Slow Thunderbird updates endanger users

Hello dear Desktop team!

The latest Thunderbird update, 91.6.1, prepared since 14.02.2022 in the Mozilla Security PPA and already published to jammy, closes a high risk security issue, CVE-2022-0566. Just receiving a malicious email, without opening it, is enough to be attacked. That is the highest possible threat. What is the reason for not pushing the button to publish the long prepared packages into bionic, focal and impish as well? When will this happen?

Thank you for your work and kind regards

usr11elf

1 Like

Moved from the Desktop section to the Security section since this seems to be a question specifically about a published CVE.

4 Likes

I believe @oSoMoN is already working on this for the various Ubuntu releases (I can see it in the PPA already - https://launchpad.net/~ubuntu-mozilla-security/+archive/ubuntu/ppa/+packages) - so if you want you can always try installing it from there before it gets officially published for Ubuntu.

Otherwise you could try installing the snap which is already at 91.6.1 and use this instead as this is able to be updated more frequently (since it doesn’t suffer the same issues around outdated toolchains etc which can occur for the older LTS releases of Ubuntu which then causes delays in getting these updates published).

4 Likes

This is exactly the PPA I meant. The packages there are successfully built for all still supported target systems and one is already published to jammy, so - that is my question - why not push them immediately to protect all the users out there? It is not only important for me personally (knowing the alternative methods) but for the masses who do not know them, or even that they are threatened at all. Using the Debian packages from the repositories is the standard way users have (pre!)installed their Thunderbird.

Could you please ping oSoMoN and ask him to push the packages or to explain why it is not possible at the moment?

Thank you!

Hi usr11elf, and thanks for sharing your concerns. You are right that we’re lagging behind, and this is a potential security problem.

Building updates in the ubuntu-mozilla-security PPA is only one part of the process. After updates are built, they need to be tested and validated on all supported Ubuntu releases, after which the security team sponsors them into the respective security pockets. This is a time-consuming process, which explains (but doesn’t excuse) the delay between a new upstream release and its availability in Ubuntu.

On this specific version, there is a new upstream release candidate (91.7.0) that is currently building in the PPA; we will do our best to get it on everyone’s machine as soon as possible.

3 Likes

Hi Olivier,

For Jammy, the plan is to stick to deb or switch to snap for TB?
I mean (too), will TB deb be upgraded as snap will be?

I switched back to TB deb in Jammy since it’s up to date (I run 91.7.0!) but I don’t know if I will have to roll back to snap to get updates/upgrades on time.

Hi oSoMoN, thanks for your kind words and the insight into the process of building and publishing of packages.

Is the mentioned release candidate, 91.7.0, similarly critical in terms of security? If not, is it a good decision to stop the (I hope nearly finished) delivery process of Thunderbird 91.6.1 now and further delay the delivery of the fix for CVE-2022-0566?

2 Likes

Hi oSoMoN,

besides the question above whether it was the right decision to further delay the delivery of the fix for CVE-2022-0566, why is it taking significantly longer than pushing a new Firefox (major) version (normally within a week, similar software stack)?

The current problem is that I have to tell my relatives and friends (that I brought to Ubuntu) how to act in this situation. As a workaround they are using the web UI for checking their accounts now, which is very uncomfortable (especially for more than one account), and they are getting impatient. Can the period “as soon as possible” be narrowed down a little bit? Are we talking about a few days, next week, longer?

Thank you for your hard work!

Hi everybody!

Another 10 days later we not only have the same situation but even worse:
The interim Thunderbird version 91.6.2 fixes another two critical bugs that are not marked as being exploitable in web context only, so they also seem dangerous.
The already prepared 91.7.0 packages would fix them all and even more (some new web context bugs) but are still not published.

Why does it take significantly longer to publish these than Firefox packages?

We should quickly move on to discussing measures to defuse the situation and not just sit it out any longer.
What can be done quickly and what for 22.04?

Does anyone care about safety here or is this the wrong platform to discuss?

I use TB snap and it’s up to date.
I understand your concerns but from a pragmatic POV the only way is to use the snap.

1 Like

Personally, I use the Mozilla Security PPA to pick these updates up sooner

It’s not an ideal answer, and it would be nice to get the debs sooner by default, I agree 100%, but this has worked well for me.

1 Like

Ok, we are POSITIVE, there are solutions.

BUT, as a long time Ubuntu user, I feel it’s not a good practice to deliver such security-critical software as TB and not propose security updates on time.

If Ubuntu is not able to do that, I do not judge this - Ubuntu is free, maybe the point would be to not keep TB in the repository, to force users to use an up to date version (snap or Mozilla PPA, whatever)?

Not everybody cares about its TB versions. My wife never will, e.g. :innocent: (So she uses webmail.)

1 Like

I thank both of you. I am glad others see it the same way!
True, there are the mentioned solutions, snap package and PPA. Unfortunately they only help us. We know how to include a PPA, how to install a snap package and migrate data, that there is an action needed at all.

But the masses remain threatened and most don’t even know it. They just use the preinstalled Thunderbird and don’t read IT news about security. They trust Ubuntu/Canonical, they trust in their expertise regarding security.

What can be done now?
In the short term, probably only staff from other departments of Canonical can assist to expedite delivery. I still don’t understand the problem - why does it take so much longer than publishing Firefox packages, even of major versions?

What can be done for 22.04?
If sufficient capacities cannot be built up, I see the following options as well:
a) Replace the Debian package with the snap package, similar to Chromium and Firefox.
b) Remove the Thunderbird Debian package from the standard repositories. Offer another (better supported) or no preinstalled mail client.

Safety comes first, so it’s better not to offer a Debian package at all than an insecure one and let people think they are safe.

37 days passed since Thunderbird 91.6.1 packages were prepared and would close CVE-2022-0566.
20 days passed since Thunderbird 91.7.0 packages were prepared and would close CVE-2022-0566 and two more critical issues (CVE-2022-26485, CVE-2022-26486).

oSoMoN built the Thunderbird packages soon after the corresponding versions appeared, so the delay is in the testing and approval process.
So far it has not been answered why testing and approving Firefox packages of similar technology is happening much much faster.

What can we do to resolve this intolerable situation?
Who can we contact to escalate this or to help with tests etc.?
@oSoMoN @alexmurray @sabdfl ?

Ubuntu’s reputation is at stake, but most of all, most users of Thunderbird are threatened, so what can be done immediately?

FYI Thunderbird 91.7.0 was released for 18.04, 20.04 and 21.10 earlier today - https://ubuntu.com/security/notices/USN-5345-1

@usr11elf Indeed the delay is in the testing and approval process - and unfortunately this takes a certain amount of time. Firefox is given higher priority than Thunderbird because it is a lot more popular than Thunderbird is seeded on the desktop media - and is the default web browser for Ubuntu. With the rise of web-based mail services like gmail etc, desktop email clients have become a lot less popular than they were 10-20 years ago. Thunderbird has not been seeded in the desktop image since before 18.04 LTS as a reflection of this as generally users are not using desktop email clients - most just use the web browser to access their webmail.

As such, testing etc of Firefox updates (and other desktop packages seeded on the desktop image etc) are prioritised over Thunderbird so in general Thunderbird updates will lag behind Firefox updates. Unfortunately in a world where new security issues are found daily across the vast array of software that is distributed in Ubuntu, there is a constant stream of security updates which need to be prepared, tested and released by a finite number of developers. The security and desktop teams have to prioritise which packages to target and so we prefer to take the approach of protecting the greatest number of users as possible by updating the packages that are most used first. Hence why unfortunately Thunderbird updates generally will come later - there are just a lot more users of Firefox (and many other applications) than Thunderbird.

If you are still concerned, the immediate steps you could take would be to either:

  1. Consume the pre-release updates from the Mozilla Security PPA - but note these have not gone through the full validation so may have stability or other issues
  2. Switch to the Thunderbird snap - this is generally more up-to-date as it can use the same set of dependencies across all releases and so doesn’t get held up when Mozilla decide to depend on newer technologies/packages than are available on older Ubuntu releases like 18.04
  3. Switch to using the binaries provided by Mozilla
2 Likes
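
The post above lists three ways to get a fixed build ahead of the archive. Before or after taking any of them, the practical question on a given machine is "is the installed Thunderbird deb already at or above the version USN-5345-1 names (91.7.0), and which configured sources offer a fixed build?". The following script is an added example, not code from the thread or from Ubuntu; it parses the output of `apt-cache policy thunderbird` and implements the Debian version-ordering rules (epoch, upstream, revision, `~` sorting before empty) so the comparison matches what `dpkg --compare-versions` would say. The `SAMPLE_POLICY` text, including the PPA URL and the `+buildN` version layout, is constructed to look like a 20.04 host and was not captured from a real system.

```python
"""Added example (not from the thread): check whether the installed Thunderbird
deb carries the USN-5345-1 fix (upstream 91.7.0) and which sources offer a fixed
build, by parsing `apt-cache policy thunderbird` output."""
import re
import subprocess

# Upstream version named in USN-5345-1 (fixes CVE-2022-0566, CVE-2022-26485, CVE-2022-26486).
FIXED_UPSTREAM = "91.7.0"

# Constructed sample: pre-fix package installed, fixed build offered by both
# focal-security and the ubuntu-mozilla-security PPA (hypothetical host, not captured).
SAMPLE_POLICY = """\
thunderbird:
  Installed: 1:91.5.0+build1-0ubuntu0.20.04.1
  Candidate: 1:91.7.0+build2-0ubuntu0.20.04.1
  Version table:
     1:91.7.0+build2-0ubuntu0.20.04.1 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        500 https://ppa.launchpadcontent.net/ubuntu-mozilla-security/ppa/ubuntu focal/main amd64 Packages
 *** 1:91.5.0+build1-0ubuntu0.20.04.1 100
        100 /var/lib/dpkg/status
"""

_VERSION_LINE = re.compile(r"^\s*(?:\*\*\*\s+)?(\S+)\s+-?\d+$")   # "   1:91.7.0+... 500"
_ORIGIN_LINE = re.compile(r"^\s*-?\d+\s+(\S+)(?:\s+(\S+))?")       # "   500 http://... focal-security/main ..."


def parse_policy(text):
    """Return (installed, candidate, {version: [origin, ...]}) from apt-cache policy output."""
    installed = candidate = None
    table, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Installed:\s*(\S+)", line)
        if m:
            installed = None if m.group(1) == "(none)" else m.group(1)
            continue
        m = re.match(r"\s*Candidate:\s*(\S+)", line)
        if m:
            candidate = None if m.group(1) == "(none)" else m.group(1)
            continue
        m = _VERSION_LINE.match(line)
        if m:
            current = m.group(1)
            table.setdefault(current, [])
            continue
        m = _ORIGIN_LINE.match(line)
        if m and current:
            # "url suite/component" for archives, bare path for the dpkg status file
            table[current].append(" ".join(p for p in m.groups() if p))
    return installed, candidate, table


def _order(c):
    """dpkg character ordering: '~' < end-of-string < letters < everything else."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        ac = _order(a[i]) if i < len(a) else 0
        bc = _order(b[i]) if i < len(b) else 0
        if ac != bc:
            return -1 if ac < bc else 1
    return 0


def _cmp_fragment(a, b):
    """Compare two version fragments the way dpkg does: alternate non-digit and numeric runs."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0


def split_version(v):
    """'1:91.7.0+build2-0ubuntu0.20.04.1' -> (1, '91.7.0+build2', '0ubuntu0.20.04.1')."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1 like dpkg --compare-versions."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def meets_fix(v, fixed_upstream=FIXED_UPSTREAM):
    """True when the package's upstream part is at or above the fixed upstream version."""
    return _cmp_fragment(split_version(v)[1], fixed_upstream) >= 0


def assess(policy_text, fixed_upstream=FIXED_UPSTREAM):
    installed, candidate, table = parse_policy(policy_text)
    return {
        "installed": installed,
        "candidate": candidate,
        "installed_fixed": installed is not None and meets_fix(installed, fixed_upstream),
        "candidate_fixed": candidate is not None and meets_fix(candidate, fixed_upstream),
        "fixed_origins": sorted({o for v, origins in table.items()
                                 if meets_fix(v, fixed_upstream) for o in origins}),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_POLICY))          # offline run on the constructed sample
    try:                                  # then the real host, if apt is present
        out = subprocess.run(["apt-cache", "policy", "thunderbird"],
                             capture_output=True, text=True, check=True).stdout
        print(assess(out))
    except (OSError, subprocess.CalledProcessError):
        print("apt-cache not available on this host")
```

On the constructed sample the result reports the installed build as not fixed, the candidate as fixed, and both focal-security and the PPA as origins of a fixed build; `installed_fixed` flipping to true after `apt upgrade` is the check worth scripting for the relatives and friends mentioned earlier in the thread. Comparing only the upstream part against `91.7.0` deliberately ignores the Ubuntu revision suffix, so a `+build2` rebuild or a later `0ubuntu0.20.04.2` revision still counts as fixed.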

As a small follow up on the previous post after talking to Alex, he made an error while checking but thunderbird is still installed by default on the desktop image. That doesn’t change the rationale though; firefox has more users and is more sensitive so gets higher priority in testing.

One change that would help with getting thunderbird updates out in a more timely manner is for us to switch to the snap, and that’s something we will investigate in the next cycles.

3 Likes

Thanks for the clarification @seb128 - apologies - I will strike out the incorrect parts of the original reply to try and avoid the confusion.

To be complete, what are the problems that cause TB not to be migrated to snap?

I remember the first times of TB snap… @seb128
I reinstalled TB snap back from deb in Jammy recently, it was so straightforward (apart from copy/paste of the profile).

1 Like