MozillaThunderbird-52.8-60.1

- update to Thunderbird 52.8 (bsc#1092548)
  MFSA 2018-13
  * CVE-2018-5183 (bmo#1454692)
    Backport critical security fixes in Skia
  * CVE-2018-5184 (bmo#1411592, bsc#1093152)
    Full plaintext recovery in S/MIME via chosen-ciphertext attack
  * CVE-2018-5154 (bmo#1443092)
    Use-after-free with SVG animations and clip paths
  * CVE-2018-5155 (bmo#1448774)
    Use-after-free with SVG animations and text paths
  * CVE-2018-5159 (bmo#1441941)
    Integer overflow and out-of-bounds write in Skia
  * CVE-2018-5161 (bmo#1411720)
    Hang via malformed headers
  * CVE-2018-5162 (bmo#1457721, bsc#1093152)
    Encrypted mail leaks plaintext through src attribute
  * CVE-2018-5170 (bmo#1411732)
    Filename spoofing for external attachments
  * CVE-2018-5168 (bmo#1449548)
    Lightweight themes can be installed without user interaction
  * CVE-2018-5174 (bmo#1447080) (Windows only)
    Windows Defender SmartScreen UI runs with less secure behavior
    for downloaded files in Windows 10 April 2018 Update
  * CVE-2018-5178 (bmo#1443891)
    Buffer overflow during UTF-8 to Unicode string conversion
    through legacy extension
  * CVE-2018-5185 (bmo#1450345)
    Leaking plaintext through HTML forms
  * CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705,
    bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415,
    bmo#1426129)
    Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8 and
    Thunderbird 52.8

- Exclude bigendian archs for now, have not built
  since version 45.8.0
  ExcludeArch: ppc ppc64 s390 s390x

- update to Thunderbird 52.7
  * Searching message bodies of messages in local folders, including
    filter and quick filter operations, did not find content in
    message attachments
  * Better error handling for Yahoo accounts
- The following security fixes are included as part of the mozilla
  platform. In general, these flaws cannot be exploited through
  email in the Thunderbird product because scripting is disabled
  when reading mail, but are potentially risks in browser or
  browser-like contexts (MFSA 2018-09, bsc#1085130, bsc#1085671):
  * CVE-2018-5127 (bmo#1430557)
    Buffer overflow manipulating SVG animatedPathSegList
  * CVE-2018-5129 (bmo#1428947)
    Out-of-bounds write with malformed IPC messages
  * CVE-2018-5144 (bmo#1440926)
    Integer overflow during Unicode conversion
  * CVE-2018-5146 (bmo#1446062)
    Out of bounds memory write in libvorbis
  * CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450,
    bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087,
    bmo#1443865,bmo#1425520)
    Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7, and
    Thunderbird 52.7
  * CVE-2018-5145 (bmo#1261175,bmo#1348955)
    Memory safety bugs fixed in Firefox ESR 52.7 and Thunderbird
    52.7

- update to Thunderbird 52.6 (bsc#1077291)
  * Searching message bodies of messages in local folders, including
    filter and quick filter operations, not working reliably: Content
    not found in base64-encode message parts, non-ASCII text not found
    and false positives found.
  * Defective messages (without at least one expected header) not shown
    in IMAP folders but shown on mobile devices
  * Calendar: Unintended task deletion if numlock is enabled
  * Mozilla platform security fixes
  MFSA 2018-04
  * CVE-2018-5095 (bmo#1418447)
    Integer overflow in Skia library during edge builder allocation
  * CVE-2018-5096 (bmo#1418922)
    Use-after-free while editing form elements
  * CVE-2018-5097 (bmo#1387427)
    Use-after-free when source document is manipulated during XSLT
  * CVE-2018-5098 (bmo#1399400)
    Use-after-free while manipulating form input elements
  * CVE-2018-5099 (bmo#1416878)
    Use-after-free with widget listener
  * CVE-2018-5102 (bmo#1419363)
    Use-after-free in HTML media elements
  * CVE-2018-5103 (bmo#1423159)
    Use-after-free during mouse event handling
  * CVE-2018-5104 (bmo#1425000)
    Use-after-free during font face manipulation
  * CVE-2018-5117 (bmo#1395508)
    URL spoofing with right-to-left text aligned left-to-right
  * CVE-2018-5089
    Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- dropped obsolete mozilla-ucontext.patch

- update to Thunderbird 52.5.2
  * This releases fixes the "Mailsploit" vulnerability and other
    vulnerabilities detected by the "Cure53" audit
  MFSA 2017-30
  * CVE-2017-7845 (bmo#1402372)
    Buffer overflow when drawing and validating elements with ANGLE
    library using Direct 3D 9
  * CVE-2017-7846 (bmo#1411716, bsc#1074043)
    JavaScript Execution via RSS in mailbox:// origin
  * CVE-2017-7847 (bmo#1411708, bsc#1074044)
    Local path string can be leaked from RSS feed
  * CVE-2017-7848 (bmo#1411699, bsc#1074045)
    RSS Feed vulnerable to new line Injection
  * CVE-2017-7829 (bmo#1423432, bsc#1074046)
    Mailsploit part 1: From address with encoded null character is
    cut off in message header display

- Explicitly buildrequires python2-xml: The build system relies on
  it. We wrongly relied on other packages pulling it in for us.

- Escape the usage of %{VERSION} when calling out to rpm.
  RPM 4.14 has %{VERSION} defined as 'the main packages version'.

- update to Thunderbird 52.5.0 (bsc#1068101)
  * Better support for Charter/Spectrum IMAP: Thunderbird will now
    detect Charter's IMAP service and send an additional IMAP select
    command to the server. Check the various preferences ending in
    "force_select" to see whether auto-detection has discovered this case.
  * In search folders spanning multiple base folders clicking on a
    message sometimes marked another message as read
  * IMAP alerts have been corrected and now show the correct server
    name in case of connection problems
  * POP alerts have been corrected and now indicate connection problems
    in case the configured POP server cannot be found
  MFSA 2017-26
  * CVE-2017-7828 (bmo#1406750. bmo#1412252)
    Use-after-free of PressShell while restyling layout
  * CVE-2017-7830 (bmo#1408990)
    Cross-origin URL information leak through Resource Timing API
  * CVE-2017-7826
    Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

- Drop obsolete libgnomeui-devel BuildRequires: No longer needed.
- Add explicit pkgconfig(gconf-2.0), pkgconfig(gobject-2.0),
  pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
  pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
  pkgconfig(gdk-x11-2.0) BuildRequires: Previously pulled in by
  libgnomeui-devel, and is what configure really checks for.

- Mozilla Thunderbird 52.4.0 (bsc#1060445)
  * new behavior was introduced for replies to mailing list posts:
    "When replying to a mailing list, reply will be sent to address
    in From header ignoring Reply-to header". A new preference
    mail.override_list_reply_to allows to restore the previous behavior.
  * Under certain circumstances (image attachment and non-image
    attachment), attached images were shown truncated in messages
    stored in IMAP folders not synchronised for offline use.
  * IMAP UIDs > 0x7FFFFFFF now handled properly
  Security fixes from Gecko 52.4esr
  * CVE-2017-7793 (bmo#1371889)
    Use-after-free with Fetch API
  * CVE-2017-7818 (bmo#1363723)
    Use-after-free during ARIA array manipulation
  * CVE-2017-7819 (bmo#1380292)
    Use-after-free while resizing images in design mode
  * CVE-2017-7824 (bmo#1398381)
    Buffer overflow when drawing and validating elements with ANGLE
  * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
    Use-after-free in TLS 1.2 generating handshake hashes
  * CVE-2017-7814 (bmo#1376036)
    Blob and data URLs bypass phishing and malware protection warnings
  * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
    OS X fonts render some Tibetan and Arabic unicode characters as spaces
  * CVE-2017-7823 (bmo#1396320)
    CSP sandbox directive did not create a unique origin
  * CVE-2017-7810
    Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4

- Add alsa-devel BuildRequires: we care for ALSA support to be
  built and thus need to ensure we get the dependencies in place.
  In the past, alsa-devel was pulled in by accident: we
  buildrequire libgnome-devel. This required esound-devel and that
  in turn pulled in alsa-devel for us. libgnome is being fixed to
  no longer require esound-devel.

- update to Thunderbird 52.3 (boo#1052829)
  Fixed issues:
  * Unwanted inline images shown in rogue SPAM messages
  * Deleting message from the POP3 server not working when maildir
    storage was used
  * Message disposition flag (replied / forwarded) lost when reply or
    forwarded message was stored as draft and draft was sent later
  * Inline images not scaled to fit when printing
  * Selected text from another message sometimes included in a reply
  * No authorisation prompt displayed when inserting image into email
    body although image URL requires authentication
  * Large attachments taking a long time to open under some circumstances
  security
  Security fixes from Gecko 52.3esr
  * CVE-2017-7798 (bmo#1371586, bmo#1372112)
    XUL injection in the style editor in devtools
  * CVE-2017-7800 (bmo#1374047)
    Use-after-free in WebSockets during disconnection
  * CVE-2017-7801 (bmo#1371259)
    Use-after-free with marquee during window resizing
  * CVE-2017-7784 (bmo#1376087)
    Use-after-free with image observers
  * CVE-2017-7802 (bmo#1378147)
    Use-after-free resizing image elements
  * CVE-2017-7785 (bmo#1356985)
    Buffer overflow manipulating ARIA attributes in DOM
  * CVE-2017-7786 (bmo#1365189)
    Buffer overflow while painting non-displayable SVG
  * CVE-2017-7753 (bmo#1353312)
    Out-of-bounds read with cached style data and pseudo-elements#
  * CVE-2017-7787 (bmo#1322896)
    Same-origin policy bypass with iframes through page reloads
  * CVE-2017-7807 (bmo#1376459)
    Domain hijacking through AppCache fallback
  * CVE-2017-7792 (bmo#1368652)
    Buffer overflow viewing certificates with an extremely long OID
  * CVE-2017-7804 (bmo#1372849)
    Memory protection bypass through WindowsDllDetourPatcher
  * CVE-2017-7791 (bmo#1365875)
    Spoofing following page navigation with data: protocol and modal alerts
  * CVE-2017-7782 (bmo#1344034)
    WindowsDllDetourPatcher allocates memory without DEP protections
  * CVE-2017-7803 (bmo#1377426)
    CSP containing 'sandbox' improperly applied
  * CVE-2017-7779
    Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext

- mozilla-disable-neon-option.patch has been dropped silently, so
  remove the --disable-neon option as it is not available anymore.

- update to Thunderbird 52.2.1
  * Problems with Gmail fixed (folders not showing, repeated email
    download, etc.) introduced in version 52.2.0. (boo#1045895)

- update to Thunderbird 52.2 (boo#1043960)
  * Embedded images not shown in email received from Hotmail/Outlook
    webmailer
  * Detection of non-ASCII font names in font selector
  * Attachment not forwarded correctly under certain circumstances
  * Multiple requests for master password when GMail OAuth2 is enabled
  * Large number of blank pages being printed under certain
    circumstances when invalid preferences were present
  * Messages sent via the Simple MAPI interface are forced to HTML
  * Calendar: Invitations can't be printed
  * Mailing list (group) not accessible from macOS or Outlook address book
  * Clicking on links with references/anchors where target doesn't
    exist in the message not opening in external browser
  MFSA 2017-17
  * CVE-2017-5472 (bmo#1365602)
    Use-after-free using destroyed node when regenerating trees
  * CVE-2017-7749 (bmo#1355039)
    Use-after-free during docshell reloading
  * CVE-2017-7750 (bmo#1356558)
    Use-after-free with track elements
  * CVE-2017-7751 (bmo#1363396)
    Use-after-free with content viewer listeners
  * CVE-2017-7752 (bmo#1359547)
    Use-after-free with IME input
  * CVE-2017-7754 (bmo#1357090)
    Out-of-bounds read in WebGL with ImageInfo object
  * CVE-2017-7756 (bmo#1366595)
    Use-after-free and use-after-scope logging XHR header errors
  * CVE-2017-7757 (bmo#1356824)
    Use-after-free in IndexedDB
  * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
    CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
    CVE-2017-7777
    Vulnerabilities in the Graphite 2 library
  * CVE-2017-7758 (bmo#1368490)
    Out-of-bounds read in Opus encoder
  * CVE-2017-7763 (bmo#1360309)
    Mac fonts render some unicode characters as spaces (MacOS only)
  * CVE-2017-7764 (bmo#1364283)
    Domain spoofing with combination of Canadian Syllabics and other
    unicode blocks
  * CVE-2017-7765 (bmo#1273265)
    Mark of the Web bypass when saving executable files (Windows only)
  * CVE-2017-5470
    Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
- requires NSS 3.28.5

- remove legacy -Os optimization breaking gcc7/i586 (boo#1042090)

- explicitely optimize with -O2 for openSUSE > 13.2/Leap 42 to work
  with gcc7 (boo#1040105, boo#1042090)

- update to Thunderbird 52.1.1
  * fixed crash when compacting IMAP folder (boo#1038753)
  * Some attachments could not be opened or saved if the message
    body is empty
  * Unable to load full message via POP if message was downloaded
    partially (or only headers) before
  * Large attachments may not be shown or saved correctly if the
    message is stored in an IMAP folder which is not synchronized
    for offline use

- update to Thunderbird 52.1.0
  * Background images not working and other issues related to
    embedded images when composing email have been fixed
  * Google Oauth setup can sometimes not progress to the next step
  * requires NSS >= 3.28.4
- security fixes (boo#1035082), MFSA 2017-13
  * CVE-2017-5443 (bmo#1342661)
    Out-of-bounds write during BinHex decoding
  * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
    bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
    Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
    Firefox ESR 52.1
  * CVE-2017-5464 (bmo#1347075)
    Memory corruption with accessibility and DOM manipulation
  * CVE-2017-5465 (bmo#1347617)
    Out-of-bounds read in ConvolvePixel
  * CVE-2017-5466 (bmo#1353975)
    Origin confusion when reloading isolated data:text/html URL
  * CVE-2017-5467 (bmo#1347262)
    Memory corruption when drawing Skia content
  * CVE-2017-5460 (bmo#1343642)
    Use-after-free in frame selection
  * CVE-2017-5461 (bmo#1344380)
    Out-of-bounds write in Base64 encoding in NSS
  * CVE-2017-5449 (bmo#1340127)
    Crash during bidirectional unicode manipulation with animation
  * CVE-2017-5446 (bmo#1343505)
    Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
  * CVE-2017-5447 (bmo#1343552)
    Out-of-bounds read during glyph processing
  * CVE-2017-5444 (bmo#1344461)
    Buffer overflow while parsing application/http-index-format content
  * CVE-2017-5445 (bmo#1344467)
    Uninitialized values used while parsing application/http-index-format
    content
  * CVE-2017-5442 (bmo#1347979)
    Use-after-free during style changes
  * CVE-2017-5469 (bmo#1292534)
    Potential Buffer overflow in flex-generated code
  * CVE-2017-5440 (bmo#1336832)
    Use-after-free in txExecutionState destructor during XSLT processing
  * CVE-2017-5441 (bmo#1343795)
    Use-after-free with selection during scroll events
  * CVE-2017-5439 (bmo#1336830)
    Use-after-free in nsTArray Length() during XSLT processing
  * CVE-2017-5438 (bmo#1336828)
    Use-after-free in nsAutoPtr during XSLT processing
  * CVE-2017-5437 (bmo#1343453)
    Vulnerabilities in Libevent library
  * CVE-2017-5436 (bmo#1345461)
    Out-of-bounds write with malicious font in Graphite 2
  * CVE-2017-5435 (bmo#1350683)
    Use-after-free during transaction processing in the editor
  * CVE-2017-5434 (bmo#1349946)
    Use-after-free during focus handling
  * CVE-2017-5433 (bmo#1347168)
    Use-after-free in SMIL animation functions
  * CVE-2017-5432 (bmo#1346654)
    Use-after-free in text input selection
  * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
    bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
    bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
    Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
  * CVE-2017-5459 (bmo#1333858)
    Buffer overflow in WebGL
  * CVE-2017-5462 (bmo#1345089)
    DRBG flaw in NSS
  * CVE-2017-5454 (bmo#1349276)
    Sandbox escape allowing file system read access through file
    picker
  * CVE-2017-5451 (bmo#1273537)
    Addressbar spoofing with onblur event

- update to Thunderbird 52.0.1
  * Clicking on a link in an email may not open this link in the
    external browser
  * addon blocklist updates
- enable ALSA for systems w/o PA
- require libffi explicitely to fix PPC64LE build where a system
  library is required

- update to Thunderbird 52.0
  * Optionally remove corresponding data files when removing an account
  * Possibility to copy message filter
  * Calendar: Event can now be created and edited in a tab
  * Calendar: Processing of received invitation counter proposals
  * Chat: Support Twitter Direct Messages
  * Chat: Liking and favoriting in Twitter
  * Chat: Removed Yahoo! Messenger support
  * serveral bugfixes
- security fixes (bsc#1028391, MFSA 2017-09):
  In general, these flaws cannot be exploited through email because
  scripting is disabled when reading mail, but are potentially
  risks in browser or browser-like contexts.
  * CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933)
  * CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861)
  * CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876)
  * CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186)
  * CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138)
  * CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890)
  * CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622)
  * CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687)
  * CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711)
  * CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
  * CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504)
  * CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370)
  * CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
  * CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361)
  * CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876)
  * CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243)
  * CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699)
  * CVE-2017-5421: Print preview spoofing (bmo#1301876)
  * CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002)
  * CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
  * CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
- removed obsolete patches
  * mozilla-aarch64-48bit-va.patch
  * mozilla-binutils-visibility.patch
  * mozilla-flex_buffer_overrun.patch
  * mozilla-gcc6.patch
- added generic mozilla patches
  * mozilla-aarch64-startup-crash.patch
- require newer versions of NSPR and NSS
- use Gtk3 for Tumbleweed

- update to Thunderbird 45.8.0 (boo#1028391)
  * MFSA 2017-07
    CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
    (bmo#1334933)
    CVE-2017-5401: Memory Corruption when handling ErrorResult
    (bmo#1328861)
    CVE-2017-5402: Use-after-free working with events in FontFace
    objects (bmo#1334876)
    CVE-2017-5404: Use-after-free working with ranges in selections
    (bmo#1340138)
    CVE-2017-5407: Pixel and history stealing via floating-point
    timing side channel with SVG filters (bmo#1336622)
    CVE-2017-5410: Memory corruption during JavaScript garbage
    collection incremental sweeping (bmo#1330687)
    CVE-2017-5408: Cross-origin reading of video captions in violation
    of CORS (bmo#1313711)
    CVE-2017-5405: FTP response codes can cause use of
    uninitialized values for ports (bmo#1336699)
    CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
    Firefox ESR 45.8

- update to Thunderbird 45.7.1
  * fixed Crash when viewing certain IMAP messages (introduced in 45.7.0)

- update to Thunderbird 45.7.0
  * Message preview pane non-functional after IMAP folder was renamed
    or moved
  * "Move To" button on "Search Messages" panel not working
  * Message sent to "undisclosed recipients" shows no recipient
    (non-functional since Thunderbird version 38)
  * Security updates from MFSA 2017-03 (Gecko 45.7.0) boo#1021991.
    In general, these flaws cannot be exploited through email in
    Thunderbird because scripting is disabled when reading mail,
    but are potentially risks in browser or browser-like contexts:
    CVE-2017-5375: Excessive JIT code allocation allows bypass of
    ASLR and DEP (bmo#1325200, boo#1021814)
    CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
    CVE-2017-5378: Pointer and frame data leakage of Javascript objects
    (bmo#1312001, bmo#1330769, boo#1021818)
    CVE-2017-5380: Potential use-after-free during DOM manipulations
    (bmo#1322107, boo#1021819)
    CVE-2017-5390: Insecure communication methods in Developer Tools
    JSON viewer (bmo#1297361, boo#1021820)
    CVE-2017-5396: Use-after-free with Media Decoder
    (bmo#1329403, boo#1021821)
    CVE-2017-5383: Location bar spoofing with unicode characters
    (bmo#1323338, bmo#1324716, boo#1021822)
    CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
    (boo#1021824)

- update to Thunderbird 45.6.0 (boo#1015422)
  * The system integration dialog was shown every time when starting
    Thunderbird
  * MFSA 2016-96
    CVE-2016-9899: Use-after-free while manipulating DOM events and
    audio elements (bmo#1317409)
    CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
    CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
    CVE-2016-9898: Use-after-free in Editor while manipulating DOM
    subtrees (bmo#1314442)
    CVE-2016-9900: Restricted external resources can be loaded by
    SVG images through data URLs (bmo#1319122)
    CVE-2016-9904: Cross-origin information leak in shared atoms
    (bmo#1317936)
    CVE-2016-9905: Crash in EnumerateSubDocuments (bmo#1293985)
    CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6

- Mozilla Thunderbird 45.5.1:
  * CVE-2016-9079: SVG Animation Remote Code Execution
    (MFSA 2016-92, bsc#1012964, bmo#1321066)

- Mozilla Thunderbird 45.5.0 (boo#1009026)
  * Fixes for security flaws that cannot be exploited through email
    because scripting is disabled when reading mail, but are
    potentially risks in browser or browser-like contexts:
    CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
    (bsc#1010411)
    CVE-2016-5297: Incorrect argument length checking in Javascript
    (bsc#1010401)
    CVE-2016-9066: Integer overflow leading to a buffer overflow in
    nsScriptLoadHandler (bsc#1010404)
    CVE-2016-5291: Same-origin policy violation using local HTML file
    and saved shortcut file (bsc#1010410)
    CVE-2016-5290: Memory safety bugs fixed in Thunderbird ESR 45.5
    (bsc#1010427)
- Changed behavior:
  * Changed recipient address entry: Arrow-keys now copy the pop-up
    value to the input field. Mouse-hovered pop-up value can no
    longer be confirmed with tab or enter key. This restores the
    behavior of Thunderbird 24.
  * Support changes to character limit in Twitter
- Bugs fixed:
  * Reply with selected text containing quote resulted in wrong
    quoting level indication
  * Email invitation might not be displayed when description
    contains non-ASCII characters
  * Attempting to sort messages on the Date field whilst a quick
    filter is applied got stuck on sort descending
  * Mail address display at header pane displayed incorrectly if
    the address contains UTF-8 according to RFC 6532

- update to Thunderbird 45.4.0 (boo#999701)
  * Display name was truncated if no separating space before email
    address.
  * Recipient addresses were shown in wrong color in some circumstances.
  * Additional spaces were inserted when drafts were edited.
  * Mail saved as template copied In-Reply-To and References from
    original email.
  * Threading broken when editing message draft, due to loss of Message-ID
  * "Apply columns to..." did not honor special folders

- update to Thunderbird 45.3.0 (boo#991809)
  * Disposition-Notification-To could not be used in
    mail.compose.other.header
  * "edit as new message" on a received message pre-filled the sender
    as the composing identity.
  * Certain messages caused corruption of the drafts summary database.
  security fixes:
  * MFSA 2016-62/CVE-2016-2836
    Miscellaneous memory safety hazards
  * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
    Favicon network connection can persist when page is closed
  * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
    Buffer overflow rendering SVG with bidirectional content
  * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
    Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
  * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
    Stack underflow during 2D graphics rendering
  * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
    Use-after-free when using alt key and toplevel menus
  * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
    Use-after-free in DTLS during WebRTC session shutdown
  * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
    Use-after-free in service workers with nested sync events
  * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
    Scripts on marquee tag can execute in sandboxed iframes
  * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
    Buffer overflow in ClearKey Content Decryption Module (CDM)
    during video playback
  * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
    Type confusion in display transformation
  * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
    Use-after-free when applying SVG effects
  * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
    Same-origin policy violation using local HTML file and saved shortcut file

- Fix for possible buffer overrun (bsc#990856)
  CVE-2016-6354 (bmo#1292534)
  [mozilla-flex_buffer_overrun.patch]

- add a screenshot to appdata.xml

- update to Thunderbird 45.2 (boo#983549)
  Security fixes:
  * CVE-2016-2818, CVE-2016-2815: Memory safety bugs (MFSA2016-49)
- drop mozilla-flexible-array-member-in-union.patch, upstream

- mozilla-binutils-visibility.patch to fix build issues with
  gcc/binutils combination used in Leap 42.2 (boo#984637)

- build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6
  as long as underlying issues have been addressed upstream
  (boo#986162)

- Fix running on 48bit va aarch64 (bsc#984126)
  - Add patch mozilla-aarch64-48bit-va.patch

- update to Thunderbird 45.1.1
  * When entering members into a mailing list, the enter key
    dismissed the panel instead of just moving onto the next line
  * Email without HTML elements was sent as HTML, despite
    "Delivery Format: Auto-detect" option
  * Options applied to a template were lost when the template was used
  * Contacts could not be deleted when they were found through a search
  * Views from global searches did not respect
    "mail.threadpane.use_correspondents"

- The conditional testing for gcc was failing for different
  openSUSE versions, drop it and apply patches unconditionally.

- Add patches to fix building with gcc >= 6:
  + mozilla-gcc6.patch: patch taken from fedora's git and is
    essentially identical to upstream firefox patch:
    https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
  + mozilla-flexible-array-member-in-union.patch: patch taken
    from upstream bmo#1272649.

- Copy the icons to /usr/share/icons instead of symlinking them:
  in preparation for containerized apps (e.g. xdg-app) as well as
  AppStream metadata extraction, there are a couple locations that
  need to be real files for system integration (.desktop files,
  icons, mime-type info).

- update to Thunderbird 45.1.0 (boo#977333)
  * MFSA 2016-39/CVE-2016-2806/CVE-2016-2807 (boo#977375, boo#977376)
    Miscellaneous memory safety hazards

- For openSUSE > 13.2, the build fails for i586 as it goes out of
  memory. Prevent this from happening by disabing parallel build
  in this particular case (i.e. do not pass
  mk_add_options MOZ_MAKE_FLAGS%{?jobs:-j%jobs}).

- update to Thunderbird 45.0 (boo#969894)
  * Add a Correspondents column combining Sender and Recipient
  * Much better support for XMPP chatrooms and commands
  * Remote content exceptions: Improved options to add exceptions
  * Implement option to always use HTML formatting to prevent
    unexpected format loss when converting messages to plain text
  * Use OpenStreetmap for maps (even allow the user to choose from
    list of map services)
  * Allow spell checking and dictionary selection in the subject line
  * Allow editing of From when composing a message
  * Add dropdown in compose to allow specific setting of font size
  * Return/Enter in composer will now insert a new paragraph by
    default (shift-Enter will insert a line break)
  * Allow copying of name and email address from the message header
    of an email
  * Mail.ru supports OAuth authentication
  * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
    Miscellaneous memory safety hazards
  * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
    Local file overwriting and potential privilege escalation through
    CSP reports
  * MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
    CSP reports fail to strip location information for embedded iframe pages
  * MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
    Linux video memory DOS with Intel drivers
  * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
    Memory leak in libstagefright when deleting an array during MP4
    processing
  * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
    Use-after-free in HTML5 string parser
  * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
    Use-after-free in SetBody
  * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
    Use-after-free during XML transformations
  * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
    Out-of-bounds read in HTML parser following a failed allocation
  * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
    Buffer overflow during ASN.1 decoding in NSS
    (fixed by requiring 3.21.1)
  * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
    Use-after-free during processing of DER encoded keys in NSS
    (fixed by requiring 3.21.1)
  * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
    CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
    CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
    CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
    Font vulnerabilities in the Graphite 2 library
- remove obsolete patches:
  * mozilla-arm-disable-edsp.patch
  * mozilla-icu-strncat.patch
  * mozilla-arm64-libjpeg-turbo.patch
- added required mozilla platform patches:
  * mozilla-no-stdcxx-check.patch

- update to Thunderbird 38.7.2
  * disable Graphite font shaping library (same upstream changelog
    as 38.7.1)

- update to Thunderbird 38.7.1
  * disabled Graphite font shaping library

- update to Thunderbird 38.7.0 (boo#969894)
  * MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
    Use-after-free in MediaStream playback
  * MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
    Same-origin policy violation using performance.getEntries and
    history navigation
  * MFSA 2016-16/CVE-2016-1952
    Miscellaneous memory safety hazards
  * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
    Local file overwriting and potential privilege escalation through
    CSP reports
  * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
    Memory leak in libstagefright when deleting an array during MP4
    processing
  * MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
    Displayed page address can be overridden
  * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
    Use-after-free in HTML5 string parser
  * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
    Use-after-free in SetBody
  * MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
    Use-after-free when using multiple WebRTC data channels
  * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
    Use-after-free during XML transformations
  * MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
    Addressbar spoofing though history navigation and Location protocol
    property
  * MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
    Memory corruption with malicious NPAPI plugin
  * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
    Out-of-bounds read in HTML parser following a failed allocation
  * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
    CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
    CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
    CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
    Font vulnerabilities in the Graphite 2 library

- adjust _constraints to current peak build memory and disk usage

- update to Thunderbird 38.6.0 (boo#963520)
  * Filters ran on a different folder than selected
  * MFSA 2016-01/CVE-2016-1930
    Miscellaneous memory safety hazards
  * MFSA 2016-03/CVE-2016-1935 (bmo#1220450)
    Buffer overflow in WebGL after out of memory allocation

- Using -g for CFLAGS is controlled via project settings, it should
  not be enforced by the mozilla buildsystem.

- Add build conditionals for valgrind and -Os
- Convert existing conditions for kde to bcond

- update to Thunderbird 38.5.1
  * requires NSS 3.20.2 to fix
    MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
    MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
    server signature
- explicitely require libXcomposite-devel

- update to Thunderbird 38.5.0 (bnc#959277)
  * MFSA 2015-134/CVE-2015-7201
    Miscellaneous memory safety hazards
  * MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
    Use-after-free in WebRTC when datachannel is used after being
    destroyed
  * MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
    Integer overflow allocating extremely large textures
  * MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
    Underflow through code inspection
  * MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
    Integer overflow in MP4 playback in 64-bit versions
  * MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
    Integer underflow and buffer overflow processing MP4 metadata in
    libstagefright
  * MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
    Cross-site reading attack through data and view-source URIs

- update to Thunderbird 38.4.0 (bnc#952810)
  * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
    Miscellaneous memory safety hazards
  * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
    Trailing whitespace in IP address hostnames can bypass same-origin policy
  * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
    Buffer overflow during image interactions in canvas
  * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
    CORS preflight is bypassed when non-standard Content-Type headers
    are received
  * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
    Memory corruption in libjar through zip files
  * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
    JavaScript garbage collection crash with Java applet
  * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
    (bmo#1188010, bmo#1204061, bmo#1204155)
    Vulnerabilities found through code inspection
  * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
    Mixed content WebSocket policy bypass through workers
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
    (bmo#1202868, bmo#1205157)
    NSS and NSPR memory corruption issues
    (fixed in mozilla-nspr and mozilla-nss packages)
- requires NSPR 4.10.10 and NSS 3.19.2.1
- added explicit appdata provides (bnc#952325)

- fix build on aarch64 by reusing the crashreporter conditional
  from MozillaFirefox

- update to Thunderbird 38.3.0 (bnc#947003)
  * MFSA 2015-96/CVE-2015-4500
    Miscellaneous memory safety hazards
  * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
    Arbitrary file manipulation by local user through Mozilla updater
  * MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
    Buffer overflow in libvpx while parsing vp9 format video
  * MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
    Buffer overflow while decoding WebM video
  * MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
    Use-after-free while manipulating HTML media content
  * MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
    Dragging and dropping images exposes final URL after redirects
  * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
    Errors in the handling of CORS preflight request headers
  * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
    CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
    CVE-2015-7180
    Vulnerabilities found through code inspection
  * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
    bmo#1190526) (Windows only)
    Memory safety errors in libGLES in the ANGLE graphics library
- rebased patches

- update to Thunderbird 38.2.0 (bnc#940806)
  * MFSA 2015-79/CVE-2015-4473
    Miscellaneous memory safety hazards
  * MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
    Out-of-bounds read with malformed MP3 file
  * MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
    Redefinition of non-configurable JavaScript object properties
  * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
    Overflow issues in libstagefright
  * MFSA 2015-84/CVE-2015-4481 (bmo1171518)
    Arbitrary file overwriting through Mozilla Maintenance Service
    with hard links (only affected Windows)
  * MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
    Out-of-bounds write with Updater and malicious MAR file
    (does not affect openSUSE RPM packages which do not ship the
    updater)
  * MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
    Crash when using shared memory in JavaScript
  * MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
    Heap overflow in gdk-pixbuf when scaling bitmap images
  * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
    Buffer overflows on Libvpx when decoding WebM video
  * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
    Vulnerabilities found through code inspection
  * MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
    Use-after-free in XMLHttpRequest with shared workers

- update to Thunderbird 38.1.0 (bnc#935979)
  * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725
    Miscellaneous memory safety hazards
  * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
    Local files or privileged URLs in pages can be opened into new tabs
  * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
    Type confusion in Indexed Database Manager
  * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
    Out-of-bound read while computing an oscillator rendering range in Web Audio
  * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
    Use-after-free in Content Policy due to microtask execution error
  * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
    ECDSA signature validation fails to handle some signatures correctly
    (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
    Use-after-free in workers while using XMLHttpRequest
  * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
    CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
    Vulnerabilities found through code inspection
  * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
    Key pinning is ignored when overridable errors are encountered
  * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
    Privilege escalation in PDF.js
  * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
    NSS accepts export-length DHE keys with regular DHE cipher suites
    (this fix is shipped by NSS 3.19.1 externally)
  * MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
    NSS incorrectly permits skipping of ServerKeyExchange
    (this fix is shipped by NSS 3.19.1 externally)
- requires NSS 3.19.2

- update to Thunderbird 38.0.1
  * includes Lightning as default extension
- rebased patches
- removed obsolete patches:
  * mozilla-ppc.patch
  * mozilla-nullptr-gcc45.patch
  * mozilla-bug1024492.patch
- dropped openSUSE specific patches
  * thunderbird-shared-nss-db.patch
  * mozilla-shared-nss-db.patch
    the provided feature seems not to be used and its maintenance
    is not worth the ongoing efforts
- tb-develdirs.patch is now mozilla-develdirs.patch as it is a
  platform configuration now

- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration

- add mozilla-bug1024492.patch:
  * Fixes build against GCC 5.x

- update to Thunderbird 31.7.0 (bnc#930622)
  * MFSA 2015-46/CVE-2015-2708
    Miscellaneous memory safety hazards
  * MFSA 2015-47/VE-2015-0797 (bmo#1080995)
    Buffer overflow parsing H.264 video with Linux Gstreamer
  * MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
    Buffer overflow with SVG content and CSS
  * MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
    Use-after-free during text processing with vertical text enabled
  * MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
    Buffer overflow when parsing compressed XML
  * MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
    Privilege escalation through IPC channel messages

- update to Thunderbird 31.6.0 (bnc#925368)
  * MFSA 2015-30/CVE-2015-0815
    Miscellaneous memory safety hazards
  * MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
    Use-after-free when using the Fluendo MP3 GStreamer plugin
  * MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
    resource:// documents can load privileged pages
  * MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
    CORS requests should not follow 30x redirections after preflight
  * MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
    Same-origin bypass through anchor navigation

- update to Thunderbird 31.5.0 (bnc#917597)
  * MFSA 2015-11/CVE-2015-0836
    Miscellaneous memory safety hazards
  * MFSA 2015-12/CVE-2015-0833 (bmo#945192)
    Invoking Mozilla updater will load locally stored DLL files
    (Windows only)
  * MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
    Use-after-free in IndexedDB
  * MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
    Out-of-bounds read and write while rendering SVG content
  * MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
    Reading of local files through manipulation of form autocomplete

- update to Thunderbird 31.4.0 (bnc#910669)
  * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
    Miscellaneous memory safety hazards
  * MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
    sendBeacon requests lack an Origin header
  * MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
    Cookie injection through Proxy Authenticate responses
- added mozilla-icu-strncat.patch to fix post build checks

- update to Thunderbird 31.3.0 (bnc#908009)
  * MFSA 2014-83/CVE-2014-1587
    Miscellaneous memory safety hazards
  * MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
    XMLHttpRequest crashes with some input streams
  * MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
    Use-after-free during HTML5 parsing
  * MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
    Buffer overflow while parsing media content
  * MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
    Bad casting from the BasicThebesLayer to BasicContainerLayer