* Tue Apr 20 2021 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.10
* fixed: Usability & theme improvements on Windows
* fixed: Various security fixes
MFSA 2021-14 (bsc#1184960)
* CVE-2021-23994 (bmo#1699077)
Out of bound write due to lazy initialization
* CVE-2021-23995 (bmo#1699835)
Use-after-free in Responsive Design Mode
* CVE-2021-23998 (bmo#1667456)
Secure Lock icon could have been spoofed
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23999 (bmo#1691153)
Blob URLs may have been granted additional privileges
* CVE-2021-24002 (bmo#1702374)
Arbitrary FTP command execution on FTP servers using an
encoded URL
* CVE-2021-29945 (bmo#1700690)
Incorrect size computation in WebAssembly JIT could lead to
null-reads
* CVE-2021-29946 (bmo#1698503)
Port blocking could be bypassed
* CVE-2021-29948 (bmo#1692899)
Race condition when reading from disk while verifying
signatures
* Fri Apr 09 2021 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.9.1
* new: Support recipient aliases for OpenPGP encryption.
Documentation can be found at
https://wiki.mozilla.org/Thunderbird:OpenPGP:Aliases.
* fixed: The key and signature parts of the message security
popup on a received message could not be selected for
copy/paste.
* fixed: Various UX and theme improvements
MFSA 2021-13 (bsc#1184536)
* CVE-2021-23991 (bmo#1673240)
An attacker may use Thunderbird's OpenPGP key refresh
mechanism to poison an existing key
* MOZ-2021-23992 (bmo#1666236)
A crafted OpenPGP key with an invalid user ID could be used
to confuse the user
* CVE-2021-23993 (bmo#1666360)
Inability to send encrypted OpenPGP email after importing a
crafted OpenPGP key
* Fri Mar 26 2021 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.9
* fixed: New mail notification displayed old messages that were
unread
* fixed: Spaces following soft line breaks in messages using
quoted-printable and format=flowed were incorrectly encoded;
existing messages which were previously incorrectly encoded
may now display with some words not separated by a space
* fixed: Some fields were unreadable in the Dark theme in the
General preferences panel
* fixed: Sending a message containing an anchor tag with an
invalid data URI failed
* fixed: When switching tabs, input focus was not moved to the
new tab
* fixed: Address Book: Syncing a read-only Google address book
via CardDAV failed
* fixed: Address Book: Importing VCards with non-ascii
characters would fail
* fixed: Address Book: Some values may not have been parsed
when syncing from Google address books.
* fixed: Add-ons Manager did not show if an addon used
experiment APIs
* fixed: Calendar: Removing a recurring task was not possible
* fixed: Various security fixes
MFSA 2021-12 (bsc#1183942)
* CVE-2021-23981 (bmo#1692832)
Texture upload into an unbound backing buffer resulted in an
out-of-bound read
* MOZ-2021-0002 (bmo#1691547)
Angle graphics library out of date
* CVE-2021-23982 (bmo#1677046)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2021-23984 (bmo#1693664)
Malicious extensions could have spoofed popup information
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
bmo#1690718)
Memory safety bugs fixed in Thunderbird 78.9
- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)
* Wed Feb 24 2021 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.8
* fixed: Importing an address book from a CSV file always
reported an error (bmo#1685048)
* fixed: Security information for S/MIME messages was not
displayed correctly prior to a draft being saved
(bmo#1683701)
* fixed: Calendar: FileLink UI fixes for Caldav calendars
(bmo#1669803)
* fixed: Recurring tasks were always marked incomplete; unable
to use filters (bmo#1686466)
* fixed: Various UI widgets not working (bmo#1690098)
* fixed: Dark theme improvements (bmo#1691106)
* fixed: Extension manager was missing link to addon support
web page (bmo#1642219)
* fixed: Various security fixes
MFSA 2021-09 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23968 (bmo#1687342)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23973 (bmo#1690976)
MediaError message property could have leaked information
about cross-origin resources
* CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597,
bmo#786797)
Memory safety bugs fixed in Thunderbird 78.8
- Update create-tar.sh to use https instead of http (bsc#1182357)
* Mon Feb 08 2021 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.7.1 (bsc#1181848)
* changed: Building OpenPGP shared library linked to system
libraries now supported (bmo#1634963)
* changed: MailExtension errors now shown in Developer Tools
console by default (bmo#1650149)
* changed: MailExtensions: Dynamic registration of calendar
providers now supported (bmo#1652885)
* fixed: OpenPGP improvements (bmo#1655210)
* fixed: Message preview was sometimes blank after upgrading
from Thunderbird 68 (bmo#1653168)
* fixed: Email addresses whitelisted for remote content not
displayed in preferences (bmo#1652575)
* fixed: Importing data from Seamonkey did not work
(bmo#272292)
* fixed: Renaming a mail list did not update the side bar
(bmo#1632331)
* fixed: MailExtensions: messenger.* namespace was undefined
(bmo#1641573)
* Wed Jan 27 2021 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.7
* changed: MailExtensions: browserAction, composeAction, and
messageDisplayAction toolbar buttons now support label and
default_label properties (bmo#1583478)
* fixed: Running a quicksearch that returned no results did not
offer to re-run as a global search (bmo#1663153)
* fixed: Message search toolbar fixes (bmo#1681010)
* fixed: Very long subject lines distorted the message compose
and display windows, making them unusable (bmo#77806)
* fixed: Compose window: Recipient addresses that had not yet
been autocompleted were lost when clicking Send button
(bmo#1674054)
* fixed: Compose window: New message is no longer marked as
"changed" just from tabbing out of the recipient field
without editing anything (bmo#1681389)
* fixed: Account autodiscover fixes when using MS Exchange
servers (bmo#1679759)
* fixed: LDAP address book stability fix (bmo#1680914)
* fixed: Messages with invalid vcard attachments were not
marked as read when viewed in the preview window
(bmo#1680468)
* fixed: Chat: Could not add TLS certificate exceptions for
XMPP connections (bmo#1590471)
* fixed: Calendar: System timezone was not always properly
detected (bmo#1678839)
* fixed: Calendar: Descriptions were sometimes blank when
editing a single occurrence of a repeating event
(bmo#1664731)
* fixed: Various printing bugfixes (bmo#1676166)
* fixed: Visual consistency and theme improvements
(bmo#1682808)
* fixed: Various security fixes
MFSA 2021-05 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2020-15685 (bmo#1622640)
IMAP Response Injection when using STARTTLS
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
bmo#1685260, bmo#1685925)
Memory safety bugs fixed in Thunderbird 78.7
* Tue Jan 12 2021 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.6.1
* changed: MailExtensions: browserAction, composeAction, and
messageDisplayAction toolbar buttons now support label and
default_label properties (bmo#1583478)
* fixed: Running a quicksearch that returned no results did not
offer to re-run as a global search (bmo#1663153)
* fixed: Message search toolbar fixes (bmo#1681010)
* fixed: Very long subject lines distorted the message compose
and display windows, making them unusable (bmo#77806)
* fixed: Compose window: Recipient addresses that had not yet
been autocompleted were lost when clicking Send button
(bmo#1674054)
* fixed: Compose window: New message is no longer marked as
"changed" just from tabbing out of the recipient field
without editing anything (bmo#1681389)
* fixed: Account autodiscover fixes when using MS Exchange
servers (bmo#1679759)
* fixed: LDAP address book stability fix (bmo#1680914)
* fixed: Messages with invalid vcard attachments were not
marked as read when viewed in the preview window
(bmo#1680468)
* fixed: Chat: Could not add TLS certificate exceptions for
XMPP connections (bmo#1590471)
* fixed: Calendar: System timezone was not always properly
detected (bmo#1678839)
* fixed: Calendar: Descriptions were sometimes blank when
editing a single occurrence of a repeating event
(bmo#1664731)
* fixed: Various printing bugfixes (bmo#1676166)
* fixed: Visual consistency and theme improvements
(bmo#1682808)
MFSA 2021-02 (bsc#1180623)
* CVE-2020-16044 (bmo#1683964)
Use-after-free write when handling a malicious COOKIE-ECHO
SCTP chunk
* Tue Dec 15 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.6
* new: MailExtensions: Added
browser.windows.openDefaultBrowser() (bmo#1664708)
* changed: Thunderbird now only shows quota exceeded
indications on the main window (bmo#1671748)
* changed: MailExtensions: menus API enabled in messages being
composed (bmo#1670832)
* changed: MailExtensions: Honor allowScriptsToClose argument
in windows.create API function (bmo#1675940)
* changed: MailExtensions: APIs that returned an accountId will
reflect the account the message belongs to, not what is
stored in message headers (bmo#1644032)
* fixed: Keyboard shortcut for toggling message "read" status
not shown in menus (bmo#1619248)
* fixed: OpenPGP: After importing a secret key, Key Manager
displayed properties of the wrong key (bmo#1667054)
* fixed: OpenPGP: Inline PGP parsing improvements (bmo#1660041)
* fixed: OpenPGP: Discovering keys online via Key Manager
sometimes failed on Linux (bmo#1634053)
* fixed: OpenPGP: Encrypted attachment "Decrypt and Open/Save
As" did not work (bmo#1663169)
* fixed: OpenPGP: Importing keys failed on macOS (bmo#1680757)
* fixed: OpenPGP: Verification of clear signed UTF-8 text
failed (bmo#1679756)
* fixed: Address book: Some columns incorrectly displayed no
data (bmo#1631201)
* fixed: Address book: The address book view did not update
after changing the name format in the menu (bmo#1678555)
* fixed: Calendar: Could not import an ICS file into a CalDAV
calendar (bmo#1652984)
* fixed: Calendar: Two "Home" calendars were visible on a new
profile (bmo#1656782)
* fixed: Calendar: Dark theme was incomplete on Linux
(bmo#1655543)
* fixed: Dark theme did not apply to new mail notification
popups (bmo#1681083)
* fixed: Folder icon, message list, and contact side bar visual
improvements (bmo#1679436)
* fixed: MailExtensions: HTTP refresh in browser content tabs
did not work (bmo#1667774)
* fixed: MailExtensions: messageDisplayScripts failed to run in
main window (bmo#1674932)
* fixed: Various security fixes
MFSA 2020-56 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Thunderbird 78.6
* Wed Dec 02 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.5.1
* new: OpenPGP: Added option to disable email subject
encryption (bmo#1666073)
* changed: OpenPGP public key import now supports multi-file
selection and bulk accepting imported keys (bmo#1665145)
* changed: MailExtensions: getComposeDetails will wait for
"compose-editor-ready" event (bmo#1675012)
* fixed: New mail icon was not removed from the system tray at
shutdown (bmo#1664586)
* fixed: "Place replies in the folder of the message being
replied to" did not work when using "Reply to List"
(bmo#522450)
* fixed: Thunderbird did not honor the "Run search on server"
option when searching messages (bmo#546925)
* fixed: Highlight color for folders with unread messages
wasn't visible in dark theme (bmo#1676697)
* fixed: OpenPGP: Keys were missing from Key Manager
(bmo#1674521)
* fixed: OpenPGP: Option to import keys from clipboard always
disabled (bmo#1676842)
* fixed: The "Link" button on the large attachments info bar
failed to open up Filelink section in Options if the user had
not yet configured Filelink (bmo#1677647)
* fixed: Address book: Printing members of a mailing list
resulted in incorrect output (bmo#1676859)
* fixed: Unable to connect to LDAP servers configured with a
self-signed SSL certificate (bmo#1659947)
* fixed: Autoconfig via LDAP did not work as expected
(bmo#1662433)
* fixed: Calendar: Pressing Ctrl-Enter in the new event dialog
would create duplicate events (bmo#1668478)
* fixed: Various security fixes
MFSA 2020-53 (bsc#1179530)
* CVE-2020-26970 (bmo#1677338)
Stack overflow due to incorrect parsing of SMTP server
response codes
* Thu Nov 19 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.5.0
* new: OpenPGP: Added option to disable attaching the public
key to a signed message (bmo#1654950)
* new: MailExtensions: "compose_attachments" context added to
Menus API (bmo#1670822)
* new: MailExtensions: Menus API now available on displayed
messages (bmo#1670825)
* changed: MailExtensions: browser.tabs.create will now wait
for "mail-delayed-startup-finished" event (bmo#1674407)
* fixed: OpenPGP: Support for inline PGP messages improved
(bmo#1672851)
* fixed: OpenPGP: Message security dialog showed unverified
keys as unavailable (bmo#1675285)
* fixed: Chat: New chat contact menu item did not function
(bmo#1663321)
* fixed: Various theme and usability improvements (bmo#1673861)
* fixed: Various security fixes
MFSA 2020-52 (bsc#1178894)
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security UI
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
* CVE-2020-26959 (bmo#1669466)
Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358)
Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223)
Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528)
DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617)
Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571)
Single-word search queries were also broadcast to local
network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
bmo#1671923)
Memory safety bugs fixed in Thunderbird 78.5
* Mon Nov 16 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.4.3
* fixed: User interface was inconsistent when switching from
the default theme to the dark theme and back to the default
theme (bmo#1659282)
* fixed: Email subject would disappear when hovering over it
with the mouse when using Windows 7 Classic theme
(bmo#1675970)
* Tue Nov 10 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.4.2
MFSA 2020-49 (bsc#1178611)
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted
for
- Mozilla Thunderbird 78.4.1
* new: Thunderbird prompts for an address to use when starting
an email from an address book entry with multiple addresses
(bmo#84028)
* fixed: Searching global search results did not work
(bmo#1664761)
* fixed: Link location was not focused by default when adding a
hyperlink in message composer (bmo#1670660)
* fixed: Advanced address book search dialog was unusable
(bmo#1668147)
* fixed: Encrypted draft reply emails lost "Re:" prefix
(bmo#1661510)
* fixed: Replying to a newsgroup message did not open the
compose window (bmo#1672667)
* fixed: Unable to delete multiple newsgroup messages
(bmo#1657988)
* fixed: Appmenu displayed visual glitches (bmo#1636243)
* fixed: Visual glitches when selecting multiple messages in
the message pane and using Ctrl+click (bmo#1671800)
* fixed: Switching between dark and light mode could lead to
unreadable text on macOS (bmo#1668989)
* Thu Oct 22 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.4
* new: MailExtensions: browser.tabs.sendMessage API added
(bmo#1641576)
* new: MailExtensions: messageDisplayScripts API added
(bmo#1504475)
* changed: Yahoo and AOL mail users using password
authentication will be migrated to OAuth2 (bmo#1606339)
* changed: MailExtensions: messageDisplay APIs extended to
support multiple selected messages (bmo#1617461)
* changed: MailExtensions: compose.begin functions now support
creating a message with attachments (bmo#1662018)
* fixed: Thunderbird could freeze when updating global search
index (bmo#1669872)
* fixed: Multiple issues with handling of self-signed SSL
certificates addressed (bmo#1590474)
* fixed: Recipient address fields in compose window could
expand to fill all available space (bmo#1666463)
* fixed: Inserting emoji characters in message compose window
caused unexpected behavior (bmo#1638874)
* fixed: Button to restore default folder icon color was not
keyboard accessible (bmo#1663075)
* fixed: Various keyboard navigation fixes (bmo#1667567)
* fixed: Various color-related theme fixes (bmo#1668410)
* fixed: MailExtensions: Updating attachments with
onBeforeSend.addListener() did not work (bmo#1662015)
MFSA 2020-47 (bsc#1177977)
* CVE-2020-15969 (bmo#1666570,
https://github.com/sctplab/usrsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019)
Use-after-free in usersctp
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
bmo#1662760, bmo#1663439, bmo#1666140)
Memory safety bugs fixed in Thunderbird 78.4
* Mon Oct 19 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
(bmo#1665497)
* OpenPGP message status icons were not visible in
message header pane (bmo#1670067)
* OpenPGP Key Manager was missing from Tools menu on
macOS (bmo#1662279)
* Creating a new calendar event did not require an event
title (bmo#1663303)
* Wed Oct 14 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 78.3.2 (bsc#1176899)
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were
sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse
button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential
use-after-free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch
- Mozilla Thunderbird 78.2.2
https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
(boo#1176384)
- Mozilla Thunderbird 78.2.1 (bsc#1174230)
* based on Mozilla's 78 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
* built-in OpenPGP support (enigmail neither required nor supported)
- added platform patches:
* mozilla-s390x-skia-gradient.patch
* mozilla-pipewire-0-3.patch
* mozilla-bmo1512162.patch
* mozilla-bmo1626236.patch
* mozilla-bmo998749.patch
* mozilla-sandbox-fips.patch
* thunderbird-remove-python2.patch
- removed obsolete platform patches
* mozilla-s390-bigendian.patch
* mozilla-nestegg-big-endian.patch
* mozilla-openaes-decl.patch
* mozilla-cubeb-noreturn.patch
* Mon Aug 31 2020 Charles Robertson <cgrobertson@suse.com>
- Mozilla Thunderbird 68.12
* fixed: Various security vulnerabilities
MFSA 2020-40 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15669 (bmo#1656957)
Use-After-Free when aborting an operation
* Fri Jul 31 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.11
* fixed: FileLink attachments included as a link and file when
added from a network drive via drag & drop (bmo#793118)
* fixed: Various security fixes
MFSA 2020-35 (bsc#1174538)
* CVE-2020-15652 (bmo#1634872)
Potential leak of redirect targets when loading scripts in a
worker
* CVE-2020-6514 (bmo#1642792)
WebRTC data channel leaks internal address to peer
* CVE-2020-6463 (bmo#1635293)
Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1646787,
bmo#1650811)
Memory safety bugs fixed in Thunderbird 68.11
* Fri Jul 03 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.10.0
* fixed: Chat: Topics displayed some characters improperly
(bmo#1644024)
* fixed: Calendar: Filtering tasks did not work when
"Incomplete Tasks" was selected (bmo#1593711)
MFSA 2020-26 (bsc#1173576)
* CVE-2020-12417 (bmo#1640737)
Memory corruption due to missing sign-extension for ValueTags
on ARM64
* CVE-2020-12418 (bmo#1641303)
Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874)
Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437)
Use-After-Free when trying to connect to a STUN server
* MFSA-2020-0001 (bmo#1606610)
Automatic account setup leaks Microsoft Exchange login
credentials
* CVE-2020-12421 (bmo#1308251)
Add-On updates did not respect the same certificate trust
rules as software updates
Version: 68.9.0-bp152.1.1
* Thu Jun 04 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.9.0
* fixed: Custom headers added for searching or filtering could
not be removed (bmo#1631577)
* fixed: Calendar: Today Pane updated prior to loading all data
(bmo#1635613)
* fixed: Stability improvements (bmo#1625677)
* fixed: Various security fixes
MFSA 2020-22 (bsc#1172402)
* CVE-2020-12405 (bmo#1631618)
Use-after-free in SharedWorkerService
* CVE-2020-12406 (bmo#1639590)
JavaScript Type confusion with NativeTypes
* CVE-2020-12410 (bmo#1619305, bmo#1632717)
Memory safety bugs fixed in Thunderbird 68.9.0
* CVE-2020-12398 (bmo#1613623)
Security downgrade with IMAP STARTTLS leads to information
leakage
* Mon May 25 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.8.1
* fixed: IMAP stability improvements (bmo#1586494)
* fixed: HTML tags in IRC topic changes were rendered
incorrectly (bmo#1607097)
* fixed: MailExtensions: Websockets could not be used
(bmo#1627649)
- Use a symbolic icon from branding internals
* Wed May 06 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.8.0
* fixed: Account Manager: text fields were too small in some
cases (bmo#1616387)
* fixed: Account Manager: Authentication method did not update
when selecting an SMTP server (bmo#1631437)
* fixed: Links with embedded credentials did not open on
Windows (bmo#1609451)
* fixed: Messages were sometimes sent with a badly formed
address when filled from the address book (bmo#1629842)
* fixed: Accessibility: Screen readers were reporting too many
activities from the status bar (bmo#1628891)
* fixed: MailExtensions: Setting IMAP messages as read with
browser.messages.updated failed to persist (bmo#1631184)
* fixed: Various security fixes
MFSA 2020-18 (bsc#1171186)
* CVE-2020-12397 (bmo#1617370)
Sender Email Address Spoofing using encoded Unicode
characters
* CVE-2020-12387 (bmo#1545345)
Use-after-free during worker shutdown
* CVE-2020-6831 (bmo#1632241)
Buffer overflow in SCTP chunk input validation
* CVE-2020-12392 (bmo#1614468)
Arbitrary local file access with 'Copy as cURL'
* CVE-2020-12393 (bmo#1615471)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command
injection
* CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704,
bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076,
bmo#1631508)
Memory safety bugs fixed in Thunderbird 68.8.0
* Tue Apr 14 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.7.0
* new: MailExtensions: Raw message source available to
MailExtensions (bmo#1525274)
* changed: MailExtensions: messages.update function extended to
mark messages as junk or not junk (bmo#1598332)
* changed: MailExtensions: browser.compose.begin functions no
longer expand mailing lists (bmo#1612480)
* fixed: Various improvements to account setup when connecting
to an Exchange server (bmo#1598861)
* fixed: Thread collapsed when opening news message in a new
window (bmo#1526765)
* fixed: Addons not automatically updated to compatible version
after upgrade from Thunderbird 60 (bmo#1574183)
* fixed: Updating addons did not prompt when requesting new
permissions (bmo#1620861)
* fixed: Extra recipients panel not keyboard-accessible
(bmo#1612717)
* fixed: Accessibility: Status bar was not detected by
screenreaders (bmo#1621287)
* fixed: MailExtensions: messages.query by folder name did not
require accountsRead permission (bmo#1625793)
* fixed: Calendar: Invitations with embedded null bytes did not
always decode correctly (bmo#1623896)
* fixed: Calendar: Cancelled events didn't show with a
line-through (bmo#1621210)
* fixed: Various security fixes
MFSA 2020-14 (bsc#1168874)
In general, these flaws cannot be exploited through email in
Thunderbird because scripting is disabled when reading mail, but
are potentially risks in browser or browser-like contexts.
* CVE-2020-6819 (bmo#1620818, bsc#1168630)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728, bsc#1168630)
Use-after-free when handling a ReadableStream
* CVE-2020-6821 (bmo#1625404, bsc#1168874)
Uninitialized memory could be read when using the WebGL
copyTexSubImage method
* CVE-2020-6822 (bmo#1544181, bsc#1168874)
Out of bounds write in GMPDecodeData when processing large images
* CVE-2020-6825 (bmo#1572541, bmo#1620193, bmo#1620203, bsc#1168874)
Memory safety bugs fixed in Thunderbird 68.7.0
* Fri Mar 13 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.6
* new: Thunderbird now displays a popup window when starting up
on a new profile (bmo#1590036)
* changed: Thunderbird now provides partial updates resulting
in smaller downloads (bmo#1410512)
* fixed: Searching in message bodies led to false negatives
under some circumstances in quoted-printable encoded HTML
bodies (bmo#1614796)
* fixed: "Get New Messages for All Accounts" not working for
OAuth2-authenticated IMAP accounts (bmo#1593611)
* fixed: Various security fixes
MFSA 2020-10 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections
against state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command
injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256,
bmo#1612636, bmo#1614339)
Memory safety bugs fixed in Thunderbird 68.6
* Thu Feb 13 2020 Charles Robertson <cgrobertson@suse.com>
- Mozilla Thunderbird 68.5
* new: Support for Client Identity IMAP/SMTP Service Extension
(bmo#1532388)
* new: Support for OAuth 2.0 authentication for POP3 accounts
(bmo#1538409)
* fixed: Status area goes blank during account setup
(bmo#1593122)
* fixed: Calendar: Could not remove color for default
categories (bmo#1584853)
* fixed: Calendar: Prevent calendar component loading multiple
times (bmo#1606375)
* fixed: Calendar: Today pane did not retain width between
sessions (bmo#1610207)
* fixed: Various security fixes
(https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird68.5)
* unresolved: When upgrading from Thunderbird version 60 to
version 68, add-ons are not automatically updated during the
upgrade process. They will however be updated during the
add-on update check. It is of course possible to reinstall
compatible add-ons via the Add-ons Manager or via
addons.thunderbird.net. (bmo#1574183)
MFSA 2020-07 (bsc#1163368)
* CVE-2020-6793 (bmo#1608539)
Out-of-bounds read when processing certain email messages
* CVE-2020-6794 (bmo#1606619)
Setting a master password post-Thunderbird 52 does not delete
unencrypted previously stored passwords
* CVE-2020-6795 (bmo#1611105)
Crash processing S/MIME messages with multiple signatures
* CVE-2020-6797 (bmo#1596668)
Extensions granted downloads.open permission could open
arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript
injection
* CVE-2020-6792 (bmo#1609607)
Message ID calculation was based on uninitialized data
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
Memory safety bugs fixed in Thunderbird 68.5
* Mon Jan 27 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.4.2 (bsc#1162777)
* changed: Calendar: Task and Event tree colours adjusted for
the dark theme (bmo#1608344)
* fixed: Retrieval of S/MIME certificates from LDAP failed
(bmo#1604773)
* fixed: Address-parsing crash on some IMAP servers when
preference mail.imap.use_envelope_cmd was set (bmo#1609690)
* fixed: Incorrect forwarding of HTML messages caused SMTP
servers to respond with a timeout (bmo#1222046)
* fixed: Calendar: Various parts of the calendar UI stopped
working when a second Thunderbird window opened (bmo#1608407)
* Fri Jan 10 2020 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.4.1
* changed: Various improvements when setting up an account for
a Microsoft Exchange server: Now offers IMAP/SMTP if
available, better detection for Office 365 accounts; re-run
configuration after password change. (bmo#1592258)
* fixed: Attachments with one or more spaces in their names
couldn't be opened under some circumstances (bmo#1601905)
* fixed: After changing view layout, the message display pane
showed garbled content under some circumstances (bmo#265393)
* fixed: Tags were lost on messages in shared IMAP folders
under some circumstances (bmo#1596371)
* fixed: Various theme changes to achieve "pixel perfection":
Unread icon, "no results" icon, paragraph format and font
selector, background of folder summary tooltip (bmo#1605612)
* fixed: Calendar: Event attendee dialog was not displayed
correctly (bmo#1604797)
* fixed: Various security fixes
MFSA 2020-04 (bsc#1160305, bsc#1160498)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content
process initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content
process initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
bmo#1601826)
Memory safety bugs fixed in Thunderbird 68.4.1
- Removed patch that is now upstream: mozilla-bmo1511604.patch
- Added patch to fix broken URL-bar on s390x:
mozilla-bmo1602730.patch
* Tue Dec 17 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.3.1
* changed: In dark theme unread messages no longer shown in
blue to distinguish from tagged messages (bmo#1596702)
* changed: Account setup is now using client side DNS MX lookup
instead of relying on a server. (bmo#1349337)
* fixed: Searching LDAP address book crashed in some
circumstances (bmo#1601389)
* fixed: Message navigation with backward and forward buttons
did not work in some circumstances (bmo#533504)
* fixed: WebExtension toolbar icons were displayed too small
(bmo#1598955)
* fixed: Calendar: Tasks due today were not listed in bold
(bmo#1598885)
* fixed: Calendar: Last day of long-running events was not
shown (bmo#1572964)
* Wed Dec 04 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Firefox Thunderbird 68.3
* new: Message display toolbar action WebExtension API
(bmo#1531597)
* new: Navigation buttons are now available in content tabs,
for example those opened via an add-on search (bmo#787683)
* changed: "New email" icon in Windows systray changed from in-
tray with arrow to envelope (bmo#1594200)
* fixed: Icons of attachments in the attachment pane of the
Write window not always correct (bmo#1593280)
* fixed: Toolbar buttons of add-ons in the menubar not shown
after startup (bmo#1584160)
* fixed: LDAP lookup not working when SSL was enabled. LDAP
search not working when "All Address Books" was selected.
(bmo#1576364)
* fixed: Scam link confirmation panel not working (bmo#1596413)
* fixed: In Write window, the Link Properties dialog wasn't
showing named anchors in context menu (bmo#1593629)
* fixed: Calendar: Start-up failed if the application menu is
not on the calendar toolbars (bmo#1588516)
* fixed: Chat: Account reordering via drag-and-drop not working
on Instant messaging status dialog (Show Accounts)
(bmo#1591505)
MFSA 2019-37 (bsc#1158328)
* CVE-2019-17008 (bmo#1546331)
Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156)
Stack corruption due to incorrect number of arguments in
WebRTC code
* CVE-2019-11745 (bmo#1586176)
Out of bounds write in NSS when encrypting with a block
cipher
* CVE-2019-17009 (bmo#1510494)
Updater temporary files accessible to unprivileged processes
* CVE-2019-17010 (bmo#1581084)
Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170)
Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334)
Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667,
bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502)
Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* Tue Nov 26 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Remove patch thunderbird-broken-locales-build.patch due to
switch to a different method for building locales
- Added patch mozilla-bmo849632.patch to fix some webgl-problems
on big endian machines (sync from FF)
* Mon Nov 04 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.2.1
* new: A language for the user interface can now be chosen in
the advanced settings (multilingual UI) (bmo#1590206)
* fixed: Problem with Google authentication (OAuth2)
(bmo#1592407)
* fixed: Selected or unread messages not shown in the correct
color in the thread pane (message list) under some
circumstances (bmo#1585765)
* fixed: When using a language pack, names of standard folders
weren't localized (bmo#1575512, boo#1149126)
* fixed: Address book default startup directory in preferences
panel not persisted (bmo#1591364)
* fixed: Various visual glitches: Conditions in filter editor
not high enough, folder location widget not showing folder
name, problem with menubar customization, add-on home page
links accumulating, theme issues on Windows 7 (bmo#1590666)
* fixed: Issues when upgrading from a 32bit version of
Thunderbird to a 64bit version. Note: If your profile is
still not recognised, select it by visiting about:profiles
in the Troubleshooting Information. (bmo#1587067)
* fixed: Chat: Extended context menu on Instant messaging
status dialog (Show Accounts) (bmo#1591506)
- added mozilla-bmo1504834-part4.patch to fix some visual issues
on big endian platforms
* Wed Oct 23 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.2
* new: Message Display WebExtension API
* new: Message Search WebExtension API
* Bugfixes
Better visual feedback for unread messages when using the
dark theme
Various issues when editing mailing lists
Integration with macOS addressbook and notifications not working
after introduction of notarization
Application windows not maintaining their size after restart
Issues when upgrading from a 32bit version of Thunderbird to a
64bit version.
* various security fixes
MFSA 2019-33/2019-35 (bsc#1154738)
* CVE-2019-15903 (bmo#1584907)
Heap overflow in expat library in XML_GetCurrentLineNumber
* CVE-2019-11757 (bmo#1577107)
Use-after-free when creating index updates in IndexedDB
* CVE-2019-11758 (bmo#1536227)
Potentially exploitable crash due to 360 Total Security
* CVE-2019-11759 (bmo#1577953)
Stack buffer overflow in HKDF output
* CVE-2019-11760 (bmo#1577719)
Stack buffer overflow in WebRTC networking
* CVE-2019-11761 (bmo#1561502)
Unintended access to a privileged JSONView object
* CVE-2019-11762 (bmo#1582857)
document.domain-based origin isolation has same-origin-
property violation
* CVE-2019-11763 (bmo#1584216)
Incorrect HTML parsing results in XSS bypass technique
* CVE-2019-11764 (bmo#1548044, bmo#1558522, bmo#1571223,
bmo#1573048, bmo#1575217, bmo#1577061, bmo#1578933,
bmo#1581950, bmo#1583463, bmo#1583684, bmo#1586599,
bmo#1586845)
Memory safety bugs fixed in Thunderbird 68.2
- removed upstream patches:
* mozilla-bmo1512162.patch
* mozilla-bmo1573381.patch
* mozilla-bmo1585099.patch
* Mon Oct 14 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.1.2 (bsc#1153879)
Bugfixes
* Some attachments couldn't be opened in messages originating from
MS Outlook 2016
* Address book import from CSV
* Performance problem in message body search
* Ctrl+Enter to send a message would open an attachment if the
attachment pane had focus
* Calendar: Issues with "Today Pane" start-up
* Calendar: Glitches with custom repeat and reminder number input
* Calendar: Problems with WCAP provider
- add mozilla-bmo1585099.patch to fix build with rust >= 1.38
- add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO)
- updated translations-other locale list
- remove kde.js since disabling instantApply breaks extensions and
is obsolete with the move to HTML views for preferences (boo#1151186)
- Update create-tar.sh (bsc#1152778)
- Update mozilla-bmo1512162.patch to the patch now committed upstream
* No more -O1 builds for ppc64le necessary
- Deactivate currently useless crashreporter for the last remaining
arch
* Fri Sep 27 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.1.1
Bugfixes
* Issues with attachments in IMAP messages
* Gmail accounts ignored a non-standard trash folder selection
* Entering/pasting lists of recipients into the addressing widget or
mailing list not working reliably, especially when lists contained
multiple commas or semicolons
* Edit mailing list not working
* Various theme fixes, especially dark theme improvements for Calendar
* Contrast between tag label and background not optimal
* Account Central pane always loaded at start-up
* "Config Editor" button not removed if blocked by policy
* Calendar: Free/busy information in attendees dialog not scrolled
correctly. Note: Scroll arrows still not behaving correctly
MFSA 2019-32
* CVE-2019-11755 (bmo#1240290)
Spoofing a message author via a crafted S/MIME message
* Thu Sep 12 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 68.1.0
* Offer to configure Exchange accounts for Office365. A third-
party add-on is required for this account type.
IMAP still exists as alternative.
* Edit tag not working
* Write window: "Insert > Characters and Symbols" not working
* Moving/dragging messages from "Search Messages" result
dialog not working
* Command line -compose "attachment=" not working
* Custom views not working
* Issues with list of content types/actions for incoming attachments
* "Learn More" links in Error Console not working
* Visual glitches: Quick Filter Bar tag buttons too tall, missing
scroll bar on Connection Setting subdialog, LDAP server
selection after "New", "Edit" and "Delete"
* Calendar: Parts of CalDAV dialog not working
MFSA 2019-30
* CVE-2019-11739 (bmo#1571481, bsc#1150939)
Covert Content Attack on S/MIME encryption using a crafted
multipart/alternative message
* CVE-2019-11746 (bmo#1564449, bsc#1149297)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033, bsc#1149304)
XSS by breaking out of title and textarea elements using
innerHTML
* CVE-2019-11742 (bmo#1559715, bsc#1149303)
Same-origin policy violation with SVG filters and canvas to
steal cross-origin images
* CVE-2019-11752 (bmo#1501152, bsc#1149296)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-11743 (bmo#1560495, bsc#1149298,
https://w3c.github.io/navigation-timing)
Cross-origin access to unload event attributes
* CVE-2019-11740 (bmo#1563133, bmo#1573160, bsc#1149299)
Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1,
Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
- Mozilla Thunderbird 68.0
* based on Firefox ESR 68
* File link attachments can now be linked to again instead of
uploading them again
* Mark all folders of an account as read
* Run filters periodically. Improved filter logging
* OAuth2 authentication for Yandex
* Language packs can now be selected in the Advanced Options.
Preference intl.multilingual.enabled needs to be set (and possibly
also extensions.langpacks.signatures.required needs to be set to false)
* Added a policy engine that allows customized Thunderbird deployments
in enterprise environments, using Windows Group Policy or a
cross-platform JSON file
* TCP keepalive for IMAP protocol
* Full Unicode support for MAPI interfaces: New support for MAPISendMailW
* Calendar: Time zone data can now include past and future changes.
All known time zone changes from 2018 to 2022 are included.
* Chat: In each conversation an individual spellcheck language can
be selected now
MFSA 2019-28
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11714 (bmo#1542593)
NeckoChild can trigger crash when accessed off of main thread
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a
segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11716 (bmo#1552632)
globalThis not enumerable until accessed
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
* CVE-2019-11720 (bmo#1556230)
Character encoding XSS vulnerability
* CVE-2019-11721 (bmo#1256009)
Domain spoofing through unicode latin 'kra' character
* CVE-2019-11730 (bmo#1558299)
Same-origin policy treats all files in a directory as having
the same-origin
* CVE-2019-11723 (bmo#1528335)
Cookie leakage during add-on fetching across private browsing
boundaries
* CVE-2019-11724 (bmo#1512511)
Retired site input.mozilla.org has remote troubleshooting
permissions
* CVE-2019-11725 (bmo#1483510)
Websocket resources bypass safebrowsing protections
* CVE-2019-11727 (bmo#1552208)
PKCS#1 v1.5 signatures can be used for TLS 1.3
* CVE-2019-11728 (bmo#1552993)
Port scanning through Alt-Svc header
* CVE-2019-11710 (bmo#1400563, bmo#1507696, bmo#1510345,
bmo#1533842, bmo#1535482, bmo#1535848, bmo#1537692,
bmo#1540590, bmo#1544180, bmo#1547472, bmo#1547760,
bmo#1548611, bmo#1549768, bmo#1551907)
Memory safety bugs fixed in Firefox 68 and Thunderbird 68
* CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219,
bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822,
bmo#1550498, bmo#1550498)
Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and
Thunderbird 68
- removed patches that are now upstream
* mozilla-bmo1375074.patch
* mozilla-i586-DecoderDoctorLogger.patch
* mozilla-i586-domPrefs.patch
* mozilla-bmo1464766.patch
* mozilla-bigendian_bit_flags_alias.patch
- added patch to make builds reproducible
* mozilla-bmo1568145.patch
- added a bunch of patches mainly for big endian platforms
* mozilla-bmo1504834-part1.patch
* mozilla-bmo1504834-part2.patch
* mozilla-bmo1504834-part3.patch
* mozilla-bmo1511604.patch
* mozilla-bmo1512162.patch
* mozilla-bmo1554971.patch
* mozilla-bmo1573381.patch
* mozilla-nestegg-big-endian.patch
* mozilla-ppc-altivec_static_inline.patch
- added patches to fix build on armv7:
* mozilla-bmo1463035.patch
* mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
- added patch to fix non-return function
* mozilla-cubeb-noreturn.patch
- added patch to fix aarch64 build:
* mozilla-fix-aarch64-libopus.patch (bmo#1539737)
- added patch to reduce build-load
* mozilla-reduce-rust-debuginfo.patch
- added patch to fix locales-build
* thunderbird-broken-locales-build.patch
- added patch to fix implicit declarations
* mozilla-openaes-decl.patch
- added samba-patch from Firefox
* mozilla-ntlm-full-path.patch
* Fri Jul 12 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Firefox Thunderbird 60.8
MFSA 2019-23 (bsc#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious language pack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a
segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
* CVE-2019-11730 (bmo#1558299)
Same-origin policy treats all files in a directory as having
the same-origin
* CVE-2019-11709 (bmo#1515052, bmo#1533522, bmo#1539219,
bmo#1540759, bmo#1547266, bmo#1547757, bmo#1548822,
bmo#1550498, bmo#1550498)
Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and
Thunderbird 60.8
- Calendar: Problems when editing event times, some related to
AM/PM setting in non-English locales
* Fri Jun 21 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Firefox Thunderbird 60.7.2
MFSA 2019-20 (bsc#1138872)
* CVE-2019-11707 (bmo#1544386)
Type confusion in Array.pop
* CVE-2019-11708 (bmo#1559858)
sandbox escape using Prompt:Open
* Fri Jun 14 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Firefox Thunderbird 60.7.1
MFSA 2019-17 (bsc#1137595)
* CVE-2019-11703 (bmo#1553820)
Heap buffer overflow in icalparser.c
* CVE-2019-11704 (bmo#1553814)
Heap buffer overflow in icalvalue.c
* CVE-2019-11705 (bmo#1553808)
Stack buffer overflow in icalrecur.c
* CVE-2019-11706 (bmo#1555646)
Type confusion in icalproperty.c
- No prompt for smartcard PIN when S/MIME signing is used
- Removed obsolete patches:
[thunderbird-bsc1137595.patch]
* Thu Jun 13 2019 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Fix security vulnerabilities in Thunderbird 60.7 (bsc#1137595)
* CVE-2019-11706 (bmo#1555646)
* CVE-2019-11705 (bmo#1553808)
* CVE-2019-11704 (bmo#1553814)
* CVE-2019-11703 (bmo#1553820)
- Added patches:
[thunderbird-bsc1137595.patch]
Version: 60.7.2-85.1
* Thu Jun 20 2019 wr@rosenauer.org
- Mozilla Thunderbird 60.7.2
MFSA 2019-20 (boo#1138872)
* CVE-2019-11707 (bmo#1544386)
Type confusion in Array.pop
* CVE-2019-11708 (bmo#1559858)
sandbox escape using Prompt:Open
* Wed Jun 12 2019 wr@rosenauer.org
- Mozilla Thunderbird 60.7.1
* fixed: No prompt for smartcard PIN when S/MIME signing is used
MFSA 2019-17 (boo#1137595)
* CVE-2019-11703 (bmo#1553820)
Heap buffer overflow in icalparser.c
* CVE-2019-11704 (bmo#1553814)
Heap buffer overflow in icalvalue.c
* CVE-2019-11705 (bmo#1553808)
Stack buffer overflow in icalrecur.c
* CVE-2019-11706 (bmo#1555646)
Type confusion in icalproperty.c
* Sat Jun 08 2019 aaronpuchert@alice-dsl.net
- Increase disk space requirements in _constraints.
* Fri May 24 2019 wr@rosenauer.org
- Mozilla Thunderbird 60.7.0
* Attachment pane of Write window no longer focussed when attaching
files using a keyboard shortcut
MFSA 2019-15 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-11691 (bmo#1542465)
Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670)
Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829)
Use-after-free in png_image_free of libpng library
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2018-18511 (bmo#1526218)
Cross-origin theft of images with ImageBitmapRenderingContext
* CVE-2019-11694 (bmo#1534196) (Windows only)
Uninitialized memory leakage in Windows sandbox
* CVE-2019-11698 (bmo#1543191)
Theft of user history data through drag and drop of hyperlinks
to and from bookmarks
* CVE-2019-5798 (bmo#1535518)
Out-of-bounds read in Skia
* CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136,
bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108,
bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097,
bmo#1532465, bmo#1533554, bmo#1541580)
Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
* Wed Apr 24 2019 mliska@suse.cz
- Disable LTO (boo#1133267).
* Sat Mar 30 2019 manfred.h@gmx.net
- Add patch to fix build using rust-1.33: (boo#1130694)
* mozilla-bmo1519629.patch (bmo#1519629)
Version: 60.5.1-79.1
* Thu Feb 14 2019 wr@rosenauer.org
- Mozilla Thunderbird 60.5.1
* CalDav access to some servers not working
MFSA 2019-06 (bsc#1125330)
* CVE-2018-18356 bmo#1525817
Use-after-free in Skia
* CVE-2019-5785 bmo#1525433
Integer overflow in Skia
* CVE-2018-18335 bmo#1525815
Buffer overflow in Skia with accelerated Canvas 2D
* CVE-2018-18509 bmo#1507218
S/MIME signature spoofing
* Fri Jan 25 2019 wr@rosenauer.org
- Mozilla Thunderbird 60.5.0:
* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines
from a local XML file using a minimal user interface: [+] button
to select a file and add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default
in some locales
* During account creation, Thunderbird will now detect servers
using the Microsoft Exchange protocol. It will offer the
installation of a 3rd party add-on (Owl) which supports that
protocol.
* Thunderbird now compatible with other WebExtension-based
FileLink add-ons like the Dropbox add-on
MFSA 2019-03 (bsc#1122983)
* CVE-2018-18500 bmo#1510114
Use-after-free parsing HTML5 stream
* CVE-2018-18505 bmo#1497749
Privilege escalation through IPC channel messages
* CVE-2016-5824 bmo#1275400
DoS (use-after-free) via a crafted ics file
* CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
bmo#1502871 bmo#1516738 bmo#1516514
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
- requires NSS 3.36.7
- removed obsolete patch
mozilla-no-stdcxx-check.patch
- rebased patches
* Fri Dec 21 2018 astieger@suse.com
- Mozilla Thunderbird 60.4.0:
* New WebExtensions FileLink API to facilitate add-ons
* Fix decoding problems for messages with less common charsets
(cp932, cp936)
* New messages in the drafts folder (and other special or virtual
folders) will no longer be included in the new messages
notification
MFSA 2018-31
* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11
* CVE-2018-18492 bmo#1499861
Use-after-free with select element
* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs
* CVE-2018-18498 bmo#1500011
Integer overflow when calculating buffer sizes for images
* CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
Memory safety bugs fixed in Firefox 64, 60.4, and Thunderbird 60.4
- requires NSS 3.36.6
* Tue Dec 04 2018 wr@rosenauer.org
- Mozilla Thunderbird 60.3.3
* Thunderbird 60 will migrate security databases (key3.db, cert8.db
to key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a
fault that potentially deleted saved passwords and private certificate
keys for users using a master password. Version 60.3.3 will prevent
the loss of data; affected users who have already upgraded to version
60.3.2 or earlier can restore the deleted key3.db file from backup
to complete the migration.
* Address book search and auto-complete slowness introduced in
Thunderbird 60.3.2
* Plain text markup with * for bold, / for italics, _ for underline
and | for code did not work when the enclosed text contained
non-ASCII characters
* While composing a message, a link not removed when link location
was removed in the link properties panel
* Mon Dec 03 2018 astieger@suse.com
- Fix build on openSUSE Leap 15.x w.r.t. rust-std requirement
* Thu Nov 29 2018 wr@rosenauer.org
- Mozilla Thunderbird 60.3.2
* Encoding problems when exporting address books or messages using
the system charset. Messages are now always exported using the
UTF-8 encoding
* If the "Date" header of a message was invalid, Jan 1970 or Dec 1969
was displayed. Now using date from "Received" header instead.
* Body search/filtering didn't reliably ignore content of tags
* Inappropriate warning "Thunderbird prevented the site
(addons.thunderbird.net) from asking you to install software on
your computer" when installing add-ons
* Incorrect display of correspondents column since own email
address was not always detected
* Spurious &#10; (encoded newline) inserted into drafts and sent email
* Thu Nov 15 2018 astieger@suse.com
- Mozilla Thunderbird 60.3.1:
* Double-clicking on a word in the Write window sometimes
launched the Advanced Property Editor or Link Properties dialog
* Fix Cookie removal
* "Download rest of message" was not working if global inbox was
used
* Fix Encoding problems for users (especially in Poland) when a
file was sent via a folder using "Sent to > Mail recipient"
due to a problem in the Thunderbird MAPI interface
* According to RFC 4616 and RFC 5721, passwords containing
non-ASCII characters are encoded using UTF-8 which can lead to
problems with non-compliant providers, for example
office365.com. The SMTP LOGIN and POP3 USER/PASS
authentication methods are now using a Latin-1 encoding again
to work around this issue
* Fix shutdown crash/hang after entering an empty IMAP password
Version: 60.3.0-74.2
* Tue Oct 30 2018 wr@rosenauer.org
- update to Thunderbird 60.3.0
* various theme fixes
* Shift+PageUp/PageDown in Write window
* Gloda attachment filtering
* Mailing list address auto-complete enter/return handling
* Thunderbird hung if HTML signature references non-existent image
* Filters not working for headers that appear more than once
- Security fixes for the Mozilla platform picked up from 60.3
(Firefox ESR release). In general, these flaws cannot be exploited
through email in Thunderbird because scripting is disabled when
reading mail, but are potentially risks in browser or browser-like
contexts (MFSA 2018-28) (bsc#1112852)
* CVE-2018-12391 (bmo#1478843) (Android only)
HTTP Live Stream audio data is accessible cross-origin
* CVE-2018-12392 (bmo#1492823)
Crash with nested event loops
* CVE-2018-12393 (bmo#1495011)
Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12389 (bmo#1498460, bmo#1499198)
Memory safety bugs fixed in Firefox ESR 60.3
* CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
* Thu Oct 25 2018 guillaume.gardet@opensuse.org
- Update _constraints for armv6/7
* Thu Oct 25 2018 guillaume.gardet@opensuse.org
- Add patch to fix build on armv7:
* mozilla-bmo1463035.patch
* Fri Oct 12 2018 meissner@suse.com
- provide / obsolete MozillaThunderbird-devel as this is no longer
shipped to allow migration scenarios
* Tue Oct 02 2018 wr@rosenauer.org
- update to Thunderbird 60.2.1:
* Calendar: Default values for the first day of the week and
working days are now derived from the selected datetime
formatting locale
* Calendar: Switch to a Photon-style icon set for all platforms
* Fix multiple requests for master password when Google Mail or
Calendar OAuth2 is enabled
* Fix scrollbar of the address entry auto-complete popup
* Fix security info dialog in compose window not showing
certificate status
* Fix links in the Add-on Manager's search results and theme
browsing tabs that opened in external browser
* Fix localization not showing the localized name for the
"Drafts" and "Sent" folders for certain IMAP providers
* Fix replying to a message with an empty subject which
inserted Re: twice
* Fix spellcheck marks disappearing erroneously for words with
an apostrophe
* Calendar: First day of the week can now be set
* Calendar: Several fixes related to cutting/deleting of events
and email scheduling
* Fix date display issues (bsc#1109379)
* Fix start-up crash due to folder name with special characters
(bsc#1107772)
- Security fixes for the Mozilla platform picked up from 60.1 and
60.2 (Firefox ESR releases). In general, these flaws
cannot be exploited through email in Thunderbird because
scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts (MFSA 2018-25):
* CVE-2018-12377 (bsc#1107343, bmo#1470260)
Use-after-free in refresh driver timers
* CVE-2018-12378 (bsc#1107343, bmo#1459383)
Use-after-free in IndexedDB
* CVE-2017-16541 (bsc#1066489, bmo#1412081)
Proxy bypass using automount and autofs
* CVE-2018-12376 (bmo#69309,bmo#69914,bmo#50989,bmo#80092,
bmo#80517,bmo#81093,bmo#78575,bmo#71953,bmo#73161,bmo#66991,
bmo#68738,bmo#83120,bmo#67363,bmo#72925,bmo#66577,bmo#67889,
bmo#80521,bsc#1107343)
Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
* CVE-2018-12385 (bsc#1109363, bmo#1490585)
Crash in TransportSecurityInfo due to cached data
* CVE-2018-12383 (bsc#1107343, bmo#1475775)
Setting a master password did not delete unencrypted
previously stored passwords
* Tue Sep 11 2018 guillaume.gardet@opensuse.org
- Update file list since minidump-analyzer is only available when
crashreporter is enabled
* Sat Aug 25 2018 astieger@suse.com
- remove non-free untar licenced code from distributed tarball
* Wed Aug 15 2018 bjorn.lie@gmail.com
- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
conditional --disable-gconf to configure: no longer pull in
obsolete gconf2 for Tumbleweed.
* Fri Aug 03 2018 wr@rosenauer.org
- update to Thunderbird 60.0:
https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/
* Improved message handling and composing
* Improved handling of message templates
* Support for OAuth2 and FIDO U2F
* Various Calendar improvements
* Various fixes and changes to e-mail workflow
* Various IMAP fixes
* Native desktop notifications
- Security fixes which can not, in general, be exploited through
email, but are potential risks in browser or browser-like contexts:
MFSA 2018-19 (bsc#1098998)
* CVE-2018-12359 (bmo#1459162)
Buffer overflow using computed size of canvas element
* CVE-2018-12360 (bmo#1459693)
Use-after-free when using focus()
* CVE-2018-12361 (bmo#1463244)
Integer overflow in SwizzleData
* CVE-2018-12362 (bmo#1452375)
Integer overflow in SSSE3 scaler
* CVE-2018-5156 (bmo#1453127)
Media recorder segmentation fault when track type is changed
during capture
* CVE-2018-12363 (bmo#1464784)
Use-after-free when appending DOM nodes
* CVE-2018-12364 (bmo#1436241)
CSRF attacks through 307 redirects and NPAPI plugins
* CVE-2018-12365 (bmo#1459206)
Compromised IPC child process can list local filenames
* CVE-2018-12371 (bmo#1465686)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-12366 (bmo#1464039)
Invalid data handling during QCMS transformations
* CVE-2018-12367 (bmo#1462891)
Timing attack mitigation of PerformanceNavigationTiming
* CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938,
bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568,
bmo#1463884)
Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
Thunderbird 60
* CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
bmo#1464079,bmo#1463494,bmo#1458048)
Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox
ESR 52.9, and Thunderbird 60
- requires NSPR 4.19 and NSS 3.36.4
- source archives are now signed directly
(removed checksum signature check)
- imported patches from Firefox 60
* mozilla-bmo1375074.patch
* mozilla-bmo1464766.patch
* mozilla-i586-DecoderDoctorLogger.patch
* mozilla-i586-domPrefs.patch
- removed obsolete patches
* mozilla-language.patch
* tb-ssldap.patch
* mozilla-develdirs.patch
- removed -devel subpackage as old-style extensions are mainly gone
- storing of remote content settings fixed (boo#1084603)
Version: 52.1.0-30.1
* Mon May 01 2017 wr@rosenauer.org
- update to Thunderbird 52.1.0
* Background images not working and other issues related to
embedded images when composing email have been fixed
* Google Oauth setup can sometimes not progress to the next step
* requires NSS >= 3.28.4
- security fixes (boo#1035082), MFSA 2017-13
* CVE-2017-5443 (bmo#1342661)
Out-of-bounds write during BinHex decoding
* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1
* CVE-2017-5464 (bmo#1347075)
Memory corruption with accessibility and DOM manipulation
* CVE-2017-5465 (bmo#1347617)
Out-of-bounds read in ConvolvePixel
* CVE-2017-5466 (bmo#1353975)
Origin confusion when reloading isolated data:text/html URL
* CVE-2017-5467 (bmo#1347262)
Memory corruption when drawing Skia content
* CVE-2017-5460 (bmo#1343642)
Use-after-free in frame selection
* CVE-2017-5461 (bmo#1344380)
Out-of-bounds write in Base64 encoding in NSS
* CVE-2017-5449 (bmo#1340127)
Crash during bidirectional unicode manipulation with animation
* CVE-2017-5446 (bmo#1343505)
Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
* CVE-2017-5447 (bmo#1343552)
Out-of-bounds read during glyph processing
* CVE-2017-5444 (bmo#1344461)
Buffer overflow while parsing application/http-index-format content
* CVE-2017-5445 (bmo#1344467)
Uninitialized values used while parsing application/http-index-format
content
* CVE-2017-5442 (bmo#1347979)
Use-after-free during style changes
* CVE-2017-5469 (bmo#1292534)
Potential Buffer overflow in flex-generated code
* CVE-2017-5440 (bmo#1336832)
Use-after-free in txExecutionState destructor during XSLT processing
* CVE-2017-5441 (bmo#1343795)
Use-after-free with selection during scroll events
* CVE-2017-5439 (bmo#1336830)
Use-after-free in nsTArray Length() during XSLT processing
* CVE-2017-5438 (bmo#1336828)
Use-after-free in nsAutoPtr during XSLT processing
* CVE-2017-5437 (bmo#1343453)
Vulnerabilities in Libevent library
* CVE-2017-5436 (bmo#1345461)
Out-of-bounds write with malicious font in Graphite 2
* CVE-2017-5435 (bmo#1350683)
Use-after-free during transaction processing in the editor
* CVE-2017-5434 (bmo#1349946)
Use-after-free during focus handling
* CVE-2017-5433 (bmo#1347168)
Use-after-free in SMIL animation functions
* CVE-2017-5432 (bmo#1346654)
Use-after-free in text input selection
* CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
* CVE-2017-5459 (bmo#1333858)
Buffer overflow in WebGL
* CVE-2017-5462 (bmo#1345089)
DRBG flaw in NSS
* CVE-2017-5454 (bmo#1349276)
Sandbox escape allowing file system read access through file
picker
* CVE-2017-5451 (bmo#1273537)
Addressbar spoofing with onblur event
* Mon Apr 17 2017 wr@rosenauer.org
- update to Thunderbird 52.0.1
* Clicking on a link in an email may not open this link in the
external browser
* addon blocklist updates
- enable ALSA for systems w/o PA
- require libffi explicitly to fix PPC64LE build where a system
library is required
* Sat Mar 18 2017 wr@rosenauer.org
- update to Thunderbird 52.0
* Optionally remove corresponding data files when removing an account
* Possibility to copy message filter
* Calendar: Event can now be created and edited in a tab
* Calendar: Processing of received invitation counter proposals
* Chat: Support Twitter Direct Messages
* Chat: Liking and favoriting in Twitter
* Chat: Removed Yahoo! Messenger support
* several bugfixes
- security fixes (bsc#1028391, MFSA 2017-09):
In general, these flaws cannot be exploited through email because
scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.
* CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933)
* CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861)
* CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876)
* CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186)
* CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138)
* CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890)
* CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622)
* CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687)
* CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711)
* CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
* CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504)
* CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370)
* CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
* CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361)
* CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876)
* CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243)
* CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699)
* CVE-2017-5421: Print preview spoofing (bmo#1301876)
* CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002)
* CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
* CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
- removed obsolete patches
* mozilla-aarch64-48bit-va.patch
* mozilla-binutils-visibility.patch
* mozilla-flex_buffer_overrun.patch
* mozilla-gcc6.patch
- added generic mozilla patches
* mozilla-aarch64-startup-crash.patch
- require newer versions of NSPR and NSS
- use Gtk3 for Tumbleweed
Version: 45.2-6.1
* Thu Jun 30 2016 wr@rosenauer.org
- update to Thunderbird 45.2 (boo#983549)
Security fixes:
* CVE-2016-2818, CVE-2016-2815: Memory safety bugs (MFSA2016-49)
- drop mozilla-flexible-array-member-in-union.patch, upstream
* Fri Jun 24 2016 wr@rosenauer.org
- mozilla-binutils-visibility.patch to fix build issues with
gcc/binutils combination used in Leap 42.2 (boo#984637)
* Thu Jun 23 2016 wr@rosenauer.org
- build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6
as long as underlying issues have been addressed upstream
(boo#986162)
* Mon Jun 13 2016 agraf@suse.com
- Fix running on 48bit va aarch64 (bsc#984126)
- Add patch mozilla-aarch64-48bit-va.patch
* Fri May 27 2016 wr@rosenauer.org
- update to Thunderbird 45.1.1
* When entering members into a mailing list, the enter key
dismissed the panel instead of just moving onto the next line
* Email without HTML elements was sent as HTML, despite
"Delivery Format: Auto-detect" option
* Options applied to a template were lost when the template was used
* Contacts could not be deleted when they were found through a search
* Views from global searches did not respect
"mail.threadpane.use_correspondents"
* Wed May 25 2016 badshah400@gmail.com
- The conditional testing for gcc was failing for different
openSUSE versions, drop it and apply patches unconditionally.
* Tue May 24 2016 badshah400@gmail.com
- Add patches to fix building with gcc >= 6:
+ mozilla-gcc6.patch: patch taken from fedora's git and is
essentially identical to upstream firefox patch:
https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
+ mozilla-flexible-array-member-in-union.patch: patch taken
from upstream bmo#1272649.
* Thu May 12 2016 dimstar@opensuse.org
- Copy the icons to /usr/share/icons instead of symlinking them:
in preparation for containerized apps (e.g. xdg-app) as well as
AppStream metadata extraction, there are a couple locations that
need to be real files for system integration (.desktop files,
icons, mime-type info).
* Sat May 07 2016 wr@rosenauer.org
- update to Thunderbird 45.1.0 (boo#977333)
* MFSA 2016-39/CVE-2016-2806/CVE-2016-2807 (boo#977375, boo#977376)
Miscellaneous memory safety hazards
* Wed Apr 27 2016 badshah400@gmail.com
- For openSUSE > 13.2, the build fails for i586 as it goes out of
memory. Prevent this from happening by disabling parallel build
in this particular case (i.e. do not pass
mk_add_options MOZ_MAKE_FLAGS%{?jobs:-j%jobs}).
* Sat Apr 16 2016 wr@rosenauer.org
- update to Thunderbird 45.0 (boo#969894)
* Add a Correspondents column combining Sender and Recipient
* Much better support for XMPP chatrooms and commands
* Remote content exceptions: Improved options to add exceptions
* Implement option to always use HTML formatting to prevent
unexpected format loss when converting messages to plain text
* Use OpenStreetMap for maps (even allow the user to choose from
list of map services)
* Allow spell checking and dictionary selection in the subject line
* Allow editing of From when composing a message
* Add dropdown in compose to allow specific setting of font size
* Return/Enter in composer will now insert a new paragraph by
default (shift-Enter will insert a line break)
* Allow copying of name and email address from the message header
of an email
* Mail.ru supports OAuth authentication
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
Miscellaneous memory safety hazards
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
Local file overwriting and potential privilege escalation through
CSP reports
* MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
CSP reports fail to strip location information for embedded iframe pages
* MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
Linux video memory DOS with Intel drivers
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
Memory leak in libstagefright when deleting an array during MP4
processing
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
Use-after-free in SetBody
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
Use-after-free during XML transformations
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
Out-of-bounds read in HTML parser following a failed allocation
* MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
Buffer overflow during ASN.1 decoding in NSS
(fixed by requiring 3.21.1)
* MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
Use-after-free during processing of DER encoded keys in NSS
(fixed by requiring 3.21.1)
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
Font vulnerabilities in the Graphite 2 library
- remove obsolete patches:
* mozilla-arm-disable-edsp.patch
* mozilla-icu-strncat.patch
* mozilla-arm64-libjpeg-turbo.patch
- added required mozilla platform patches:
* mozilla-no-stdcxx-check.patch
* Wed Apr 06 2016 astieger@suse.com
- update to Thunderbird 38.7.2
* disable Graphite font shaping library (same upstream changelog
as 38.7.1)
* Fri Mar 25 2016 wr@rosenauer.org
- update to Thunderbird 38.7.1
* disabled Graphite font shaping library
Version: 38.7.0-3.1
* Fri Mar 11 2016 wr@rosenauer.org
- update to Thunderbird 38.7.0 (boo#969894)
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
Use-after-free in MediaStream playback
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
Same-origin policy violation using performance.getEntries and
history navigation
* MFSA 2016-16/CVE-2016-1952
Miscellaneous memory safety hazards
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
Local file overwriting and potential privilege escalation through
CSP reports
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
Memory leak in libstagefright when deleting an array during MP4
processing
* MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
Displayed page address can be overridden
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
Use-after-free when using multiple WebRTC data channels
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
Addressbar spoofing through history navigation and Location protocol
property
* MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
Memory corruption with malicious NPAPI plugin
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
Out-of-bounds read in HTML parser following a failed allocation
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
Font vulnerabilities in the Graphite 2 library
* Fri Feb 26 2016 astieger@suse.com
- adjust _constraints to current peak build memory and disk usage
* Sat Feb 13 2016 wr@rosenauer.org
- update to Thunderbird 38.6.0 (boo#963520)
* Filters ran on a different folder than selected
* MFSA 2016-01/CVE-2016-1930
Miscellaneous memory safety hazards
* MFSA 2016-03/CVE-2016-1935 (bmo#1220450)
Buffer overflow in WebGL after out of memory allocation
* Mon Jan 25 2016 olaf@aepfle.de
- Using -g for CFLAGS is controlled via project settings, it should
not be enforced by the mozilla buildsystem.
* Mon Jan 18 2016 olaf@aepfle.de
- Add build conditionals for valgrind and -Os
- Convert existing conditions for kde to bcond
* Tue Dec 29 2015 wr@rosenauer.org
- update to Thunderbird 38.5.1
* requires NSS 3.20.2 to fix
MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
server signature
- explicitly require libXcomposite-devel
* Wed Dec 23 2015 wr@rosenauer.org
- update to Thunderbird 38.5.0 (bnc#959277)
* MFSA 2015-134/CVE-2015-7201
Miscellaneous memory safety hazards
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
Use-after-free in WebRTC when datachannel is used after being
destroyed
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
Integer overflow allocating extremely large textures
* MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
Underflow through code inspection
* MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
Integer overflow in MP4 playback in 64-bit versions
* MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
Integer underflow and buffer overflow processing MP4 metadata in
libstagefright
* MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
Cross-site reading attack through data and view-source URIs
* Tue Nov 17 2015 wr@rosenauer.org
- update to Thunderbird 38.4.0 (bnc#952810)
* MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
Miscellaneous memory safety hazards
* MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
Trailing whitespace in IP address hostnames can bypass same-origin policy
* MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
Buffer overflow during image interactions in canvas
* MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
CORS preflight is bypassed when non-standard Content-Type headers
are received
* MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
Memory corruption in libjar through zip files
* MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
JavaScript garbage collection crash with Java applet
* MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
(bmo#1188010, bmo#1204061, bmo#1204155)
Vulnerabilities found through code inspection
* MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
Mixed content WebSocket policy bypass through workers
* MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
(bmo#1202868, bmo#1205157)
NSS and NSPR memory corruption issues
(fixed in mozilla-nspr and mozilla-nss packages)
- requires NSPR 4.10.10 and NSS 3.19.2.1
- added explicit appdata provides (bnc#952325)
* Mon Oct 05 2015 dmueller@suse.com
- fix build on aarch64 by reusing the crashreporter conditional
from MozillaFirefox
* Mon Sep 28 2015 wr@rosenauer.org
- update to Thunderbird 38.3.0 (bnc#947003)
* MFSA 2015-96/CVE-2015-4500
Miscellaneous memory safety hazards
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
Arbitrary file manipulation by local user through Mozilla updater
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
Use-after-free while manipulating HTML media content
* MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
Dragging and dropping images exposes final URL after redirects
* MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
CVE-2015-7180
Vulnerabilities found through code inspection
* MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
bmo#1190526) (Windows only)
Memory safety errors in libGLES in the ANGLE graphics library
- rebased patches
* Sat Aug 15 2015 wr@rosenauer.org
- update to Thunderbird 38.2.0 (bnc#940806)
* MFSA 2015-79/CVE-2015-4473
Miscellaneous memory safety hazards
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
Out-of-bounds read with malformed MP3 file
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
Overflow issues in libstagefright
* MFSA 2015-84/CVE-2015-4481 (bmo#1171518)
Arbitrary file overwriting through Mozilla Maintenance Service
with hard links (only affected Windows)
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
Out-of-bounds write with Updater and malicious MAR file
(does not affect openSUSE RPM packages which do not ship the
updater)
* MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
Crash when using shared memory in JavaScript
* MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
Heap overflow in gdk-pixbuf when scaling bitmap images
* MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
Buffer overflows on Libvpx when decoding WebM video
* MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
Vulnerabilities found through code inspection
* MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
Use-after-free in XMLHttpRequest with shared workers
* Wed Jul 08 2015 wr@rosenauer.org
- update to Thunderbird 38.1.0 (bnc#935979)
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725
Miscellaneous memory safety hazards
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
Type confusion in Indexed Database Manager
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
Out-of-bound read while computing an oscillator rendering range in Web Audio
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
Use-after-free in Content Policy due to microtask execution error
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
ECDSA signature validation fails to handle some signatures correctly
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
Use-after-free in workers while using XMLHttpRequest
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737/
CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
Vulnerabilities found through code inspection
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
Key pinning is ignored when overridable errors are encountered
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
Privilege escalation in PDF.js
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
NSS accepts export-length DHE keys with regular DHE cipher suites
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
NSS incorrectly permits skipping of ServerKeyExchange
(this fix is shipped by NSS 3.19.1 externally)
- requires NSS 3.19.2
* Fri Jun 19 2015 wr@rosenauer.org
- update to Thunderbird 38.0.1
* includes Lightning as default extension
- rebased patches
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-nullptr-gcc45.patch
* mozilla-bug1024492.patch
- dropped openSUSE specific patches
* thunderbird-shared-nss-db.patch
* mozilla-shared-nss-db.patch
the provided feature seems not to be used and its maintenance
is not worth the ongoing efforts
- tb-develdirs.patch is now mozilla-develdirs.patch as it is a
platform configuration now
* Thu Jun 18 2015 schwab@suse.de
- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
* Thu May 28 2015 dmueller@suse.com
- add mozilla-bug1024492.patch:
* Fixes build against GCC 5.x
* Sat May 09 2015 wr@rosenauer.org
- update to Thunderbird 31.7.0 (bnc#930622)
* MFSA 2015-46/CVE-2015-2708
Miscellaneous memory safety hazards
* MFSA 2015-47/CVE-2015-0797 (bmo#1080995)
Buffer overflow parsing H.264 video with Linux Gstreamer
* MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
Buffer overflow with SVG content and CSS
* MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
Use-after-free during text processing with vertical text enabled
* MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
Buffer overflow when parsing compressed XML
* MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
Privilege escalation through IPC channel messages
* Tue Mar 31 2015 wr@rosenauer.org
- update to Thunderbird 31.6.0 (bnc#925368)
* MFSA 2015-30/CVE-2015-0815
Miscellaneous memory safety hazards
* MFSA 2015-31/CVE-2015-0813 (bmo#1106596)
Use-after-free when using the Fluendo MP3 GStreamer plugin
* MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
resource:// documents can load privileged pages
* MFSA 2015-37/CVE-2015-0807 (bmo#1111834)
CORS requests should not follow 30x redirections after preflight
* MFSA 2015-40/CVE-2015-0801 (bmo#1146339)
Same-origin bypass through anchor navigation
* Mon Feb 23 2015 wr@rosenauer.org
- update to Thunderbird 31.5.0 (bnc#917597)
* MFSA 2015-11/CVE-2015-0836
Miscellaneous memory safety hazards
* MFSA 2015-12/CVE-2015-0833 (bmo#945192)
Invoking Mozilla updater will load locally stored DLL files
(Windows only)
* MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
Use-after-free in IndexedDB
* MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
Out-of-bounds read and write while rendering SVG content
* MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
Reading of local files through manipulation of form autocomplete
* Sat Jan 10 2015 wr@rosenauer.org
- update to Thunderbird 31.4.0 (bnc#910669)
* MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
Miscellaneous memory safety hazards
* MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
sendBeacon requests lack an Origin header
* MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
Cookie injection through Proxy Authenticate responses
- added mozilla-icu-strncat.patch to fix post build checks
* Sun Nov 30 2014 wr@rosenauer.org
- update to Thunderbird 31.3.0 (bnc#908009)
* MFSA 2014-83/CVE-2014-1587
Miscellaneous memory safety hazards
* MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
XMLHttpRequest crashes with some input streams
* MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
Use-after-free during HTML5 parsing
* MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
Buffer overflow while parsing media content
* MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
Bad casting from the BasicThebesLayer to BasicContainerLayer