MozillaThunderbird-68.9.0-bp152.1.1

- Mozilla Thunderbird 68.9.0
  * fixed: Custom headers added for searching or filtering could
    not be removed (bmo#1631577)
  * fixed: Calendar: Today Pane updated prior to loading all data
    (bmo#1635613)
  * fixed: Stability improvements (bmo#1625677)
  * fixed: Various security fixes
  MFSA 2020-22 (bsc#1172402)
  * CVE-2020-12405 (bmo#1631618)
    Use-after-free in SharedWorkerService
  * CVE-2020-12406 (bmo#1639590)
    JavaScript Type confusion with NativeTypes
  * CVE-2020-12410 (bmo#1619305, bmo#1632717)
    Memory safety bugs fixed in Thunderbird 68.9.0
  * CVE-2020-12398 (bmo#1613623)
    Security downgrade with IMAP STARTTLS leads to information
    leakage

- Mozilla Thunderbird 68.8.1
  * fixed: IMAP stability improvements (bmo#1586494)
  * fixed: HTML tags in IRC topic changes were rendered
    incorrectly (bmo#1607097)
  * fixed: MailExtensions: Websockets could not be used
    (bmo#1627649)
- Use a symbolic icon from branding internals

- Mozilla Thunderbird 68.8.0
  * fixed: Account Manager: text fields were too small in some
    cases (bmo#1616387)
  * fixed: Account Manager: Authentication method did not update
    when selecting an SMTP server (bmo#1631437)
  * fixed: Links with embedded credentials did not open on
    Windows (bmo#1609451)
  * fixed: Messages were sometimes sent with a badly formed
    address when filled from the address book (bmo#1629842)
  * fixed: Accessibility: Screen readers were reporting too many
    activities from the status bar (bmo#1628891)
  * fixed: MailExtensions: Setting IMAP messages as read with
    browser.messages.updated failed to persist (bmo#1631184)
  * fixed: Various security fixes
  MFSA 2020-18 (bsc#1171186)
  * CVE-2020-12397 (bmo#1617370)
    Sender Email Address Spoofing using encoded Unicode
    characters
  * CVE-2020-12387 (bmo#1545345)
    Use-after-free during worker shutdown
  * CVE-2020-6831 (bmo#1632241)
    Buffer overflow in SCTP chunk input validation
  * CVE-2020-12392 (bmo#1614468)
    Arbitrary local file access with 'Copy as cURL'
  * CVE-2020-12393 (bmo#1615471)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command
    injection
  * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704,
    bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076,
    bmo#1631508)
    Memory safety bugs fixed in Thunderbird 68.8.0

- Mozilla Thunderbird 68.7.0
  * new: MailExtensions: Raw message source available to
    MailExtensions (bmo#1525274)
  * changed: MailExtensions: messages.update function extended to
    mark messages as junk or not junk (bmo#1598332)
  * changed: MailExtensions: browser.compose.begin functions no
    longer expand mailing lists (bmo#1612480)
  * fixed: Various improvements to account setup when connecting
    to an Exchange server (bmo#1598861)
  * fixed: Thread collapsed when opening news message in a new
    window (bmo#1526765)
  * fixed: Addons not automatically updated to compatible version
    after upgrade from Thunderbird 60 (bmo#1574183)
  * fixed: Updating addons did not prompt when requesting new
    permissions (bmo#1620861)
  * fixed: Extra recipients panel not keyboard-accessible
    (bmo#1612717)
  * fixed: Accessibility: Status bar was not detected by
    screenreaders (bmo#1621287)
  * fixed: MailExtensions: messages.query by folder name did not
    require accountsRead permission (bmo#1625793)
  * fixed: Calendar: Invitations with embedded null bytes did not
    always decode correctly (bmo#1623896)
  * fixed: Calendar: Cancelled events didn't show with a line-
    through (bmo#1621210)
  * fixed: Various security fixes
  MFSA 2020-14 (bsc#1168874)
  In general, these flaws cannot be exploited through email in
  Thunderbird because scripting is disabled when reading mail, but
  are potentially risks in browser or browser-like contexts.
  * CVE-2020-6819 (bmo#1620818, bsc#1168630)
    Use-after-free while running the nsDocShell destructor
  * CVE-2020-6820 (bmo#1626728, bsc#1168630)
    Use-after-free when handling a ReadableStream
  * CVE-2020-6821 (bmo#1625404, bsc#1168874)
    Uninitialized memory could be read when using the WebGL
    copyTexSubImage method
  * CVE-2020-6822 (bmo#1544181, bsc#1168874)
    Out of bounds write in GMPDecodeData when processing large images
  * CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203, bsc#1168874)
    Memory safety bugs fixed in Thunderbird 68.7.0

- Mozilla Thunderbird 68.6
  * new: Thunderbird now displays a popup window when starting up
    on a new profile (bmo#1590036)
  * changed: Thunderbird now provides partial updates resulting
    in smaller downloads (bmo#1410512)
  * fixed: Searching in message bodies led to false negatives
    under some circumstances in quoted-printable encoded HTML
    bodies (bmo#1614796)
  * fixed: "Get New Messages for All Accounts" not working for
    OAuth2-authenticated IMAP accounts (bmo#1593611)
  * fixed: Various security fixes
  MFSA 2020-10 (bsc#1166238)
  * CVE-2020-6805 (bmo#1610880)
    Use-after-free when removing data about origins
  * CVE-2020-6806 (bmo#1612308)
    BodyStream::OnInputStreamReady was missing protections
    against state confusion
  * CVE-2020-6807 (bmo#1614971)
    Use-after-free in cubeb during stream destruction
  * CVE-2020-6811 (bmo#1607742)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command
    injection
  * CVE-2019-20503 (bmo#1613765)
    Out of bounds reads in sctp_load_addresses_from_init
  * CVE-2020-6812 (bmo#1616661)
    The names of AirPods with personally identifiable information
    were exposed to websites with camera or microphone permission
  * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256,
    bmo#1612636, bmo#1614339)
    Memory safety bugs fixed in Thunderbird 68.6

- Mozilla Thunderbird 68.5
  * new: Support for Client Identity IMAP/SMTP Service Extension
    (bmo#1532388)
  * new: Support for OAuth 2.0 authentication for POP3 accounts
    (bmo#1538409)
  * fixed: Status area goes blank during account setup
    (bmo#1593122)
  * fixed: Calendar: Could not remove color for default
    categories (bmo#1584853)
  * fixed: Calendar: Prevent calendar component loading multiple
    times (bmo#1606375)
  * fixed: Calendar: Today pane did not retain width between
    sessions (bmo#1610207)
  * fixed: Various <a href="https://www.mozilla.org/en-
    US/security/known-
    vulnerabilities/thunderbird/#thunderbird68.5">security
    fixes</a>
  * unresolved: When upgrading from Thunderbird version 60 to
    version 68, add-ons are not automatically updated during the
    upgrade process. They will however be updated during the add-
    on update check. It is of course possible to reinstall
    compatible add-ons via the Add-ons Manager or via
    addons.thunderbird.net. (bmo#1574183)
  MFSA 2020-07 (bsc#1163368)
  * CVE-2020-6793 (bmo#1608539)
    Out-of-bounds read when processing certain email messages
  * CVE-2020-6794 (bmo#1606619)
    Setting a master password post-Thunderbird 52 does not delete
    unencrypted previously stored passwords
  * CVE-2020-6795 (bmo#1611105)
    Crash processing S/MIME messages with multiple signatures
  * CVE-2020-6797 (bmo#1596668)
    Extensions granted downloads.open permission could open
    arbitrary applications on Mac OSX
  * CVE-2020-6798 (bmo#1602944)
    Incorrect parsing of template tag could result in JavaScript
    injection
  * CVE-2020-6792 (bmo#1609607)
    Message ID calculcation was based on uninitialized data
  * CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
    bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
    Memory safety bugs fixed in Thunderbird 68.5

- Mozilla Thunderbird 68.4.2 (bsc#1162777)
  * changed: Calendar: Task and Event tree colours adjusted for
    the dark theme (bmo#1608344)
  * fixed: Retrieval of S/MIME certificates from LDAP failed
    (bmo#1604773)
  * fixed: Address-parsing crash on some IMAP servers when
    preference mail.imap.use_envelope_cmd was set (bmo#1609690)
  * fixed: Incorrect forwarding of HTML messages caused SMTP
    servers to respond with a timeout (bmo#1222046)
  * fixed: Calendar: Various parts of the calendar UI stopped
    working when a second Thunderbird window opened (bmo#1608407)

- Mozilla Thunderbird 68.4.1
  * changed: Various improvements when setting up an account for
    a Microsoft Exchange server: Now offers IMAP/SMTP if
    available, better detection for Office 365 accounts; re-run
    configuration after password change. (bmo#1592258)
  * fixed: Attachments with one or more spaces in their names
    couldn't be opened under some circumstances (bmo#1601905)
  * fixed: After changing view layout, the message display pane
    showed garbled content under some circumstances (bmo#265393)
  * fixed: Tags were lost on messages in shared IMAP folders
    under some circumstances (bmo#1596371)
  * fixed: Various theme changes to achieve "pixel perfection":
    Unread icon, "no results" icon, paragraph format and font
    selector, background of folder summary tooltip (bmo#1605612)
  * fixed: Calendar: Event attendee dialog was not displayed
    correctly (bmo#1604797)
  * fixed: Various security fixes
  MFSA 2020-04 (bsc#1160305, bsc#1160498)
  * CVE-2019-17026 (bmo#1607443)
    IonMonkey type confusion with StoreElementHole and
    FallibleStoreElement
  * CVE-2019-17015 (bmo#1599005)
    Memory corruption in parent process during new content
    process initialization on Windows
  * CVE-2019-17016 (bmo#1599181)
    Bypass of @namespace CSS sanitization during pasting
  * CVE-2019-17017 (bmo#1603055)
    Type Confusion in XPCVariant.cpp
  * CVE-2019-17021 (bmo#1599008)
    Heap address disclosure in parent process during content
    process initialization on Windows
  * CVE-2019-17022 (bmo#1602843)
    CSS sanitization does not escape HTML tags
  * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
    bmo#1601826)
    Memory safety bugs fixed in Thunderbird 68.4.1
- Removed patch that is now upstream: mozilla-bmo1511604.patch
- Added patch to fix broken URL-bar on s390x:
  mozilla-bmo1602730.patch

- Mozilla Thunderbird 68.3.1
  * changed: In dark theme unread messages no longer shown in
    blue to distinguish from tagged messages (bmo#1596702)
  * changed: Account setup is now using client side DNS MX lookup
    instead of relying on a server. (bmo#1349337)
  * fixed: Searching LDAP address book crashed in some
    circumstances (bmo#1601389)
  * fixed: Message navigation with backward and forward buttons
    did not work in some circumstances (bmo#533504)
  * fixed: WebExtension toolbar icons were displayed too small
    (bmo#1598955)
  * fixed: Calendar: Tasks due today were not listed in bold
    (bmo#1598885)
  * fixed: Calendar: Last day of long-running events was not
    shown (bmo#1572964)

- Mozilla Firefox Thunderbird 68.3
  * new: Message display toolbar action WebExtension API
    (bmo#1531597)
  * new: Navigation buttons are now available in content tabs,
    for example those opened via an add-on search (bmo#787683)
  * changed: "New email" icon in Windows systray changed from in-
    tray with arrow to envelope (bmo#1594200)
  * fixed: Icons of attachments in the attachment pane of the
    Write window not always correct (bmo#1593280)
  * fixed: Toolbar buttons of add-ons in the menubar not shown
    after startup (bmo#1584160)
  * fixed: LDAP lookup not working when SSL was enabled. LDAP
    search not working when "All Address Books" was selected.
    (bmo#1576364)
  * fixed: Scam link confirmation panel not working (bmo#1596413)
  * fixed: In Write window, the Link Properties dialog wasn't
    showing named anchors in context menu (bmo#1593629)
  * fixed: Calendar: Start-up failed if the application menu is
    not on the calendar toolbars (bmo#1588516)
  * fixed: Chat: Account reordering via drag-and-drop not working
    on Instant messaging status dialog (Show Accounts)
    (bmo#1591505)
  MFSA 2019-37 (bsc#1158328)
  * CVE-2019-17008 (bmo#1546331)
    Use-after-free in worker destruction
  * CVE-2019-13722 (bmo#1580156)
    Stack corruption due to incorrect number of arguments in
    WebRTC code
  * CVE-2019-11745 (bmo#1586176)
    Out of bounds write in NSS when encrypting with a block
    cipher
  * CVE-2019-17009 (bmo#1510494)
    Updater temporary files accessible to unprivileged processes
  * CVE-2019-17010 (bmo#1581084)
    Use-after-free when performing device orientation checks
  * CVE-2019-17005 (bmo#1584170)
    Buffer overflow in plain text serializer
  * CVE-2019-17011 (bmo#1591334)
    Use-after-free when retrieving a document in antitracking
  * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667,
    bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502)
    Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3

- Remove patch thunderbird-broken-locales-build.patch due to
  switch to a different method for building locales
- Added patch mozilla-bmo849632.patch to fix some webgl-problems
  on big endian machines (sync from FF)

- Mozilla Thunderbird 68.2.1
  * new: A language for the user interface can now be chosen in
    the advanced settings (multilingual UI) (bmo#1590206)
  * fixed: Problem with Google authentication (OAuth2)
    (bmo#1592407)
  * fixed: Selected or unread messages not shown in the correct
    color in the thread pane (message list) under some
    circumstances (bmo#1585765)
  * fixed: When using a language pack, names of standard folders
    weren't localized (bmo#1575512, boo#1149126)
  * fixed: Address book default startup directory in preferences
    panel not persisted (bmo#1591364)
  * fixed: Various visual glitches: Conditions in filter editor
    not high enough, folder location widget not showing folder
    name, problem with menubar customization, add-on home page
    links accumulating, theme issues on Windows 7 (bmo#1590666)
  * fixed: Issues when upgrading from a 32bit version of
    Thunderbird to a 64bit version. Note: If your profile is
    still not recognised, selected it by visiting about:profiles
    in the Troubleshooting Information. (bmo#1587067)
  * fixed: Chat: Extended context menu on Instant messaging
    status dialog (Show Accounts) (bmo#1591506)
- added mozilla-bmo1504834-part4.patch to fix some visual issues
  on big endian platforms

- Mozilla Thunderbird 68.2
  * new: Message Display WebExtension API
  * new: Message Search WebExtension API
  * Bugfixes
    Better visual feedback for unread messages when using the
    dark theme
    Various issues when editing mailing lists
    Integration with macOS addressbook and notifications not working
    after introduction of notarization
    Application windows not maintaining their size after restart
    Issues when upgrading from a 32bit version of Thunderbird to a
    64bit version.
  * various security fixes
  MFSA 2019-33/2019-35 (bsc#1154738)
  * CVE-2019-15903 (bmo#1584907)
    Heap overflow in expat library in XML_GetCurrentLineNumber
  * CVE-2019-11757 (bmo#1577107)
    Use-after-free when creating index updates in IndexedDB
  * CVE-2019-11758 (bmo#1536227)
    Potentially exploitable crash due to 360 Total Security
  * CVE-2019-11759 (bmo#1577953)
    Stack buffer overflow in HKDF output
  * CVE-2019-11760 (bmo#1577719)
    Stack buffer overflow in WebRTC networking
  * CVE-2019-11761 (bmo#1561502)
    Unintended access to a privileged JSONView object
  * CVE-2019-11762 (bmo#1582857)
    document.domain-based origin isolation has same-origin-
    property violation
  * CVE-2019-11763 (bmo#1584216)
    Incorrect HTML parsing results in XSS bypass technique
  * CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223,
    bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933,
    bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599,
    bmo#1586845)
    Memory safety bugs fixed in Thunderbird 68.2
- removed upstream patches:
  * mozilla-bmo1512162.patch
  * mozilla-bmo1573381.patch
  * mozilla-bmo1585099.patch

- Mozilla Thunderbird 68.1.2 (bsc#1153879)
  Bugfixes
  * Some attachments couldn't be opened in messages originating from
    MS Outlook 2016
  * Address book import from CSV
  * Performance problem in message body search
  * Ctrl+Enter to send a message would open an attachment if the
    attachment pane had focus
  * Calendar: Issues with "Today Pane" start-up
  * Calendar: Glitches with custom repeat and reminder number input
  * Calendar: Problems with WCAP provider
- add mozilla-bmo1585099.patch to fix build with rust >= 1.38
- add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO)
- updated translations-other locale list
- remove kde.js since disabling instantApply breaks extensions and
  is obsolete with the move to HTML views for preferences (boo#1151186)
- Update create-tar.sh (bsc#1152778)
- Update mozilla-bmo1512162.patch to the patch now commited upstream
  * No more -O1 builds for ppc64le necessary
- Deactivate currently useless crashreporter for the last remaining
  arch

- Mozilla Thunderbird 68.1.1
  Bugfixes
  * Issues with attachments in IMAP messages
  * Gmail accounts ignored a non-standard trash folder selection
  * Entering/pasting lists of recipients into the addressing widget or
    mailing list not working reliably, especially when lists contained
    multiple commas or semicolons
  * Edit mailing list not working
  * Various theme fixes, especially dark theme improvements for Calendar
  * Contrast between tag label and background not optimal
  * Account Central pane always loaded at start-up
  * "Config Editor" button not removed if blocked by policy
  * Calendar: Free/busy information in attendees dialog not scrolled
    correctly. Note: Scroll arrows still not behaving correctly
  MFSA 2019-32
  * CVE-2019-11755 (bmo#1240290)
    Spoofing a message author via a crafted S/MIME message

- Mozilla Thunderbird 68.1.0
  * Offer to configure Exchange accounts for Office365. A third-
    party add-on is required for this account type.
    IMAP still exists as alternative.
  * Edit tag not working
  * Write window: "Insert > Characters and Symbols" not working
  * Moving/dragging messages from "Search Messages" result
    dialog not working
  * Command line -compose "attachment=" not working
  * Custom views not working
  * Issues with list of content types/actions for incoming attachments
  * "Learn More" links in Error Console not working
  * Visual glitches: Quick Filter Bar tag buttons too tall, missing
    scroll bar on Connection Setting subdialog, LDAP server
    selection after "New", "Edit" and "Delete"
  * Calendar: Parts of CalDAV dialog not working
  MFSA 2019-30
  * CVE-2019-11739 (bmo#1571481, bsc#1150939)
    Covert Content Attack on S/MIME encryption using a crafted
    multipart/alternative message
  * CVE-2019-11746 (bmo#1564449, bsc#1149297)
    Use-after-free while manipulating video
  * CVE-2019-11744 (bmo#1562033, bsc#1149304)
    XSS by breaking out of title and textarea elements using
    innerHTML
  * CVE-2019-11742 (bmo#1559715, bsc#1149303)
    Same-origin policy violation with SVG filters and canvas to
    steal cross-origin images
  * CVE-2019-11752 (bmo#1501152, bsc#1149296)
    Use-after-free while extracting a key value in IndexedDB
  * CVE-2019-11743 (bmo#1560495, bsc#1149298,
    https://w3c.github.io/navigation-timing)
    Cross-origin access to unload event attributes
  * CVE-2019-11740 (bmo#1563133, bmo#1573160, bsc#1149299)
    Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1,
    Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
- Mozilla Thunderbird 68.0
  * based on Firefox ESR 68
  * File link attachments can now be linked to again instead of
    uploading them again
  * Mark all folders of an account as read
  * Run filters periodically. Improved filter logging
  * OAuth2 authentication for Yandex
  * Language packs can now be selected in the Advanced Options.
    Preference intl.multilingual.enabled needs to be set (and possily
    also extensions.langpacks.signatures.required needs to be set to false)
  * Added a policy engine that allows customized Thunderbird deployments
    in enterprise environments, using Windows Group Policy or a
    cross-platform JSON file
  * TCP keepalive for IMAP protocol
  * Full Unicode support for MAPI interfaces: New support for MAPISendMailW
  * Calendar: Time zone data can now include past and future changes.
    All known time zone changes from 2018 to 2022 are included.
  * Chat: In each conversation an individual spellcheck language can
    be selected now
  MFSA 2019-28
  * CVE-2019-11711 (bmo#1552541)
    Script injection within domain through inner window reuse
  * CVE-2019-11712 (bmo#1543804)
    Cross-origin POST requests can be made with NPAPI plugins by
    following 308 redirects
  * CVE-2019-11713 (bmo#1528481)
    Use-after-free with HTTP/2 cached stream
  * CVE-2019-11714 (bmo#1542593)
    NeckoChild can trigger crash when accessed off of main thread
  * CVE-2019-11729 (bmo#1515342)
    Empty or malformed p256-ECDH public keys may trigger a
    segmentation fault
  * CVE-2019-11715 (bmo#1555523)
    HTML parsing error can contribute to content XSS
  * CVE-2019-11716 (bmo#1552632)
    globalThis not enumerable until accessed
  * CVE-2019-11717 (bmo#1548306)
    Caret character improperly escaped in origins
  * CVE-2019-11719 (bmo#1540541)
    Out-of-bounds read when importing curve25519 private key
  * CVE-2019-11720 (bmo#1556230)
    Character encoding XSS vulnerability
  * CVE-2019-11721 (bmo#1256009)
    Domain spoofing through unicode latin 'kra' character
  * CVE-2019-11730 (bmo#1558299)
    Same-origin policy treats all files in a directory as having
    the same-origin
  * CVE-2019-11723 (bmo#1528335)
    Cookie leakage during add-on fetching across private browsing
    boundaries
  * CVE-2019-11724 (bmo#1512511)
    Retired site input.mozilla.org has remote troubleshooting
    permissions
  * CVE-2019-11725 (bmo#1483510)
    Websocket resources bypass safebrowsing protections
  * CVE-2019-11727 (bmo#1552208)
    PKCS#1 v1.5 signatures can be used for TLS 1.3
  * CVE-2019-11728 (bmo#1552993)
    Port scanning through Alt-Svc header
  * CVE-2019-11710 (bmo#1400563, bmo#1507696, bmo#1510345,
    bmo#1533842, bmo#1535482, bmo#1535848, bmo#1537692,
    bmo#1540590, bmo#1544180, bmo#1547472, bmo#1547760,
    bmo#1548611, bmo#1549768, bmo#1551907)
    Memory safety bugs fixed in Firefox 68 and Thunderbird 68
  * CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219,
    bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822,
    bmo#1550498, bmo#1550498)
    Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and
    Thunderbird 68
- removed patches that are now upstream
  * mozilla-bmo1375074.patch
  * mozilla-i586-DecoderDoctorLogger.patch
  * mozilla-i586-domPrefs.patch
  * mozilla-bmo1464766.patch
  * mozilla-bigendian_bit_flags_alias.patch
- added patch to make builds reproducible
  * mozilla-bmo1568145.patch
- added a bunch of patches mainly for big endian platforms
  * mozilla-bmo1504834-part1.patch
  * mozilla-bmo1504834-part2.patch
  * mozilla-bmo1504834-part3.patch
  * mozilla-bmo1511604.patch
  * mozilla-bmo1512162.patch
  * mozilla-bmo1554971.patch
  * mozilla-bmo1573381.patch
  * mozilla-nestegg-big-endian.patch
  * mozilla-ppc-altivec_static_inline.patch
- added patches to fix build on armv7:
  * mozilla-bmo1463035.patch
  * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
- added patch to fix non-return function
  * mozilla-cubeb-noreturn.patch
- added patch to fix aarch64 build:
  * mozilla-fix-aarch64-libopus.patch (bmo#1539737)
- added patch to reduce build-load
  * mozilla-reduce-rust-debuginfo.patch
- added patch to fix locales-build
  * thunderbird-broken-locales-build.patch
- added patch to fix implicit declarations
  * mozilla-openaes-decl.patch
- added samba-patch from Firefox
  * mozilla-ntlm-full-path.patch

- Mozilla Firefox Thunderbird 60.8
  MFSA 2019-23 (bsc#1140868)
  * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
    Sandbox escape via installation of malicious language pack
  * CVE-2019-11711 (bmo#1552541)
    Script injection within domain through inner window reuse
  * CVE-2019-11712 (bmo#1543804)
    Cross-origin POST requests can be made with NPAPI plugins by
    following 308 redirects
  * CVE-2019-11713 (bmo#1528481)
    Use-after-free with HTTP/2 cached stream
  * CVE-2019-11729 (bmo#1515342)
    Empty or malformed p256-ECDH public keys may trigger a
    segmentation fault
  * CVE-2019-11715 (bmo#1555523)
    HTML parsing error can contribute to content XSS
  * CVE-2019-11717 (bmo#1548306)
    Caret character improperly escaped in origins
  * CVE-2019-11719 (bmo#1540541)
    Out-of-bounds read when importing curve25519 private key
  * CVE-2019-11730 (bmo#1558299)
    Same-origin policy treats all files in a directory as having
    the same-origin
  * CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219,
    bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822,
    bmo#1550498, bmo#1550498)
    Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and
    Thunderbird 60.8
- Calendar: Problems when editing event times, some related to
  AM/PM setting in non-English locales

- Mozilla Firefox Thunderbird 60.7.2
  MFSA 2019-20 (bsc#1138872)
  * CVE-2019-11707 (bmo#1544386)
    Type confusion in Array.pop
  * CVE-2019-11708 (bmo#1559858)
    sandbox escape using Prompt:Open

- Mozilla Firefox Thunderbird 60.7.1
  MFSA 2019-17 (bsc#1137595)
  * CVE-2019-11703 (bmo#1553820)
    Heap buffer overflow in icalparser.c
  * CVE-2019-11704 (bmo#1553814)
    Heap buffer overflow in icalvalue.c
  * CVE-2019-11705 (bmo#1553808)
    Stack buffer overflow in icalrecur.c
  * CVE-2019-11706 (bmo#1555646)
    Type confusion in icalproperty.c
- No prompt for smartcard PIN when S/MIME signing is used
- Removed obsolete patches:
    [thunderbird-bsc1137595.patch]

- Fix security vulnerabilities in Thunderbird 60.7 (bsc#1137595)
  * CVE-2019-11706 (bmo#1555646)
  * CVE-2019-11705 (bmo#1553808)
  * CVE-2019-11704 (bmo#1553814)
  * CVE-2019-11703 (bmo#1553820)
- Added patches:
    [thunderbird-bsc1137595.patch]

- Add build_limit for s390x on SLE16 (bsc#1247774)
  * by Martin Sirringhaus <martin.sirringhaus@suse.com>

- Mozilla Thunderbird 140.5.0 ESR
  MFSA 2025-91 (bsc#1253188)
  * CVE-2025-13012 (bmo#1991458)
    Race condition in the Graphics component
  * CVE-2025-13016 (bmo#1992130)
    Incorrect boundary conditions in the JavaScript: WebAssembly
    component
  * CVE-2025-13017 (bmo#1980904)
    Same-origin policy bypass in the DOM: Notifications component
  * CVE-2025-13018 (bmo#1984940)
    Mitigation bypass in the DOM: Security component
  * CVE-2025-13019 (bmo#1988412)
    Same-origin policy bypass in the DOM: Workers component
  * CVE-2025-13013 (bmo#1991945)
    Mitigation bypass in the DOM: Core & HTML component
  * CVE-2025-13020 (bmo#1995686)
    Use-after-free in the WebRTC: Audio/Video component
  * CVE-2025-13014 (bmo#1994241)
    Use-after-free in the Audio/Video component
  * CVE-2025-13015 (bmo#1994164)
    Spoofing issue in Thunderbird
  * fixed: Could not drag and drop ICS file to Today Pane
    (bmo#1992935)
  * fixed: With Thunderbird closed, clicking a 'mailto:' link to
    send signed message failed (bmo#1972857)
  * fixed: Upgrade from 128.x->140.x broke authentication for
    @att.net using Yahoo backend (bmo#1978361)

- Mozilla Thunderbird 140.4.0 ESR
  * Account Hub is now disabled by default for second email account
  * Users could not read mail signed with OpenPGP v6 and PQC keys
  * Image preview in Insert Image dialog failed with CSP error for web resources
  * Emptying trash on exit did not work with some providers
  * Thunderbird could crash when applying filters
  * Users were unable to override expired mail server certificate
  * Opening Website header link in RSS feed incorrectly re-encoded
    URL parameters
  MFSA 2025-85 (bsc#1251263)
  * CVE-2025-11708 (bmo#1988931)
    Use-after-free in MediaTrackGraphImpl::GetInstance()
  * CVE-2025-11709 (bmo#1989127)
    Out of bounds read/write in a privileged process triggered by
    WebGL textures
  * CVE-2025-11710 (bmo#1989899)
    Cross-process information leaked due to malicious IPC
    messages
  * CVE-2025-11711 (bmo#1989978)
    Some non-writable Object properties could be modified
  * CVE-2025-11712 (bmo#1979536)
    An OBJECT tag type attribute overrode browser behavior on web
    resources without a content-type
  * CVE-2025-11713 (bmo#1986142)
    Potential user-assisted code execution in “Copy as cURL”
    command
  * CVE-2025-11714 (bmo#1973699, bmo#1989945, bmo#1990970,
    bmo#1991040, bmo#1992113)
    Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
    140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  * CVE-2025-11715 (bmo#1983838, bmo#1987624, bmo#1988244,
    bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899)
    Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
    ESR 140.4, Firefox 144 and Thunderbird 144

- Mozilla Thunderbird 140.3.1 ESR
  * several bugfixes listed here
    https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes

- Mozilla Thunderbird 140.4
  * changed: Account Hub is now disabled by default for second
    email account (bmo#1992027)
  * changed: Flatpak runtime has been updated to Freedesktop SDK
    24.08 (bmo#1952100)
  * fixed: Users could not read mail signed with OpenPGP v6 and
    PQC keys (bmo#1986845)
  * fixed: Image preview in Insert Image dialog failed with CSP
    error for web resources (bmo#1989392)
  * fixed: Emptying trash on exit did not work with some
    providers (bmo#1975147)
  * fixed: Thunderbird could crash when applying filters
    (bmo#1987880)
  * fixed: Users were unable to override expired mail server
    certificate (bmo#1979323)
  * fixed: Opening Website header link in RSS feed incorrectly
    re-encoded URL parameters (bmo#1971035)
  * fixed: Security fixes
  MFSA 2025-85 (bsc#1251263)
  * CVE-2025-11708 (bmo#1988931)
    Use-after-free in MediaTrackGraphImpl::GetInstance()
  * CVE-2025-11709 (bmo#1989127)
    Out of bounds read/write in a privileged process triggered by
    WebGL textures
  * CVE-2025-11710 (bmo#1989899)
    Cross-process information leaked due to malicious IPC
    messages
  * CVE-2025-11711 (bmo#1989978)
    Some non-writable Object properties could be modified
  * CVE-2025-11712 (bmo#1979536)
    An OBJECT tag type attribute overrode browser behavior on web
    resources without a content-type
  * CVE-2025-11713 (bmo#1986142)
    Potential user-assisted code execution in “Copy as cURL”
    command
  * CVE-2025-11714 (bmo#1973699, bmo#1989945, bmo#1990970,
    bmo#1991040, bmo#1992113)
    Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
    140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  * CVE-2025-11715 (bmo#1983838, bmo#1987624, bmo#1988244,
    bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899)
    Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
    ESR 140.4, Firefox 144 and Thunderbird 144
- Replace mozilla-bmo998749.patch with upstreams version

- Add build_limit for s390x on SLE16 (bsc#1247774)

- Mozilla Thunderbird 140.3.0 ESR
  * Right-clicking 'List-ID' -> 'Unsubscribe' created double encoded
    draft subject
  * Thunderbird could crash on startup
  * Thunderbird could crash when importing mail
  * Opening Website header link in RSS feed incorrectly re-encoded
    URL parameters
  MFSA 2025-78 (bsc#1249391)
  * CVE-2025-10527 (bmo#1984825)
    Sandbox escape due to use-after-free in the Graphics:
    Canvas2D component
  * CVE-2025-10528 (bmo#1986185)
    Sandbox escape due to undefined behavior, invalid pointer in
    the Graphics: Canvas2D component
  * CVE-2025-10529 (bmo#1970490)
    Same-origin policy bypass in the Layout component
  * CVE-2025-10532 (bmo#1979502)
    Incorrect boundary conditions in the JavaScript: GC component
  * CVE-2025-10533 (bmo#1980788)
    Integer overflow in the SVG component
  * CVE-2025-10536 (bmo#1981502)
    Information disclosure in the Networking: Cache component
  * CVE-2025-10537 (bmo#1938220, bmo#1980730, bmo#1981280,
    bmo#1981283, bmo#1984505, bmo#1985067)
    Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
    ESR 140.3, Firefox 143 and Thunderbird 143

- Fix suse_version check for 16.0

- Build for Leap 16 using gcc13 (gcc14 is unavailable on Leap 16)

- Mozilla Thunderbird 140.2.1
  * Users could no longer send using smtp-relay.gmail.com
  * Folder compaction could fail to complete due to folder write errors
  * Creating an event or task from mail failed if the mail was
    opened in a tab

- Mozilla Thunderbird 140.2
  * fixed: Users were unable to use Fastmail calendars due to
    missing OAuth settings (bmo#1978192)
  * fixed: Account setup error handling was broken for Account
    hub (bmo#1971303)
  * fixed: Menu bar was hidden after updating from 128esr to
    140esr (bmo#1979002)
  * fixed: Security fixes
  MFSA 2025-72 (bsc#1248162)
  * CVE-2025-9179 (bmo#1979527)
    Sandbox escape due to invalid pointer in the Audio/Video: GMP
    component
  * CVE-2025-9180 (bmo#1979782)
    Same-origin policy bypass in the Graphics: Canvas2D component
  * CVE-2025-9181 (bmo#1977130)
    Uninitialized memory in the JavaScript Engine component
  * CVE-2025-9182 (bmo#1975837)
    Denial-of-service due to out-of-memory in the Graphics:
    WebRender component
  * CVE-2025-9184 (bmo#1929482, bmo#1976376, bmo#1979163,
    bmo#1979955)
    Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird
    ESR 140.2, Firefox 142 and Thunderbird 142
  * CVE-2025-9185 (bmo#1970154, bmo#1976782, bmo#1977166)
    Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR
    128.14, Thunderbird ESR 128.14, Firefox ESR 140.2,
    Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142

- Mozilla Thunderbird ESR 140.1.1
  Fixed
  * Users with attachments open in tabs saw an error on Thunderbird restart
  * Sending from unified or local folder failed if no default account was set
  * Delete button could remove attachment instead of message
  * Message list scrolled back when returning to mail tab after opening a message

- Update memory constraints

- Mozilla Thunderbird ESR 140.1.0
  * New folders were not added alphabetically if folders manually
    reordered beforehand
  * Message archive folder creation could silently stop during async
    folder creation
  MFSA 2025-63 (bsc#1246664)
  * CVE-2025-8027 (bmo#1968423)
    JavaScript engine only wrote partial return value to stack
  * CVE-2025-8028 (bmo#1971581)
    Large branch table could lead to truncated instruction
  * CVE-2025-8029 (bmo#1928021)
    javascript: URLs executed on object and embed tags
  * CVE-2025-8036 (bmo#1960834)
    DNS rebinding circumvents CORS
  * CVE-2025-8037 (bmo#1964767)
    Nameless cookies shadow secure cookies
  * CVE-2025-8030 (bmo#1968414)
    Potential user-assisted code execution in “Copy as cURL” command
  * CVE-2025-8031 (bmo#1971719)
    Incorrect URL stripping in CSP reports
  * CVE-2025-8032 (bmo#1974407)
    XSLT documents could bypass CSP
  * CVE-2025-8038 (bmo#1808979)
    CSP frame-src was not correctly enforced for paths
  * CVE-2025-8039 (bmo#1970997)
    Search terms persisted in URL bar
  * CVE-2025-8033 (bmo#1973990)
    Incorrect JavaScript state machine for generators
  * CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)
    Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR
    128.13, Thunderbird ESR 128.13, Firefox ESR 140.1,
    Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  * CVE-2025-8040 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998)
    Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird
    ESR 140.1, Firefox 141 and Thunderbird 141
  * CVE-2025-8035 (bmo#1975961, bmo#1975961, bmo#1975961)
    Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird
    ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox
    141 and Thunderbird 141

- Mozilla Thunderbird ESR 140.0.1
  MFSA 2025-54
  * CVE-2025-6424 (bmo#1966423)
    Use-after-free in FontFaceSet
  * CVE-2025-6425 (bmo#1717672)
    The WebCompat WebExtension shipped exposed a persistent UUID
  * CVE-2025-6426 (bmo#1964385)
    No warning when opening executable terminal files on macOS
  * CVE-2025-6427 (bmo#1966927)
    connect-src Content Security Policy restriction could be
    bypassed
  * CVE-2025-6429 (bmo#1970658)
    Incorrect parsing of URLs could have allowed embedding of
    youtube.com
  * CVE-2025-6430 (bmo#1971140)
    Content-Disposition header ignored when a file is included in
    an embed or object tag
  * CVE-2025-6432 (bmo#1943804)
    DNS Requests leaked outside of a configured SOCKS proxy
  * CVE-2025-6433 (bmo#1954033)
    WebAuthn would allow a user to sign a challenge on a webpage
    with an invalid TLS certificate
  * CVE-2025-6434 (bmo#1955182)
    HTTPS-Only exception screen lacked anti-clickjacking delay
  * CVE-2025-6435 (bmo#1961777 bmo#1950056)
    Save as in Devtools could download files without sanitizing
    the extension
  * CVE-2025-6436 (bmo#1941377 bmo#1960948 bmo#1966187 bmo#1966505
    bmo#1970764)
    Memory safety bugs fixed in Firefox 140 and Thunderbird 140
- adapt mozilla-ntlm-full-path.patch for Thunderbird 140.0.1
- adapt mozilla-silence-no-return-type.patch for Thunderbird
  140.0.1

- Mozilla Thunderbird ESR 128.12.0
  MFSA 2025-55 (bsc#1244670)
  * CVE-2025-6424 (bmo#1966423)
    Use-after-free in FontFaceSet
  * CVE-2025-6425 (bmo#1717672)
    The WebCompat WebExtension shipped exposed a persistent UUID
  * CVE-2025-6426 (bmo#1964385)
    No warning when opening executable terminal files on macOS
  * CVE-2025-6429 (bmo#1970658)
    Incorrect parsing of URLs could have allowed embedding of
    youtube.com
  * CVE-2025-6430 (bmo#1971140)
    Content-Disposition header ignored when a file is included in
    an embed or object tag

- Use these tools/versions unconditionally, package won't build on
  Tumbleweed with new gcc15 otherwise:
  gcc14, gcc14-c++, cargo1.84, rust1.84

- Mozilla Thunderbird ESR 128.11.1
  MFSA 2025-49
  * CVE-2025-5986 (bmo#1958580, bmo#1968012)
    Unsolicited File Download, Disk Space Exhaustion, and Credential
    Leakage via mailbox:/// Links