Package Release Info

MozillaThunderbird-45.3.0-9.1

Update Info: openSUSE-2016-1057
Available in Package Hub : 12 GA-SP5

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

MozillaThunderbird
MozillaThunderbird-buildsymbols
MozillaThunderbird-devel
MozillaThunderbird-translations-common
MozillaThunderbird-translations-other

Change Logs

* Tue Aug 30 2016 wr@rosenauer.org
- update to Thunderbird 45.3.0 (boo#991809)
  * Disposition-Notification-To could not be used in
    mail.compose.other.header
  * "edit as new message" on a received message pre-filled the sender
    as the composing identity.
  * Certain messages caused corruption of the drafts summary database.
  security fixes:
  * MFSA 2016-62/CVE-2016-2836
    Miscellaneous memory safety hazards
  * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
    Favicon network connection can persist when page is closed
  * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
    Buffer overflow rendering SVG with bidirectional content
  * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
    Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
  * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
    Stack underflow during 2D graphics rendering
  * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
    Use-after-free when using alt key and toplevel menus
  * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
    Use-after-free in DTLS during WebRTC session shutdown
  * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
    Use-after-free in service workers with nested sync events
  * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
    Scripts on marquee tag can execute in sandboxed iframes
  * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
    Buffer overflow in ClearKey Content Decryption Module (CDM)
    during video playback
  * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
    Type confusion in display transformation
  * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
    Use-after-free when applying SVG effects
  * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
    Same-origin policy violation using local HTML file and saved shortcut file
* Fri Aug 05 2016 pcerny@suse.com
- Fix for possible buffer overrun (bsc#990856)
  CVE-2016-6354 (bmo#1292534)
  [mozilla-flex_buffer_overrun.patch]
* Thu Jul 21 2016 mailaender@opensuse.org
- add a screenshot to appdata.xml
Version: 45.2-6.1
* Thu Jun 30 2016 wr@rosenauer.org
- update to Thunderbird 45.2 (boo#983549)
  Security fixes:
  * CVE-2016-2818, CVE-2016-2815: Memory safety bugs (MFSA2016-49)
- drop mozilla-flexible-array-member-in-union.patch, upstream
* Fri Jun 24 2016 wr@rosenauer.org
- mozilla-binutils-visibility.patch to fix build issues with
  gcc/binutils combination used in Leap 42.2 (boo#984637)
* Thu Jun 23 2016 wr@rosenauer.org
- build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6
  as long as underlying issues have been addressed upstream
  (boo#986162)
* Mon Jun 13 2016 agraf@suse.com
- Fix running on 48bit va aarch64 (bsc#984126)
  - Add patch mozilla-aarch64-48bit-va.patch
* Fri May 27 2016 wr@rosenauer.org
- update to Thunderbird 45.1.1
  * When entering members into a mailing list, the enter key
    dismissed the panel instead of just moving onto the next line
  * Email without HTML elements was sent as HTML, despite
    "Delivery Format: Auto-detect" option
  * Options applied to a template were lost when the template was used
  * Contacts could not be deleted when they were found through a search
  * Views from global searches did not respect
    "mail.threadpane.use_correspondents"
* Wed May 25 2016 badshah400@gmail.com
- The conditional testing for gcc was failing for different
  openSUSE versions, drop it and apply patches unconditionally.
* Tue May 24 2016 badshah400@gmail.com
- Add patches to fix building with gcc >= 6:
  + mozilla-gcc6.patch: patch taken from fedora's git and is
    essentially identical to upstream firefox patch:
    https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
  + mozilla-flexible-array-member-in-union.patch: patch taken
    from upstream bmo#1272649.
* Thu May 12 2016 dimstar@opensuse.org
- Copy the icons to /usr/share/icons instead of symlinking them:
  in preparation for containerized apps (e.g. xdg-app) as well as
  AppStream metadata extraction, there are a couple locations that
  need to be real files for system integration (.desktop files,
  icons, mime-type info).
* Sat May 07 2016 wr@rosenauer.org
- update to Thunderbird 45.1.0 (boo#977333)
  * MFSA 2016-39/CVE-2016-2806/CVE-2016-2807 (boo#977375, boo#977376)
    Miscellaneous memory safety hazards
* Wed Apr 27 2016 badshah400@gmail.com
- For openSUSE > 13.2, the build fails for i586 as it goes out of
  memory. Prevent this from happening by disabing parallel build
  in this particular case (i.e. do not pass
  mk_add_options MOZ_MAKE_FLAGS%{?jobs:-j%jobs}).
* Sat Apr 16 2016 wr@rosenauer.org
- update to Thunderbird 45.0 (boo#969894)
  * Add a Correspondents column combining Sender and Recipient
  * Much better support for XMPP chatrooms and commands
  * Remote content exceptions: Improved options to add exceptions
  * Implement option to always use HTML formatting to prevent
    unexpected format loss when converting messages to plain text
  * Use OpenStreetmap for maps (even allow the user to choose from
    list of map services)
  * Allow spell checking and dictionary selection in the subject line
  * Allow editing of From when composing a message
  * Add dropdown in compose to allow specific setting of font size
  * Return/Enter in composer will now insert a new paragraph by
    default (shift-Enter will insert a line break)
  * Allow copying of name and email address from the message header
    of an email
  * Mail.ru supports OAuth authentication
  * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
    Miscellaneous memory safety hazards
  * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
    Local file overwriting and potential privilege escalation through
    CSP reports
  * MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
    CSP reports fail to strip location information for embedded iframe pages
  * MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
    Linux video memory DOS with Intel drivers
  * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
    Memory leak in libstagefright when deleting an array during MP4
    processing
  * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
    Use-after-free in HTML5 string parser
  * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
    Use-after-free in SetBody
  * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
    Use-after-free during XML transformations
  * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
    Out-of-bounds read in HTML parser following a failed allocation
  * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
    Buffer overflow during ASN.1 decoding in NSS
    (fixed by requiring 3.21.1)
  * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
    Use-after-free during processing of DER encoded keys in NSS
    (fixed by requiring 3.21.1)
  * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
    CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
    CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
    CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
    Font vulnerabilities in the Graphite 2 library
- remove obsolete patches:
  * mozilla-arm-disable-edsp.patch
  * mozilla-icu-strncat.patch
  * mozilla-arm64-libjpeg-turbo.patch
- added required mozilla platform patches:
  * mozilla-no-stdcxx-check.patch
* Wed Apr 06 2016 astieger@suse.com
- update to Thunderbird 38.7.2
  * disable Graphite font shaping library (same upstream changelog
    as 38.7.1)
* Fri Mar 25 2016 wr@rosenauer.org
- update to Thunderbird 38.7.1
  * disabled Graphite font shaping library
Version: 38.7.0-3.1
* Fri Mar 11 2016 wr@rosenauer.org
- update to Thunderbird 38.7.0 (boo#969894)
  * MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
    Use-after-free in MediaStream playback
  * MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
    Same-origin policy violation using performance.getEntries and
    history navigation
  * MFSA 2016-16/CVE-2016-1952
    Miscellaneous memory safety hazards
  * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
    Local file overwriting and potential privilege escalation through
    CSP reports
  * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
    Memory leak in libstagefright when deleting an array during MP4
    processing
  * MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
    Displayed page address can be overridden
  * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
    Use-after-free in HTML5 string parser
  * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
    Use-after-free in SetBody
  * MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
    Use-after-free when using multiple WebRTC data channels
  * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
    Use-after-free during XML transformations
  * MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
    Addressbar spoofing though history navigation and Location protocol
    property
  * MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
    Memory corruption with malicious NPAPI plugin
  * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
    Out-of-bounds read in HTML parser following a failed allocation
  * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
    CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
    CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
    CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
    Font vulnerabilities in the Graphite 2 library
* Fri Feb 26 2016 astieger@suse.com
- adjust _constraints to current peak build memory and disk usage
* Sat Feb 13 2016 wr@rosenauer.org
- update to Thunderbird 38.6.0 (boo#963520)
  * Filters ran on a different folder than selected
  * MFSA 2016-01/CVE-2016-1930
    Miscellaneous memory safety hazards
  * MFSA 2016-03/CVE-2016-1935 (bmo#1220450)
    Buffer overflow in WebGL after out of memory allocation
* Mon Jan 25 2016 olaf@aepfle.de
- Using -g for CFLAGS is controlled via project settings, it should
  not be enforced by the mozilla buildsystem.
* Mon Jan 18 2016 olaf@aepfle.de
- Add build conditionals for valgrind and -Os
- Convert existing conditions for kde to bcond
* Tue Dec 29 2015 wr@rosenauer.org
- update to Thunderbird 38.5.1
  * requires NSS 3.20.2 to fix
    MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
    MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
    server signature
- explicitely require libXcomposite-devel
* Wed Dec 23 2015 wr@rosenauer.org
- update to Thunderbird 38.5.0 (bnc#959277)
  * MFSA 2015-134/CVE-2015-7201
    Miscellaneous memory safety hazards
  * MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
    Use-after-free in WebRTC when datachannel is used after being
    destroyed
  * MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
    Integer overflow allocating extremely large textures
  * MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
    Underflow through code inspection
  * MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
    Integer overflow in MP4 playback in 64-bit versions
  * MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
    Integer underflow and buffer overflow processing MP4 metadata in
    libstagefright
  * MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
    Cross-site reading attack through data and view-source URIs
* Tue Nov 17 2015 wr@rosenauer.org
- update to Thunderbird 38.4.0 (bnc#952810)
  * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
    Miscellaneous memory safety hazards
  * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
    Trailing whitespace in IP address hostnames can bypass same-origin policy
  * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
    Buffer overflow during image interactions in canvas
  * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
    CORS preflight is bypassed when non-standard Content-Type headers
    are received
  * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
    Memory corruption in libjar through zip files
  * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
    JavaScript garbage collection crash with Java applet
  * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
    (bmo#1188010, bmo#1204061, bmo#1204155)
    Vulnerabilities found through code inspection
  * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
    Mixed content WebSocket policy bypass through workers
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
    (bmo#1202868, bmo#1205157)
    NSS and NSPR memory corruption issues
    (fixed in mozilla-nspr and mozilla-nss packages)
- requires NSPR 4.10.10 and NSS 3.19.2.1
- added explicit appdata provides (bnc#952325)
* Mon Oct 05 2015 dmueller@suse.com
- fix build on aarch64 by reusing the crashreporter conditional
  from MozillaFirefox
* Mon Sep 28 2015 wr@rosenauer.org
- update to Thunderbird 38.3.0 (bnc#947003)
  * MFSA 2015-96/CVE-2015-4500
    Miscellaneous memory safety hazards
  * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
    Arbitrary file manipulation by local user through Mozilla updater
  * MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
    Buffer overflow in libvpx while parsing vp9 format video
  * MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
    Buffer overflow while decoding WebM video
  * MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
    Use-after-free while manipulating HTML media content
  * MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
    Dragging and dropping images exposes final URL after redirects
  * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
    Errors in the handling of CORS preflight request headers
  * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
    CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
    CVE-2015-7180
    Vulnerabilities found through code inspection
  * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
    bmo#1190526) (Windows only)
    Memory safety errors in libGLES in the ANGLE graphics library
- rebased patches
* Sat Aug 15 2015 wr@rosenauer.org
- update to Thunderbird 38.2.0 (bnc#940806)
  * MFSA 2015-79/CVE-2015-4473
    Miscellaneous memory safety hazards
  * MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
    Out-of-bounds read with malformed MP3 file
  * MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
    Redefinition of non-configurable JavaScript object properties
  * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
    Overflow issues in libstagefright
  * MFSA 2015-84/CVE-2015-4481 (bmo1171518)
    Arbitrary file overwriting through Mozilla Maintenance Service
    with hard links (only affected Windows)
  * MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
    Out-of-bounds write with Updater and malicious MAR file
    (does not affect openSUSE RPM packages which do not ship the
    updater)
  * MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
    Crash when using shared memory in JavaScript
  * MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
    Heap overflow in gdk-pixbuf when scaling bitmap images
  * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
    Buffer overflows on Libvpx when decoding WebM video
  * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
    Vulnerabilities found through code inspection
  * MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
    Use-after-free in XMLHttpRequest with shared workers
* Wed Jul 08 2015 wr@rosenauer.org
- update to Thunderbird 38.1.0 (bnc#935979)
  * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725
    Miscellaneous memory safety hazards
  * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
    Local files or privileged URLs in pages can be opened into new tabs
  * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
    Type confusion in Indexed Database Manager
  * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
    Out-of-bound read while computing an oscillator rendering range in Web Audio
  * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
    Use-after-free in Content Policy due to microtask execution error
  * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
    ECDSA signature validation fails to handle some signatures correctly
    (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
    Use-after-free in workers while using XMLHttpRequest
  * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
    CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
    Vulnerabilities found through code inspection
  * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
    Key pinning is ignored when overridable errors are encountered
  * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
    Privilege escalation in PDF.js
  * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
    NSS accepts export-length DHE keys with regular DHE cipher suites
    (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
    NSS incorrectly permits skipping of ServerKeyExchange
    (this fix is shipped by NSS 3.19.1 externally)
- requires NSS 3.19.2
* Fri Jun 19 2015 wr@rosenauer.org
- update to Thunderbird 38.0.1
  * includes Lightning as default extension
- rebased patches
- removed obsolete patches:
  * mozilla-ppc.patch
  * mozilla-nullptr-gcc45.patch
  * mozilla-bug1024492.patch
- dropped openSUSE specific patches
  * thunderbird-shared-nss-db.patch
  * mozilla-shared-nss-db.patch
    the provided feature seems not to be used and its maintenance
    is not worth the ongoing efforts
- tb-develdirs.patch is now mozilla-develdirs.patch as it is a
  platform configuration now
* Thu Jun 18 2015 schwab@suse.de
- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
* Thu May 28 2015 dmueller@suse.com
- add mozilla-bug1024492.patch:
  * Fixes build against GCC 5.x
* Sat May 09 2015 wr@rosenauer.org
- update to Thunderbird 31.7.0 (bnc#930622)
  * MFSA 2015-46/CVE-2015-2708
    Miscellaneous memory safety hazards
  * MFSA 2015-47/VE-2015-0797 (bmo#1080995)
    Buffer overflow parsing H.264 video with Linux Gstreamer
  * MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
    Buffer overflow with SVG content and CSS
  * MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
    Use-after-free during text processing with vertical text enabled
  * MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
    Buffer overflow when parsing compressed XML
  * MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
    Privilege escalation through IPC channel messages
* Tue Mar 31 2015 wr@rosenauer.org
- update to Thunderbird 31.6.0 (bnc#925368)
  * MFSA 2015-30/CVE-2015-0815
    Miscellaneous memory safety hazards
  * MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
    Use-after-free when using the Fluendo MP3 GStreamer plugin
  * MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
    resource:// documents can load privileged pages
  * MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
    CORS requests should not follow 30x redirections after preflight
  * MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
    Same-origin bypass through anchor navigation
* Mon Feb 23 2015 wr@rosenauer.org
- update to Thunderbird 31.5.0 (bnc#917597)
  * MFSA 2015-11/CVE-2015-0836
    Miscellaneous memory safety hazards
  * MFSA 2015-12/CVE-2015-0833 (bmo#945192)
    Invoking Mozilla updater will load locally stored DLL files
    (Windows only)
  * MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
    Use-after-free in IndexedDB
  * MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
    Out-of-bounds read and write while rendering SVG content
  * MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
    Reading of local files through manipulation of form autocomplete
* Sat Jan 10 2015 wr@rosenauer.org
- update to Thunderbird 31.4.0 (bnc#910669)
  * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
    Miscellaneous memory safety hazards
  * MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
    sendBeacon requests lack an Origin header
  * MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
    Cookie injection through Proxy Authenticate responses
- added mozilla-icu-strncat.patch to fix post build checks
* Sun Nov 30 2014 wr@rosenauer.org
- update to Thunderbird 31.3.0 (bnc#908009)
  * MFSA 2014-83/CVE-2014-1587
    Miscellaneous memory safety hazards
  * MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
    XMLHttpRequest crashes with some input streams
  * MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
    Use-after-free during HTML5 parsing
  * MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
    Buffer overflow while parsing media content
  * MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
    Bad casting from the BasicThebesLayer to BasicContainerLayer