozilla/Thunderbird codebase, it is extremely unlikely that the Ubuntu team could take on the task of backporting patches to new security issues once official support for the 102.x series has ended. * Updating to Thunderbird 115.x in all currently-supported Ubuntu releases will make sure users stay secure. * It should be noted that 115.x does make changes to the interface. While all these changes are ostensibly for the better, normally this level of change would disqualify an application from getting SRUed. However, running an EOL email client is a security/privacy risk to users that can't be ignored. * Official post detailing the interface changes: https://www.thunderbird.net/en-US/thunderbird/115.0/whatsnew/ * Official changelog for 115.0 release: https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/ * Official changelog for 115.1 bugfix release: https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/ [ Test Plan ] Not sure, I'm just a user [ Where problems could occur ] * New major release, usual concerns apply [ Other Info ] * I'm guessing that this SRU was already planned to happen eventually, but since I couldn't find an official request, here we are To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2029913/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 2029913] Re: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL)
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4863 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/2029913 Title: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL) Status in thunderbird package in Ubuntu: Confirmed Bug description: [ Impact ] * The Thunderbird 102.x series has its final release (12.15.0) planned for release on August 30th. After that, the 102.x series will no longer receive critical security updates. Due to the size and complexity of the Mozilla/Thunderbird codebase, it is extremely unlikely that the Ubuntu team could take on the task of backporting patches to new security issues once official support for the 102.x series has ended. * Updating to Thunderbird 115.x in all currently-supported Ubuntu releases will make sure users stay secure. * It should be noted that 115.x does make changes to the interface. While all these changes are ostensibly for the better, normally this level of change would disqualify an application from getting SRUed. However, running an EOL email client is a security/privacy risk to users that can't be ignored. * Official post detailing the interface changes: https://www.thunderbird.net/en-US/thunderbird/115.0/whatsnew/ * Official changelog for 115.0 release: https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/ * Official changelog for 115.1 bugfix release: https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/ [ Test Plan ] Not sure, I'm just a user [ Where problems could occur ] * New major release, usual concerns apply [ Other Info ] * I'm guessing that this SRU was already planned to happen eventually, but since I couldn't find an official request, here we are To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2029913/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 2029913] Re: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL later this month)
After the regression reported by Qwerty Chouskie turned out to be expected behavior (https://bugzilla.mozilla.org/show_bug.cgi?id=1849284#c8), I don't see any reason to hold back TB 115.2 Update any longer. @Sebastian: Please don't spend more time on 102.x, when 115.2 is ready and the future of Thunderbird anyway. I'm using the thunderbird-next package on my 20.04.3 machine for some days now without any hassle. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4573 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4574 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4575 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4584 ** Summary changed: - [SRU request] Update Thunderbird to 115.x (as 102.x is EOL later this month) + [SRU request] Update Thunderbird to 115.x (as 102.x is EOL) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/2029913 Title: [SRU request] Update Thunderbird to 115.x (as 102.x is EOL) Status in thunderbird package in Ubuntu: Confirmed Bug description: [ Impact ] * The Thunderbird 102.x series has its final release (12.15.0) planned for release on August 30th. After that, the 102.x series will no longer receive critical security updates. Due to the size and complexity of the Mozilla/Thunderbird codebase, it is extremely unlikely that the Ubuntu team could take on the task of backporting patches to new security issues once official support for the 102.x series has ended. * Updating to Thunderbird 115.x in all currently-supported Ubuntu releases will make sure users stay secure. * It should be noted that 115.x does make changes to the interface. While all these changes are ostensibly for the better, normally this level of change would disqualify an application from getting SRUed. However, running an EOL email client is a security/privacy risk to users that can't be ignored. * Official post detailing the interface changes: https://www.thunderbird.net/en-US/thunderbird/115.0/whatsnew/ * Official changelog for 115.0 release: https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/ * Official changelog for 115.1 bugfix release: https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/ [ Test Plan ] Not sure, I'm just a user [ Where problems could occur ] * New major release, usual concerns apply [ Other Info ] * I'm guessing that this SRU was already planned to happen eventually, but since I couldn't find an official request, here we are To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/2029913/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1895643] Re: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS
I enabled focal-proposed on my testing machine (amd64), updated thunderbird to 1:78.7.1+build1-0ubuntu0.20.04.1 and all went exactly as expected. Thunderbird 78 runs fine so far. No bugs found here. After that I installed tinyjsd and jsunit (not installed before) and also got the expected notice about empty packages. For focal everything seems to be smooth from my side. Have to admit that I don't use PGP. So feedback from that side would be nice too. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/1895643 Title: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS Status in jsunit package in Ubuntu: Invalid Status in thunderbird package in Ubuntu: Fix Released Status in tinyjsd package in Ubuntu: Invalid Status in jsunit source package in Bionic: New Status in thunderbird source package in Bionic: Triaged Status in tinyjsd source package in Bionic: Invalid Status in jsunit source package in Focal: Fix Committed Status in thunderbird source package in Focal: Fix Committed Status in tinyjsd source package in Focal: Fix Committed Status in jsunit source package in Groovy: Invalid Status in thunderbird source package in Groovy: Fix Committed Status in tinyjsd source package in Groovy: Invalid Bug description: Upstream Thunderbird version 78.2.2 should be a candidate for backporting to stable Ubuntu releases. I've successfully built 78.2.1 against both with forcing nodejs version (20.04, 18.04) and disabling AV1 support due to too old nasm (18.04). Attaching debdiffs here. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/jsunit/+bug/1895643/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1895643] Re: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS
Another 10 days without visible movement. Meanwhile the Thunderbird guys released version 78.7. but we are still stuck at Thunderbird 68. :-( -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/1895643 Title: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS Status in thunderbird package in Ubuntu: Fix Released Status in thunderbird source package in Bionic: Triaged Status in thunderbird source package in Focal: Fix Committed Status in thunderbird source package in Groovy: Fix Released Bug description: Upstream Thunderbird version 78.2.2 should be a candidate for backporting to stable Ubuntu releases. I've successfully built 78.2.1 against both with forcing nodejs version (20.04, 18.04) and disabling AV1 support due to too old nasm (18.04). Attaching debdiffs here. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1895643/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1895643] Re: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS
Thank you, Olivier! For those who want to stay up to date - the respective mail thread is here: https://lists.ubuntu.com/archives/technical-board/2021-January/thread.html -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/1895643 Title: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS Status in thunderbird package in Ubuntu: Fix Released Status in thunderbird source package in Bionic: Triaged Status in thunderbird source package in Focal: Fix Committed Status in thunderbird source package in Groovy: Fix Released Bug description: Upstream Thunderbird version 78.2.2 should be a candidate for backporting to stable Ubuntu releases. I've successfully built 78.2.1 against both with forcing nodejs version (20.04, 18.04) and disabling AV1 support due to too old nasm (18.04). Attaching debdiffs here. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1895643/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1895643] Re: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS
@osomon: I already saw the proposed link but anyway thanks for summing up the situation. >From my (user) perspective I like and absolutely agree with the ubuntu principle of not breaking things in favor of chasing higher version numbers but I only see one way out of this dilemma: 'Dropping' those two packages as soon as possible because from your links it seems obvious that they will never be interoperable with newer Thunderbird versions than 68. Has there been any progress in the 50 days since your update got blocked? Looks to me more like a communication problem than a technical problem. Does the SRU team even know that we are desperately waiting for any action from their side? Is there anything else you (or we?) could do to get this ball rolling? Thanks for your time, Olivier! -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/1895643 Title: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS Status in thunderbird package in Ubuntu: Fix Released Status in thunderbird source package in Bionic: Triaged Status in thunderbird source package in Focal: Fix Committed Status in thunderbird source package in Groovy: Fix Released Bug description: Upstream Thunderbird version 78.2.2 should be a candidate for backporting to stable Ubuntu releases. I've successfully built 78.2.1 against both with forcing nodejs version (20.04, 18.04) and disabling AV1 support due to too old nasm (18.04). Attaching debdiffs here. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1895643/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1895643] Re: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS
@osomon: I'd also kindly ask for more information on what's blocking this update. Thunderbird version 68 - which is the standard mail solution shipping with Ubuntu 20.04 right now - is over 6.5 months old. The upstream version got numerous security fixes over the last half year. Doesn't feel good to have to rely on software for communications that stopped getting updates for such a long time. I really don't want to be pushy, because I know Ubuntu is free software, but I'd like to express my worries that this for many users important question (current versions of browser and mail) doesn't have the focus it should have. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/1895643 Title: Backport Thunderbird 78 to 20.04 LTS and 18.04 LTS Status in thunderbird package in Ubuntu: Fix Released Status in thunderbird source package in Bionic: Triaged Status in thunderbird source package in Focal: Fix Committed Status in thunderbird source package in Groovy: Fix Released Bug description: Upstream Thunderbird version 78.2.2 should be a candidate for backporting to stable Ubuntu releases. I've successfully built 78.2.1 against both with forcing nodejs version (20.04, 18.04) and disabling AV1 support due to too old nasm (18.04). Attaching debdiffs here. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1895643/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp