| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: MozillaThunderbird-translations-other | Distribution: SUSE Linux Enterprise 16 |
| Version: 128.9.2 | Vendor: openSUSE |
| Release: bp160.1.2 | Build date: Tue Apr 15 22:16:38 2025 |
| Group: System/Localization | Build host: reproducible |
| Size: 29170606 | Source RPM: MozillaThunderbird-128.9.2-bp160.1.2.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://www.thunderbird.net/ | |
| Summary: Extra translations for Thunderbird | |
This package contains rarely used languages for the user interface of Thunderbird.
MPL-2.0
* Tue Apr 15 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.9.2
* Two-factor auth via text or email did not work with Office 365 using Oauth2
* IRC channel was not visible after restart
* Global indexing failed when processing email with invalid calendar data
MFSA 2025-27
* CVE-2025-3522 (bmo#1955372)
Leak of hashed Window credentials via crafted attachment URL
* CVE-2025-2830 (bmo#1956379)
Information Disclosure of /tmp directory listing
* CVE-2025-3523 (bmo#1958385)
User Interface (UI) Misrepresentation of attachment URL
* Sat Apr 05 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.9.1
* Added delay to built-in notifications when new profile is
created in offline mode
* Thu Apr 03 2025 Ana Guerrero <ana.guerrero@suse.com>
- Update to use BuildRequires on clang-devel on Tumbleweed/Factory
instead of clang18-tools.
* Thu Mar 27 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.9.0
* Thunderbird now has a notification system for real-time desktop alerts
* Data corruption occurred when compacting IMAP Drafts folder after
saving a message
* Right-clicking "Decrypt and Save As..." on an attachment file failed.
* Thunderbird could crash when importing mail
* Sort indicators were missing on the calendar events list
MFSA 2025-24 (bsc#1240083)
* CVE-2025-3028 (bmo#1941002)
Use-after-free triggered by XSLTProcessor
* CVE-2025-3029 (bmo#1952213)
URL Bar Spoofing via non-BMP Unicode characters
* CVE-2025-3030 (bmo#1850615, bmo#1932468, bmo#1942551,
bmo#1951017, bmo#1951494)
Memory safety bugs fixed in Firefox 137, Thunderbird 137,
Firefox ESR 128.9, and Thunderbird 128.9
* Wed Mar 05 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.8.0
* Opening an .EML file in profiles with many folders could take a long time
* Users with many folders experienced poor performance when resizing
message panes
* "Replace" button in compose window was overwritten when the window
was narrow
* Export to mobile did not work when "Use default server" was selected
* "Save Link As" was not working in feed web content
MFSA 2025-18 (bsc#1237683)
* CVE-2024-43097 (bmo#1945624)
Overflow when growing an SkRegion's RunArray
* CVE-2025-1930 (bmo#1902309)
AudioIPC StreamData could trigger a use-after-free in the
Browser process
* CVE-2025-1931 (bmo#1944126)
Use-after-free in WebTransportChild
* CVE-2025-1932 (bmo#1944313)
Inconsistent comparator in XSLT sorting led to out-of-bounds access
* CVE-2025-1933 (bmo#1946004)
JIT corruption of WASM i32 return values on 64-bit CPUs
* CVE-2025-1934 (bmo#1942881)
Unexpected GC during RegExp bailout processing
* CVE-2025-1935 (bmo#1866661)
Clickjacking the registerProtocolHandler info-bar
* CVE-2025-1936 (bmo#1940027)
Adding %00 and a fake extension to a jar: URL changed the
interpretation of the contents
* CVE-2025-1937 (bmo#1938471, bmo#1940716)
Memory safety bugs fixed in Firefox 136, Thunderbird 136,
Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
* CVE-2025-1938 (bmo#1922889, bmo#1935004, bmo#1943586,
bmo#1943912, bmo#1948111)
Memory safety bugs fixed in Firefox 136, Thunderbird 136,
Firefox ESR 128.8, and Thunderbird 128.8
* Wed Feb 19 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.7.1
* Users may not have been notified if messages arrived in multiple
folders at once
* Message list scrolled to the wrong place on start-up
* Unified folders could become unusable instead of being
automatically rebuilt
* Some messages may have been threaded incorrectly in unified folders
* Middle-click autoscroll cursor appeared without arrows instead
of expected design
* Wed Feb 05 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.7.0
MFSA 2025-10 (bsc#1236539)
* CVE-2025-1009 (bmo#1936613)
Use-after-free in XSLT
* CVE-2025-1010 (bmo#1936982)
Use-after-free in Custom Highlight
* CVE-2025-1011 (bmo#1936454)
A bug in WebAssembly code generation could result in a crash
* CVE-2025-1012 (bmo#1939710)
Use-after-free during concurrent delazification
* CVE-2024-11704 (bmo#1899402)
Potential double-free vulnerability in PKCS#7 decryption
handling
* CVE-2025-1013 (bmo#1932555)
Potential opening of private browsing tabs in normal browsing
windows
* CVE-2025-1014 (bmo#1940804)
Certificate length was not properly checked
* CVE-2025-1015 (bmo#1939458)
Unsanitized address book fields
* CVE-2025-0510 (bmo#1940570)
Address of e-mail sender can be spoofed by malicious email
* CVE-2025-1016 (bmo#1936601, bmo#1936844, bmo#1937694,
bmo#1938469, bmo#1939583, bmo#1940994)
Memory safety bugs fixed in Firefox 135, Thunderbird 135,
Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20,
and Thunderbird 128.7
* CVE-2025-1017 (bmo#1926256, bmo#1935471, bmo#1935984)
Memory safety bugs fixed in Firefox 135, Thunderbird 135,
Firefox ESR 128.7, and Thunderbird 128.7
* Mon Jan 27 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.6.1
* fixed: Link at about:rights pointed to Firefox privacy policy
instead of Thunderbird's (bmo#1941998)
* fixed: POP3 'fetch headers only' and 'get selected messages'
could delete messages (bmo#1930847)
* fixed: 'Search Online' checkbox in saved search properties
was incorrectly disabled (bmo#1937642)
* fixed: POP3 status message showed incorrect download count
when messages were deleted (bmo#1935800)
* fixed: Space bar did not always advance to the next unread
message (bmo#1468925)
* fixed: Folder creation or renaming failed due to incorrect
preference settings (bmo#1911225)
* fixed: Forwarding/editing S/MIME drafts/templates unusable
due to regression (bmo#1940605, boo#1236411)
* fixed: Sort order in 'Search Messages' panel reset after
search or on first launch (bmo#1935073)
* fixed: Reply window added an unnecessary third blank line at
the top (bmo#1935938)
* fixed: Thunderbird spell check box did not allow ENTER to
accept suggested changes (bmo#1935401)
* fixed: Long email subject lines could overlap window control
buttons on macOS (bmo#1940201)
* fixed: Flathub manifest link was not correct (bmo#1907695)
* fixed: 'Prefer client-side email scheduling' needed to be
selected twice (bmo#1862400)
* fixed: Duplicate invitations were sent if CALDAV calendar
email case did not match (bmo#1889607)
* fixed: Visual and UX improvements
(bmo#1875325,bmo#1901846,bmo#1939603,bmo#1855276)
* Wed Jan 08 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.6.0
* New mail notification was not hidden after reading the new message
* New mail notification could show for the wrong folder, causing
repeated alerts
* macOS shortcut CMD+1 did not restore the main window when it was
minimized
* Clicking the context menu "Reply" button resulted in "Reply-All"
* Switching from "All", "Unread", and "Threads with unread" did not work
* Downloading message headers from a newsgroup could cause a hang
* Message list performance slow when many updates happened at once
* "mailto:" links did not apply the compose format of the current identity
* Authentication failure of AUTH PLAIN or AUTH LOGIN did not fall
back to USERPASS
MFSA 2025-05 (bsc#1234991)
* CVE-2025-0237 (bmo#1915257)
WebChannel APIs susceptible to confused deputy attack
* CVE-2025-0238 (bmo#1915535)
Use-after-free when breaking lines in text
* CVE-2025-0239 (bmo#1929156)
Alt-Svc ALPN validation failure when redirected
* CVE-2025-0240 (bmo#1929623)
Compartment mismatch when parsing JavaScript JSON module
* CVE-2025-0241 (bmo#1933023)
Memory corruption when using JavaScript Text Segmentation
* CVE-2025-0242 (bmo#1874523, bmo#1926454, bmo#1931873, bmo#1932169)
Memory safety bugs fixed in Firefox 134, Thunderbird 134,
Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19,
and Thunderbird 128.6
* CVE-2025-0243 (bmo#1827142, bmo#1932783)
Memory safety bugs fixed in Firefox 134, Thunderbird 134,
Firefox ESR 128.6, and Thunderbird 128.6
* Wed Dec 11 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.5.2
* Large virtual folders could be very slow
* Message could disappear after moving from IMAP folder followed
by Undo and Redo
* XMPP chat did not display messages sent inside a CDATA element
* Selected calendar day did not move forward at midnight
* Today pane agenda sometimes scrolled for no apparent reason
* CalDAV calendars without offline support could degrade start-up
performance
* Visual and UX improvements
MFSA 2024-69
* CVE-2024-50336 (bmo#1929264)
matrix-js-sdk has insufficient MXC URI validation which could
allow client-side path traversal
* Tue Dec 03 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.5.1
* Add end of year donation appeal
* Total message count for favorite folders did not work consistently
* Thu Nov 28 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- make spec compatible with rpm < 4.17 again
- correct appdata for different desktop filename
* Tue Nov 26 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.5.0
* IMAP could crash when reading cached messages
* Enabling "Show Folder Size" on Maildir profile could render
Thunderbird unusable
* Messages corrupted by folder compaction were only fixed by user
intervention
* Reading a message from past the end of an mbox file did not
cause an error
* View -> Folders had duplicate F access keys
* Add-ons adding columns to the message list could fail and cause
display issue
* "Empty trash on exit" and "Expunge inbox on exit" did not
always work
* Selecting a display option in View -> Tasks did not apply in
the Task interface
MFSA 2024-68 (bsc#1233695)
* CVE-2024-11691 (bmo#1914707, bmo#1924184)
Memory corruption in Apple GPU drivers
* CVE-2024-11692 (bmo#1909535)
Select list elements could be shown over another site
* CVE-2024-11693 (bmo#1921458)
Download Protections were bypassed by .library-ms files on Windows
* CVE-2024-11694 (bmo#1924167)
CSP Bypass and XSS Exposure via Web Compatibility Shims
* CVE-2024-11695 (bmo#1925496)
URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
* CVE-2024-11696 (bmo#1929600)
Unhandled Exception in Add-on Signature Verification
* CVE-2024-11697 (bmo#1842187)
Improper Keypress Handling in Executable File Confirmation Dialog
* CVE-2024-11698 (bmo#1916152)
Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS
* CVE-2024-11699 (bmo#1880582, bmo#1929911)
Memory safety bugs fixed in Firefox 133, Thunderbird 133,
Firefox ESR 128.5, and Thunderbird 128.5
- appid is thunderbird-esr currently; use the matching desktop
file name (boo#1233650)
* Wed Nov 20 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.4.4
* QR codes were not scannable by Android app when using most
high-contrast themes
* Primary password prompt cancellation during mobile export was
confusing
- revert using xdg-desktop-portal as some desktops have limited
support
* Sat Nov 09 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.4.3
Fixes:
* Folder corruption could cause Thunderbird to freeze and become unusable
* Message corruption could be propagated when reading mbox
* Folder compaction was not abandoned on shutdown
* Folder compaction did not clean up on failure
* Collapsed NNTP thread incorrectly indicated there were unread messages
* Navigating to next unread message did not wait for all messages
to be loaded
* Applying column view to folder and children could break if folder
error occurred
* Remote content notifications were broken with encrypted messages
* Updating criteria of a saved search resulted in poor search performance
* Drop-downs may not work in some places
MFSA 2024-61
* CVE-2024-11159 (bmo#1925929)
Potential disclosure of plaintext in OpenPGP encrypted message
- remove kmozillahelper support (boo#1226112)
* removed mozilla-kde.patch
* requires xdg-desktop-portal instead
* Wed Nov 06 2024 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 128.4.2
* Increased the auto-compaction threshold to reduce the frequency
of compaction (bmo#1927656)
* fixed: New profile creation caused console errors (bmo#1912675)
* fixed: Repair folder could result in older messages showing
wrong date and time (bmo#1911916)
* fixed: Recently deleted messages could become undeleted if
message compaction failed (bmo#1924927)
* fixed: Visual and UX improvements
(bmo#1857413,bmo#1922934,bmo#1924437)
* fixed: Clicking on an HTML button could cause Thunderbird to
freeze (bmo#1879355)
* fixed: Messages could not be selected for dragging
(bmo#1887518)
* fixed: Could not open attached file in a MIME encrypted
message (bmo#1924637)
* fixed: Account creation "Setup Documentation" link was broken
(bmo#1925493)
* fixed: Unable to generate QR codes when exporting to mobile
in some cases (bmo#1928114)
* fixed: Operating system reauthentication was missing when
exporting QR codes for mobile (bmo#1928232)
* fixed: Could not drag all-day events from one day to another
in week view (bmo#1922944)
* Sat Nov 02 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.4.1
* Add the 20 year donation appeal (bmo#192538)
* Wed Oct 30 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.4.0
* Export Thunderbird account settings to Thunderbird Mobile via QRCode
Bugfixes:
* Unable to send an unencrypted response to an OpenPGP encrypted message
MFSA 2024-58 (bsc#1231879)
* CVE-2024-10458 (bmo#1921733)
Permission leak via embed or object elements
* CVE-2024-10459 (bmo#1919087)
Use-after-free in layout with accessibility
* CVE-2024-10460 (bmo#1912537)
Confusing display of origin for external protocol handler prompt
* CVE-2024-10461 (bmo#1914521)
XSS due to Content-Disposition being ignored in
multipart/x-mixed-replace response
* CVE-2024-10462 (bmo#1920423)
Origin of permission prompt could be spoofed by long URL
* CVE-2024-10463 (bmo#1920800)
Cross origin video frame leak
* CVE-2024-10464 (bmo#1913000)
History interface could have been used to cause a Denial of
Service condition in the browser
* CVE-2024-10465 (bmo#1918853)
Clipboard "paste" button persisted across tabs
* CVE-2024-10466 (bmo#1924154)
DOM push subscription message could hang Firefox
* CVE-2024-10467 (bmo#1829029, bmo#1888538, bmo#1900394, bmo#1904059,
bmo#1917742, bmo#1919809, bmo#1923706)
Memory safety bugs fixed in Firefox 132, Thunderbird 132,
Firefox ESR 128.4, and Thunderbird 128.4
* Wed Oct 23 2024 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 128.3.3
* Files left over from failed folder compactions could use up
disk space (bmo#1878541)
* Message list returned to selected message after action on
another message (bmo#1917485)
* Some faulty messages were downloaded and never stored
(bmo#1923765)
* Messages could become corrupted during folder compaction
(bmo#1923747,bmo#1923541,bmo#1720047)
* Searching events by Location, Description, or URL failed
(bmo#1912710)
* "Remove All Shown" saved passwords deleted all logins if
filtered without results (bmo#601447)
* Calendar event updates were not always sent to attendees
(bmo#1877640)
* Wed Oct 16 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.3.2
bugfix release:
https://www.thunderbird.net/en-US/thunderbird/128.3.2esr/releasenotes
- bring back mozilla-bmo531915.patch to fix x86
* Thu Oct 10 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.3.1
https://www.thunderbird.net/en-US/thunderbird/128.0esr/releasenotes/
and following release notes for minor version updates
MFSA 2024-52 (bsc#1231413)
* CVE-2024-9680 (bmo#1923344)
Use-after-free in Animation timeline
Mozilla Thunderbird 128.3.0
MFSA 2024-32 (128.0)
MFSA 2024-37 (128.1)
MFSA 2024-43 (128.2)
MFSA 2024-49 (128.3) (bsc#1230979)
* CVE-2024-9392 (bmo#1899154, bmo#1905843)
Compromised content process can bypass site isolation
* CVE-2024-9393 (bmo#1918301)
Cross-origin access to PDF contents through multipart responses
* CVE-2024-9394 (bmo#1918874)
Cross-origin access to JSON contents through multipart responses
* CVE-2024-8900 (bmo#1872841)
Clipboard write permission bypass
* CVE-2024-9396 (bmo#1912471)
Potential memory corruption may occur when cloning certain objects
* CVE-2024-9397 (bmo#1916659)
Potential directory upload bypass via clickjacking
* CVE-2024-9398 (bmo#1881037)
External protocol handlers could be enumerated via popups
* CVE-2024-9399 (bmo#1907726)
Specially crafted WebTransport requests could lead to denial
of service
* CVE-2024-9400 (bmo#1915249)
Potential memory corruption during JIT compilation
* CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1916476)
Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
* CVE-2024-9402 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1913445,
bmo#1914106, bmo#1914475, bmo#1914963, bmo#1915008, bmo#1916476)
Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
Thunderbird 131, and Thunderbird 128.3
- removed obsolete patches
mozilla-bmo1504834-part3.patch
mozilla-bmo1512162.patch
mozilla-bmo1775202.patch
mozilla-bmo531915.patch
mozilla-fix-aarch64-libopus.patch
mozilla-fix-issues-with-llvm18.patch
mozilla-fix-top-level-asm.patch
mozilla-partial-revert-1768632.patch
mozilla-rust-disable-future-incompat.patch
thunderbird-fix-CVE-2024-34703.patch
- new patch thunderbird-silence-no-return.patch
- rebased
mozilla-bmo1504834-part1.patch
mozilla-kde.patch
mozilla-libavcodec58_91.patch
mozilla-silence-no-return-type.patch
* Fri Sep 06 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.15.0
MFSA 2024-44 (bsc#1229821)
* CVE-2024-8381 (bmo#1912715)
Type confusion when looking up a property name in a "with"
block
* CVE-2024-8382 (bmo#1906744)
Internal event interfaces were exposed to web content when
browser EventHandler listener callbacks ran
* CVE-2024-8384 (bmo#1911288)
Garbage collection could mis-color cross-compartment objects
in OOM conditions
* Thu Aug 29 2024 Manfred Hollstein <manfred.h@gmx.net>
- Use gcc13 on Tumbleweed and where it is available.
- Don't use gcc14 as sources don't compile.
* Fri Aug 02 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.14.0
* When using an external installation of GnuPG, Thunderbird
occassionally sent/received corrupted messages (bmo#1898832)
* Users of external GnuPG were unable to decrypt incorrectly
encoded messages (bmo#1906903)
MFSA 2024-38 (bsc#1228648)
* CVE-2024-7519 (bmo#1902307)
Out of bounds memory access in graphics shared memory handling
* CVE-2024-7521 (bmo#1904644)
Incomplete WebAssembly exception handing
* CVE-2024-7522 (bmo#1906727)
Out of bounds read in editor component
* CVE-2024-7525 (bmo#1909298)
Missing permission check when creating a StreamFilter
* CVE-2024-7526 (bmo#1910306)
Uninitialized memory used by WebGL
* CVE-2024-7527 (bmo#1871303)
Use-after-free in JavaScript garbage collection
* CVE-2024-7529 (bmo#1903187)
Document content could partially obscure security prompts
* Wed Jul 10 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.13.0
* After starting Thunderbird, the message list position was
sometimes set to an incorrect position
MFSA 2024-30 (bsc#1226316)
* CVE-2024-6600 (bmo#1888340)
Memory corruption in WebGL API
* CVE-2024-6601 (bmo#1890748)
Race condition in permission assignment
* CVE-2024-6602 (bmo#1895032)
Memory corruption in NSS
* CVE-2024-6603 (bmo#1895081)
Memory corruption in thread creation
* CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
and Thunderbird 115.13
* Tue Jul 02 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 115.12.2
* fixed: Annual Thunderbird Beta appeal intended for
Thunderbird 115.12.0 did not open as expected (bmo#1898084)
- Mozilla Thunderbird 115.12.1
* 115.12.0 got pulled because of upstream automation process errors
and Windows installer signing changes.
No code changes, changelog is the same as 115.12.0 (bsc#1226495)
- Added thunderbird-fix-CVE-2024-34703.patch (bsc#1227239)
* Mon Jun 17 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.12.0
https://www.thunderbird.net/en-US/thunderbird/115.12.0/releasenotes
MFSA 2024-28 (bsc#1226027)
* CVE-2024-5702 (bmo#1193389)
Use-after-free in networking
* CVE-2024-5688 (bmo#1895086)
Use-after-free in JavaScript object transplant
* CVE-2024-5690 (bmo#1883693)
External protocol handlers leaked by timing attack
* CVE-2024-5691 (bmo#1888695)
Sandboxed iframes were able to bypass sandbox restrictions to
open a new window
* CVE-2024-5692 (bmo#1891234)
Bypass of file name restrictions during saving
* CVE-2024-5693 (bmo#1891319)
Cross-Origin Image leak via Offscreen Canvas
* CVE-2024-5696 (bmo#1896555)
Memory Corruption in Text Fragments
* CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388, bmo#1895123)
Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12,
and Thunderbird 115.12
* Wed May 29 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.11.1
* Added a short anonymous survey that a small number of users will
be randomly asked to complete
* Tue May 14 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.11.0
MFSA 2024-23 (bsc#1224056)
* CVE-2024-4367 (bmo#1893645)
Arbitrary JavaScript execution in PDF.js
* CVE-2024-4767 (bmo#1878577)
IndexedDB files retained in private browsing mode
* CVE-2024-4768 (bmo#1886082)
Potential permissions request bypass via clickjacking
* CVE-2024-4769 (bmo#1886108)
Cross-origin responses could be distinguished between script
and non-script content-types
* CVE-2024-4770 (bmo#1893270)
Use-after-free could occur when printing to PDF
* CVE-2024-4777 (bmo#1878199, bmo#1893340)
Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
and Thunderbird 115.11
* Sat May 04 2024 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 115.10.2:
https://www.thunderbird.net/en-US/thunderbird/115.10.2/releasenotes/
This release is identical to 115.10.1, other than changing the
Update channel for self-updating builds to ESR. (bmo#1893271)
* Fri Apr 19 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.10.1
https://www.thunderbird.net/en-US/thunderbird/115.10.1/releasenotes/
* fixed hangup introduced with 115.10.0 (bmo#1891889)
* Sun Apr 14 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.10.0
https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
MFSA 2024-20 (bsc#1222535)
* CVE-2024-3852 (bmo#1883542)
GetBoundName in the JIT returned the wrong object
* CVE-2024-3854 (bmo#1884552)
Out-of-bounds-read after mis-optimized switch statement
* CVE-2024-3857 (bmo#1886683)
Incorrect JITting of arguments led to use-after-free during
garbage collection
* CVE-2024-2609 (bmo#1866100)
Permission prompt input delay could expire when not in focus
* CVE-2024-3859 (bmo#1874489)
Integer-overflow led to out-of-bounds-read in the OpenType sanitizer
* CVE-2024-3861 (bmo#1883158)
Potential use-after-free due to AlignedBuffer self-move
* CVE-2024-3863 (bmo#1885855)
Download Protections were bypassed by .xrm-ms files on Windows
* CVE-2024-3302 (bmo#1881183)
Denial of Service using HTTP/2 CONTINUATION frames
* CVE-2024-3864 (bmo#1888333)
Memory safety bug fixed in Firefox 125, Firefox ESR 115.10,
and Thunderbird 115.10
* Wed Mar 20 2024 Manfred Hollstein <manfred.h@gmx.net>
- LLVM18 breaks building Thunderbird on Tumbleweed; add
* mozilla-fix-issues-with-llvm18.patch
* Sat Mar 16 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.9.0
https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/
MFSA 2024-14 (bsc#1221327)
* CVE-2024-0743 (bmo#1867408)
Crash in NSS TLS method
* CVE-2024-2605 (bmo#1872920)
Windows Error Reporter could be used as a Sandbox escape vector
* CVE-2024-2607 (bmo#1879939)
JIT code failed to save return registers on Armv7-A
* CVE-2024-2608 (bmo#1880692)
Integer overflow could have led to out of bounds write
* CVE-2024-2616 (bmo#1846197)
Improve handling of out-of-memory conditions in ICU
* CVE-2023-5388 (bmo#1780432)
NSS susceptible to timing attack against RSA decryption
* CVE-2024-2610 (bmo#1871112)
Improper handling of html and body tags enabled CSP nonce leakage
* CVE-2024-2611 (bmo#1876675)
Clickjacking vulnerability could have led to a user accidentally
granting permissions
* CVE-2024-2612 (bmo#1879444)
Self referencing object could have potentially led to a use-
after-free
* CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093)
Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
and Thunderbird 115.9
* Tue Mar 05 2024 Adam Mizerski <adam@mizerski.pl>
- Create subpackage MozillaThunderbird-openpgp-librnp
* Tue Mar 05 2024 Wolfgang Rosenauer <wr@@rosenauer.org>
- Mozilla Thunderbird 115.8.1
https://www.thunderbird.net/en-US/thunderbird/115.8.1/releasenotes/
MFSA 2024-11
* CVE-2024-1936 (bmo#1860977)
Leaking of encrypted email subjects to other conversations
* Mon Feb 19 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.8.0
MFSA 2024-07 (bsc#1220048)
* CVE-2024-1546 (bmo#1843752)
Out-of-bounds memory read in networking channels
* CVE-2024-1547 (bmo#1877879)
Alert dialog could have been spoofed on another site
* CVE-2024-1548 (bmo#1832627)
Fullscreen Notification could have been hidden by select
element
* CVE-2024-1549 (bmo#1833814)
Custom cursor could obscure the permission dialog
* CVE-2024-1550 (bmo#1860065)
Mouse cursor re-positioned unexpectedly could have led to
unintended permission grants
* CVE-2024-1551 (bmo#1864385)
Multipart HTTP Responses would accept the Set-Cookie header
in response parts
* CVE-2024-1552 (bmo#1874502)
Incorrect code generation on 32-bit ARM devices
* CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498,
bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597,
bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795,
bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286)
Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8,
and Thunderbird 115.8
* new: Added option to show packet dump when OpenPGP fails to
decrypt (bmo#1874504)
* fixed: Thunderbird slowed down significantly when opening
email files (.eml) (bmo#1863957)
* fixed: Inbox view intermittently reverted to default view
after moving or deleting messages (bmo#1725127)
* fixed: Size of collapsed folders in folder pane did not
include size of subfolders (bmo#1870641)
* fixed: Hovering over folder does not always expand subfolders
(bmo#1873101)
* fixed: Switching to thread pane of a folder using keyboard
navigation did not focus top message (bmo#1869557)
* fixed: Clicking "Sent unsent messages" in Outbox context menu
while in offline mode did not prompt user to go online
(bmo#1873487)
* fixed: Mail tab-specific Unified Toolbar buttons received
focus incorrectly (bmo#1872239)
* fixed: Quick Filter settings did not persist when Quick
Filter bar was turned off (bmo#1850266)
* fixed: Quick Filters were unusually slow (bmo#1849650)
* fixed: OpenPGP Key Manager filtering did not work
(bmo#1873655)
* fixed: OpenPGP sometimes attempted to decrypt message with
incorrect key (bmo#1865620)
* fixed: Autoconfig failed on servers that did not support
OAuth2 (bmo#1869122)
* fixed: Opening different attachments with the same name in
different messages could cause attachment files to become
conflated (bmo#1873023)
* fixed: Overflowed attachment list could not be scrolled
(bmo#1871343)
* fixed: Passwords disappeared from password manager list after
applying and clearing filters (bmo#1874646)
* fixed: Cookies in cookie manager list disappeared after
applying and then clearing filters (bmo#1876733)
* Sun Jan 21 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.7.0
https://www.thunderbird.net/en-US/thunderbird/115.7.0/releasenotes/
MFSA 2024-04 (bsc#1218955)
* CVE-2024-0741 (bmo#1864587)
Out of bounds write in ANGLE
* CVE-2024-0742 (bmo#1867152)
Failure to update user input timestamp
* CVE-2024-0746 (bmo#1660223)
Crash when listing printers on Linux
* CVE-2024-0747 (bmo#1764343)
Bypass of Content Security Policy when directive unsafe-inline was set
* CVE-2024-0749 (bmo#1813463)
Phishing site popup could show local origin in address bar
* CVE-2024-0750 (bmo#1863083)
Potential permissions request bypass via clickjacking
* CVE-2024-0751 (bmo#1865689)
Privilege escalation through devtools
* CVE-2024-0753 (bmo#1870262)
HSTS policy on subdomain could bypass policy of upper domain
* CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
and Thunderbird 115.7
* Wed Jan 10 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 115.6.1
https://www.thunderbird.net/en-US/thunderbird/115.6.1/releasenotes/
* new: OAuth2 now supported for comcast.net (bmo#1844810)
* fixed: High CPU usage sometimes occurred with IMAP CONDSTORE
(conditional STORE) enabled (bmo#1839256)
* fixed: Replying to a collapsed thread via keyboard shortcut
(Ctrl+R/Cmd+R) opened a reply for every message in the thread
(bmo#1866819)
* fixed: Enabling Grouped By view after reversing sort order of
column header caused messages to be grouped incorrectly
(bmo#1868794)
* fixed: Opening thread pane context menu via keyboard did not
always scroll view to selection (bmo#1867532)
* fixed: New mail indicator for POP3 accounts did not indicate
new messages ready to be downloaded (bmo#1870619)
* fixed: Messages could not be moved to folders using Message >
Move To if text or a link in the message had been clicked on
first (bmo#1868474)
* fixed: MIME part boundaries were not properly terminated
(bmo#1805558)
* Sun Dec 17 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.6.0
https://www.thunderbird.net/en-US/thunderbird/115.6.0/releasenotes/
* Message selection misbehaved after selecting a sub-message in an
expanded thread, collapsing the thread, then pressing up/down to
move selection
* Thunderbird now attempts to reconnect on a new connection after
SMTP 4xx errors
* HTML FileLink attachments used the wrong encoding
MFSA 2023-55 (bsc#1217230)
* CVE-2023-50762 (bmo#1862625)
Truncated signed text was shown with a valid OpenPGP
signature
* CVE-2023-50761 (bmo#1865647)
S/MIME signature accepted despite mismatching message date
* CVE-2023-6856 (bmo#1843782)
Heap-buffer-overflow affecting WebGL DrawElementsInstanced
method with Mesa VM driver
* CVE-2023-6857 (bmo#1796023)
Symlinks may resolve to smaller than expected buffers
* CVE-2023-6858 (bmo#1826791)
Heap buffer overflow in nsTextFragment
* CVE-2023-6859 (bmo#1840144)
Use-after-free in PR_GetIdentitiesLayer
* CVE-2023-6860 (bmo#1854669)
Potential sandbox escape due to VideoBridge lack of texture
validation
* CVE-2023-6861 (bmo#1864118)
Heap buffer overflow affected nsWindow::PickerOpen(void) in
headless mode
* CVE-2023-6862 (bmo#1868042)
Use-after-free in nsDNSService
* CVE-2023-6863 (bmo#1868901)
Undefined behavior in ShutdownObserver()
* CVE-2023-6864 (bmo#1736385, bmo#1810805, bmo#1846328,
bmo#1856090, bmo#1858033, bmo#1858509, bmo#1862089,
bmo#1862777, bmo#1864015)
Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6,
and Thunderbird 115.6
* Tue Dec 12 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.5.2
Bugfix release
https://www.thunderbird.net/en-US/thunderbird/115.5.2/releasenotes/
* Tue Nov 28 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.5.1
Bugfix release
https://www.thunderbird.net/en-US/thunderbird/115.5.1/releasenotes
* Advanced GnuPG keys may be protected with an unexpected passphrase
* OpenPGP signatures rejected due to mismatched signature timestamp
now display signature timestamp and clarifying message
* Advanced address book search did not return results if display name
was left blank
* Clicking on attendee when inviting attendees added the attendee twice
* Wed Nov 22 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.5.0
https://www.thunderbird.net/en-US/thunderbird/115.5.0/releasenotes
MFSA 2023-52 (bsc#1217230)
* CVE-2023-6204 (bmo#1841050)
Out-of-bound memory access in WebGL2 blitFramebuffer
* CVE-2023-6205 (bmo#1854076)
Use-after-free in MessagePort::Entangled
* CVE-2023-6206 (bmo#1857430)
Clickjacking permission prompts using the fullscreen transition
* CVE-2023-6207 (bmo#1861344)
Use-after-free in ReadableByteStreamQueueEntry::Buffer
* CVE-2023-6208 (bmo#1855345)
Using Selection API would copy contents into X11 primary
selection.
* CVE-2023-6209 (bmo#1858570)
Incorrect parsing of relative URLs starting with "///"
* CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, bmo#1856072,
bmo#1856091, bmo#1859030, bmo#1860943, bmo#1862782)
Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
and Thunderbird 115.5
* Wed Nov 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.4.3
Bugfix release
https://www.thunderbird.net/en-US/thunderbird/115.4.3/releasenotes
* Sat Nov 04 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.4.2
https://www.thunderbird.net/en-US/thunderbird/115.4.2/releasenotes
- build using rust/cargo 1.72 (1.69 about to be dropped from Factory)
* Tue Oct 24 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.4.1
https://www.thunderbird.net/en-US/thunderbird/115.4.1/releasenotes
https://www.thunderbird.net/en-US/thunderbird/115.4.0/releasenotes
MFSA 2023-47 (bsc#1216338)
* CVE-2023-5721 (bmo#1830820)
Queued up rendering could have allowed websites to clickjack
* CVE-2023-5732 (bmo#1690979, bmo#1836962)
Address bar spoofing via bidirectional characters
* CVE-2023-5724 (bmo#1836705)
Large WebGL draw could have led to a crash
* CVE-2023-5725 (bmo#1845739)
WebExtensions could open arbitrary URLs
* CVE-2023-5726 (bmo#1846205)
Full screen notification obscured by file open dialog on macOS
* CVE-2023-5727 (bmo#1847180)
Download Protections were bypassed by .msix, .msixbundle,
.appx, and .appxbundle files on Windows
* CVE-2023-5728 (bmo#1852729)
Improper object tracking during GC in the JavaScript engine
could have led to a crash.
* CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833,
bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002,
bmo#1855306, bmo#1855640, bmo#1856695)
Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4,
and Thunderbird 115.4.1
- removed obsolete mozilla-bmo1846703.patch
* Tue Oct 24 2023 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 115.3.3
* fixed: "Folder Location" toolbar button did not work for
local folders (bmo#1843979)
* fixed: "Copy to <folder name> again" option disappeared from
context menu after copying to Gmail folder with non-ASCII
name (bmo#1856712)
* fixed: Default reply identity did not use "Delivered-To"
address when catch-all was active (bmo#1815559)
* fixed: "View Headers All" did not work when selected in
standalone message window (bmo#1855316)
* fixed: Viewing the mail filter log displayed an error if no
log file was present (bmo#1789244)
* Tue Oct 10 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.3.2
Bugfix release
https://www.thunderbird.net/en-US/thunderbird/115.3.2/releasenotes
* Fri Sep 29 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.3.1
MFSA 2023-45 (bsc#1215814)
* CVE-2023-5217 (bmo#1855550)
Heap buffer overflow in libvpx
- Add mozilla-bmo1846703.patch
* Tue Sep 26 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.3.0
https://www.thunderbird.net/en-US/thunderbird/115.3.0/releasenotes
MFSA 2023-43 (bsc#1215575)
* CVE-2023-5168 (bmo#1846683)
Out-of-bounds write in FilterNodeD2D1
* CVE-2023-5169 (bmo#1846685)
Out-of-bounds write in PathOps
* CVE-2023-5171 (bmo#1851599)
Use-after-free in Ion Compiler
* CVE-2023-5174 (bmo#1848454)
Double-free in process spawning on Windows
* CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824,
bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983,
bmo#1851195)
Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3,
and Thunderbird 115.3
* Wed Sep 20 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.2.3
Bugfix release:
https://www.thunderbird.net/en-US/thunderbird/115.2.3/releasenotes
* Tue Sep 12 2023 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 115.2.2
https://www.thunderbird.net/en-US/thunderbird/115.2.2/releasenotes
MFSA 2023-40 (bsc#1215231)
* CVE-2023-4863 (bmo# bmo#1852649)
Heap buffer overflow in libwebp
* Tue Sep 12 2023 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 115.2.1
https://www.thunderbird.net/en-US/thunderbird/115.2.1/releasenotes
* new: Column separators are now shown between all columns in
tree view (bmo#1847441)
* fixed: New mail notification always opened message in message
pane, even if pane was disabled (bmo#1840092)
* fixed: After moving an IMAP message to another folder, the
incorrect message was selected in the message list
(bmo#1845376)
* fixed: Adding a tag to an IMAP message opened in a tab failed
(bmo#1844452)
* fixed: Junk/Spam folders were not always shown in Unified
Folders mode (bmo#1838672)
* fixed: Middle-clicking a folder or message did not open it in
a background tab, as in previous versions (bmo#1842482)
* fixed: Settings tab visual improvements: Advanced Fonts
dialog, Section headers hidden behind search box
(bmo#1717382,bmo#1846751)
* fixed: Various visual and style fixes
(bmo#1843707,bmo#1849823)
* Sun Aug 27 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.2.0
https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes
MFSA 2023-38 (bsc#1214606)
* CVE-2023-4573 (bmo#1846687)
Memory corruption in IPC CanvasTranslator
* CVE-2023-4574 (bmo#1846688)
Memory corruption in IPC ColorPickerShownCallback
* CVE-2023-4575 (bmo#1846689)
Memory corruption in IPC FilePickerShownCallback
* CVE-2023-4576 (bmo#1846694)
Integer Overflow in RecordedSourceSurfaceCreation
* CVE-2023-4577 (bmo#1847397)
Memory corruption in JIT UpdateRegExpStatics
* CVE-2023-4051 (bmo#1821884)
Full screen notification obscured by file open dialog
* CVE-2023-4578 (bmo#1839007)
Error reporting methods in SpiderMonkey could have triggered
an Out of Memory Exception
* CVE-2023-4053 (bmo#1839079)
Full screen notification obscured by external program
* CVE-2023-4580 (bmo#1843046)
Push notifications saved to disk unencrypted
* CVE-2023-4581 (bmo#1843758)
XLL file extensions were downloadable without warnings
* CVE-2023-4582 (bmo#1773874)
Buffer Overflow in WebGL glGetProgramiv
* CVE-2023-4583 (bmo#1842030)
Browsing Context potentially not cleared when closing Private
Window
* CVE-2023-4584 (bmo#1843968, bmo#1845205, bmo#1846080,
bmo#1846526, bmo#1847529)
Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15,
Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
* CVE-2023-4585 (bmo#1751583, bmo#1833504, bmo#1841082,
bmo#1847904, bmo#1848999)
Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2,
and Thunderbird 115.2
* Tue Aug 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.1.1
bugfixes as documented here
https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes
* Tue Aug 01 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.1.0
New major release with Supernova UI
Releasenotes for 115.0:
https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes
MFSA 2023-33 (bsc#1213746)
* CVE-2023-4045 (bmo#1833876)
Offscreen Canvas could have bypassed cross-origin restrictions
* CVE-2023-4046 (bmo#1837686)
Incorrect value used during WASM compilation
* CVE-2023-4047 (bmo#1839073)
Potential permissions request bypass via clickjacking
* CVE-2023-4048 (bmo#1841368)
Crash in DOMParser due to out-of-memory conditions
* CVE-2023-4049 (bmo#1842658)
Fix potential race conditions when releasing platform objects
* CVE-2023-4050 (bmo#1843038)
Stack buffer overflow in StorageManager
* CVE-2023-4052 (bmo#1824420)
File deletion and privilege escalation through Firefox uninstaller
* CVE-2023-4054 (bmo#1840777)
Lack of warning when opening appref-ms files
* CVE-2023-4055 (bmo#1782561)
Cookie jar overflow caused unexpected cookie jar state
* CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325,
bmo#1843847)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
* CVE-2023-4057 (bmo#1841682)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
and Thunderbird 115.1
- requires NSS 3.90
- add patches:
mozilla-rust-disable-future-incompat.patch
mozilla-partial-revert-1768632.patch
mozilla-bmo1775202.patch
- removed obsolete patches:
gcc13-fix.patch
mozilla-bmo1568145.patch
mozilla-bmo1005535.patch
mozilla-s390x-skia-gradient.patch
- update create-tar.sh
* Tue Jul 25 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.13.1
MFSA 2023-28
* CVE-2023-3417 (bmo#1835582, boo#1213658)
File Extension Spoofing using the Text Direction Override Character
* Fri Jul 07 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.13.0
* Upstream RNP version numbers now recognized as official in about:support
MFSA 2023-24 (bsc#1212438)
* CVE-2023-37201 (bmo#1826002)
Use-after-free in WebRTC certificate generation
* CVE-2023-37202 (bmo#1834711)
Potential use-after-free from compartment mismatch in
SpiderMonkey
* CVE-2023-37207 (bmo#1816287)
Fullscreen notification obscured
* CVE-2023-37208 (bmo#1837675)
Lack of warning when opening Diagcab files
* CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886,
bmo#1836550, bmo#1837450)
Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
and Thunderbird 102.13
- mozilla-llvm16.patch has been applied upstream, remove it here
* Sun Jun 04 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.12.0:
MFSA 2023-21 (bsc#1211922)
* CVE-2023-34414 (bmo#1695986)
Click-jacking certificate exceptions through rendering lag
* CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875,
bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190,
bmo#1830206, bmo#1830795, bmo#1833339)
Memory safety bugs fixed in Thunderbird 102.12
* fixed: "Searching the directory for recipients certificates"
popup could block compose window when "S/MIME reminder" was
enabled and using an LDAP address book (bmo#1833651)
* fixed: Some elements still used animations with "prefers-
reduced-motion" set (bmo#1833353)
* fixed: Visual and theme improvements
(bmo#1832943,bmo#1832990)
* Sat May 27 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.11.2
* fixed: Thunderbird 102.11.1 contained POP3 client regressions
with offline mode and TLS certificate overrides
(bmo#1801286,bmo#1816596,bmo#1798785)
- Includes changes from Thunderbird 102.11.1
* fixed: POP message retrieval stopped after a network error
occurred and connectivity was restored (bmo#1798785)
* fixed: Reused SMTP connections sometimes silently
disconnected, causing timeouts (bmo#1766382)
* fixed: Thunderbird could freeze if saving a sent message to
IMAP failed (bmo#1745130)
* fixed: Creating OpenPGP keys with no expiration was not
possible (bmo#1830094)
* fixed: News reader did not always issue GROUP command after
authentication with remote server, preventing Thundebird from
displaying or refreshing news from the server (bmo#1824377)
- updated mozilla.keyring
* Thu May 11 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.11.0
* https://www.thunderbird.net/en-US/thunderbird/102.11.0/releasenotes
MFSA 2023-18 (bsc#1211175)
* CVE-2023-32205 (bmo#1753339, bmo#1753341)
Browser prompts could have been obscured by popups
* CVE-2023-32206 (bmo#1824892)
Crash in RLBox Expat driver
* CVE-2023-32207 (bmo#1826116)
Potential permissions request bypass via clickjacking
* CVE-2023-32211 (bmo#1823379)
Content process crash due to invalid wasm code
* CVE-2023-32212 (bmo#1826622)
Potential spoof due to obscured address bar
* CVE-2023-32213 (bmo#1826666)
Potential memory corruption in FileReader::DoReadData()
* CVE-2023-32214 (bmo#1828716)
Potential DoS via exposed protocol handlers
* CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856,
bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144,
bmo#1827359, bmo#1830186)
Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
* Sun Apr 23 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.10.1
* https://www.thunderbird.net/en-US/thunderbird/102.10.1/releasenotes
* Wed Apr 05 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.10.0
* New messages will automatically select S/MIME if configured and
OpenPGP is not
* Calendar events with timezone America/Mexico_City incorrectly
applied Daylight Savings Time
MFSA 2023-15 (bsc#1210212)
* CVE-2023-29531 (bmo#1794292)
Out-of-bound memory access in WebGL on macOS
* CVE-2023-29532 (bmo#1806394)
Mozilla Maintenance Service Write-lock bypass
* CVE-2023-29533 (bmo#1798219, bmo#1814597)
Fullscreen notification obscured
* MFSA-TMP-2023-0001 (bmo#1819244)
Double-free in libwebp
* CVE-2023-29535 (bmo#1820543)
Potential Memory Corruption following Garbage Collector compaction
* CVE-2023-29536 (bmo#1821959)
Invalid free from JavaScript code
* CVE-2023-0547 (bmo#1811298)
Revocation status of S/Mime recipient certificates was not checked
* CVE-2023-29479 (bmo#1824978)
Hang when processing certain OpenPGP messages
* CVE-2023-29539 (bmo#1784348)
Content-Disposition filename truncation leads to Reflected
File Download
* CVE-2023-29541 (bmo#1810191)
Files with malicious extensions could have been downloaded
unsafely on Linux
* CVE-2023-29542 (bmo#1810793, bmo#1815062)
Bypass of file download extension restrictions
* CVE-2023-29545 (bmo#1823077)
Windows Save As dialog resolved environment variables
* CVE-2023-1945 (bmo#1777588)
Memory Corruption in Safe Browsing Code
* CVE-2023-29548 (bmo#1822754)
Incorrect optimization result on ARM64
* CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217,
bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602,
bmo#1821448, bmo#1822413, bmo#1824828)
Memory safety bugs fixed in Thunderbird 102.10
- add mozilla-llvm16.patch to fix build with LLVM16
* Wed Mar 29 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.9.1
MFSA 2023-12
* CVE-2023-28427 (bmo#1822595)
Matrix SDK bundled with Thunderbird vulnerable to
denial-of-service attack
* Sun Mar 26 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- add gcc13-fix.patch to support current Tumbleweed
* Sun Mar 12 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.9.0
* https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes
MFSA 2023-11 (bsc#1209173))
* CVE-2023-25751 (bmo#1814899)
Incorrect code generation during JIT compilation
* CVE-2023-28164 (bmo#1809122)
URL being dragged from a removed cross-origin iframe into the
same tab triggered navigation
* CVE-2023-28162 (bmo#1811327)
Invalid downcast in Worklets
* CVE-2023-25752 (bmo#1811627)
Potential out-of-bounds when accessing throttled streams
* CVE-2023-28163 (bmo#1817768)
Windows Save As dialog resolved environment variables
* CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904,
bmo#1817442, bmo#1818674)
Memory safety bugs fixed in Thunderbird 102.9
- update create-tar.sh
- build using rust 1.67
* Tue Mar 07 2023 Manfred Hollstein <manfred.h@gmx.net>
- Ensure gcc11-c++ gets used on Leap 15.5, too.
* Wed Feb 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.8.0
* https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes
MFSA 2023-07 (bsc#1208144)
* CVE-2023-0616 (bmo#1806507)
User Interface lockup with messages combining S/MIME and OpenPGP
* CVE-2023-25728 (bmo#1790345)
Content security policy leak in violation reports using iframes
* CVE-2023-25730 (bmo#1794622)
Screen hijack via browser fullscreen mode
* CVE-2023-0767 (bmo#1804640)
Arbitrary memory write via PKCS 12 in NSS
* CVE-2023-25735 (bmo#1810711)
Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-25737 (bmo#1811464)
Invalid downcast in SVGUtils::SetupStrokeGeometry
* CVE-2023-25738 (bmo#1811852)
Printing on Windows could potentially crash Thunderbird with
some device drivers
* CVE-2023-25739 (bmo#1811939)
Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
* CVE-2023-25729 (bmo#1792138)
Extensions could have opened external schemes without user knowledge
* CVE-2023-25732 (bmo#1804564)
Out of bounds memory write from EncodeInputStream
* CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
Opening local .url files could cause unexpected network loads
* CVE-2023-25742 (bmo#1813424)
Web Crypto ImportKey crashes tab
* CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628,
bmo#1810536)
Memory safety bugs fixed in Thunderbird 102.8
- requires
NSPR >= 4.34.1
NSS >= 3.79.4
* Wed Feb 08 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.7.2
* Various crash fixes
* Tue Jan 31 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.7.1
* Microsoft Office 365 accounts were unable to authenticate
* https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/
MFSA 2023-04
* CVE-2023-0430 (bmo#1769000)
Revocation status of S/Mime signature certificates was not checked
- update create-tar.sh
* Tue Jan 17 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.7.0
https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/
MFSA 2023-03 (bsc#1207119)
* CVE-2022-46871 (bmo#1795697)
libusrsctp library out of date
* CVE-2023-23598 (bmo#1800425)
Arbitrary file read from GTK drag and drop on Linux
* CVE-2023-23599 (bmo#1777800)
Malicious command could be hidden in devtools output on
Windows
* CVE-2023-23601 (bmo#1794268)
URL being dragged from cross-origin iframe into same tab
triggers navigation
* CVE-2023-23602 (bmo#1800890)
Content Security Policy wasn't being correctly applied to
WebSockets in WebWorkers
* CVE-2022-46877 (bmo#1795139)
Fullscreen notification bypass
* CVE-2023-23603 (bmo#1800832)
Calls to <code>console.log</code> allowed bypasing Content
Security Policy via format directive
* CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
Memory safety bugs fixed in Thunderbird 102.7
* Tue Dec 20 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.6.1
* Remote content did not load in user-defined signatures
* Addons that added new action buttons were not shown for addon
upgrades, requiring removal and reinstall
* Various stability improvements
MFSA 2022-54
* CVE-2022-46874 (bmo#1746139)
Drag and Dropped Filenames could have been truncated to
malicious extensions
* Tue Dec 13 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.6.0
https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
MFSA 2022-53 (bsc#1206242)
* CVE-2022-46880 (bmo#1749292)
Use-after-free in WebGL
* CVE-2022-46872 (bmo#1799156)
Arbitrary file read from a compromised content process
* CVE-2022-46881 (bmo#1770930)
Memory corruption in WebGL
* CVE-2022-46874 (bmo#1746139)
Drag and Dropped Filenames could have been truncated to
malicious extensions
* CVE-2022-46875 (bmo#1786188)
Download Protections were bypassed by .atloc and .ftploc
files on Mac OS
* CVE-2022-46882 (bmo#1789371)
Use-after-free in WebGL
* CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
bmo#1801102, bmo#1801315, bmo#1802395)
Memory safety bugs fixed in Thunderbird 102.6
- removed obsolete patches
mozilla-newer-cbindgen.patch
mozilla-glibc236.patch
* Wed Nov 30 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.5.1
MFSA 2022-50
* CVE-2022-45414 (bmo#1788096)
Quoting from an HTML email with certain tags will trigger network
requests and load remote content, regardless of a configuration
to block remote content
* Sat Nov 12 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.5.0
* changes and fixes as described here
https://www.thunderbird.net/en-US/thunderbird/102.5.0/releasenotes
MFSA 2022-49 (bsc#1205270)
* CVE-2022-45403 (bmo#1762078)
Service Workers might have learned size of cross-origin media files
* CVE-2022-45404 (bmo#1790815)
Fullscreen notification bypass
* CVE-2022-45405 (bmo#1791314)
Use-after-free in InputStream implementation
* CVE-2022-45406 (bmo#1791975)
Use-after-free of a JavaScript Realm
* CVE-2022-45408 (bmo#1793829)
Fullscreen notification bypass via windowName
* CVE-2022-45409 (bmo#1796901)
Use-after-free in Garbage Collection
* CVE-2022-45410 (bmo#1658869)
ServiceWorker-intercepted requests bypassed SameSite cookie policy
* CVE-2022-45411 (bmo#1790311)
Cross-Site Tracing was possible via non-standard override headers
* CVE-2022-45412 (bmo#1791029)
Symlinks may resolve to partially uninitialized buffers
* CVE-2022-45416 (bmo#1793676)
Keystroke Side-Channel Leakage
* CVE-2022-45418 (bmo#1795815)
Custom mouse cursor could have been drawn over browser UI
* CVE-2022-45420 (bmo#1792643)
Iframe contents could be rendered outside the iframe
* CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
Memory safety bugs fixed in Thunderbird 102.5
* Sat Nov 05 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.4.2
* "Address Book" button in Account Central will now create a
CardDAV address book instead of a local address book
* Bugfixes as described here
https://www.thunderbird.net/en-US/thunderbird/102.4.2/releasenotes
* Tue Oct 25 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.4.1
* Thunderbird will now catch and report errors parsing vCards
that contain incorrectly formatted dates
* Dynamic language switching did not update interface when switched
to right-to-left languages
* Custom header data was discarded after messages were saved as
draft and reopened
* -remote command line argument did not work, affecting integration
with various applications such as LibreOffice
* Messages received via some SMS-to-email services could not
display images
* VCards with nickname field set could not be edited
* Some recurring events were missing from Agenda on first load
* Download requests for remote ICS calendars incorrectly set
"Accept" header to text/xml
* Monthly events created on the 31st of a month with <30 days placed
first occurrence 1-2 days after the beginning of the following month
* Various visual and UX improvements
* Fri Oct 14 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.4.0
https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes
MFSA 2022-46 (bsc#1203477)
* CVE-2022-42927 (bmo#1789128)
Same-origin policy violation could have leaked cross-origin URLs
* CVE-2022-42928 (bmo#1791520)
Memory Corruption in JS Engine
* CVE-2022-42929 (bmo#1789439)
Denial of Service via window.print
* CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)
Memory safety bugs fixed in Firefox 106, Firefox ESR 102.4 and
Thunderbird 102.4.0
* Tue Oct 11 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.3.3
* Option added to show containing address book for a contact when
using All Address Books in vertical mode
* Thunderbird will try to use POP NTLM authentication even if
not advertised by server
* Task List and Today Pane sidebars will no longer load when not visible
* bugfixes as documented here
https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes
* Thu Oct 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.3.2
* Thunderbird will try to use POP CRAM-MD5 authentication even if
not advertised by server
* more bugfixes as in
https://www.thunderbird.net/en-US/thunderbird/102.3.2/releasenotes
* Mon Oct 03 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- build using rust 1.63
* Wed Sep 28 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.3.1
* Compose window encryption options now only appear for encryption
technologies that have already been configured
* Number of contacts in currently selected address book now
displayed at bottom of Address Book list column
Fixes
* Password prompt did not include server hostname for POP servers
* Edit Contact was missing from Contacts sidebar context menus
* Address Book contact lists cut off display of some characters,
the result being unreadable
MFSA 2022-43
* CVE-2022-39249 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack by malicious server administrators
* CVE-2022-39250 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a device
verification attack
* CVE-2022-39251 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack
* CVE-2022-39236 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a data
corruption issue
* Fri Sep 16 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.3.0
https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
* Thunderbird will no longer attempt to import account passwords
when importing from another Thunderbird profile in order to
prevent profile corruption and permanent data loss. (bmo#1790605)
* Devtools performance profile will use Thunderbird presets
instead of Web Developer presets (bmo#1785954)
* Thunderbird startup performance improvements (bmo#1785967)
* Saving email source and images failed (bmo#1777323, bmo#1778804)
* Error message was shown repeatedly when temporary disk
space was full (bmo#1788580)
* Attaching OpenPGP keys without a set size to non-encrypted
messages briefly displayed a size of zero bytes (bmo#1788952)
* Global Search entry box initially contained "undefined" (bmo#1780963)
* Delete from POP Server mail filter rule intermittently
failed to trigger (bmo#1789418)
* Connections to POP3 servers without UIDL support failed (bmo#1789314)
* Pop accounts with "Fetch headers only" set downloaded complete
messages if server did not advertise TOP capability (bmo#1789356)
* "File -> New -> Address Book Contact" from Compose window did
not work (bmo#1782418)
* Attach "My vCard" option in compose window was not available
(bmo#1787614)
* Improved performance of matching a contact to an email address
(bmo#1782725)
* Address book only recognized a contact's first two email
addresses (bmo#1777156)
* Address book search and autocomplete failed if a contact vCard
could not be parsed (bmo#1789793)
* Downloading NNTP messages for offline use failed (bmo#1785773)
* NNTP client became stuck when connecting to Public-Inbox servers
(bmo#1786203, boo#1203554)
* Various visual and UX improvements (bmo#1782235, bmo#1787448,
bmo#1788725, bmo#1790324)
* unresolved: No dedicated "Department" field in address book
(bmo#1777780)
MFSA 2022-42 (bsc#1203477)
* CVE-2022-40959 (bmo#1782211)
Bypassing FeaturePolicy restrictions on transient pages
* CVE-2022-40960 (bmo#1787633)
Data-race when parsing non-UTF-8 URLs in threads
* CVE-2022-40958 (bmo#1779993)
Bypassing Secure Context restriction for cookies with __Host
and __Secure prefix
* CVE-2022-40956 (bmo#1770094)
Content-Security-Policy base-uri bypass
* CVE-2022-40957 (bmo#1777604)
Incoherent instruction cache when building WASM on ARM64
* CVE-2022-3155 (bmo#1789061)
Attachment files saved to disk on macOS could be executed
without warning
* CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835,
bmo#1785109, bmo#1786502, bmo#1789440)
Memory safety bugs fixed in Thunderbird 102.3
* Thu Sep 08 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.2.2
https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
* Setting added to change Calendar event double-click action to
open Edit Event dialog rather than view only;
Set calendar.events.defaultActionEdit to true
* Running Compact Folders on maildir folders caused a redownload
of all messages in the folder
* Accessing mail folders in profiles with many folders was slow
* SMTP servers were not always properly initialized, and were not
listed in Account Settings
* APOP authentication unsupported when connecting to POP3 server
* OpenPGP key discovery failed
* POP accounts hosted by AOL were not able to authenticate using OAuth2
* Unable to open context menu in newsgroups header for groups
that are not subscribed
* Thu Sep 08 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.2.2
https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
* Setting added to change Calendar event double-click action to
open Edit Event dialog rather than view only;
Set calendar.events.defaultActionEdit to true
* Running Compact Folders on maildir folders caused a redownload
of all messages in the folder
* Accessing mail folders in profiles with many folders was slow
* SMTP servers were not always properly initialized, and were not
listed in Account Settings
* APOP authentication unsupported when connecting to POP3 server
* OpenPGP key discovery failed
* POP accounts hosted by AOL were not able to authenticate using OAuth2
* Unable to open context menu in newsgroups header for groups
that are not subscribed
* Thu Sep 01 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.2.1
MFSA 2022-38 (bsc#1203007)
* CVE-2022-3033 (bmo#1784838)
Leaking of sensitive information when composing a response to
an HTML email with a META refresh tag
* CVE-2022-3032 (bmo#1783831)
Remote content specified in an HTML document that was nested
inside an iframe's srcdoc attribute was not blocked
* CVE-2022-3034 (bmo#1745751)
An iframe element in an HTML email could trigger a network
request
* CVE-2022-36059 (bmo#1787741)
Matrix SDK bundled with Thunderbird vulnerable to denial-of-
service attack
* Fri Aug 19 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.2.0
* https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/
MFSA 2022-36 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155)
Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685)
Cross-origin XSLT Documents would have inherited the parent's
permissions
* CVE-2022-38476 (bmo#1760998)
Data race and potential use-after-free in PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
Memory safety bugs fixed in Thunderbird 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
Memory safety bugs fixed in Thunderbird 102.2, and
Thunderbird 91.13
- disabled automatic usage of wayland because of known issues
using MOZ_ENABLE_WAYLAND=1 in environment would still enable it
(boo#1202606)
* Sun Aug 14 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- added mozilla-glibc236.patch (bmo#1782988, boo#1202323)
* Tue Aug 09 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.1.2
* fix for bmo#1777765 (no POP download progress bar) was backed
out from this release to address broken POP message download
with Fetch headers only selected in Account Settings (bmo#1783552)
* Mon Aug 08 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.1.1
Bugfixes:
* https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/
* Tue Jul 26 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.1.0
* https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes
MFSA 2022-32 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722)
Mouse Position spoofing with CSS transforms
* CVE-2022-36318 (bmo#1771774)
Directory indexes for bundled resources reflected URL parameters
* CVE-2022-36314 (bmo#1773894)
Opening local <code>.lnk</code> files could cause unexpected
network loads
* CVE-2022-2505 (bmo#1769739, bmo#1772824)
Memory safety bugs fixed in Thunderbird 102.1
- added mozilla-newer-cbindgen.patch to fix build with
rust-cbindgen >= 0.24 (and also require that for build)
- added mozilla-pgo.patch to fix LTO builds with gcc
* Tue Jul 19 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.0.3
Bugfixes as in
* https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/
* Sat Jul 09 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.0.2
* https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/
- removed obsolete patches
mozilla-bmo1504834-part2.patch
mozilla-bmo1504834-part4.patch
mozilla-bmo1602730.patch
mozilla-bmo1626236.patch
mozilla-bmo1724679.patch
mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
mozilla-sandbox-fips.patch
- added patches inherited from FF 102
one_swizzle_to_rule_them_all.patch
svg-rendering.patch
- fix KDE detection (boo#1200987) in mozilla-kde.patch
- requires
rust = 1.60
NSPR >= 4.34
NSS >= 3.79
rust-cbindgen >= 0.23.0
- remove special breakpad debug symbol creation
* Sun Jun 26 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.11.0
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
additional fix applied
* "Save-As" attachment dialog did not have filename pre-populated
MFSA 2022-26 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-2226 (bmo#1775441)
An email with a mismatching OpenPGP signature date was
accepted as valid
* CVE-2022-34481 (bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-31744 (bmo#1757604)
CSP bypass enabling stylesheet injection
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype pollution
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
* Thu May 26 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.10.0
* Various UX and theme improvements
MFSA 2022-22 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923)
Cross-Origin resource's length leaked
* CVE-2022-31737 (bmo#1743767)
Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388)
Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049)
Attacker-influenced path traversal when saving downloaded
files
* CVE-2022-31740 (bmo#1766806)
Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590)
Uninitialized variable leads to invalid memory read
* CVE-2022-1834 (bmo#1767816)
Braille space character caused incorrect sender email to be
shown for a digitally signed email
* CVE-2022-31742 (bmo#1730434)
Querying a WebAuthn token with a large number of
allowCredential entries may have leaked cross-origin
information
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
bmo#1767365, bmo#1768559, bmo#1768734)
Memory safety bugs fixed in Thunderbird 91.10
* Sat May 21 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.9.1
MFSA 2022-19 (bsc#1199768)
* CVE-2022-1802 (bmo#1770137)
Prototype pollution in Top-Level Await implementation
* CVE-2022-1529 (bmo#1770048)
Untrusted input used in JavaScript object indexing, leading
to prototype pollution
* Mon May 02 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe
attributes that are ignored
* OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
allow SHA-1 key signatures
* CalDAV calendars were marked read-only on startup
MFSA 2022-18 (bsc#1198970)
* CVE-2022-1520 (bmo#1745019)
Incorrect security status shown after viewing an attached
email
* CVE-2022-29914 (bmo#1746448)
Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081)
Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674)
Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981)
iframe sandbox bypass
* CVE-2022-29912 (bmo#1692655)
Reader mode bypassed SameSite cookies
* CVE-2022-29913 (bmo#1764778)
Speech Synthesis feature not properly disabled
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
bmo#1762614, bmo#1762620)
Memory safety bugs fixed in Thunderbird 91.9
* Sat Apr 16 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js#
* Additional SMTP errors now propagated to user
* OpenPGP was not able to use some previously supported key types
* OpenPGP Key Manager did not always display correct information
after importing additional IDs
* Duplicate new mail notifications could be displayed when
server-side filters were in use
* Cancelling an SMTP password entry resulted in multiple failure
dialogs being displayed
* Tue Apr 12 2022 Martin Liška <mliska@suse.cz>
- Set memory limits for DWZ to 4x.
* Sat Apr 02 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.8.0
* Google accounts using password authentication will be migrated
to OAuth2.
* bugfixes
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
MFSA 2022- (bsc#1197903)
- update create-tar.sh
* Thu Mar 17 2022 Dirk Müller <dmueller@suse.com>
- skip slow workers, this is a tough build job
* Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.7.0
* Thunderbird will use the first occurrence of headers that should
only appear once
* Auto-complete incorrectly changed a pasted email address to the
primary address of a contact
* Attachments with filename extensions that were not registered in
MIME types could not be opened
* Copy/Cut/Paste actions not working in Thunderbird Preferences
* Improved screen reader support of displayed message headers
MFSA 2022-12 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421)
Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352)
iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979)
Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243)
Use-after-free in text reflows
* CVE-2022-26386 (bmo#1752396)
Temporary files downloaded to /tmp and accessible by other
local users
* Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.6.2
MFSA 2022-09
* CVE-2022-26485 (bmo#1758062)
Use-after-free in XSLT parameter processing
* CVE-2022-26486 (bmo#1758070)
Use-after-free in WebGPU IPC Framework
* Tue Feb 15 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
* Emails were not downloading at startup under some conditions
* Port numbers were not shown in "Confirm Security Exception"
dialog for CalDAV connections
MFSA 2022-07 (bsc#1196072)
* CVE-2022-0566 (bmo#1753094)
Crafted email could trigger an out-of-bounds write
* Sat Feb 05 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
* Partially signed unencrypted messages displayed an incorrect
"parrtially encrypted" notification
* Attachments filenames were not sanitized before saving to disk
* In the attachment bar, the "Import OpenPGP Key" item displayed
for public keys displayed an error and did not import the key
* "Open with" attachment dialog did not have a selected radio
button option
MFSA 2022-06 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance
Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during
update
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22763 (bmo#1740534)
Script Execution during invalid object state
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
bmo#1748210, bmo#1748279)
Memory safety bugs fixed in Thunderbird 91.6
- do not use ccache by default
- removed obsolete mozilla-bmo1745560.patch
* Sat Jan 22 2022 Manfred Hollstein <manfred.h@gmx.net>
- Mozilla Thunderbird 91.5.1
* JS LDAP implementation did not support self-signed SSL certificates
* After saving a draft and subsequently sending a FileLink email,
the original file was removed from disk
* Chat OTR encryption did not work
* OTR verification bar was not removed after completing verification
* Various theme improvements
* Thu Jan 20 2022 Martin Liška <mliska@suse.cz>
- Enable -fimplicit-constexpr for GCC 12+.
* Fri Jan 07 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.5.0
https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
MFSA 2022-03 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071)
Calling into reportValidity could have lead to fullscreen
window spoof
* CVE-2022-22743 (bmo#1739220)
Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923)
Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389)
Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334)
Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382)
Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874)
Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720)
Iframe sandbox bypass with XSLT
* CVE-2022-22748 (bmo#1705211)
Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856)
Leaking cross-origin URLs through securitypolicyviolation event
* CVE-2022-22744 (bmo#1737252)
The 'Copy as curl' feature in DevTools did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2022-22747 (bmo#1735028)
Crash when handling empty pkcs7 sequence
* CVE-2022-22739 (bmo#1744158)
Missing throttling on external protocol launch dialog
* CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366,
bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221,
bmo#1743515, bmo#1745373, bmo#1746011)
Memory safety bugs fixed in Thunderbird 91.5
* Tue Dec 28 2021 Bjørn Lie <bjorn.lie@gmail.com>
- Add mozilla-bmo1745560.patch: Fix build against wayland 1.20.
* Fri Dec 17 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.4.1
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
MFSA 2021-55 (bsc#1193845)
* CVE-2021-4126 (bmo#1732310)
OpenPGP signature status doesn't consider additional message
content
* CVE-2021-44538 (bmo#1744056)
Matrix chat library libolm bundled with Thunderbird
vulnerable to a buffer overflow
- updated _constraints
* Thu Dec 02 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.4.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
MFSA 2021-54 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43545 (bmo#1720926)
Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751)
Cursor spoofing could overlay user interface when native
cursor is zoomed
* CVE-2021-43528 (bmo#1742579)
JavaScript unexpectedly enabled for the composition area
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
bmo#1737009, bmo#1739372, bmo#1739421)
Memory safety bugs fixed in Thunderbird 91.4.0
* Thu Nov 25 2021 Bjørn Lie <bjorn.lie@gmail.com>
- Drop unused libidl-devel BuildRequires.
* Sat Nov 20 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.3.2
* Date selection in Calendar print settings widget changed to use
mini calendar widget
* OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529
boo#1189244
* Bugfixes as outlined in release notes
https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/
* Sat Nov 13 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.3.1
* OpenPGP public keys will no longer count as an attachment in
the message list
* Adding a search engine via URL now supported
* FileLink messages' template updated; Thunderbird advertisement
removed
* After an update, Thunderbird will now check installed addons
for updates
* Bugfixes as outlined in release notes
https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/
* Sun Oct 31 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.3.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
MFSA 2021-50 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517)
iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156)
Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194)
Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750)
Thunderbird could be coaxed into going into fullscreen mode
without notification or warning
* CVE-2021-38507 (bmo#1730935)
Opportunistic Encryption in HTTP2 could be used to bypass the
Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0008 (bmo#1667102)
Use-after-free in HTTP2 Session object
* CVE-2021-38508 (bmo#1366818)
Permission Prompt could be overlaid, resulting in user
confusion and potential spoofing
* CVE-2021-38509 (bmo#1718571)
Javascript alert box could have been spoofed onto an
arbitrary domain
* CVE-2021-38510 (bmo#1731779)
Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
bmo#1735152)
Memory safety bugs fixed in Thunderbird ESR 91.3
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
* Fri Oct 22 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.2.1
* Preference added to disable automatic pausing RSS feed updates
after a fetch failure
* several bugfixes as outlined in release notes
https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/
* Fri Oct 22 2021 Guillaume GARDET <guillaume.gardet@opensuse.org>
- Increase memory required per threads for aarch64 to avoid OOM
* Thu Oct 21 2021 Martin Liška <mliska@suse.cz>
- Enable LTO on Tumbleweed.
* Fri Oct 15 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863)
fix some env variables which are enabled for any value
* Mon Oct 04 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.2.0
* Saving a single message as .eml now uses a unique filename
* New mail notifications did not properly take subfolders into account
* Decrypting binary attachments when using an external GnuPG
configuration failed
* Account name fields in the account manager were not big enough
for long names
* LDAP searches using an extensibleMatch filter returned no results
* Read-only CalDAV calendars and CardDAV address books were not detected
* Multipart messages containing a calendar invite did not display
any of the human-readable alternatives
* Some calendar days were displayed incorrectly or duplicated
(eg. two "29th" days of a particular month)
* Phantom event was shown at the end of each day in Calendar week view
MFSA 2021-46 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335)
Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621)
Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642)
Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813,
https://github.com/crossbeam-
rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321)
Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* Sun Sep 26 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.1.2
* Thunderbird will now warn if an S/MIME encrypted message includes
BCC recipients
* several bugfixes listed on
https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/
* Wed Sep 15 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.1.1
* Menu item for disabling subject encryption for a single message added
* Printing messages that are not currently displayed is no longer
supported, including printing multiple messages at once
* for bugfixes see
https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes
- MOZ_ENABLE_WAYLAND env variable now overrides automatic detection
if already set before startup
* Thu Sep 02 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.1.0
* Thunderbird registered Accessibility Handlers using same GUIDs
as Firefox, causing performance issues for NVDA users
* Focus lost when reordering accounts by keyboard in the Account Manager
* Account setup did not use provider display name for setting up
calendars
* Various theme and UX fixes
MFSA 2021-41 (bsc#1190269)
* CVE-2021-38492 (bmo#1721107)
Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101,
bmo#1724107)
Memory safety bugs fixed in Thunderbird 91.1
- (re-)added mozilla-silence-no-return-type.patch
- add mozilla-bmo531915.patch to fix build for i586
* Fri Aug 27 2021 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 91.0.3:
* fixed: Folder icons could be overridden by linked favicons in
HTML messages
* fixed: Unified folders showed no messages when underlying
folders were removed
* fixed: Folder pane toolbar did not always persist after
restarting Thunderbird
* fixed: Compose window attachment pane did not close when
disabling signing of an OpenPGP message
* fixed: Using "Reply to List" with some list emails
incorrectly opened a "no-reply" warning
* fixed: Account setup UX issues with Exchange autodiscover
* fixed: Account settings did not display non-UTF-8 server
descriptions correctly
* fixed: Thunderbird sometimes sent an unnecessary "SMTPUTF8",
causing some servers to reject mail
* fixed: No mouseover pop was displayed with event details for
non-all-day events in the Today Pane
* fixed: Filtering tasks in the Today Pane did not work
* fixed: Email based event scheduling displayed the date and
time in a format unreadable by humans
* Fri Aug 27 2021 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 91.0.2:
* new: Tags are now colored in mail filter editor
* changed: Context menu items related to OpenPGP and
attachments are now hidden when not applicable
* fixed: Creating a new account with manual setup failed
* fixed: Recipient autocomplete always preferred the primary
email address for a contact
* fixed: LDAP performance improvements
* fixed: Extensions listed on the Recommended Addons did not
have a clear way to view details in a browser
* fixed: Status checkmark on View > Calendar > Calendar Pane >
Show Calendar Pane was reversed
* fixed: mid: URLs in calendar invites did not open the linked
mail message
* fixed: Various theme and UX fixes
* Tue Aug 17 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.0.1
MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
- appdate screenshot URL updated (by mailaender@opensuse.org)
* Sun Aug 15 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.0
* based on Mozilla's 91 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew
* Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences"
* Thunderbird now operates in multi-process (e10s) mode by default
* New user interface for adding attachments
* Enable redirect of messages
* CardDAV address book support
- Removed obsolete patches:
* mozilla-bmo1463035.patch
* mozilla-ppc-altivec_static_inline.patch
* mozilla-pipewire-0-3.patch
* mozilla-bmo1554971.patch
- add mozilla-libavcodec58_91.patch
- removed obsolete BigEndian ICU build workaround
- updated build requirements
- build using clang
* Thu Aug 05 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.13.0
* removed WeTransfer integration package (not supported by vendor
any longer)
MFSA 2021-35 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138)
Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29988 (bmo#1717922)
Memory corruption as a result of incorrect style treatment
* CVE-2021-29984 (bmo#1720031)
Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204)
Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29985 (bmo#1722083)
Use-after-free media channels
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
bmo#1719998, bmo#1720568)
Memory safety bugs fixed in Thunderbird 78.13
* Wed Jul 14 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.12.0
MFSA 2021-30 (bsc#1188275)
* CVE-2021-29969 (bmo#1682370)
IMAP server responses sent by a MITM prior to STARTTLS could be
processed
* CVE-2021-29970 (bmo#1709976)
Use-after-free in accessibility features of a document
* CVE-2021-30547 (bmo#1715766)
Out of bounds write in ANGLE
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
bmo#1711576, bmo#1714391)
Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* Sat May 29 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.11.0
* OpenPGP could not be disabled for an account if a key was
previously configured
* Recipients were unable to decrypt some messages when the sender
had changed the message encryption from OpenPGP to S/MIME
* Contacts moved between CardDAV address books were not synced to
the new server
* CardDAV compatibility fixes for Google Contacts
MFSA 2021-26 (bsc#1186696)
* CVE-2021-29964 (bmo#1706501)
Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
bmo#1704722, bmo#1706041)
Memory safety bugs fixed in Thunderbird 78.11
- renewed expired mozilla.keyring
* Fri May 14 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.10.2
* Added support for importing OpenPGP keys without a primary
secret key
* Add-ons manager displays a preferences icon for mail extensions
that include an options page
Fixed
* OpenPGP messages with a high compression ratio (over 10x) could
not be decrypted
* Selected OpenPGP key was lost after opening the Key Properties
dialog in Account Settings
* Parsing some OpenPGP user IDs failed
* Various improvements to OpenPGP partial encryption reminders
* Mail toolbar buttons were too big when displaying both icons
and text
MFSA 2021-22
* CVE-2021-29956 (boo#1186199, bmo#1710290)
Thunderbird stored OpenPGP secret keys without master password
protection
* CVE-2021-29957 (boo#1186198, bmo#1673241)
Partial protection of inline OpenPGP message not indicated
- do not rely on nodejs10 explicitely
* Tue May 04 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.10.1
* Remove the fix for bmo#1689804 introduced in 78.9.0,
restoring the previous behavior
* MFSA 2021-19 (bsc#1185633) does not affect this platform
* Sun Apr 18 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.10.0
MFSA 2021-14 (bsc#1184960)
* CVE-2021-23994 (bmo#1699077)
Out of bound write due to lazy initialization
* CVE-2021-23995 (bmo#1699835)
Use-after-free in Responsive Design Mode
* CVE-2021-23998 (bmo#1667456)
Secure Lock icon could have been spoofed
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23999 (bmo#1691153)
Blob URLs may have been granted additional privileges
* CVE-2021-24002 (bmo#1702374)
Arbitrary FTP command execution on FTP servers using an
encoded URL
* CVE-2021-29945 (bmo#1700690)
Incorrect size computation in WebAssembly JIT could lead to
null-reads
* CVE-2021-29946 (bmo#1698503)
Port blocking could be bypassed
* CVE-2021-29948 (bmo#1692899)
Race condition when reading from disk while verifying
signatures
- recommend libotr5
* Sat Apr 10 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.9.1
* Support recipient aliases for OpenPGP encryption
* The key and signature parts of the message security popup on a
received message could not be selected for copy/paste
* Various UX and theme improvements
MFSA 2021-13
* CVE-2021-23991 (bmo#1673240)
An attacker may use Thunderbird's OpenPGP key refresh mechanism
to poison an existing key
* MOZ-2021-23992 (bmo#1666236)
A crafted OpenPGP key with an invalid user ID could be used to
confuse the user
* CVE-2021-23993 (bmo#1666360)
Inability to send encrypted OpenPGP email after importing a
crafted OpenPGP key
* Sat Mar 20 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.9.0
* bugfixes:
https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes
MFSA 2021-12 (boo#1183942)
* CVE-2021-23981 (bmo#1692832)
Texture upload into an unbound backing buffer resulted in an
out-of-bound read
* MOZ-2021-0002 (bmo#1691547)
Angle graphics library out of date
* CVE-2021-23982 (bmo#1677046)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2021-23984 (bmo#1693664)
Malicious extensions could have spoofed popup information
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718)
Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)
* Sun Mar 07 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.8.1
* several bugfixes and improvements
* https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/
- updated create-tar.sh (bsc#1182357)
* Fri Feb 19 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.8.0
* various bugfixes
MFSA 2021-09 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23968 (bmo#1687342)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23973 (bmo#1690976)
MediaError message property could have leaked information
about cross-origin resources
* CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391,
bmo#1687597)
Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
* Fri Feb 05 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.7.1
* CardDAV address books now support OAuth2 and Google Contacts
* Thunderbird will no longer allow installation of addons that
use legacy APIs
* Tue Jan 26 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.7.0
MFSA 2021-05 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2020-15685 (bmo#1622640)
IMAP Response Injection when using STARTTLS
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
bmo#1685260, bmo#1685925)
Memory safety bugs fixed in Thunderbird 78.7
* Sun Jan 24 2021 Manfred Hollstein <manfred.h@gmx.net>
- MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer
rpm versions in TW remove everything there as the first action
of %install
* Mon Jan 11 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.6.1
MFSA 2021-02 (bsc#1180623)
* CVE-2020-16044 (bmo#1683964)
Use-after-free write when handling a malicious COOKIE-ECHO SCTP
chunk
* Sat Dec 12 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.6.0
* changes and additions in MailExtensions
* several bugfixes
* https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
MFSA 2020-56 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Thunderbird 78.6
* Tue Dec 01 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.5.1
MFSA 2020-53 (bsc#1179530)
* CVE-2020-26970 (bmo#1677338)
Stack overflow due to incorrect parsing of SMTP server response codes
* Mon Nov 16 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.5.0
MFSA 2020-52 (bsc#1178894)
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security
UI
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
* CVE-2020-26959 (bmo#1669466)
Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358)
Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223)
Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528)
DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617)
Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571)
Single-word search queries were also broadcast to local
network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
bmo#1671923)
Memory safety bugs fixed in Thunderbird 78.5
- removed obsolete mozilla-rust-1.47.patch
* Wed Nov 11 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.4.3
https://www.thunderbird.net/en-US/thunderbird/78.4.3/releasenotes/
- added mozilla-rust-1.47.patch to fix build with rust 1.47
* Mon Nov 09 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.4.2
MFSA 2020-49
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted for
* Thu Nov 05 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.4.1
* Bugfixes and minor features
https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/
* Tue Oct 20 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.4.0
* MailExtensions: browser.tabs.sendMessage API added
* MailExtensions: messageDisplayScripts API added
* Yahoo and AOL mail users using password authentication will be
migrated to OAuth2
* MailExtensions: messageDisplay APIs extended to support multiple
selected messages
* MailExtensions: compose.begin functions now support creating a
message with attachments
* multiple bugfixes
MFSA 2020-47 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570)
Use-after-free in usersctp
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760,
bmo#1663439, bmo#1666140)
Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Thu Oct 15 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* OpenPGP Key Manager was missing from Tools menu on macOS
* Creating a new calendar event did not require an event title
- remove python2 dependencies for TW
- support wayland mode/autodetection in startup wrapper
- replace some Requires to use requires_ge macro where appropriate
- improve langpack build (as already used for Firefox)
- add ccache statistics output to build
* Wed Oct 07 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.3.2
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were
sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse
button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
* Fri Sep 25 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)
* Wed Sep 23 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch
* Sun Sep 13 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.2.2
https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
(boo#1176384)
* Mon Aug 31 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.2.1
* based on Mozilla's 78 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
* built-in OpenPGP support (enigmail neither required nor supported)
- added platform patches:
* mozilla-s390x-skia-gradient.patch
* mozilla-pipewire-0-3.patch
* mozilla-bmo1512162.patch
* mozilla-bmo1626236.patch
* mozilla-bmo998749.patch
* mozilla-sandbox-fips.patch
- removed obsolete platform patches
* mozilla-s390-bigendian.patch
* mozilla-nestegg-big-endian.patch
* mozilla-openaes-decl.patch
* mozilla-cubeb-noreturn.patch
* Sun Aug 30 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.12.0
MFSA 2020-40 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could have
resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15669 (bmo#1656957)
Use-After-Free when aborting an operation
* Fri Aug 28 2020 Michel Normand <normand@linux.vnet.ibm.com>
- Put back %limit_build macro usage to avoid build error PowerPC
(remove memoryperjob constraint)
* Thu Aug 20 2020 Martin Liška <mliska@suse.cz>
- Use memoryperjob constraint instead of %limit_build macro.
* Sat Aug 01 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.11.0
* fixed: FileLink attachments included as a link and file when
added from a network drive via drag & drop (bmo#793118)
MFSA 2020-35 (bsc#1174538)
* CVE-2020-15652 (bmo#1634872)
Potential leak of redirect targets when loading scripts in a
worker
* CVE-2020-6514 (bmo#1642792)
WebRTC data channel leaks internal address to peer
* CVE-2020-6463 (bmo#1635293)
Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1646787,
bmo#1650811)
Memory safety bugs fixed in Thunderbird 68.11
* Wed Jul 01 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.10.0
* fixed: Chat: Topics displayed some characters improperly
(bmo#1644024)
* fixed: Calendar: Filtering tasks did not work when
"Incomplete Tasks" was selected (bmo#1593711)
MFSA 2020-26 (bsc#1173576)
* CVE-2020-12417 (bmo#1640737)
Memory corruption due to missing sign-extension for ValueTags
on ARM64
* CVE-2020-12418 (bmo#1641303)
Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874)
Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437)
Use-After-Free when trying to connect to a STUN server
* MFSA-2020-0001 (bmo#1606610)
Automatic account setup leaks Microsoft Exchange login
credentials
* CVE-2020-12421 (bmo#1308251)
Add-On updates did not respect the same certificate trust
rules as software updates
* Thu Jun 11 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- build with nodejs10 to be able to drop nodejs8 from TW
- updated create-tar.sh
* Sat Jun 06 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.9.0
* fixed: Custom headers added for searching or filtering could
not be removed (bmo#1631577)
* fixed: Calendar: Today Pane updated prior to loading all data
(bmo#1635613)
* fixed: Stability improvements (bmo#1625677)
MFSA 2020-22 (bsc#1172402)
* CVE-2020-12405 (bmo#1631618)
Use-after-free in SharedWorkerService
* CVE-2020-12406 (bmo#1639590)
JavaScript Type confusion with NativeTypes
* CVE-2020-12410 (bmo#1619305, bmo#1632717)
Memory safety bugs fixed in Thunderbird 68.9.0
* CVE-2020-12398 (bmo#1613623)
Security downgrade with IMAP STARTTLS leads to information
leakage
* Sun May 24 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.8.1
* fixed: IMAP stability improvements (bmo#1586494)
* fixed: HTML tags in IRC topic changes were rendered
incorrectly (bmo#1607097)
* fixed: MailExtensions: Websockets could not be used
(bmo#1627649)
* Tue May 05 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.8.0
* Account Manager fixes and improvements
* https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes
MFSA 2020-18 (bsc#1171186)
* CVE-2020-12397 (bmo#1617370)
Sender Email Address Spoofing using encoded Unicode characters
* CVE-2020-12387 (bmo#1545345)
Use-after-free during worker shutdown
* CVE-2020-6831 (bmo#1632241)
Buffer overflow in SCTP chunk input validation
* CVE-2020-12392 (bmo#1614468)
Arbitrary local file access with 'Copy as cURL'
* CVE-2020-12393 (bmo#1615471)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098,
bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508)
Memory safety bugs fixed in Thunderbird 68.8.0
- removed obsolete patch mozilla-bmo1580963.patch
* Tue May 05 2020 Ismail Dönmez <idonmez@suse.com>
- Add mozilla-bmo1580963.patch to fix build with rust 1.43
(bmo#1580963)
* Thu Apr 09 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.7.0
* Updates to MailExtensions API
* Various improvements to account setup when connecting to an
Exchange server
* Thread collapsed when opening news message in a new window
* Fix Addons not automatically updated to compatible version after
upgrade from Thunderbird 60
* Updating addons did not prompt when requesting new permissions
* Extra recipients panel not keyboard-accessible
* Accessibility: Status bar was not detected by screenreaders
* Calendar: Invitations with embedded null bytes did not always decode correctly
* Calendar: Cancelled events didn't show with a line-through
* Various security fixes
MFSA 2020-14
In general, these flaws cannot be exploited through email in
Thunderbird because scripting is disabled when reading mail, but
are potentially risks in browser or browser-like contexts.
* CVE-2020-6819 (bmo#1620818, bsc#1168630)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728, bsc#1168630)
Use-after-free when handling a ReadableStream
* CVE-2020-6821 (bmo#1625404, bsc#1168874)
Uninitialized memory could be read when using the WebGL
copyTexSubImage method
* CVE-2020-6822 (bmo#1544181, bsc#1168874)
Out of bounds write in GMPDecodeData when processing large images
* CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203,bsc#1168874)
Memory safety bugs fixed in Thunderbird 68.7.0
* Sat Mar 14 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.6.0
MFSA 2020-10 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections against
state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636,
bmo#1614339)
Memory safety bugs fixed in Thunderbird 68.6
- requires NSS >= 3.44.3
* Mon Feb 10 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.5.0
New
* Support for Client Identity IMAP/SMTP Service Extension
* Support for OAuth 2.0 authentication for POP3 accounts
Fixes
* Status area goes blank during account setup
* Calendar: Could not remove color for default categories
* Calendar: Prevent calendar component loading multiple times
* Calendar: Today pane did not retain width between sessions
MFSA 2020-07 (bsc#1163368)
* CVE-2020-6793 (bmo#1608539)
Out-of-bounds read when processing certain email messages
* CVE-2020-6794 (bmo#1606619)
Setting a master password post-Thunderbird 52 does not delete
unencrypted previously stored passwords
* CVE-2020-6795 (bmo#1611105)
Crash processing S/MIME messages with multiple signatures
* CVE-2020-6797 (bmo#1596668) (Mac OSX only)
Extensions granted downloads.open permission could open arbitrary
applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6792 (bmo#1609607)
Message ID calculcation was based on uninitialized data
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
bmo#1608580,bmo#1608785,bmo#1605777)
Memory safety bugs fixed in Thunderbird 68.5
* Tue Jan 28 2020 Stasiek Michalski <stasiek@michalski.cc>
- Use a symbolic icon from branding internals
* Fri Jan 24 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.4.2
* Calendar: Task and Event tree colours adjusted for the dark theme
* Retrieval of S/MIME certificates from LDAP failed
* Address-parsing crash on some IMAP servers when
mail.imap.use_envelope_cmd is set
* Incorrect forwarding of HTML messages caused SMTP servers to
respond with a timeout
* Calendar: Various parts of the calendar UI stopped working when
a second Thunderbird window opened
* Fri Jan 10 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.4.1
* Various improvements when setting up an account for a Microsoft
Exchange server: Now offers IMAP/SMTP if available, better
detection for Office 365 accounts; re-run configuration after
password change
Fixes:
* After changing view layout, the message display pane showed
garbled content under some circumstances
* Various theme changes to achieve "pixel perfection": Unread icon,
"no results" icon, paragraph format and font selector, background
of folder summary tooltip
* Tags were lost on messages in shared IMAP folders under some
circumstances
* Calendar: Event attendee dialog was not displayed correctly
MFSA 2020-04 (bsc#1160498, bsc#1160305)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and FallibleStoreElement
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content process
initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content process
initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
- removed obsolete patch mozilla-bmo1511604.patch
- added mozilla-bmo1602730.patch to fix LE<->BE issues in the
platform (bmo#1602730)
* Fri Dec 27 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- add mozilla-bmo1583471.patch to allow building with rust 1.39
* Fri Dec 20 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.3.1
* In dark theme unread messages no longer shown in blue to
distinguish from tagged messages
* Account setup is now using client side DNS MX lookup instead of
relying on a server
Bugfixes
* Searching LDAP address book crashed in some circumstances
* Message navigation with backward and forward buttons did not work
in some circumstances
* WebExtension toolbar icons were displayed too small
* Calendar: Tasks due today were not listed in bold
* Calendar: Last day of long-running events was not shown
* Thu Dec 05 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.3.0:
* Message display toolbar action WebExtension API
* Navigation buttons are now available in content tabs, for example
those opened via an add-on search
* other bugfixes
MFSA 2019-38
* CVE-2019-17008 (bmo#1546331)
Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156)
Stack corruption due to incorrect number of arguments in WebRTC code
* CVE-2019-17010 (bmo#1581084)
Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170)
Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334)
Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209,
bmo#1580288, bmo#1585760, bmo#1592502)
Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* Various updates to improve performance and stability
- updated create-tar.sh to cover buildid and origin repo information
- changed locale building procedure
* removed obsolete compare-locales.tar.xz and
thunderbird-broken-locales-build.patch
- add mozilla-bmo849632.patch to fix color issues on big endian
* Sat Nov 09 2019 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.2.2:
* fix age calculation in address book (bmo#1592536)
* fix column menu behavior in address book (bmo#1592393)
* Fri Nov 01 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.2.1
* A language for the user interface can now be chosen in the
advanced settings (multilingual UI)
* Fixed problem with Google authentication (OAuth2)
* Selected or unread messages were not shown in the correct color
in the thread pane (message list) under some circumstances
* When using a language pack, names of standard folders weren't
localized (boo#1149126)
* Address book default startup directory in preferences panel was
not persisted
* Chat: Extended context menu on Instant messaging status dialog
(Show Accounts)
- added mozilla-bmo1504834-part4.patch to fix some visual issues on
big endian platforms
* Tue Oct 22 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.2.0
* Message Display WebExtension API
* Message Search WebExtension API
* Better visual feedback for unread messages when using the dark theme
* Fixed various issues when editing mailing list
* Fixed application windows not maintaining their size after restart
MFSA 2019-33 (bsc#1154738)
* CVE-2019-15903 (bmo#1584907)
Heap overflow in expat library in XML_GetCurrentLineNumber
* CVE-2019-11757 (bmo#1577107)
Use-after-free when creating index updates in IndexedDB
* CVE-2019-11758 (bmo#1536227)
Potentially exploitable crash due to 360 Total Security
* CVE-2019-11759 (bmo#1577953)
Stack buffer overflow in HKDF output
* CVE-2019-11760 (bmo#1577719)
Stack buffer overflow in WebRTC networking
* CVE-2019-11761 (bmo#1561502)
Unintended access to a privileged JSONView object
* CVE-2019-11762 (bmo#1582857)
document.domain-based origin isolation has same-origin-property violation
* CVE-2019-11763 (bmo#1584216)
Incorrect HTML parsing results in XSS bypass technique
* CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223,
bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845,
bmo#1581950, bmo#1583463, bmo#1586599)
Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
- removed obsolete patches
mozilla-bmo1573381.patch
mozilla-bmo1512162.patch
mozilla-bmo1585099.patch
* Thu Oct 10 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.1.2
Bugfixes
* Some attachments couldn't be opened in messages originating from
MS Outlook 2016
* Address book import from CSV
* Performance problem in message body search
* Ctrl+Enter to send a message would open an attachment if the
attachment pane had focus
* Calendar: Issues with "Today Pane" start-up
* Calendar: Glitches with custom repeat and reminder number input
* Calendar: Problems with WCAP provider
- add mozilla-bmo1585099.patch to fix build with rust >= 1.38
* Wed Sep 25 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.1.1
Bugfixes
* Issues with attachments in IMAP messages
* Gmail accounts ignored a non-standard trash folder selection
* Entering/pasting lists of recipients into the addressing widget or
mailing list not working reliably, especially when lists contained
multiple commas or semicolons
* Edit mailing list not working
* Various theme fixes, especially dark theme improvements for Calendar
* Contrast between tag label and background not optimal
* Account Central pane always loaded at start-up
* "Config Editor" button not removed if blocked by policy
* Calendar: Free/busy information in attendees dialog not scrolled
correctly. Note: Scroll arrows still not behaving correctly
MFSA 2019-32
* CVE-2019-11755 (bmo#1240290, boo#1152375)
Spoofing a message author via a crafted S/MIME message
- require nodejs8 instead of generic nodejs for better cross-distribution
support
- call desktop database update on install
- updated translations-other locale list
- build correct ICU for Big Endian
- remove kde.js since disabling instantApply breaks extensions and
is obsolete with the move to HTML views for preferences (boo#1151186)
- update create-tar.sh to latest revision and adjust tar_stamps
- added platform patches from Firefox 68esr
mozilla-bmo1005535.patch
mozilla-bmo1463035.patch
mozilla-bmo1504834-part1.patch
mozilla-bmo1504834-part2.patch
mozilla-bmo1504834-part3.patch
mozilla-bmo1511604.patch
mozilla-bmo1554971.patch
mozilla-bmo1573381.patch
mozilla-cubeb-noreturn.patch
mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
mozilla-fix-aarch64-libopus.patch
mozilla-fix-top-level-asm.patch
mozilla-nestegg-big-endian.patch
mozilla-ntlm-full-path.patch
mozilla-openaes-decl.patch
mozilla-ppc-altivec_static_inline.patch
mozilla-reduce-rust-debuginfo.patch
mozilla-s390-bigendian.patch
mozilla-s390-context.patch
mozilla-bmo1512162.patch
thunderbird-broken-locales-build.patch
- removed renamed patches
fix-missing-return-warning.patch
fix-top-level-asm-issue.patch
thunderbird-locale-build.patch
* Fri Sep 20 2019 munix9@googlemail.com
- repack the lightning xpi with all available locales (boo#939153) (lp#545778)
* Fri Sep 20 2019 Martin Liška <mliska@suse.cz>
- Add fix-top-level-asm-issue.patch in order to fix LTO build.
- Enable LTO on TW on x86_64.
- Use GCC.
* Fri Sep 20 2019 Bernhard Wiedemann <bwiedemann@suse.com>
- added mozilla-bmo1568145.patch to make builds reproducible (boo#1047218)
* Tue Sep 10 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.1.0
* Offer to configure Exchange accounts for Office365. A third-party
add-on is required for this account type. IMAP still exists as
alternative.
* several bugfixes
MFSA 2019-30
* CVE-2019-11739 (bmo#1571481, boo#1150939)
Covert Content Attack on S/MIME encryption using a crafted
multipart/alternative message
* CVE-2019-11746 (bmo#1564449, boo#1149297)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033, boo#1149304)
XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715, boo#1149303)
Same-origin policy violation with SVG filters and canvas to steal
cross-origin images
* CVE-2019-11752 (bmo#1501152, boo#1149296)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-11743 (bmo#1560495, boo#1149298)
Cross-origin access to unload event attributes
* CVE-2019-11740 (bmo#1563133,bmo#1573160, boo#1149299)
Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox
ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
- removed upstreamed fix-build-after-y2038-changes-in-glibc.patch
- added thunderbird-locale-build.patch to fix locale build
* Fri Aug 30 2019 Manfred Hollstein <manfred.h@gmx.net>
- Add -L flag to the stat call for checking file size of %{SOURCE4}.
- Add fix-missing-return-warning.patch to silence a compiler warning.
* Wed Aug 28 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.0
* based on Firefox ESR 68
* File link attachments can now be linked to again instead of
uploading them again
* Mark all folders of an account as read
* Run filters periodically. Improved filter logging
* OAuth2 authentication for Yandex
* Language packs can now be selected in the Advanced Options.
Preference intl.multilingual.enabled needs to be set (and possily
also extensions.langpacks.signatures.required needs to be set to false)
* Added a policy engine that allows customized Thunderbird deployments
in enterprise environments, using Windows Group Policy or a
cross-platform JSON file
* TCP keepalive for IMAP protocol
* Full Unicode support for MAPI interfaces: New support for MAPISendMailW
* Calendar: Time zone data can now include past and future changes.
All known time zone changes from 2018 to 2022 are included.
* Chat: In each conversation an individual spellcheck language can
be selected now
- removed obsolete patches
* mozilla-bmo1463035.patch
* mozilla-i586-domPrefs.patch
* mozilla-bmo1464766.patch
* mozilla-bmo1519629.patch
* mozilla-i586-DecoderDoctorLogger.patch
* mozilla-bmo1375074.patch
- added fix-build-after-y2038-changes-in-glibc.patch to fix build
in Tumbleweed (patch already upstream for next release)
* Thu Aug 01 2019 Tristan Miller <psychonaut@nothingisreal.com>
- Update package summary, description, and AppData using more informative
and up-to-date text from the official Thunderbird FAQ, replacing obsolete
references to the Mozilla Application Suite and Thunderbird's relation to
the Mozilla organization
* Wed Jul 10 2019 Bernhard Wiedemann <bwiedemann@suse.com>
- Generate langpacks sequentially to avoid file corruption
from racy file writes (boo#1137970)
* Mon Jul 08 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.8.0
* Calendar: Problems when editing event times, some related to
AM/PM setting in non-English locales
MFSA 2019-23 (boo#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
* CVE-2019-11730 (bmo#1558299)
Same-origin policy treats all files in a directory as having the
same-origin
* CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498
bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 and
Thunderbird 60.8
* Thu Jun 20 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.7.2
MFSA 2019-20 (boo#1138872)
* CVE-2019-11707 (bmo#1544386)
Type confusion in Array.pop
* CVE-2019-11708 (bmo#1559858)
sandbox escape using Prompt:Open
* Wed Jun 12 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.7.1
* fixed: No prompt for smartcard PIN when S/MIME signing is used
MFSA 2019-17 (boo#1137595)
* CVE-2019-11703 (bmo#1553820)
Heap buffer overflow in icalparser.c
* CVE-2019-11704 (bmo#1553814)
Heap buffer overflow in icalvalue.c
* CVE-2019-11705 (bmo#1553808)
Stack buffer overflow in icalrecur.c
* CVE-2019-11706 (bmo#1555646)
Type confusion in icalproperty.c
* Sat Jun 08 2019 Aaron Puchert <aaronpuchert@alice-dsl.net>
- Increase disk space requirements in _constraints.
* Fri May 24 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.7.0
* Attachment pane of Write window no longer focussed when attaching
files using a keyboard shortcut
MFSA 2019-15 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-11691 (bmo#1542465)
Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670)
Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829)
Use-after-free in png_image_free of libpng library
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2018-18511 (bmo#1526218)
Cross-origin theft of images with ImageBitmapRenderingContext
* CVE-2019-11694 (bmo#1534196) (Windows only)
Uninitialized memory memory leakage in Windows sandbox
* CVE-2019-11698 (bmo#1543191)
Theft of user history data through drag and drop of hyperlinks
to and from bookmarks
* CVE-2019-5798 (bmo#1535518)
Out-of-bounds read in Skia
* CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136,
bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108,
bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097,
bmo#1532465, bmo#1533554, bmo#1541580)
Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
* Wed Apr 24 2019 Martin Liška <mliska@suse.cz>
- Disable LTO (boo#1133267).
* Sat Mar 30 2019 Manfred Hollstein <manfred.h@gmx.net>
- Add patch to fix build using rust-1.33: (boo#1130694)
* mozilla-bmo1519629.patch (bmo#1519629)
* Mon Mar 25 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.6.1
MFSA 2019-12 (bsc#1130262)
* CVE-2019-9810 (bmo#1537924)
IonMonkey MArraySlice has incorrect alias information
* CVE-2019-9813 (bmo#1538006)
Ionmonkey type confusion with __proto__ mutations
* Wed Mar 20 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.6.0
* Calendar: Can't create repeating event with end date when using
certain time zones, for example Europe/Minsk
* some minor bugfixes
* using 60.6.0esr Mozilla platform (bsc#1129821)
* Thu Mar 07 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.5.3
* fixed a regression on the Windows platform:
Problem when using "Send to > Mail recipient" on Windows
* Sun Feb 24 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.5.2
* UTF-8 support for MAPISendMail
* Problem with S/MIME certificate verification when receiving email
from Outlook (issue introduced in version 60.5.1)
* Thu Feb 14 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.5.1
* CalDav access to some servers not working
MFSA 2019-06 (bsc#1125330)
* CVE-2018-18356 bmo#1525817
Use-after-free in Skia
* CVE-2019-5785 bmo#1525433
Integer overflow in Skia
* CVE-2018-18335 bmo#1525815
Buffer overflow in Skia with accelerated Canvas 2D
* CVE-2018-18509 bmo#1507218
S/MIME signature spoofing
* Fri Jan 25 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.5.0:
* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines
from a local XML file using a minimal user inferface: [+] button
to select a file an add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default
in some locales
* During account creation, Thunderbird will now detect servers
using the Microsoft Exchange protocol. It will offer the
installation of a 3rd party add-on (Owl) which supports that
protocol.
* Thunderbird now compatible with other WebExtension-based
FileLink add-ons like the Dropbox add-on
MFSA 2019-03 (bsc#1122983)
* CVE-2018-18500 bmo#1510114
Use-after-free parsing HTML5 stream
* CVE-2018-18505 bmo#1497749
Privilege escalation through IPC channel messages
* CVE-2016-5824 bmo#1275400
DoS (use-after-free) via a crafted ics file
* CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
bmo#1502871 bmo#1516738 bmo#1516514
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
- requires NSS 3.36.7
- removed obsolete patch
mozilla-no-stdcxx-check.patch
- rebased patches
* Fri Dec 21 2018 astieger@suse.com
- Mozilla Thunderbird 60.4.0:
* New WebExtensions FileLink API to facilitate add-ons
* Fix decoding problems for messages with less common charsets
(cp932, cp936)
* New messages in the drafts folder (and other special or virtual
folders) will no longer be included in the new messages
notification
MFSA 2018-31
* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11
* CVE-2018-18492 bmo#1499861
Use-after-free with select element
* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs
* CVE-2018-18498 bmo#1500011
Integer overflow when calculating buffer sizes for images
* CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
Memory safety bugs fixed in Firefox 64, 60.4, and Thunderbird 60.4
- requires NSS 3.36.6
* Tue Dec 04 2018 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.3.3
* Thunderbird 60 will migrate security databases (key3.db, cert8.db
to key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a
fault that potentially deleted saved passwords and private certificate
keys for users using a master password. Version 60.3.3 will prevent
the loss of data; affected users who have already upgraded to version
60.3.2 or earlier can restore the deleted key3.db file from backup
to complete the migration.
* Address book search and auto-complete slowness introduced in
Thunderbird 60.3.2
* Plain text markup with * for bold, / for italics, _ for underline
and | for code did not work when the enclosed text contained
non-ASCII characters
* While composing a message, a link not removed when link location
was removed in the link properties panel
* Mon Dec 03 2018 astieger@suse.com
- Fix build on openSUSE Leap 15.x w.r.t. rust-std requirement
* Thu Nov 29 2018 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.3.2
* Encoding problems when exporting address books or messages using
the system charset. Messages are now always exported using the
UTF-8 encoding
* If the "Date" header of a message was invalid, Jan 1970 or Dec 1969
was displayed. Now using date from "Received" header instead.
* Body search/filtering didn't reliably ignore content of tags
* Inappropriate warning "Thunderbird prevented the site
(addons.thunderbird.net) from asking you to install software on
your computer" when installing add-ons
* Incorrect display of correspondents column since own email
address was not always detected
* Spurious 
 (encoded newline) inserted into drafts and sent email
* Thu Nov 15 2018 astieger@suse.com
- Mozilla Thunderbird 60.3.1:
* Double-clicking on a word in the Write window sometimes
launched the Advanced Property Editor or Link Properties dialog
* Fixe Cookie removal
* "Download rest of message" was not working if global inbox was
used
* Fix Encoding problems for users (especially in Poland) when a
file was sent via a folder using "Sent to > Mail recipient"
due to a problem in the Thunderbird MAPI interface
* According to RFC 4616 and RFC 5721, passwords containing
non-ASCII characters are encoded using UTF-8 which can lead to
problems with non-compliant providers, for example
office365.com. The SMTP LOGIN and POP3 USER/PASS
authentication methods are now using a Latin-1 encoding again
to work around this issue
* Fix shutdown crash/hang after entering an empty IMAP password
* Tue Oct 30 2018 wr@rosenauer.org
- update to Thunderbird 60.3.0
* various theme fixes
* Shift+PageUp/PageDown in Write window
* Gloda attachment filtering
* Mailing list address auto-complete enter/return handling
* Thunderbird hung if HTML signature references non-existent image
* Filters not working for headers that appear more than once
- Security fixes for the Mozilla platform picked up from 60.3
(Firefox ESR release). In general, these flaws cannot be exploited
through email in Thunderbird because scripting is disabled when
reading mail, but are potentially risks in browser or browser-like
contexts (MFSA 2018-28) (bsc#1112852)
* CVE-2018-12391 (bmo#1478843) (Android only)
HTTP Live Stream audio data is accessible cross-origin
* CVE-2018-12392 (bmo#1492823)
Crash with nested event loops
* CVE-2018-12393 (bmo#1495011)
Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12389 (bmo#1498460, bmo#1499198)
Memory safety bugs fixed in Firefox ESR 60.3
* CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
* Thu Oct 25 2018 guillaume.gardet@opensuse.org
- Update _constraints for armv6/7
* Thu Oct 25 2018 guillaume.gardet@opensuse.org
- Add patch to fix build on armv7:
* mozilla-bmo1463035.patch
* Thu Oct 25 2018 guillaume.gardet@opensuse.org
- Add memory-constraints to avoid OOM errors
* Fri Oct 12 2018 meissner@suse.com
- provide / obsolete MozillaThunderbird-devel as this is no longer
shipped to allow migration scenarios
* Tue Oct 02 2018 wr@rosenauer.org
- update to Thunderbird 60.2.1:
* Calendar: Default values for the first day of the week and
working days are now derived from the selected datetime
formatting locale
* Calendar: Switch to a Photon-style icon set for all platforms
* Fix multiple requests for master password when Google Mail or
Calendar OAuth2 is enabled
* Fix scrollbar of the address entry auto-complete popup
* Fix security info dialog in compose window not showing
certificate status
* Fix links in the Add-on Manager's search results and theme
browsing tabs that opened in external browser
* Fix localization not showing the localized name for the
"Drafts" and "Sent" folders for certain IMAP providers
* Fix replying to a message with an empty subject which
inserted Re: twice
* Fix spellcheck marks disappeaing erroneously for words with
an apostrophe
* Calendar: First day of the week can now be set
* Calendar: Several fixes related to cutting/deleting of events
and email schedulin
* Fix date display issues (bsc#1109379)
* Fix start-up crash due to folder name with special characters
(bsc#1107772)
- Security fixes for the Mozilla platform picked up from 60.1 and
60.2 (Firefox ESR releases). In general, these flaws
cannot be exploited through email in Thunderbird because
scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts (MFSA 2018-25):
* CVE-2018-12377 (bsc#1107343, bmo#1470260)
Use-after-free in refresh driver timers
* CVE-2018-12378 (bsc#1107343, bmo#1459383)
Use-after-free in IndexedDB
* CVE-2017-16541 (bsc#1066489, bmo#1412081)
Proxy bypass using automount and autofs
* CVE-2018-12376 (bmo#69309,bmo#69914,bmo#50989,bmo#80092,
bmo#80517,bmo#81093,bmo#78575,bmo#71953,bmo#73161,bmo#66991,
bmo#68738,bmo#83120,bmo#67363,bmo#72925,bmo#66577,bmo#67889,
bmo#80521,bsc#1107343)
Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
* CVE-2018-12385 (bsc#1109363, bmo#1490585)
Crash in TransportSecurityInfo due to cached data
* CVE-2018-12383 (bsc#1107343, bmo#1475775)
Setting a master password did not delete unencrypted
previously stored passwords
* Tue Sep 11 2018 Guillaume GARDET <guillaume.gardet@opensuse.org>
- Update file list since minidump-analyzer is only available when
crashreporter is enabled
* Sat Aug 25 2018 astieger@suse.com
- remove non-free untar licenced code from distributed tarball
* Wed Aug 15 2018 bjorn.lie@gmail.com
- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
conditional --disable-gconf to configure: no longer pull in
obsolete gconf2 for Tumbleweed.
* Fri Aug 03 2018 wr@rosenauer.org
- update to Thunderbird 60.0:
https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/
* Improved message handling and composing
* Improved handling of message templates
* Support for OAuth2 and FIDO U2F
* Various Calendar improvements
* Various fixes and changes to e-mail workflow
* Various IMAP fixes
* Native desktop notifications
- Security fixes which can not, in general, be exploited through
email, but are potential risks in browser or browser-like contexts:
MFSA 2018-19 (bsc#1098998)
* CVE-2018-12359 (bmo#1459162)
Buffer overflow using computed size of canvas element
* CVE-2018-12360 (bmo#1459693)
Use-after-free when using focus()
* CVE-2018-12361 (bmo#1463244)
Integer overflow in SwizzleData
* CVE-2018-12362 (bmo#1452375)
Integer overflow in SSSE3 scaler
* CVE-2018-5156 (bmo#1453127)
Media recorder segmentation fault when track type is changed
during capture
* CVE-2018-12363 (bmo#1464784)
Use-after-free when appending DOM nodes
* CVE-2018-12364 (bmo#1436241)
CSRF attacks through 307 redirects and NPAPI plugins
* CVE-2018-12365 (bmo#1459206)
Compromised IPC child process can list local filenames
* CVE-2018-12371 (bmo#1465686)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-12366 (bmo#1464039)
Invalid data handling during QCMS transformations
* CVE-2018-12367 (bmo#1462891)
Timing attack mitigation of PerformanceNavigationTiming
* CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938,
bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568,
bmo#1463884)
Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
Thunderbird 60
* CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
bmo#1464079,bmo#1463494,bmo#1458048)
Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox
ESR 52.9, and Thunderbird 60
- requires NSPR 4.19 and NSS 3.36.4
- source archives are now signed directly
(removed checksum signature check)
- imported patches from Firefox 60
* mozilla-bmo1375074.patch
* mozilla-bmo1464766.patch
* mozilla-i586-DecoderDoctorLogger.patch
* mozilla-i586-domPrefs.patch
- removed obsolete patches
* mozilla-language.patch
* tb-ssldap.patch
* mozilla-develdirs.patch
- removed -devel subpackage as old-style extensions are mainly gone
- storing of remote content settings fixed (boo#1084603)
* Tue Jul 10 2018 wr@rosenauer.org
- update to Thunderbird 52.9.1
* Deleting or detaching attachments corrupted messages under certain
circumstances (bmo#1473893, bsc#1100780)
* Mon Jul 02 2018 wr@rosenauer.org
- update to Thunderbird 52.9.0:
MFSA 2018-16 (bsc#1098998)
* CVE-2018-12359 (bmo#1459162)
Buffer overflow using computed size of canvas element
* CVE-2018-12360 (bmo#1459693)
Use-after-free when using focus()
* CVE-2018-12372 (bmo#1419417, bsc#1100082)
S/MIME and PGP decryption oracles can be built with HTML emails
* CVE-2018-12373 (bmo#1464667, bmo#1464056, bsc#1100079)
S/MIME plaintext can be leaked through HTML reply/forward
* CVE-2018-12362 (bmo#1452375)
Integer overflow in SSSE3 scaler
* CVE-2018-12363 (bmo#1464784)
Use-after-free when appending DOM nodes
* CVE-2018-12364 (bmo#1436241)
CSRF attacks through 307 redirects and NPAPI plugins
* CVE-2018-12365 (bmo#1459206)
Compromised IPC child process can list local filenames
* CVE-2018-12366 (bmo#1464039)
Invalid data handling during QCMS transformations
* CVE-2018-12374 (bmo#1462910, bsc#1100081)
Using form to exfiltrate encrypted mail part by pressing enter in form field
* CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
bmo#1464079,bmo#1463494,bmo#1458048)
Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
* Thunderbird will now prompt to compact IMAP folders even if the
account is online
* Option for not decrypting subordinate message parts that
otherwise might reveal decryted content to the attacker.
Preference mailnews.p7m_subparts_external needs to be set to
true for added security.
* Fix various problems when forwarding messages inline when using
"simple" HTML view
- correct requires and provides handling (boo#1076907)
- reduce memory footprint with %ix86 at linking time via additional
compiler flags (boo#1091376)
* Sun Jul 01 2018 astieger@suse.com
- Build from upstream source archive and verify source signature
(boo#1085780)
* Sat May 19 2018 wr@rosenauer.org
- update to Thunderbird 52.8 (bsc#1092548)
MFSA 2018-13
* CVE-2018-5183 (bmo#1454692)
Backport critical security fixes in Skia
* CVE-2018-5184 (bmo#1411592, bsc#1093152)
Full plaintext recovery in S/MIME via chosen-ciphertext attack
* CVE-2018-5154 (bmo#1443092)
Use-after-free with SVG animations and clip paths
* CVE-2018-5155 (bmo#1448774)
Use-after-free with SVG animations and text paths
* CVE-2018-5159 (bmo#1441941)
Integer overflow and out-of-bounds write in Skia
* CVE-2018-5161 (bmo#1411720)
Hang via malformed headers
* CVE-2018-5162 (bmo#1457721, bsc#1093152)
Encrypted mail leaks plaintext through src attribute
* CVE-2018-5170 (bmo#1411732)
Filename spoofing for external attachments
* CVE-2018-5168 (bmo#1449548)
Lightweight themes can be installed without user interaction
* CVE-2018-5174 (bmo#1447080) (Windows only)
Windows Defender SmartScreen UI runs with less secure behavior
for downloaded files in Windows 10 April 2018 Update
* CVE-2018-5178 (bmo#1443891)
Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
* CVE-2018-5185 (bmo#1450345)
Leaking plaintext through HTML forms
* CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705,
bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415,
bmo#1426129)
Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8 and
Thunderbird 52.8
* Tue Mar 27 2018 ro@suse.de
- Exclude bigendian archs for now, have not built
since version 45.8.0
ExcludeArch: ppc ppc64 s390 s390x
* Fri Mar 23 2018 wr@rosenauer.org
- update to Thunderbird 52.7
* Searching message bodies of messages in local folders, including
filter and quick filter operations, did not find content in
message attachments
* Better error handling for Yahoo accounts
- The following security fixes are included as part of the mozilla
platform. In general, these flaws cannot be exploited through
email in the Thunderbird product because scripting is disabled
when reading mail, but are potentially risks in browser or
browser-like contexts (MFSA 2018-09, bsc#1085130, bsc#1085671):
* CVE-2018-5127 (bmo#1430557)
Buffer overflow manipulating SVG animatedPathSegList
* CVE-2018-5129 (bmo#1428947)
Out-of-bounds write with malformed IPC messages
* CVE-2018-5144 (bmo#1440926)
Integer overflow during Unicode conversion
* CVE-2018-5146 (bmo#1446062)
Out of bounds memory write in libvorbis
* CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450,
bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087,
bmo#1443865,bmo#1425520)
Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7, and
Thunderbird 52.7
* CVE-2018-5145 (bmo#1261175,bmo#1348955)
Memory safety bugs fixed in Firefox ESR 52.7 and Thunderbird
52.7
* Wed Jan 24 2018 wr@rosenauer.org
- update to Thunderbird 52.6 (bsc#1077291)
* Searching message bodies of messages in local folders, including
filter and quick filter operations, not working reliably: Content
not found in base64-encode message parts, non-ASCII text not found
and false positives found.
* Defective messages (without at least one expected header) not shown
in IMAP folders but shown on mobile devices
* Calendar: Unintended task deletion if numlock is enabled
* Mozilla platform security fixes
MFSA 2018-04
* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-5096 (bmo#1418922)
Use-after-free while editing form elements
* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener
* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation
* CVE-2018-5117 (bmo#1395508)
URL spoofing with right-to-left text aligned left-to-right
* CVE-2018-5089
Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- dropped obsolete mozilla-ucontext.patch
* Sat Dec 23 2017 wr@rosenauer.org
- update to Thunderbird 52.5.2
* This releases fixes the "Mailsploit" vulnerability and other
vulnerabilities detected by the "Cure53" audit
MFSA 2017-30
* CVE-2017-7845 (bmo#1402372)
Buffer overflow when drawing and validating elements with ANGLE
library using Direct 3D 9
* CVE-2017-7846 (bmo#1411716, bsc#1074043)
JavaScript Execution via RSS in mailbox:// origin
* CVE-2017-7847 (bmo#1411708, bsc#1074044)
Local path string can be leaked from RSS feed
* CVE-2017-7848 (bmo#1411699, bsc#1074045)
RSS Feed vulnerable to new line Injection
* CVE-2017-7829 (bmo#1423432, bsc#1074046)
Mailsploit part 1: From address with encoded null character is
cut off in message header display
* Fri Dec 08 2017 dimstar@opensuse.org
- Explicitly buildrequires python2-xml: The build system relies on
it. We wrongly relied on other packages pulling it in for us.
* Thu Dec 07 2017 dimstar@opensuse.org
- Escape the usage of %{VERSION} when calling out to rpm.
RPM 4.14 has %{VERSION} defined as 'the main packages version'.
* Wed Nov 22 2017 wr@rosenauer.org
- update to Thunderbird 52.5.0 (bsc#1068101)
* Better support for Charter/Spectrum IMAP: Thunderbird will now
detect Charter's IMAP service and send an additional IMAP select
command to the server. Check the various preferences ending in
"force_select" to see whether auto-detection has discovered this case.
* In search folders spanning multiple base folders clicking on a
message sometimes marked another message as read
* IMAP alerts have been corrected and now show the correct server
name in case of connection problems
* POP alerts have been corrected and now indicate connection problems
in case the configured POP server cannot be found
MFSA 2017-26
* CVE-2017-7828 (bmo#1406750. bmo#1412252)
Use-after-free of PressShell while restyling layout
* CVE-2017-7830 (bmo#1408990)
Cross-origin URL information leak through Resource Timing API
* CVE-2017-7826
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
* Fri Nov 10 2017 zaitor@opensuse.org
- Drop obsolete libgnomeui-devel BuildRequires: No longer needed.
- Add explicit pkgconfig(gconf-2.0), pkgconfig(gobject-2.0),
pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
pkgconfig(gdk-x11-2.0) BuildRequires: Previously pulled in by
libgnomeui-devel, and is what configure really checks for.
* Wed Oct 04 2017 astieger@suse.com
- Mozilla Thunderbird 52.4.0 (bsc#1060445)
* new behavior was introduced for replies to mailing list posts:
"When replying to a mailing list, reply will be sent to address
in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
* Under certain circumstances (image attachment and non-image
attachment), attached images were shown truncated in messages
stored in IMAP folders not synchronised for offline use.
* IMAP UIDs > 0x7FFFFFFF now handled properly
Security fixes from Gecko 52.4esr
* CVE-2017-7793 (bmo#1371889)
Use-after-free with Fetch API
* CVE-2017-7818 (bmo#1363723)
Use-after-free during ARIA array manipulation
* CVE-2017-7819 (bmo#1380292)
Use-after-free while resizing images in design mode
* CVE-2017-7824 (bmo#1398381)
Buffer overflow when drawing and validating elements with ANGLE
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
Use-after-free in TLS 1.2 generating handshake hashes
* CVE-2017-7814 (bmo#1376036)
Blob and data URLs bypass phishing and malware protection warnings
* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
OS X fonts render some Tibetan and Arabic unicode characters as spaces
* CVE-2017-7823 (bmo#1396320)
CSP sandbox directive did not create a unique origin
* CVE-2017-7810
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
* Thu Sep 28 2017 dimstar@opensuse.org
- Add alsa-devel BuildRequires: we care for ALSA support to be
built and thus need to ensure we get the dependencies in place.
In the past, alsa-devel was pulled in by accident: we
buildrequire libgnome-devel. This required esound-devel and that
in turn pulled in alsa-devel for us. libgnome is being fixed to
no longer require esound-devel.
* Tue Aug 15 2017 wr@rosenauer.org
- update to Thunderbird 52.3 (boo#1052829)
Fixed issues:
* Unwanted inline images shown in rogue SPAM messages
* Deleting message from the POP3 server not working when maildir
storage was used
* Message disposition flag (replied / forwarded) lost when reply or
forwarded message was stored as draft and draft was sent later
* Inline images not scaled to fit when printing
* Selected text from another message sometimes included in a reply
* No authorisation prompt displayed when inserting image into email
body although image URL requires authentication
* Large attachments taking a long time to open under some circumstances
security
Security fixes from Gecko 52.3esr
* CVE-2017-7798 (bmo#1371586, bmo#1372112)
XUL injection in the style editor in devtools
* CVE-2017-7800 (bmo#1374047)
Use-after-free in WebSockets during disconnection
* CVE-2017-7801 (bmo#1371259)
Use-after-free with marquee during window resizing
* CVE-2017-7784 (bmo#1376087)
Use-after-free with image observers
* CVE-2017-7802 (bmo#1378147)
Use-after-free resizing image elements
* CVE-2017-7785 (bmo#1356985)
Buffer overflow manipulating ARIA attributes in DOM
* CVE-2017-7786 (bmo#1365189)
Buffer overflow while painting non-displayable SVG
* CVE-2017-7753 (bmo#1353312)
Out-of-bounds read with cached style data and pseudo-elements#
* CVE-2017-7787 (bmo#1322896)
Same-origin policy bypass with iframes through page reloads
* CVE-2017-7807 (bmo#1376459)
Domain hijacking through AppCache fallback
* CVE-2017-7792 (bmo#1368652)
Buffer overflow viewing certificates with an extremely long OID
* CVE-2017-7804 (bmo#1372849)
Memory protection bypass through WindowsDllDetourPatcher
* CVE-2017-7791 (bmo#1365875)
Spoofing following page navigation with data: protocol and modal alerts
* CVE-2017-7782 (bmo#1344034)
WindowsDllDetourPatcher allocates memory without DEP protections
* CVE-2017-7803 (bmo#1377426)
CSP containing 'sandbox' improperly applied
* CVE-2017-7779
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
* Wed Aug 09 2017 schwab@suse.de
- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext
* Wed Jun 28 2017 guillaume@opensuse.org
- mozilla-disable-neon-option.patch has been dropped silently, so
remove the --disable-neon option as it is not available anymore.
* Sun Jun 25 2017 wr@rosenauer.org
- update to Thunderbird 52.2.1
* Problems with Gmail fixed (folders not showing, repeated email
download, etc.) introduced in version 52.2.0. (boo#1045895)
* Wed Jun 14 2017 wr@rosenauer.org
- update to Thunderbird 52.2 (boo#1043960)
* Embedded images not shown in email received from Hotmail/Outlook
webmailer
* Detection of non-ASCII font names in font selector
* Attachment not forwarded correctly under certain circumstances
* Multiple requests for master password when GMail OAuth2 is enabled
* Large number of blank pages being printed under certain
circumstances when invalid preferences were present
* Messages sent via the Simple MAPI interface are forced to HTML
* Calendar: Invitations can't be printed
* Mailing list (group) not accessible from macOS or Outlook address book
* Clicking on links with references/anchors where target doesn't
exist in the message not opening in external browser
MFSA 2017-17
* CVE-2017-5472 (bmo#1365602)
Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039)
Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558)
Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396)
Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547)
Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090)
Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7756 (bmo#1366595)
Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824)
Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
CVE-2017-7777
Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490)
Out-of-bounds read in Opus encoder
* CVE-2017-7763 (bmo#1360309)
Mac fonts render some unicode characters as spaces (MacOS only)
* CVE-2017-7764 (bmo#1364283)
Domain spoofing with combination of Canadian Syllabics and other
unicode blocks
* CVE-2017-7765 (bmo#1273265)
Mark of the Web bypass when saving executable files (Windows only)
* CVE-2017-5470
Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
- requires NSS 3.28.5
* Sun Jun 04 2017 wr@rosenauer.org
- remove legacy -Os optimization breaking gcc7/i586 (boo#1042090)
* Thu Jun 01 2017 wr@rosenauer.org
- explicitely optimize with -O2 for openSUSE > 13.2/Leap 42 to work
with gcc7 (boo#1040105, boo#1042090)
* Thu May 11 2017 wr@rosenauer.org
- update to Thunderbird 52.1.1
* fixed crash when compacting IMAP folder (boo#1038753)
* Some attachments could not be opened or saved if the message
body is empty
* Unable to load full message via POP if message was downloaded
partially (or only headers) before
* Large attachments may not be shown or saved correctly if the
message is stored in an IMAP folder which is not synchronized
for offline use
* Mon May 01 2017 wr@rosenauer.org
- update to Thunderbird 52.1.0
* Background images not working and other issues related to
embedded images when composing email have been fixed
* Google Oauth setup can sometimes not progress to the next step
* requires NSS >= 3.28.4
- security fixes (boo#1035082), MFSA 2017-13
* CVE-2017-5443 (bmo#1342661)
Out-of-bounds write during BinHex decoding
* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1
* CVE-2017-5464 (bmo#1347075)
Memory corruption with accessibility and DOM manipulation
* CVE-2017-5465 (bmo#1347617)
Out-of-bounds read in ConvolvePixel
* CVE-2017-5466 (bmo#1353975)
Origin confusion when reloading isolated data:text/html URL
* CVE-2017-5467 (bmo#1347262)
Memory corruption when drawing Skia content
* CVE-2017-5460 (bmo#1343642)
Use-after-free in frame selection
* CVE-2017-5461 (bmo#1344380)
Out-of-bounds write in Base64 encoding in NSS
* CVE-2017-5449 (bmo#1340127)
Crash during bidirectional unicode manipulation with animation
* CVE-2017-5446 (bmo#1343505)
Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
* CVE-2017-5447 (bmo#1343552)
Out-of-bounds read during glyph processing
* CVE-2017-5444 (bmo#1344461)
Buffer overflow while parsing application/http-index-format content
* CVE-2017-5445 (bmo#1344467)
Uninitialized values used while parsing application/http-index-format
content
* CVE-2017-5442 (bmo#1347979)
Use-after-free during style changes
* CVE-2017-5469 (bmo#1292534)
Potential Buffer overflow in flex-generated code
* CVE-2017-5440 (bmo#1336832)
Use-after-free in txExecutionState destructor during XSLT processing
* CVE-2017-5441 (bmo#1343795)
Use-after-free with selection during scroll events
* CVE-2017-5439 (bmo#1336830)
Use-after-free in nsTArray Length() during XSLT processing
* CVE-2017-5438 (bmo#1336828)
Use-after-free in nsAutoPtr during XSLT processing
* CVE-2017-5437 (bmo#1343453)
Vulnerabilities in Libevent library
* CVE-2017-5436 (bmo#1345461)
Out-of-bounds write with malicious font in Graphite 2
* CVE-2017-5435 (bmo#1350683)
Use-after-free during transaction processing in the editor
* CVE-2017-5434 (bmo#1349946)
Use-after-free during focus handling
* CVE-2017-5433 (bmo#1347168)
Use-after-free in SMIL animation functions
* CVE-2017-5432 (bmo#1346654)
Use-after-free in text input selection
* CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
* CVE-2017-5459 (bmo#1333858)
Buffer overflow in WebGL
* CVE-2017-5462 (bmo#1345089)
DRBG flaw in NSS
* CVE-2017-5454 (bmo#1349276)
Sandbox escape allowing file system read access through file
picker
* CVE-2017-5451 (bmo#1273537)
Addressbar spoofing with onblur event
* Mon Apr 17 2017 wr@rosenauer.org
- update to Thunderbird 52.0.1
* Clicking on a link in an email may not open this link in the
external browser
* addon blocklist updates
- enable ALSA for systems w/o PA
- require libffi explicitely to fix PPC64LE build where a system
library is required
* Sat Mar 18 2017 wr@rosenauer.org
- update to Thunderbird 52.0
* Optionally remove corresponding data files when removing an account
* Possibility to copy message filter
* Calendar: Event can now be created and edited in a tab
* Calendar: Processing of received invitation counter proposals
* Chat: Support Twitter Direct Messages
* Chat: Liking and favoriting in Twitter
* Chat: Removed Yahoo! Messenger support
* serveral bugfixes
- security fixes (bsc#1028391, MFSA 2017-09):
In general, these flaws cannot be exploited through email because
scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.
* CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933)
* CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861)
* CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876)
* CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186)
* CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138)
* CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890)
* CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622)
* CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687)
* CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711)
* CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
* CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504)
* CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370)
* CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
* CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361)
* CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876)
* CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243)
* CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699)
* CVE-2017-5421: Print preview spoofing (bmo#1301876)
* CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002)
* CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
* CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
- removed obsolete patches
* mozilla-aarch64-48bit-va.patch
* mozilla-binutils-visibility.patch
* mozilla-flex_buffer_overrun.patch
* mozilla-gcc6.patch
- added generic mozilla patches
* mozilla-aarch64-startup-crash.patch
- require newer versions of NSPR and NSS
- use Gtk3 for Tumbleweed
* Tue Mar 07 2017 wr@rosenauer.org
- update to Thunderbird 45.8.0 (boo#1028391)
* MFSA 2017-07
CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
(bmo#1334933)
CVE-2017-5401: Memory Corruption when handling ErrorResult
(bmo#1328861)
CVE-2017-5402: Use-after-free working with events in FontFace
objects (bmo#1334876)
CVE-2017-5404: Use-after-free working with ranges in selections
(bmo#1340138)
CVE-2017-5407: Pixel and history stealing via floating-point
timing side channel with SVG filters (bmo#1336622)
CVE-2017-5410: Memory corruption during JavaScript garbage
collection incremental sweeping (bmo#1330687)
CVE-2017-5408: Cross-origin reading of video captions in violation
of CORS (bmo#1313711)
CVE-2017-5405: FTP response codes can cause use of
uninitialized values for ports (bmo#1336699)
CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
Firefox ESR 45.8
* Thu Feb 09 2017 wr@rosenauer.org
- update to Thunderbird 45.7.1
* fixed Crash when viewing certain IMAP messages (introduced in 45.7.0)
* Tue Jan 24 2017 wr@rosenauer.org
- update to Thunderbird 45.7.0
* Message preview pane non-functional after IMAP folder was renamed
or moved
* "Move To" button on "Search Messages" panel not working
* Message sent to "undisclosed recipients" shows no recipient
(non-functional since Thunderbird version 38)
* Security updates from MFSA 2017-03 (Gecko 45.7.0) boo#1021991.
In general, these flaws cannot be exploited through email in
Thunderbird because scripting is disabled when reading mail,
but are potentially risks in browser or browser-like contexts:
CVE-2017-5375: Excessive JIT code allocation allows bypass of
ASLR and DEP (bmo#1325200, boo#1021814)
CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
CVE-2017-5378: Pointer and frame data leakage of Javascript objects
(bmo#1312001, bmo#1330769, boo#1021818)
CVE-2017-5380: Potential use-after-free during DOM manipulations
(bmo#1322107, boo#1021819)
CVE-2017-5390: Insecure communication methods in Developer Tools
JSON viewer (bmo#1297361, boo#1021820)
CVE-2017-5396: Use-after-free with Media Decoder
(bmo#1329403, boo#1021821)
CVE-2017-5383: Location bar spoofing with unicode characters
(bmo#1323338, bmo#1324716, boo#1021822)
CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
(boo#1021824)
* Thu Dec 29 2016 wr@rosenauer.org
- update to Thunderbird 45.6.0 (boo#1015422)
* The system integration dialog was shown every time when starting
Thunderbird
* MFSA 2016-96
CVE-2016-9899: Use-after-free while manipulating DOM events and
audio elements (bmo#1317409)
CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
CVE-2016-9898: Use-after-free in Editor while manipulating DOM
subtrees (bmo#1314442)
CVE-2016-9900: Restricted external resources can be loaded by
SVG images through data URLs (bmo#1319122)
CVE-2016-9904: Cross-origin information leak in shared atoms
(bmo#1317936)
CVE-2016-9905: Crash in EnumerateSubDocuments (bmo#1293985)
CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
* Thu Dec 01 2016 astieger@suse.com
- Mozilla Thunderbird 45.5.1:
* CVE-2016-9079: SVG Animation Remote Code Execution
(MFSA 2016-92, bsc#1012964, bmo#1321066)
* Sat Nov 19 2016 astieger@suse.com
- Mozilla Thunderbird 45.5.0 (boo#1009026)
* Fixes for security flaws that cannot be exploited through email
because scripting is disabled when reading mail, but are
potentially risks in browser or browser-like contexts:
CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
(bsc#1010411)
CVE-2016-5297: Incorrect argument length checking in Javascript
(bsc#1010401)
CVE-2016-9066: Integer overflow leading to a buffer overflow in
nsScriptLoadHandler (bsc#1010404)
CVE-2016-5291: Same-origin policy violation using local HTML file
and saved shortcut file (bsc#1010410)
CVE-2016-5290: Memory safety bugs fixed in Thunderbird ESR 45.5
(bsc#1010427)
- Changed behavior:
* Changed recipient address entry: Arrow-keys now copy the pop-up
value to the input field. Mouse-hovered pop-up value can no
longer be confirmed with tab or enter key. This restores the
behavior of Thunderbird 24.
* Support changes to character limit in Twitter
- Bugs fixed:
* Reply with selected text containing quote resulted in wrong
quoting level indication
* Email invitation might not be displayed when description
contains non-ASCII characters
* Attempting to sort messages on the Date field whilst a quick
filter is applied got stuck on sort descending
* Mail address display at header pane displayed incorrectly if
the address contains UTF-8 according to RFC 6532
* Sat Oct 01 2016 wr@rosenauer.org
- update to Thunderbird 45.4.0 (boo#999701)
* Display name was truncated if no separating space before email
address.
* Recipient addresses were shown in wrong color in some circumstances.
* Additional spaces were inserted when drafts were edited.
* Mail saved as template copied In-Reply-To and References from
original email.
* Threading broken when editing message draft, due to loss of Message-ID
* "Apply columns to..." did not honor special folders
* Tue Aug 30 2016 wr@rosenauer.org
- update to Thunderbird 45.3.0 (boo#991809)
* Disposition-Notification-To could not be used in
mail.compose.other.header
* "edit as new message" on a received message pre-filled the sender
as the composing identity.
* Certain messages caused corruption of the drafts summary database.
security fixes:
* MFSA 2016-62/CVE-2016-2836
Miscellaneous memory safety hazards
* MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
Favicon network connection can persist when page is closed
* MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
Buffer overflow rendering SVG with bidirectional content
* MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
* MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
Stack underflow during 2D graphics rendering
* MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
Use-after-free when using alt key and toplevel menus
* MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
Use-after-free in DTLS during WebRTC session shutdown
* MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
Use-after-free in service workers with nested sync events
* MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
Scripts on marquee tag can execute in sandboxed iframes
* MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
Buffer overflow in ClearKey Content Decryption Module (CDM)
during video playback
* MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
Type confusion in display transformation
* MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
Use-after-free when applying SVG effects
* MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
Same-origin policy violation using local HTML file and saved shortcut file
* Fri Aug 05 2016 pcerny@suse.com
- Fix for possible buffer overrun (bsc#990856)
CVE-2016-6354 (bmo#1292534)
[mozilla-flex_buffer_overrun.patch]
* Thu Jul 21 2016 mailaender@opensuse.org
- add a screenshot to appdata.xml
* Thu Jun 30 2016 wr@rosenauer.org
- update to Thunderbird 45.2 (boo#983549)
Security fixes:
* CVE-2016-2818, CVE-2016-2815: Memory safety bugs (MFSA2016-49)
- drop mozilla-flexible-array-member-in-union.patch, upstream
* Fri Jun 24 2016 wr@rosenauer.org
- mozilla-binutils-visibility.patch to fix build issues with
gcc/binutils combination used in Leap 42.2 (boo#984637)
* Thu Jun 23 2016 wr@rosenauer.org
- build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6
as long as underlying issues have been addressed upstream
(boo#986162)
* Mon Jun 13 2016 agraf@suse.com
- Fix running on 48bit va aarch64 (bsc#984126)
- Add patch mozilla-aarch64-48bit-va.patch
* Fri May 27 2016 wr@rosenauer.org
- update to Thunderbird 45.1.1
* When entering members into a mailing list, the enter key
dismissed the panel instead of just moving onto the next line
* Email without HTML elements was sent as HTML, despite
"Delivery Format: Auto-detect" option
* Options applied to a template were lost when the template was used
* Contacts could not be deleted when they were found through a search
* Views from global searches did not respect
"mail.threadpane.use_correspondents"
* Wed May 25 2016 badshah400@gmail.com
- The conditional testing for gcc was failing for different
openSUSE versions, drop it and apply patches unconditionally.
* Tue May 24 2016 badshah400@gmail.com
- Add patches to fix building with gcc >= 6:
+ mozilla-gcc6.patch: patch taken from fedora's git and is
essentially identical to upstream firefox patch:
https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
+ mozilla-flexible-array-member-in-union.patch: patch taken
from upstream bmo#1272649.
* Thu May 12 2016 dimstar@opensuse.org
- Copy the icons to /usr/share/icons instead of symlinking them:
in preparation for containerized apps (e.g. xdg-app) as well as
AppStream metadata extraction, there are a couple locations that
need to be real files for system integration (.desktop files,
icons, mime-type info).
* Sat May 07 2016 wr@rosenauer.org
- update to Thunderbird 45.1.0 (boo#977333)
* MFSA 2016-39/CVE-2016-2806/CVE-2016-2807 (boo#977375, boo#977376)
Miscellaneous memory safety hazards
* Wed Apr 27 2016 badshah400@gmail.com
- For openSUSE > 13.2, the build fails for i586 as it goes out of
memory. Prevent this from happening by disabing parallel build
in this particular case (i.e. do not pass
mk_add_options MOZ_MAKE_FLAGS%{?jobs:-j%jobs}).
* Sat Apr 16 2016 wr@rosenauer.org
- update to Thunderbird 45.0 (boo#969894)
* Add a Correspondents column combining Sender and Recipient
* Much better support for XMPP chatrooms and commands
* Remote content exceptions: Improved options to add exceptions
* Implement option to always use HTML formatting to prevent
unexpected format loss when converting messages to plain text
* Use OpenStreetmap for maps (even allow the user to choose from
list of map services)
* Allow spell checking and dictionary selection in the subject line
* Allow editing of From when composing a message
* Add dropdown in compose to allow specific setting of font size
* Return/Enter in composer will now insert a new paragraph by
default (shift-Enter will insert a line break)
* Allow copying of name and email address from the message header
of an email
* Mail.ru supports OAuth authentication
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
Miscellaneous memory safety hazards
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
Local file overwriting and potential privilege escalation through
CSP reports
* MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
CSP reports fail to strip location information for embedded iframe pages
* MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
Linux video memory DOS with Intel drivers
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
Memory leak in libstagefright when deleting an array during MP4
processing
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
Use-after-free in SetBody
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
Use-after-free during XML transformations
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
Out-of-bounds read in HTML parser following a failed allocation
* MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
Buffer overflow during ASN.1 decoding in NSS
(fixed by requiring 3.21.1)
* MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
Use-after-free during processing of DER encoded keys in NSS
(fixed by requiring 3.21.1)
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
Font vulnerabilities in the Graphite 2 library
- remove obsolete patches:
* mozilla-arm-disable-edsp.patch
* mozilla-icu-strncat.patch
* mozilla-arm64-libjpeg-turbo.patch
- added required mozilla platform patches:
* mozilla-no-stdcxx-check.patch
* Wed Apr 06 2016 astieger@suse.com
- update to Thunderbird 38.7.2
* disable Graphite font shaping library (same upstream changelog
as 38.7.1)
* Fri Mar 25 2016 wr@rosenauer.org
- update to Thunderbird 38.7.1
* disabled Graphite font shaping library
* Fri Mar 11 2016 wr@rosenauer.org
- update to Thunderbird 38.7.0 (boo#969894)
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
Use-after-free in MediaStream playback
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
Same-origin policy violation using performance.getEntries and
history navigation
* MFSA 2016-16/CVE-2016-1952
Miscellaneous memory safety hazards
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
Local file overwriting and potential privilege escalation through
CSP reports
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
Memory leak in libstagefright when deleting an array during MP4
processing
* MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
Displayed page address can be overridden
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
Use-after-free when using multiple WebRTC data channels
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
Addressbar spoofing though history navigation and Location protocol
property
* MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
Memory corruption with malicious NPAPI plugin
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
Out-of-bounds read in HTML parser following a failed allocation
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
Font vulnerabilities in the Graphite 2 library
* Fri Feb 26 2016 astieger@suse.com
- adjust _constraints to current peak build memory and disk usage
* Sat Feb 13 2016 wr@rosenauer.org
- update to Thunderbird 38.6.0 (boo#963520)
* Filters ran on a different folder than selected
* MFSA 2016-01/CVE-2016-1930
Miscellaneous memory safety hazards
* MFSA 2016-03/CVE-2016-1935 (bmo#1220450)
Buffer overflow in WebGL after out of memory allocation
* Mon Jan 25 2016 olaf@aepfle.de
- Using -g for CFLAGS is controlled via project settings, it should
not be enforced by the mozilla buildsystem.
* Mon Jan 18 2016 olaf@aepfle.de
- Add build conditionals for valgrind and -Os
- Convert existing conditions for kde to bcond
* Tue Dec 29 2015 wr@rosenauer.org
- update to Thunderbird 38.5.1
* requires NSS 3.20.2 to fix
MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
server signature
- explicitely require libXcomposite-devel
* Wed Dec 23 2015 wr@rosenauer.org
- update to Thunderbird 38.5.0 (bnc#959277)
* MFSA 2015-134/CVE-2015-7201
Miscellaneous memory safety hazards
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
Use-after-free in WebRTC when datachannel is used after being
destroyed
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
Integer overflow allocating extremely large textures
* MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
Underflow through code inspection
* MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
Integer overflow in MP4 playback in 64-bit versions
* MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
Integer underflow and buffer overflow processing MP4 metadata in
libstagefright
* MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
Cross-site reading attack through data and view-source URIs
* Tue Nov 17 2015 wr@rosenauer.org
- update to Thunderbird 38.4.0 (bnc#952810)
* MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
Miscellaneous memory safety hazards
* MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
Trailing whitespace in IP address hostnames can bypass same-origin policy
* MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
Buffer overflow during image interactions in canvas
* MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
CORS preflight is bypassed when non-standard Content-Type headers
are received
* MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
Memory corruption in libjar through zip files
* MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
JavaScript garbage collection crash with Java applet
* MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
(bmo#1188010, bmo#1204061, bmo#1204155)
Vulnerabilities found through code inspection
* MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
Mixed content WebSocket policy bypass through workers
* MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
(bmo#1202868, bmo#1205157)
NSS and NSPR memory corruption issues
(fixed in mozilla-nspr and mozilla-nss packages)
- requires NSPR 4.10.10 and NSS 3.19.2.1
- added explicit appdata provides (bnc#952325)
* Mon Oct 05 2015 dmueller@suse.com
- fix build on aarch64 by reusing the crashreporter conditional
from MozillaFirefox
* Mon Sep 28 2015 wr@rosenauer.org
- update to Thunderbird 38.3.0 (bnc#947003)
* MFSA 2015-96/CVE-2015-4500
Miscellaneous memory safety hazards
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
Arbitrary file manipulation by local user through Mozilla updater
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
Use-after-free while manipulating HTML media content
* MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
Dragging and dropping images exposes final URL after redirects
* MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
CVE-2015-7180
Vulnerabilities found through code inspection
* MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
bmo#1190526) (Windows only)
Memory safety errors in libGLES in the ANGLE graphics library
- rebased patches
* Sat Aug 15 2015 wr@rosenauer.org
- update to Thunderbird 38.2.0 (bnc#940806)
* MFSA 2015-79/CVE-2015-4473
Miscellaneous memory safety hazards
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
Out-of-bounds read with malformed MP3 file
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
Redefinition of non-configurable JavaScript object properties
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
Overflow issues in libstagefright
* MFSA 2015-84/CVE-2015-4481 (bmo1171518)
Arbitrary file overwriting through Mozilla Maintenance Service
with hard links (only affected Windows)
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
Out-of-bounds write with Updater and malicious MAR file
(does not affect openSUSE RPM packages which do not ship the
updater)
* MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
Crash when using shared memory in JavaScript
* MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
Heap overflow in gdk-pixbuf when scaling bitmap images
* MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
Buffer overflows on Libvpx when decoding WebM video
* MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
Vulnerabilities found through code inspection
* MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
Use-after-free in XMLHttpRequest with shared workers
* Wed Jul 08 2015 wr@rosenauer.org
- update to Thunderbird 38.1.0 (bnc#935979)
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725
Miscellaneous memory safety hazards
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
Local files or privileged URLs in pages can be opened into new tabs
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
Type confusion in Indexed Database Manager
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
Out-of-bound read while computing an oscillator rendering range in Web Audio
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
Use-after-free in Content Policy due to microtask execution error
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
ECDSA signature validation fails to handle some signatures correctly
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
Use-after-free in workers while using XMLHttpRequest
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
Vulnerabilities found through code inspection
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
Key pinning is ignored when overridable errors are encountered
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
Privilege escalation in PDF.js
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
NSS accepts export-length DHE keys with regular DHE cipher suites
(this fix is shipped by NSS 3.19.1 externally)
* MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
NSS incorrectly permits skipping of ServerKeyExchange
(this fix is shipped by NSS 3.19.1 externally)
- requires NSS 3.19.2
* Fri Jun 19 2015 wr@rosenauer.org
- update to Thunderbird 38.0.1
* includes Lightning as default extension
- rebased patches
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-nullptr-gcc45.patch
* mozilla-bug1024492.patch
- dropped openSUSE specific patches
* thunderbird-shared-nss-db.patch
* mozilla-shared-nss-db.patch
the provided feature seems not to be used and its maintenance
is not worth the ongoing efforts
- tb-develdirs.patch is now mozilla-develdirs.patch as it is a
platform configuration now
* Thu Jun 18 2015 schwab@suse.de
- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
* Thu May 28 2015 dmueller@suse.com
- add mozilla-bug1024492.patch:
* Fixes build against GCC 5.x
* Sat May 09 2015 wr@rosenauer.org
- update to Thunderbird 31.7.0 (bnc#930622)
* MFSA 2015-46/CVE-2015-2708
Miscellaneous memory safety hazards
* MFSA 2015-47/VE-2015-0797 (bmo#1080995)
Buffer overflow parsing H.264 video with Linux Gstreamer
* MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
Buffer overflow with SVG content and CSS
* MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
Use-after-free during text processing with vertical text enabled
* MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
Buffer overflow when parsing compressed XML
* MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
Privilege escalation through IPC channel messages
* Tue Mar 31 2015 wr@rosenauer.org
- update to Thunderbird 31.6.0 (bnc#925368)
* MFSA 2015-30/CVE-2015-0815
Miscellaneous memory safety hazards
* MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
Use-after-free when using the Fluendo MP3 GStreamer plugin
* MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
resource:// documents can load privileged pages
* MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
CORS requests should not follow 30x redirections after preflight
* MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
Same-origin bypass through anchor navigation
* Mon Feb 23 2015 wr@rosenauer.org
- update to Thunderbird 31.5.0 (bnc#917597)
* MFSA 2015-11/CVE-2015-0836
Miscellaneous memory safety hazards
* MFSA 2015-12/CVE-2015-0833 (bmo#945192)
Invoking Mozilla updater will load locally stored DLL files
(Windows only)
* MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
Use-after-free in IndexedDB
* MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
Out-of-bounds read and write while rendering SVG content
* MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
Reading of local files through manipulation of form autocomplete
* Sat Jan 10 2015 wr@rosenauer.org
- update to Thunderbird 31.4.0 (bnc#910669)
* MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
Miscellaneous memory safety hazards
* MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
sendBeacon requests lack an Origin header
* MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
Cookie injection through Proxy Authenticate responses
- added mozilla-icu-strncat.patch to fix post build checks
* Sun Nov 30 2014 wr@rosenauer.org
- update to Thunderbird 31.3.0 (bnc#908009)
* MFSA 2014-83/CVE-2014-1587
Miscellaneous memory safety hazards
* MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
XMLHttpRequest crashes with some input streams
* MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
Use-after-free during HTML5 parsing
* MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
Buffer overflow while parsing media content
* MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
Bad casting from the BasicThebesLayer to BasicContainerLayer
* Sun Nov 16 2014 Led <ledest@gmail.com>
- fix bashism in mozilla.sh script
* Tue Nov 04 2014 guillaume@opensuse.org
- Limit RAM usage during link for ARM
* Sat Oct 25 2014 wr@rosenauer.org
- remove add-plugins.sh and use /usr/share/myspell directly
(bnc#900639)
* Sun Oct 12 2014 wr@rosenauer.org
- update to Thunderbird 31.2.0 (bnc#900941)
* MFSA 2014-74/CVE-2014-1574
Miscellaneous memory safety hazards
* MFSA 2014-75/CVE-2014-1576 (bmo#1041512)
Buffer overflow during CSS manipulation
* MFSA 2014-76/CVE-2014-1577 (bmo#1012609)
Web Audio memory corruption issues with custom waveforms
* MFSA 2014-77/CVE-2014-1578 (bmo#1063327)
Out-of-bounds write with WebM video
* MFSA 2014-79/CVE-2014-1581 (bmo#1068218)
Use-after-free interacting with text directionality
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
Inconsistent video sharing within iframe
- added basic appdata definition
* Wed Sep 24 2014 wr@rosenauer.org
- update to Thunderbird 31.1.2
* Tue Sep 09 2014 wolfgang@rosenauer.org
- update to Thunderbird 31.1.1
* Fixed an issue where mailing lists with spaces in their names
couldn't be autocompleted (bmo#1060901)
* Fixed an occasional startup crash (bmo#1005336)
* Fri Aug 29 2014 wr@rosenauer.org
- update to Thunderbird 31.1.0 (bnc#894370)
* MFSA 2014-67/CVE-2014-1553/CVE-2014-1562
Miscellaneous memory safety hazards
* MFSA 2014-68/CVE-2014-1563 (bmo#1018524)
Use-after-free during DOM interactions with SVG
* MFSA 2014-69/CVE-2014-1564 (bmo#1045977)
Uninitialized memory use during GIF rendering
* MFSA 2014-70/CVE-2014-1565 (bmo#1047831)
Out-of-bounds read in Web Audio audio timeline
* MFSA 2014-72/CVE-2014-1567 (bmo#1037641)
Use-after-free setting text directionality
- added mozilla-nullptr-gcc45.patch to build on gcc 4.5 dists
(e.g. openSUSE 11.4)
* Sun Jul 27 2014 wr@rosenauer.org
- update to Thunderbird 31.0
* based on Gecko 31
* Autocompleting email addresses now matches against any part of
the name or email
* Composing a mail to a newsgroup will now autocomplete newsgroup
names
* Insecure NTLM (pre-NTLMv2) authentication disabled
- rebased patches
- removed enigmail entirely from source package
- removed obsolete patches
* libffi-ppc64le.patch
* ppc64le-support.patch
* xpcom-ppc64le.patch
- use GStreamer 1.0 after 13.1
- switched source archives to use xz instead of bz2
* Sun Jul 20 2014 wr@rosenauer.org
- update to Thunderbird 24.7.0 (bnc#887746)
* MFSA 2014-56/CVE-2014-1547/CVE-2014-1548
Miscellaneous memory safety hazards
* MFSA 2014-61/CVE-2014-1555 (bmo#1023121)
Use-after-free with FireOnStateChange event
* MFSA 2014-62/CVE-2014-1556 (bmo#1028891)
Exploitable WebGL crash with Cesium JavaScript library
* MFSA 2014-63/CVE-2014-1544 (bmo#963150)
Use-after-free while when manipulating certificates in the trusted cache
(solved with NSS 3.16.2 requirement)
* MFSA 2014-64/CVE-2014-1557 (bmo#913805)
Crash in Skia library when scaling high quality images
- disabled enigmail build as with version 1.7 it's a standalone
source package
* Sat Jun 07 2014 wr@rosenauer.org
- update to Thunderbird 24.6.0 (bnc#881874)
* MFSA 2014-48/CVE-2014-1533/CVE-2014-1534
(bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874,
bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981,
bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817,
bmo#996536, bmo#996715, bmo#999651, bmo#1000598,
bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223,
bmo#1009952, bmo#1011007)
Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
* MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538
(bmo#989994, bmo#999274, bmo#1005584)
Use-after-free and out of bounds issues found using Address Sanitizer
* MFSA 2014-52/CVE-2014-1541 (bmo#1000185)
Use-after-free with SMIL Animation Controller
* MFSA 2014-55/CVE-2014-1545 (bmo#1018783)
Out of bounds write in NSPR
- require NSPR 4.10.6 because of MFSA 2014-55/CVE-2014-1545
* Fri Apr 25 2014 wr@rosenauer.org
- update to Thunderbird 24.5.0 (bnc#875378)
* MFSA 2014-34/CVE-2014-1518
Miscellaneous memory safety hazards
* MFSA 2014-37/CVE-2014-1523 (bmo#969226)
Out of bounds read while decoding JPG images
* MFSA 2014-38/CVE-2014-1524 (bmo#989183)
Buffer overflow when using non-XBL object as XBL
* MFSA 2014-42/CVE-2014-1529 (bmo#987003)
Privilege escalation through Web Notification API
* MFSA 2014-43/CVE-2014-1530 (bmo#895557)
Cross-site scripting (XSS) using history navigations
* MFSA 2014-44/CVE-2014-1531 (bmo#987140)
Use-after-free in imgLoader while resizing images
* MFSA 2014-46/CVE-2014-1532 (bmo#966006)
Use-after-free in nsHostResolver
- use shipped-locales as the authoritative source for supported
locales (some unsupported locales disappear from -other package)
* Tue Mar 18 2014 wr@rosenauer.org
- update to Thunderbird 24.4.0 (bnc#868603)
* MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
Miscellaneous memory safety hazards
* MFSA 2014-17/CVE-2014-1497 (bmo#966311)
Out of bounds read during WAV file decoding
* MFSA 2014-26/CVE-2014-1508 (bmo#963198)
Information disclosure through polygon rendering in MathML
* MFSA 2014-27/CVE-2014-1509 (bmo#966021)
Memory corruption in Cairo during PDF font rendering
* MFSA 2014-28/CVE-2014-1505 (bmo#941887)
SVG filters information disclosure through feDisplacementMap
* MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909)
Privilege escalation using WebIDL-implemented APIs
* MFSA 2014-30/CVE-2014-1512 (bmo#982957)
Use-after-free in TypeObject
* MFSA 2014-31/CVE-2014-1513 (bmo#982974)
Out-of-bounds read/write through neutering ArrayBuffer objects
* MFSA 2014-32/CVE-2014-1514 (bmo#983344)
Out-of-bounds write through TypedArrayObject after neutering
* Mon Feb 03 2014 wr@rosenauer.org
- update to Thunderbird 24.3.0 (bnc#861847)
* MFSA 2014-01/CVE-2014-1477/CVE-2014-1478
Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
* MFSA 2014-02/CVE-2014-1479 (bmo#911864)
Clone protected content with XBL scopes
* MFSA 2014-04/CVE-2014-1482 (bmo#943803)
Incorrect use of discarded images by RasterImage
* MFSA 2014-08/CVE-2014-1486 (bmo#942164)
Use-after-free with imgRequestProxy and image proccessing
* MFSA 2014-09/CVE-2014-1487 (bmo#947592)
Cross-origin information leak through web workers
* MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
(bmo#934545, bmo#930874, bmo#930857)
NSS ticket handling issues
* MFSA 2014-13/CVE-2014-1481(bmo#936056)
Inconsistent JavaScript handling of access to Window objects
- requires NSS 3.15.4
- renamed ppc64le patches to streamline with Firefox package
* Fri Dec 13 2013 uweigand@de.ibm.com
- Add support for powerpc64le-linux.
* ppc64le-support.patch: general support
* libffi-ppc64le.patch: libffi backport
* xpcom-ppc64le.patch: port xpcom
* Sun Dec 08 2013 wr@rosenauer.org
- update to Thunderbird 24.2.0 (bnc#854370)
* requires NSS 3.15.3.1 or higher
* MFSA 2013-104/CVE-2013-5609/CVE-2013-5610
Miscellaneous memory safety hazards
* MFSA 2013-108/CVE-2013-5616 (bmo#938341)
Use-after-free in event listeners
* MFSA 2013-109/CVE-2013-5618 (bmo#926361)
Use-after-free during Table Editing
* MFSA 2013-111/CVE-2013-6671 (bmo#930281)
Segmentation violation when replacing ordered list elements
* MFSA 2013-113/CVE-2013-6673 (bmo#970380)
Trust settings for built-in roots ignored during EV certificate
validation
* MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449)
Use-after-free in synthetic mouse movement
* MFSA 2013-115/CVE-2013-5615 (bmo#929261)
GetElementIC typed array stubs can be generated outside observed
typesets
* MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693)
JPEG information leak
* MFSA 2013-117 (bmo#946351)
Mis-issued ANSSI/DCSSI certificate
(fixed via NSS 3.15.3.1)
* Tue Nov 19 2013 wr@rosenauer.org
- update to Thunderbird 24.1.1
* requires NSPR 4.10.2 and NSS 3.15.3 for security reasons
* fix binary compatibility issues for patch level updates
(bmo#927073)
* Thu Oct 24 2013 wr@rosenauer.org
- update to Thunderbird 24.1.0 (bnc#847708)
* requires NSS 3.15.2 or above
* MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592
Miscellaneous memory safety hazards
* MFSA 2013-94/CVE-2013-5593 (bmo#868327)
Spoofing addressbar through SELECT element
* MFSA 2013-95/CVE-2013-5604 (bmo#914017)
Access violation with XSLT and uninitialized data
* MFSA 2013-96/CVE-2013-5595 (bmo#916580)
Improperly initialized memory and overflows in some JavaScript
functions
* MFSA 2013-97/CVE-2013-5596 (bmo#910881)
Writing to cycle collected object during image decoding
* MFSA 2013-98/CVE-2013-5597 (bmo#918864)
Use-after-free when updating offline cache
* MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601
(bmo#915210, bmo#915576, bmo#916685)
Miscellaneous use-after-free issues found through ASAN fuzzing
* MFSA 2013-101/CVE-2013-5602 (bmo#897678)
Memory corruption in workers
* MFSA 2013-102/CVE-2013-5603 (bmo#916404)
Use-after-free in HTML document templates
* Thu Oct 10 2013 wr@rosenauer.org
- update to Thunderbird 24.0.1
* fqdn for smtp server name was not accepted (bmo#913785)
* fixed crash in PL_strncasecmp (bmo#917955)
- update Enigmail to 1.6
* The passphrase timeout configuration in Enigmail is now read and
written from/to gpg-agent.
* New dialog to change the expiry date of keys
* New function to search for the OpenPGP keys of all Address Book
entries on a keyserver
* removed obsolete enigmail-build.patch
* Sat Sep 14 2013 wr@rosenauer.org
- update to Thunderbird 24.0 (bnc#840485)
* MFSA 2013-76/CVE-2013-1718/CVE-2013-1719
Miscellaneous memory safety hazards
* MFSA 2013-77/CVE-2013-1720 (bmo#888820)
Improper state in HTML5 Tree Builder with templates
* MFSA 2013-79/CVE-2013-1722 (bmo#893308)
Use-after-free in Animation Manager during stylesheet cloning
* MFSA 2013-80/CVE-2013-1723 (bmo#891292)
NativeKey continues handling key messages after widget is destroyed
* MFSA 2013-81/CVE-2013-1724 (bmo#894137)
Use-after-free with select element
* MFSA 2013-82/CVE-2013-1725 (bmo#876762)
Calling scope for new Javascript objects can lead to memory corruption
* MFSA 2013-85/CVE-2013-1728 (bmo#883686)
Uninitialized data in IonMonkey
* MFSA 2013-88/CVE-2013-1730 (bmo#851353)
Compartment mismatch re-attaching XBL-backed nodes
* MFSA 2013-89/CVE-2013-1732 (bmo#883514)
Buffer overflow with multi-column, lists, and floats
* MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301)
Memory corruption involving scrolling
* MFSA 2013-91/CVE-2013-1737 (bmo#907727)
User-defined properties on DOM proxies get the wrong "this" object
* MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897)
GC hazard with default compartments and frame chain restoration
- moved greek to common translation package
- require NSPR 4.10 and NSS 3.15.1
- add GStreamer build requirements for Gecko
- added enigmail-build.patch to fix TB packaging (bmo#886095)
- removed obsolete patches:
* enigmail-old-gcc.patch
* mozilla-gcc43-enums.patch
* mozilla-gcc43-template_hacks.patch
* mozilla-gcc43-templates_instantiation.patch
* ppc-xpcshell.patch
* Fri Aug 02 2013 wr@rosenauer.org
- update to Thunderbird 17.0.8 (bnc#833389)
* MFSA 2013-63/CVE-2013-1701
Miscellaneous memory safety hazards
* MFSA 2013-68/CVE-2013-1709 (bmo#838253)
Document URI misrepresentation and masquerading
* MFSA 2013-69/CVE-2013-1710 (bmo#871368)
CRMF requests allow for code execution and XSS attacks
* MFSA 2013-72/CVE-2013-1713 (bmo#887098)
Wrong principal used for validating URI for some Javascript
components
* MFSA 2013-73/CVE-2013-1714 (bmo#879787)
Same-origin bypass with web workers and XMLHttpRequest
* MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file system
* Wed Jul 17 2013 wr@rosenauer.org
- update Enigmail to 1.5.2
* bugfix release
* Mon Jun 24 2013 wr@rosenauer.org
- update to Thunderbird 17.0.7 (bnc#825935)
* MFSA 2013-49/CVE-2013-1682
Miscellaneous memory safety hazards
* MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
Memory corruption found using Address Sanitizer
* MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
Privileged content access and execution via XBL
* MFSA 2013-53/CVE-2013-1690 (bmo#857883)
Execution of unmapped memory through onreadystatechange event
* MFSA 2013-54/CVE-2013-1692 (bmo#866915)
Data in the body of XHR HEAD requests leads to CSRF attacks
* MFSA 2013-55/CVE-2013-1693 (bmo#711043)
SVG filters can lead to information disclosure
* MFSA 2013-56/CVE-2013-1694 (bmo#848535)
PreserveWrapper has inconsistent behavior
* MFSA 2013-59/CVE-2013-1697 (bmo#858101)
XrayWrappers can be bypassed to run user defined methods in a
privileged context
* Tue Jun 04 2013 dvaleev@suse.com
- prevent xpc-shell crashing on powerpc
ppc-xpcshell.patch
* Sat May 11 2013 wr@rosenauer.org
- update to Thunderbird 17.0.6 (bnc#819204)
* MFSA 2013-41/CVE-2013-0801/CVE-2013-1669
Miscellaneous memory safety hazards
* MFSA 2013-42/CVE-2013-1670 (bmo#853709)
Privileged access for content level constructor
* MFSA 2013-46/CVE-2013-1674 (bmo#860971)
Use-after-free with video and onresize event
* MFSA 2013-47/CVE-2013-1675 (bmo#866825)
Uninitialized functions in DOMSVGZoomEvent
* MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/
CVE-2013-1679/CVE-2013-1680/CVE-2013-1681
Memory corruption found using Address Sanitizer
* Fri Mar 29 2013 wr@rosenauer.org
- update to Thunderbird 17.0.5 (bnc#813026)
* requires NSPR 4.9.5 and NSS 3.14.3
* MFSA 2013-30/CVE-2013-0788/CVE-2013-0789
Miscellaneous memory safety hazards
* MFSA 2013-31/CVE-2013-0800 (bmo#825721)
Out-of-bounds write in Cairo library
* MFSA 2013-35/CVE-2013-0796 (bmo#827106)
WebGL crash with Mesa graphics driver on Linux
* MFSA 2013-36/CVE-2013-0795 (bmo#825697)
Bypass of SOW protections allows cloning of protected nodes
* MFSA 2013-38/CVE-2013-0793 (bmo#803870)
Cross-site scripting (XSS) using timed history navigations
* Fri Mar 08 2013 wr@rosenauer.org
- update to Thunderbird 17.0.4 (bnc#808243)
* MFSA 2013-29/CVE-2013-0787 (bmo#848644)
Use-after-free in HTML Editor
* Sun Feb 17 2013 wr@rosenauer.org
- update to Thunderbird 17.0.3 (bnc#804248)
* MFSA 2013-21/CVE-2013-0783
Miscellaneous memory safety hazards
* MFSA 2013-24/CVE-2013-0773 (bmo#809652)
Web content bypass of COW and SOW security wrappers
* MFSA 2013-25/CVE-2013-0774 (bmo#827193)
Privacy leak in JavaScript Workers
* MFSA 2013-26/CVE-2013-0775 (bmo#831095)
Use-after-free in nsImageLoadingContent
* MFSA 2013-27/CVE-2013-0776 (bmo#796475)
Phishing on HTTPS connection through malicious proxy
* MFSA 2013-28/CVE-2013-0780/CVE-2013-0782
Use-after-free, out of bounds read, and buffer overflow issues
found using Address Sanitizer
* Mon Feb 11 2013 wr@rosenauer.org
- update Enigmail to 1.5.1
* The release fixes the regressions found in the past few
weeks
* Sat Jan 05 2013 wr@rosenauer.org
- update to Thunderbird 17.0.2 (bnc#796895)
* MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770
Miscellaneous memory safety hazards
* MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767
CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829
Use-after-free and buffer overflow issues found using Address Sanitizer
* MFSA 2013-03/CVE-2013-0768 (bmo#815795)
Buffer Overflow in Canvas
* MFSA 2013-04/CVE-2012-0759 (bmo#802026)
URL spoofing in addressbar during page loads
* MFSA 2013-05/CVE-2013-0744 (bmo#814713)
Use-after-free when displaying table with many columns and column groups
* MFSA 2013-07/CVE-2013-0764 (bmo#804237)
Crash due to handling of SSL on threads
* MFSA 2013-08/CVE-2013-0745 (bmo#794158)
AutoWrapperChanger fails to keep objects alive during garbage collection
* MFSA 2013-09/CVE-2013-0746 (bmo#816842)
Compartment mismatch with quickstubs returned values
* MFSA 2013-10/CVE-2013-0747 (bmo#733305)
Event manipulation in plugin handler to bypass same-origin policy
* MFSA 2013-11/CVE-2013-0748 (bmo#806031)
Address space layout leaked in XBL objects
* MFSA 2013-12/CVE-2013-0750 (bmo#805121)
Buffer overflow in Javascript string concatenation
* MFSA 2013-13/CVE-2013-0752 (bmo#805024)
Memory corruption in XBL with XML bindings containing SVG
* MFSA 2013-14/CVE-2013-0757 (bmo#813901)
Chrome Object Wrapper (COW) bypass through changing prototype
* MFSA 2013-15/CVE-2013-0758 (bmo#813906)
Privilege escalation through plugin objects
* MFSA 2013-16/CVE-2013-0753 (bmo#814001)
Use-after-free in serializeToStream
* MFSA 2013-17/CVE-2013-0754 (bmo#814026)
Use-after-free in ListenerManager
* MFSA 2013-18/CVE-2013-0755 (bmo#814027)
Use-after-free in Vibrate
* MFSA 2013-19/CVE-2013-0756 (bmo#814029)
Use-after-free in Javascript Proxy objects
- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743)
- update Enigmail to 1.5.0
* Mon Nov 26 2012 wr@rosenauer.org
- fix KDE integration for file dialogs
- fix some rpmlint warnings (mkdir.done files)
- build on SLE11
* mozilla-gcc43-enums.patch
* mozilla-gcc43-template_hacks.patch
* mozilla-gcc43-templates_instantiation.patch
* Tue Nov 20 2012 wr@rosenauer.org
- update to Thunderbird 17.0 (bnc#790140)
* MFSA 2012-91/CVE-2012-5842/CVE-2012-5843
Miscellaneous memory safety hazards
* MFSA 2012-92/CVE-2012-4202 (bmo#758200)
Buffer overflow while rendering GIF images
* MFSA 2012-93/CVE-2012-4201 (bmo#747607)
evalInSanbox location context incorrectly applied
* MFSA 2012-94/CVE-2012-5836 (bmo#792857)
Crash when combining SVG text on path with CSS
* MFSA 2012-96/CVE-2012-4204 (bmo#778603)
Memory corruption in str_unescape
* MFSA 2012-97/CVE-2012-4205 (bmo#779821)
XMLHttpRequest inherits incorrect principal within sandbox
* MFSA 2012-99/CVE-2012-4208 (bmo#798264)
XrayWrappers exposes chrome-only properties when not in chrome
compartment
* MFSA 2012-100/CVE-2012-5841 (bmo#805807)
Improper security filtering for cross-origin wrappers
* MFSA 2012-101/CVE-2012-4207 (bmo#801681)
Improper character decoding in HZ-GB-2312 charset
* MFSA 2012-102/CVE-2012-5837 (bmo#800363)
Script entered into Developer Toolbar runs with chrome privileges
* MFSA 2012-103/CVE-2012-4209 (bmo#792405)
Frames can shadow top.location
* MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/
CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/
CVE-2012-4213/CVE-2012-4217/CVE-2012-4218
Use-after-free and buffer overflow issues found using Address
Sanitizer
* MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838
Use-after-free, buffer overflow, and memory corruption issues
found using Address Sanitizer
- rebased patches
- disabled WebRTC since build is broken (bmo#776877)
- update Enigmail to 1.4.6
* Sat Oct 27 2012 wr@rosenauer.org
- update to Thunderbird 16.0.2 (bnc#786522)
* MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196
(bmo#800666, bmo#793121, bmo#802557)
Fixes for Location object issues
* Thu Oct 11 2012 wr@rosenauer.org
- update to Thunderbird 16.0.1 (bnc#783533)
* MFSA 2012-88/CVE-2012-4191 (bmo#798045)
Miscellaneous memory safety hazards
* MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619)
defaultValue security checks not applied
* Mon Oct 08 2012 wr@rosenauer.org
- update to Thunderbird 16.0 (bnc#783533)
* MFSA 2012-74/CVE-2012-3982/CVE-2012-3983
Miscellaneous memory safety hazards
* MFSA 2012-75/CVE-2012-3984 (bmo#575294)
select element persistance allows for attacks
* MFSA 2012-76/CVE-2012-3985 (bmo#655649)
Continued access to initial origin after setting document.domain
* MFSA 2012-77/CVE-2012-3986 (bmo#775868)
Some DOMWindowUtils methods bypass security checks
* MFSA 2012-79/CVE-2012-3988 (bmo#725770)
DOS and crash with full screen and history navigation
* MFSA 2012-80/CVE-2012-3989 (bmo#783867)
Crash with invalid cast when using instanceof operator
* MFSA 2012-81/CVE-2012-3991 (bmo#783260)
GetProperty function can bypass security checks
* MFSA 2012-82/CVE-2012-3994 (bmo#765527)
top object and location property accessible by plugins
* MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370)
Chrome Object Wrapper (COW) does not disallow acces to privileged
functions or properties
* MFSA 2012-84/CVE-2012-3992 (bmo#775009)
Spoofing and script injection through location.hash
* MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/
CVE-2012-4181/CVE-2012-4182/CVE-2012-4183
Use-after-free, buffer overflow, and out of bounds read issues
found using Address Sanitizer
* MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/
CVE-2012-4188
Heap memory corruption issues found using Address Sanitizer
* MFSA 2012-87/CVE-2012-3990 (bmo#787704)
Use-after-free in the IME State Manager
- update Enigmail to version 1.4.5
* Sun Aug 26 2012 wr@rosenauer.org
- update to Thunderbird 15.0 (bnc#777588)
* MFSA 2012-57/CVE-2012-1970
Miscellaneous memory safety hazards
* MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975
CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959
CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964
Use-after-free issues found using Address Sanitizer
* MFSA 2012-59/CVE-2012-1956 (bmo#756719)
Location object can be shadowed using Object.defineProperty
* MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793)
Memory corruption with bitmap format images with negative height
* MFSA 2012-62/CVE-2012-3967/CVE-2012-3968
WebGL use-after-free and memory corruption
* MFSA 2012-63/CVE-2012-3969/CVE-2012-3970
SVG buffer overflow and use-after-free issues
* MFSA 2012-64/CVE-2012-3971
Graphite 2 memory corruption
* MFSA 2012-65/CVE-2012-3972 (bmo#746855)
Out-of-bounds read in format-number in XSLT
* MFSA 2012-68/CVE-2012-3975 (bmo#770684)
DOMParser loads linked resources in extensions when parsing
text/html
* MFSA 2012-70/CVE-2012-3978 (bmo#770429)
Location object security checks bypassed by chrome code
* MFSA 2012-72/CVE-2012-3980 (bmo#771859)
Web console eval capable of executing chrome-privileged code
- update Enigmail to 1.4.4
* Sun Jul 29 2012 aj@suse.de
- Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16)
* Sun Jul 15 2012 wr@rosenauer.org
- update to Thunderbird 14.0 (bnc#771583)
* MFSA 2012-42/CVE-2012-1949/CVE-2012-1948
Miscellaneous memory safety hazards
* MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952
Gecko memory corruption
* MFSA 2012-45/CVE-2012-1955 (bmo#757376)
Spoofing issue with location
* MFSA 2012-47/CVE-2012-1957 (bmo#750096)
Improper filtering of javascript in HTML feed-view
* MFSA 2012-48/CVE-2012-1958 (bmo#750820)
use-after-free in nsGlobalWindow::PageHidden
* MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559)
Same-compartment Security Wrappers can be bypassed
* MFSA 2012-50/CVE-2012-1960 (bmo#761014)
Out of bounds read in QCMS
* MFSA 2012-51/CVE-2012-1961 (bmo#761655)
X-Frame-Options header ignored when duplicated
* MFSA 2012-52/CVE-2012-1962 (bmo#764296)
JSDependentString::undepend string conversion results in memory
corruption
* MFSA 2012-53/CVE-2012-1963 (bmo#767778)
Content Security Policy 1.0 implementation errors cause data
leakage
* MFSA 2012-56/CVE-2012-1967 (bmo#758344)
Code execution through javascript: URLs
* relicensed to MPL-2.0
- update Enigmail to 1.4.3
* Thu Jul 05 2012 adrian@suse.de
- no crashreport on %arm, fixing build
* Fri Jun 15 2012 wr@rosenauer.org
- update to Thunderbird 13.0.1
* bugfix release
* Sat Jun 02 2012 wr@rosenauer.org
- update to Thunderbird 13.0 (bnc#765204)
* MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
Miscellaneous memory safety hazards
* MFSA 2012-36/CVE-2012-1944 (bmo#751422)
Content Security Policy inline-script bypass
* MFSA 2012-37/CVE-2012-1945 (bmo#670514)
Information disclosure though Windows file shares and shortcut
files
* MFSA 2012-38/CVE-2012-1946 (bmo#750109)
Use-after-free while replacing/inserting a node in a document
* MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
Buffer overflow and use-after-free issues found using Address
Sanitizer
- require NSS 3.13.4
* MFSA 2012-39/CVE-2012-0441 (bmo#715073)
- fix build with system NSPR (mozilla-system-nspr.patch)
- add dependentlibs.list for improved XRE startup
- update enigmail to 1.4.2
* Wed May 16 2012 wr@rosenauer.org
- reenabled crashreporter for Factory/12.2
(fix in mozilla-gcc47.patch)
* Mon Apr 30 2012 wr@rosenauer.org
- update to Thunderbird 12.0.1
* fix regressions
- POP3 filters (bmo#748090)
- Message Body not loaded when using "Fetch Headers Only"
(bmo#748865)
- Received messages contain parts of other messages with
movemail account (bmo#748726)
- New mail notification issue (bmo#748997)
- crash in nsMsgDatabase::MatchDbName (bmo#748432)
* Fri Apr 27 2012 wr@rosenauer.org
- fixed build with gcc 4.7
* Sat Apr 21 2012 wr@rosenauer.org
- update to Thunderbird 12.0 (bnc#758408)
* MFSA 2012-20/CVE-2012-0467/CVE-2012-0468
Miscellaneous memory safety hazards
* MFSA 2012-22/CVE-2012-0469 (bmo#738985)
use-after-free in IDBKeyRange
* MFSA 2012-23/CVE-2012-0470 (bmo#734288)
Invalid frees causes heap corruption in gfxImageSurface
* MFSA 2012-24/CVE-2012-0471 (bmo#715319)
Potential XSS via multibyte content processing errors
* MFSA 2012-25/CVE-2012-0472 (bmo#744480)
Potential memory corruption during font rendering using cairo-dwrite
* MFSA 2012-26/CVE-2012-0473 (bmo#743475)
WebGL.drawElements may read illegal video memory due to
FindMaxUshortElement error
* MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307)
Page load short-circuit can lead to XSS
* MFSA 2012-28/CVE-2012-0475 (bmo#694576)
Ambiguous IPv6 in Origin headers may bypass webserver access
restrictions
* MFSA 2012-29/CVE-2012-0477 (bmo#718573)
Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
* MFSA 2012-30/CVE-2012-0478 (bmo#727547)
Crash with WebGL content using textImage2D
* MFSA 2012-31/CVE-2011-3062 (bmo#739925)
Off-by-one error in OpenType Sanitizer
* MFSA 2012-32/CVE-2011-1187 (bmo#624621)
HTTP Redirections and remote content can be read by javascript errors
* MFSA 2012-33/CVE-2012-0479 (bmo#714631)
Potential site identity spoofing when loading RSS and Atom feeds
- update Enigmail to 1.4.1
- added mozilla-revert_621446.patch
- added mozilla-libnotify.patch (bmo#737646)
- added mailnew-showalert.patch (bmo#739146)
- added mozilla-gcc47.patch and mailnews-literals.patch to fix
compilation issues with recent gcc 4.7
- disabled crashreporter temporarily for Factory (gcc 4.7 issue)
* Tue Mar 27 2012 wr@rosenauer.org
- update to Thunderbird 11.0.1 (bnc#755060)
* Fixing an issue where filters can get messed up (bmo#735940)
* Fixes a hang when switching IMAP folders, or doing other
imap functions (bmo#733731)
* Fri Mar 09 2012 wr@rosenauer.org
- update to Thunderbird 11.0 (bnc#750044)
* MFSA 2012-13/CVE-2012-0455 (bmo#704354)
XSS with Drag and Drop and Javascript: URL
* MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103)
SVG issues found with Address Sanitizer
* MFSA 2012-15/CVE-2012-0451 (bmo#717511)
XSS with multiple Content Security Policy headers
* MFSA 2012-16/CVE-2012-0458
Escalation of privilege with Javascript: URL as home page
* MFSA 2012-17/CVE-2012-0459 (bmo#723446)
Crash when accessing keyframe cssText after dynamic modification
* MFSA 2012-18/CVE-2012-0460 (bmo#727303)
window.fullScreen writeable by untrusted content
* MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/
CVE-2012-0463
Miscellaneous memory safety hazards
- update enigmail to 1.4
- added KDE integration patches (bnc#749440)
* Mon Feb 27 2012 jslaby@suse.de
- update enigmail to 1.3.99 (1.4a1pre)
* Thu Feb 16 2012 wr@rosenauer.org
- update to Thunderbird 10.0.2 (bnc#747328)
* CVE-2011-3026 (bmo#727401)
libpng: integer overflow leading to heap-buffer overflow
* Thu Feb 09 2012 wr@rosenauer.org
- update to version 10.0.1 (bnc#746616)
* MFSA 2012-10/CVE-2012-0452 (bmo#724284)
use after free in nsXBLDocumentInfo::ReadPrototypeBindings
- Use YARR interpreter instead of PCRE on platforms where YARR JIT
is not supported, since PCRE doesnt build (bmo#691898)
- fix ppc64 build (bmo#703534)
* Sun Jan 29 2012 wr@rosenauer.org
- update to version 10.0 (bnc#744275)
* MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
Miscellaneous memory safety hazards
* MFSA 2012-03/CVE-2012-0445 (bmo#701071)
<iframe> element exposed across domains via name attribute
* MFSA 2012-04/CVE-2011-3659 (bmo#708198)
Child nodes from nsDOMAttribute still accessible after removal
of nodes
* MFSA 2012-05/CVE-2012-0446 (bmo#705651)
Frame scripts calling into untrusted objects bypass security
checks
* MFSA 2012-06/CVE-2012-0447 (bmo#710079)
Uninitialized memory appended when encoding icon images may
cause information disclosure
* MFSA 2012-07/CVE-2012-0444 (bmo#719612)
Potential Memory Corruption When Decoding Ogg Vorbis files
* MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
Crash with malformed embedded XSLT stylesheets
- update enigmail to 1.3.5
- added mozilla-disable-neon-option.patch to be able to disable
neon on ARM
- removed obsolete PPC64 patch
* Sun Dec 18 2011 wr@rosenauer.org
- update to version 9.0 (bnc#737533)
* MFSA 2011-53/CVE-2011-3660
Miscellaneous memory safety hazards (rv:9.0)
* MFSA 2011-54/CVE-2011-3661 (bmo#691299)
Potentially exploitable crash in the YARR regular expression
library
* MFSA 2011-55/CVE-2011-3658 (bmo#708186)
nsSVGValue out-of-bounds access
* MFSA 2011-56/CVE-2011-3663 (bmo#704482)
Key detection without JavaScript via SVG animation
* MFSA 2011-58/VE-2011-3665 (bmo#701259)
Crash scaling <video> to extreme sizes
- fixed accessibility under GNOME 3 (bnc#732898)
(mozilla-a11y.patch)
- do not show update channel in about box
(tb-no-update-channel.patch)
* Sun Dec 04 2011 wr@rosenauer.org
- update enigmail to 1.3.4 (bnc#733002)
* fixes several regressions from previous release
* Mon Nov 21 2011 wr@rosenauer.org
- do not disable system addons
- fixed enigmail localizations
* Mon Nov 21 2011 dvaleev@suse.com
- fix powerpc build
- disable crashreporter on ppc and ppc64
* Mon Nov 07 2011 wr@rosenauer.org
- update to version 8.0 (bnc#728520)
* MFSA 2011-47/CVE-2011-3648 (bmo#690225)
Potential XSS against sites using Shift-JIS
* MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
Miscellaneous memory safety hazards
* MFSA 2011-49/CVE-2011-3650 (bmo#674776)
Memory corruption while profiling using Firebug
* MFSA 2011-52/CVE-2011-3655 (bmo#672182)
Code execution via NoWaiverWrapper
- rebased patches
- update enigmail to 1.3.3
- update icon cache after install/removal (bnc#726758)
* Fri Sep 30 2011 wr@rosenauer.org
- update to minor version 7.0.1
* fixed staged addon updates
* Disabled the what's new tab for updaters from 7.0 (bmo#690290)
* Insert Characters & Symbols fix (bmo#690267)
* Mon Sep 26 2011 wr@rosenauer.org
- update to version 7.0 (bnc#720264)
* MFSA 2011-36
Miscellaneous memory safety hazards
* MFSA 2011-39/CVE-2011-3000 (bmo#655389)
Defense against multiple Location headers due to CRLF Injection
* MFSA 2011-40/CVE-2011-2372/CVE-2011-3001
Code installation through holding down Enter
* MFSA 2011-42/CVE-2011-3232
Potentially exploitable crash in the YARR regular expression
library
* MFSA 2011-44/CVE-2011-3005 (bmo#675747)
Use after free reading OGG headers
- removed obsolete mozilla-cairo-lcd.patch
* Tue Sep 13 2011 wr@rosenauer.org
- update enigmail to 1.3.2 (no changelog available)
- add dbus-1-glib-devel to BuildRequires (not pulled automatically
anymore with 12.1)
* Fri Sep 09 2011 wr@rosenauer.org
- make enigmail a subversion of Thunderbird to fix %release
number tracking issues with the Open Build Service
(taken from dmueller's 3.1.x changes)
* Wed Sep 07 2011 pcerny@suse.com
- security update to 6.0.2 (bnc#714931)
* Complete blocking of certificates issued by DigiNotar
(bmo#683449)
* Fri Sep 02 2011 pcerny@suse.com
- security update to 6.0.1 (bnc#714931)
* MFSA 2011-34
Protection against fraudulent DigiNotar certificates
(bmo#682927)
* Wed Aug 17 2011 jslaby@suse.de
- update enigmail to 1.3 final
* Fri Aug 12 2011 wr@rosenauer.org
- update to version 6.0 (bnc#712224)
including security fixes MFSA 2011-31
* CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985
Miscellaneous memory safety hazards
* CVE-2011-2988 (bmo#665936)
String crash using WebGL shaders
* CVE-2011-2987 (bmo#665934)
Heap overflow in ANGLE library
* CVE-2011-0084 (bmo#648094)
Crash in SVGTextElement.getCharNumAtPosition()
* CVE-2011-2986 (bmo#655836)
Cross-origin data theft using canvas and Windows D2D
- add mozilla-curl.patch to remove dependencies to obsolete curl
header
* Sat Jul 30 2011 jslaby@suse.de
- update enigmail to 1.2.99 (1.3a1pre)
* Fri Jul 29 2011 wr@rosenauer.org
- update to version 6.0b2
* removed obsolete patches
- mozilla-gio.patch
- thunderbird-gio.patch
- fix symbol dumper for linux3 platform
* Sat Jul 09 2011 wr@rosenauer.org
- update to version 5.0
- update enigmail to version 1.2
- improved logic for the launcher command
- enable gio usage (instead of gnomevfs) for 11.4 and newer
- build dump_syms dynamic to build on 12.1 and above
* Mon Jun 20 2011 wr@rosenauer.org
- security update to version 3.1.11 (bnc#701296)
* MFSA 2011-19/CVE-2011-2374 CVE-2011-2376 CVE-2011-2364
CVE-2011-2365
Miscellaneous memory safety hazards
* MFSA 2011-20/CVE-2011-2373 (bmo#617247)
Use-after-free vulnerability when viewing XUL document with
script disabled
* MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303)
Memory corruption due to multipart/x-mixed-replace images
* MFSA 2011-22/CVE-2011-2371 (bmo#664009)
Integer overflow and arbitrary code execution in
Array.reduceRight()
* MFSA 2011-23/CVE-2011-0083 CVE-2011-0085 CVE-2011-2363
Multiple dangling pointer vulnerabilities
* MFSA 2011-24/CVE-2011-2362 (bmo#616264)
Cookie isolation error
- speed up find-external-requires.sh
- do not build dump_syms static as it is not needed for us
- > fixes build for 12.1 and above
* Fri Apr 15 2011 wr@rosenauer.org
- security update to version 3.1.10 (bnc#689281)
* MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0072
CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078
CVE-2011-0080 CVE-2011-0081
Miscellaneous memory safety hazards
* Fri Mar 25 2011 idoenmez@novell.com
- Add mozilla-gcc46.patch: fix compilation with gcc 4.6
See the following bug reports:
https://bugzilla.mozilla.org/show_bug.cgi?id=623116
https://bugzilla.mozilla.org/show_bug.cgi?id=623123
https://bugzilla.mozilla.org/show_bug.cgi?id=623126
https://bugzilla.mozilla.org/show_bug.cgi?id=628371
* Tue Feb 22 2011 wr@rosenauer.org
- security update to version 3.1.8 (build3) (bnc#667155)
* MFSA 2011-01/CVE-2011-0053/CVE-2011-0062
Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)
* MFSA 2011-08/CVE-2010-1585 (bmo#562547)
ParanoidFragmentSink allows javascript: URLs in chrome documents
* MFSA 2011-09/CVE-2011-0061 (bmo#610601)
Crash caused by corrupted JPEG image
* Thu Jan 13 2011 wr@rosenauer.org
- rename desktop file for 11.4 and above (bnc#664211)
* Mon Jan 10 2011 wr@rosenauer.org
- add x-scheme-handler/mailto as mimetype to the desktop file
as needed by newer Gnome environment
* Mon Nov 29 2010 wr@rosenauer.org
- security update to version 3.1.7 (bnc#657016)
* MFSA 2010-74/CVE-2010-3776/CVE-2010-3777/CVE-2010-3778
Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)
* MFSA 2010-75/CVE-2010-3769 (bmo#608336)
Buffer overflow while line breaking after document.write with
long string
* MFSA 2010-78/CVE-2010-3768 (bmo#527276)
Add support for OTS font sanitizer
- provide versioned "thunderbird" symbol
* Wed Oct 27 2010 wr@rosenauer.org
- security update to version 3.1.6 (bnc#649492)
* MFSA 2010-73/CVE-2010-3765 (bmo#607222)
Heap buffer overflow mixing document.write and DOM insertion
* Wed Oct 06 2010 wr@rosenauer.org
- security update to version 3.1.5 (bnc#645315)
* MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176
Miscellaneous memory safety hazards
* MFSA 2010-65/CVE-2010-3179 (bmo#583077)
Buffer overflow and memory corruption using document.write
* MFSA 2010-66/CVE-2010-3180 (bmo#588929)
Use-after-free error in nsBarProp
* MFSA 2010-67/CVE-2010-3183 (bmo#598669)
Dangling pointer vulnerability in LookupGetterOrSetter
* MFSA 2010-69/CVE-2010-3178 (bmo#576616)
Cross-site information disclosure via modal calls
* MFSA 2010-70/CVE-2010-3170 (bmo#578697)
SSL wildcard certificate matching IP addresses
* MFSA 2010-71/CVE-2010-3182 (bmo#590753, bnc#642502)
Unsafe library loading vulnerabilities
* MFSA 2010-72/CVE-2010-3173
Insecure Diffie-Hellman key exchange
* new extra locales
* removed upstreamed mozilla-helper-app.patch
- require mozilla-nss >= 3.12.8
* Wed Sep 15 2010 wr@rosenauer.org
- update to version 3.1.4
* fixing startup topcrash
* Mon Aug 30 2010 wr@rosenauer.org
- security update to version 3.1.3 (bnc#637303)
* MFSA 2010-49/CVE-2010-3169
Miscellaneous memory safety hazards
* MFSA 2010-50/CVE-2010-2765 (bmo#576447)
Frameset integer overflow vulnerability
* MFSA 2010-51/CVE-2010-2767 (bmo#584512)
Dangling pointer vulnerability using DOM plugin array
* MFSA 2010-53/CVE-2010-3166 (bmo#579655)
Heap buffer overflow in nsTextFrameUtils::TransformText
* MFSA 2010-54/CVE-2010-2760 (bmo#585815)
Dangling pointer vulnerability in nsTreeSelection
* MFSA 2010-55/CVE-2010-3168 (bmo#576075)
XUL tree removal crash and remote code execution
* MFSA 2010-56/CVE-2010-3167 (bmo#576070)
Dangling pointer vulnerability in nsTreeContentView
* MFSA 2010-57/CVE-2010-2766 (bmo#580445)
Crash and remote code execution in normalizeDocument
* MFSA 2010-59/CVE-2010-2762 (bmo#584180)
SJOW creates scope chains ending in outer object
* MFSA 2010-61/CVE-2010-2768 (bmo#579744)
UTF-7 XSS by overriding document charset using <object> type
attribute
* MFSA 2010-62/CVE-2010-2769 (bmo#520189)
Copy-and-paste or drag-and-drop into designMode document allows
XSS
* MFSA 2010-63/CVE-2010-2764 (bmo#552090)
Information leak via XMLHttpRequest statusText
- ESD notification sound fix included upstream
* Mon Aug 30 2010 wr@rosenauer.org
- fixed build with latest Gnome
(mozilla-gdk-pixbuf.patch)
* Sat Jul 24 2010 wr@rosenauer.org
- update to version 3.1.1
* based on the Gecko 1.9.2 platform
* Faster Search Results
* Quick Filter Toolbar
* New Migration Assistant
* Saved Files Manager
- update to enigmail 1.1.2
- enable crashreporter and package buildsymbols
- fixed esd sound output (notifications) (bmo#576365)
* Fri Jul 16 2010 wr@rosenauer.org
- security update to 3.0.6 (bnc#622506)
* MFSA 2010-34/CVE-2010-1211/CVE-2010-1212
Miscellaneous memory safety hazards
* MFSA 2010-39/CVE-2010-2752 (bmo#574059)
nsCSSValue::Array index integer overflow
* MFSA 2010-40/CVE-2010-2753 (bmo#571106)
nsTreeSelection dangling pointer remote code execution
vulnerability
* MFSA 2010-41/CVE-2010-1205 (bmo#570451)
Remote code execution using malformed PNG image
* MFSA 2010-42/CVE-2010-1213 (bmo#568148)
Cross-origin data disclosure via Web Workers and importScripts
* MFSA 2010-46/CVE-2010-0654 (bmo#524223)
Cross-domain data theft using CSS
* MFSA 2010-47/CVE-2010-2754 (bmo#568564)
Cross-origin data leakage from script filename in error messages
* Fri May 21 2010 wr@rosenauer.org
- security update to 3.0.5 (bnc#603356)
* MFSA 2010-25/CVE-2010-1121 (bmo#555109)
Re-use of freed object due to scope confusion
* MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/
CVE-2010-1203
Crashes with evidence of memory corruption (rv:1.9.1.10)
* MFSA 2010-29/CVE-2010-1196 (bmo#534666)
Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
* MFSA 2010-30/CVE-2010-1199 (bmo#554255)
Integer Overflow in XSLT Node Sorting
* Mon Apr 12 2010 wr@rosenauer.org
- do not encode the RPM release number into the useragent
to avoid non useful republishing (bnc#593807)
* Wed Mar 17 2010 wr@rosenauer.org
- security update to 3.0.4 (bnc#586567)
* MFSA 2010-16/CVE-2010-0173/CVE-2010-0174
Crashes with evidence of memory corruption
* MFSA 2010-17/CVE-2010-0175 (bmo#540100,375928)
Remote code execution with use-after-free in nsTreeSelection
* MFSA 2010-18/CVE-2010-0176 (bmo#538308)
Dangling pointer vulnerability in nsTreeContentView
* MFSA 2010-22/CVE-2009-3555 (bmo#545755)
Update NSS to support TLS renegotiation indication
* MFSA 2010-24/CVE-2010-0182 (bmo#490790)
XMLDocument::load() doesn't check nsIContentPolicy
* Sun Feb 28 2010 wr@rosenauer.org
- update to 3.0.3
* Fix for missing folders or empty folder pane after updating
to Thunderbird 3.0.2
* Fri Feb 26 2010 wr@rosenauer.org
- security update to 3.0.2 (bnc#576969)
* MFSA 2010-01/CVE-2010-0159
Crashes with evidence of memory corruption
* MFSA 2010-03/CVE-2009-1571
Use-after-free crash in HTML parser
* various stability improvements
- update enigmail to 1.0.1
* Czech, Dutch, Polish and Portuguese (Brazilian) languages
were added to the release.
* there are several fixes related using OpenPGP Smartcards
- use system hunspell again (bnc#582276)
* Mon Jan 11 2010 wr@rosenauer.org
- update to 3.0.1
* fixed UI issues related to some combinations of installed addons
(bmo#398702)
- fixed session restore (bnc#528406, bmo#508986)
- removed obsolete lightning stuff from spec file
- removed obsolete orbit-devel build requirement
* Mon Dec 07 2009 wr@rosenauer.org
- update to 3.0 (bnc#559819)
- update enigmail to final version 1.0.0
- use --disable-updater and removed obsolete UI patch and
pref changes
- use internal cairo up to 11.1 (Gecko now requires at least 1.8.8)
- added mozilla-clipboard.patch fixing a common crash (bmo#495392)
- removed upstreamed patch thunderbird-cs-smtpauth.patch
* Wed Oct 07 2009 wr@rosenauer.org
- fixed startup-notification (bnc#518603)
(mozilla-startup-notification.patch)
* Tue Sep 29 2009 wr@rosenauer.org
- fixed CS locale to allow SMTP AUTH sending of mails (bnc#542809)
* Tue Sep 15 2009 wr@rosenauer.org
- update to 3.0b4
* removed upstreamed patches
* based on Gecko 1.9.1.3 (inheriting security fixes)
* new global search
* Tue Aug 25 2009 wr@rosenauer.org
- reversioned enigmail to 0.96.99 (as it's actually 0.97a and 0.96
has been released already)
- fixed RPM group for the translation subpackages
* Fri Aug 21 2009 wr@rosenauer.org
- remove obsolete code for protocol handlers (bmo#389732)
(mozilla-protocol_handler.patch)
- new enigmail snapshot (20090813)
- require pinentry-gui for 11.2 and up (bnc#441084)
* Sun Aug 09 2009 wr@rosenauer.org
- Gtk filechooser allows alternative button order (as used in KDE)
(bnc#527418)
- translations{,-common} package doesn't provide en-US
- split translations into -common and -other packages (bnc#529180)
* Tue Jul 28 2009 wr@rosenauer.org
- fixed wrong %exclude by removing unwanted files at %install stage
* Fri Jul 17 2009 wr@rosenauer.org
- major update to 3.0b3
- update enigmail to 0.96pre
- created enigmail subpackage and install to system wide location
for Thunderbird and SeaMonkey
- define MOZ_APP_LAUNCHER for session management (bmo#453689)
(mozilla-app-launcher.patch and mozilla.sh.in)
- move opensuse.js prefs to all-opensuse.js prefs to be able
to override prefs in all-thunderbird.js
- move intl.locale.matchOS to all-opensuse.js
- added mozilla-jemalloc_deepbind.patch to fix various possible
crashes (bnc#503151, bmo#493541)
* Fri Jun 19 2009 coolo@novell.com
- disable as-needed for this package as it fails to build with it
* Tue Jun 02 2009 wr@rosenauer.org
- Fixed build issue for gcc 4.4 (mozilla-gcc44.patch)
* Wed Mar 18 2009 wr@rosenauer.org
- security update to version 2.0.0.21 (bnc#484321)
* MFSA 2009-07/CVE-2009-0771, CVE-2009-0772, CVE-2009-0773
CVE-2009-0774:
Crashes with evidence of memory corruption (rv:1.9.0.7)
* MFSA 2009-09/CVE-2009-0776:
XML data theft via RDFXMLDataSource and cross-domain redirect
* MFSA 2009-10/CVE-2009-0040:
Upgrade PNG library to fix memory safety hazards
* Fri Jan 02 2009 hfiguiere@suse.de
- Review and approve changes.
* Wed Dec 31 2008 wr@rosenauer.org
- security update to version 2.0.0.19 (bnc#455804)
+ MFSA 2008-68/CVE-2008-5511 and CVE-2008-5512: XSS and JavaScript
privilege escalation
+ MFSA 2008-67/CVE-2008-5510: Escaped null characters ignored by
CSS parser
+ MFSA 2008-66/CVE-2008-5508: Errors parsing URLs with leading
whitespace and control characters
+ MFSA 2008-65/CVE-2008-5507: Cross-domain data theft via script
redirect error message
+ MFSA 2008-64/CVE-2008-5506: XMLHttpRequest 302 response disclosure
+ MFSA 2008-61/CVE-2008-5503: Information stealing via loadBindingDocument
+ MFSA 2008-60/CVE-2008-5500, CVE-2008-5501 and CVE-2008-5502:
Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
- improved mozilla-shared-nss-db.patch and
mozilla-system-hunspell.patch to be able to apply them
unconditionally
* Fri Nov 21 2008 wr@rosenauer.org
- Add mozilla-shared-nss-db.patch which allows migrating to and
sharing with other applications using NSS
(same functionality as in xulrunner/firefox)
(can be disabled completely exporting MOZ_TB_NO_NSSHELPER=1)
* Fri Nov 21 2008 maw@suse.de
- Review and approve changes.
* Thu Nov 13 2008 wr@rosenauer.org
- security update to version 2.0.0.18 (bnc#439841)
* MFSA 2008-48 / CVE-2008-5012
Image stealing via canvas and HTTP redirect
* MFSA 2008-50 / CVE-2008-5014 (bmo#436741)
Crash and remote code execution via __proto__ tampering
* MFSA 2008-52 / CVE-2008-5016 / CVE-2008-5017 / CVE-2008-5018
Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
* MFSA 2008-55 / CVE-2008-5021 (bmo#456896)
Crash and remote code execution in nsFrameManager
* MFSA 2008-56 / CVE-2008-5022 (bmo#460002)
nsXMLHttpRequest::NotifyEventListeners() same-origin violation
* MFSA 2008-58 / CVE-2008-5024 (bmo#453915)
Parsing error in E4X default namespace
* Wed Oct 15 2008 maw@suse.de
- Review and approve changes.
* Wed Oct 08 2008 wr@rosenauer.org
- use system hunspell from 11.0 on (bnc#385739)
- remove more executable bits from non-executable files
* Tue Sep 23 2008 wr@rosenauer.org
- security update to version 2.0.0.17 (bnc#429179)
* MFSA 2008-37 / CVE-2008-0016
UTF-8 URL stack buffer overflow
* MFSA 2008-38 / CVE-2008-3835
nsXMLDocument::OnChannelRedirect() same-origin violation
* MFSA 2008-41 / CVE-2008-4058 / CVE-2008-4059 / CVE-2008-4060
Privilege escalation via XPCnativeWrapper pollution
* MFSA 2008-42 / CVE-2008-4061 / CVE-2008-4062 / CVE-2008-4063
CVE-2008-4064
Crashes with evidence of memory corruption
* MFSA 2008-43 / CVE-2008-4065 / CVE-2008-4066
BOM characters, low surrogates stripped from JavaScript before
execution
* MFSA 2008-44 / CVE-2008-4067 / CVE-2008-4068
resource: traversal vulnerabilities
* MFSA 2008-46 / CVE-2008-4070
Heap overflow when canceling newsgroup message
* Mon Sep 15 2008 wr@rosenauer.org
- fixed undefined operation in nsMailboxService.cpp (abuild.patch)
- cleanup spec a bit while merging from OBS/mozilla
* forwarding old fixes to cups-paper.patch, mozilla.sh.in and
add-plugins.sh (were fixed long ago in the OBS repo)
* Thu Sep 11 2008 mauro@suse.de
- Update to 2.0.0.16 (fixed bnc#417869), fixes:
+ MFSA 2008-34 Remote code execution by overflowing CSS
reference counter
+ MFSA 2008-33 Crash and remote code execution in block reflow
+ MFSA 2008-31 Peer-trusted certs can use alt names to spoof
+ MFSA 2008-29 Faulty .properties file results in uninitialized
memory being used
+ MFSA 2008-26 Buffer length checks in MIME processing
+ MFSA 2008-25 Arbitrary code execution in
mozIJSSubScriptLoader.loadSubScript()
+ MFSA 2008-24 Chrome script loading from fastload file
+ MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)
* Wed Jul 23 2008 schwab@suse.de
- Remove unused includes.
* Tue Jun 24 2008 maw@suse.de
- Security update to version 2.0.0.14 (bnc#390992):
+ MFSA 2008-15 / CVE-2008-1236 and CVE-2008-1237: Crashes with
evidence of memory corruption (rv:1.8.1.13)
+ MFSA 2008-14 / CVE-2008-1233, CVE-2008-1234, and CVE-2008-1235:
JavaScript privilege escalation and arbitrary code execution
- Drop the following patches: thunderbird-2.0.0.14-backports.patch,
mozilla-missing-decl.patch, and unused-includes.patch
- Respin mozilla-gcc4.3-fixes.patch.
* Fri May 30 2008 maw@suse.de
- Add thunderbird-2.0.0.14-backports.patch (bnc390992).
* Fri May 16 2008 schwab@suse.de
- Remove unused includes.
* Mon Mar 24 2008 maw@suse.de
- Add mozilla-missing-decl.patch, which is necessary when building
against new versions of mozilla-nss (bmo#399589).
* Fri Mar 07 2008 maw@suse.de
- Security update to version 2.0.0.12 (bnc#354469)
* MFSA 2008-12 Buffer overflow in external MIME bodies
- Replace mozilla-maxpathlen.patch with mozilla-path_len.patch, for
consistency's sake.
* Thu Jan 17 2008 maw@suse.de
- Add mozilla-maxpathlen.patch (#354150 and bmo #412610).
* Tue Jan 15 2008 maw@suse.de
- Merge changes from the build service (thanks, Wolfgang)
- Update to version 2.0.9.9 (MFSA 2007-29)
- Update enigmail to version 0.95.6
- Add a -devel subpackage
- Various fixes to enable building with gcc 4.3.
* Tue Nov 13 2007 maw@suse.de
- Add thunderbird-gcc4.3-fixes.patch
- Add visibility.patch.
* Thu Sep 13 2007 cthiel@suse.de
- recommend gpg instead of requireing a fixed path
* Wed Sep 12 2007 maw@suse.de
- Added gpg/pinentry requirements (#309160).
* Mon Sep 03 2007 maw@suse.de
- Don't run %fdupes on directories where multiple partitions
are liable to be mounted.
* Mon Sep 03 2007 maw@suse.de
- Merge some changes from the build service (thanks, Wolfgang):
+ Provide locale info (#302288)
+ Update releasedate
- Uncomment %clean.
* Tue Aug 21 2007 maw@suse.de
- Use %fdupes.
* Tue Aug 21 2007 maw@suse.de
- Merge updates from the build service:
- Update to security release 2.0.0.6:
* MFSA 2007-26 Privilege escalation through chrome-loaded
about:blank windows
* MFSA 2007-27 Unescaped URIs passed to external programs
- Update enigmail to version 0.95.3.
* Wed Aug 15 2007 maw@suse.de
- On x86_64, s390, and s390x, deactivate the hidden visibility
support, thereby fixing the build.
* Wed Jul 25 2007 maw@suse.de
- Security update to version 2.0.0.5 (#288115)
- This new release has fixes for:
MFSA 2007-18
CVE-2007-3734 - Browser flaws
CVE-2007-3735 - Javascript flaws
MFSA 2007-19
CVE-2007-3736
MFSA 2007-20
CVE-2007-3089
MFSA 2007-21
CVE-2007-3737
MFSA 2007-22
CVE-2007-3285
MFSA 2007-23
CVE-2007-3670
MFSA 2007-24
CVE-2007-3656
MFSA 2007-25
CVE-2007-3738
- Update to enigmail 0.95.2.
* Thu Jun 21 2007 adrian@suse.de
- fix changelog entry order
* Fri Jun 15 2007 maw@suse.de
- Merge update to 2.0.0.4 from the build service (thanks, Wolfgang)
- Remove some commented out stuff.
* Wed Jun 13 2007 wr@rosenauer.org
- update to maintenance release 2.0.0.4
- update enigmail to 0.95.1
- adopted patches:
* fixed cups-paper.patch (copied from FF)
* removed obsolete visibility.patch
* Tue Jun 12 2007 maw@suse.de
- Merge chagnges from the build service (thanks, Wolfgang)
- Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2 as
before.
* Tue Jun 05 2007 maw@suse.de
- Security update to version 1.5.0.12 (#271197).
* Tue Jun 05 2007 sbrabec@suse.cz
- Removed invalid desktop category "Application" (#254654).
* Thu Apr 19 2007 wr@rosenauer.org
- update to final version 2.0.0.0
(http://www.mozilla.com/en-US/thunderbird/2.0.0.0/releasenotes/)
- update enigmail to 0.95.0
* Wed Apr 18 2007 mfabian@suse.de
- add Japanese to the languages which get PANGO enabled in the
start script to support the Japanese combining characters
U+3099 U+309A (see bugzilla #262718 comment #29).
* Thu Apr 12 2007 wr@rosenauer.org
- update to 2.0.0.0rc1
- enabled translations package
* Fri Mar 30 2007 wr@rosenauer.org
- update to snapshot 2.0.0.0pre-20070329
- security update enigmail 0.94.3
(Bugtraq #22758)
* Fri Mar 30 2007 meissner@suse.de
- require unzip
* Tue Mar 13 2007 wr@rosenauer.org
- update to snapshot 2.0pre-20060312
- removed implicit NSS version dependency
* Thu Mar 08 2007 meissner@suse.de
- Upgraded to 1.5.0.10 security release.
- Upgraded to enigmail 0.94.2.
* Thu Feb 15 2007 wr@rosenauer.org
- update to snapshot 2.0beta2-20060214
- fixed build on SLES9
* Mon Feb 05 2007 wr@rosenauer.org
- fixed check in add-plugins.sh (#242237)
* Tue Jan 30 2007 maw@suse.de
- Add thunderbird-1.5.0.8-uninitalized-vars-232305.patch (#232305).
* Thu Jan 18 2007 maw@suse.de
- Add undefined-ops.patch, silencing some warnings.
* Thu Nov 09 2006 jhargadon@suse.de
- security update to version 1.5.0.8
* Tue Sep 12 2006 stark@suse.de
- security update to version 1.5.0.7
* Mon Aug 14 2006 stark@suse.de
- update enigmail to 0.94.1
* Added support for signing attachments with inline-PGP
- update mailredirect to 0.7.4
- added backend patch to allow replies to list with
ReplyToListThunderbirdExtension (#199125, bmo #45715)
- added mailnews.clobber_list_reply pref which switches
"Reply All" to "Reply List" functionality if set
* Thu Jul 27 2006 stark@suse.de
- security update to version 1.5.0.5 (#195043)
- fixed overwrite confirmation for GTK filesaver (#179531)
* Wed Jun 07 2006 stark@suse.de
- fixed up BuildRequires
* Fri Jun 02 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Fri Jun 02 2006 stark@suse.de
- update to security/stability release 1.5.0.4 (#179011)
(http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird)
* Mon May 15 2006 stark@suse.de
- update to version 1.5.0.2
- update mailredirect to 0.7.3
- save printer settings properly (#174082, bmo #324072)
- improved postscript output (bmo #334485)
- changed defaults for printer properties (#6534)
- get available paper sizes from CUPS (#65482)
* Sat Mar 18 2006 stark@suse.de
- translations package is suggested now by main package
- yet another set of upstream fixes (#148876)
* Sun Mar 12 2006 stark@suse.de
- added Khmer (km-*) to pango locales (#157397)
- yet another set of upstream fixes (#148876)
* Sat Mar 04 2006 stark@suse.de
- latest security fixes from upstream (#148876)
- show multiple Reply-To addresses (bmo #106189)
* Fri Feb 24 2006 stark@suse.de
- added GTK category to desktop-file
- dumpstack.patch is in upstream patches now
- get some more patches (#148876)
* Tue Feb 14 2006 stark@suse.de
- applied set of security patches (#148876)
* Tue Feb 07 2006 stark@suse.de
- fixed disabling of Pango (#148788)
* Thu Feb 02 2006 stark@suse.de
- defined gssapi lib explicitely (#147670)
* Wed Feb 01 2006 stark@suse.de
- removed additional CA certs from builtin NSS
- make it possible to choose $HOME as download directory
(#144894, bmo #300856)
- cleaned up BuildRequires
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Mon Jan 23 2006 stark@suse.de
- disable Pango if MOZ_ENABLE_PANGO is not set
and no typical language which needs Pango is used (#143428)
- preload libaoss for plugin sound (#117079)
- fix to ignore X composite extension (#135373)
* Wed Jan 18 2006 stark@suse.de
- added default (font) settings
- tweak useragent
- fixed DumpStackToFile() for glibc 2.4
* Thu Jan 12 2006 stark@suse.de
- update to 1.5 (20060111)
- added sytem extensions patch
- added XUL filechooser patch (MOZ_XUL_PICKER)
- update enigmail to 0.94.0
- use -fstack-protector where available
- use system NSS since CODE10
* Wed Dec 28 2005 stark@suse.de
- update to 1.5rc2 (20051227)
* Sun Dec 11 2005 stark@suse.de
- update to 1.5 (20051211)
- update enigmail to 0.93.2
* Tue Nov 29 2005 stark@suse.de
- update enigmail to 0.93.1
- added patch for GTK2 handling (#134831)
* Fri Nov 25 2005 stark@suse.de
- update to 1.5 (20051124)
* Fri Oct 28 2005 stark@suse.de
- update to latest 1.5 snapshot (20051027)
- added patch to be able to reply to and forward rfc822 messages
(bmo #204350)
- again don't provide and require NSS stuff
- removed disable-gconf patch (no registration needed in build
process anymore)
- added mailredirect extension
- removed update functionality
* Mon Oct 10 2005 stark@suse.de
- update to 1.5b2 (20051008)
- preinstall Enigmail (version 0.93.0) as global extension
- add all supported locales and use if installed
* Tue Oct 04 2005 stark@suse.de
- update to 1.5b2 (20051003) (RPM version 1.4.1)
- prerequire NSPR
- prepared translations subpackage
- fixed filelist
- fixed build with new gcc
* Wed Sep 21 2005 stark@suse.de
- update to 1.5b1 (20050920)
- added spellchecker integration with myspell (add-plugins.sh)
- removed aviary-install-global patch (not needed anymore, with
new EM)
- enabled pango font rendering (through cairo hopefully)
- fixed GNOME gconf registration (#117851)
* Sat Aug 20 2005 stark@suse.de
- workaround for linking with pangoxft and pangox
(broken by gtk 2.8 update) (#105764)
* Thu Aug 18 2005 stark@suse.de
- fixed Gdk-WARNING at startup (gtk.patch)
- fixed regression in profile locking change (bmo #303633)
- fixed crash with gtk 2.7 (bmo #300226, bnc #104586)
* Wed Aug 03 2005 stark@suse.de
- fixed profile locking (bmo #151188)
* Fri Jul 29 2005 stark@suse.de
- don't require and provide NSS libs (#98002)
* Fri Jul 22 2005 stark@suse.de
- fixed printing patch
* Tue Jul 19 2005 stark@suse.de
- added NSPR to PreReq
- disable stripping in specfile
* Fri Jul 15 2005 stark@suse.de
- update to 1.0.6 which restores API compatibility
- fixed width calculation in Postscript module (bmo #290292)
* Thu Jul 14 2005 stark@suse.de
- fixed filelist to include icon-file and startscript again
* Tue Jul 12 2005 stark@suse.de
- fixed remote usage behaviour in start script (bnc #41903)
- update to 1.0.5 security release
- fixed quoting patch
- moved desktop file to a Gnome independent location
- don't strip explicitely
- use RPM_OPT_FLAGS for NSS component
- fixed implicit declarations and uninitialized used variables
* Thu Apr 28 2005 stark@suse.de
- updated to current 1.0 branch version
- use static NSPR from other location
* Sat Apr 23 2005 stark@suse.de
- activate usage of system NSPR for distributions after 9.3
- add patch to be able to use systen NSPR at all
- extended desktop file
* Fri Apr 22 2005 ro@suse.de
- apply mozilla-gcc4.patch
* Wed Mar 23 2005 stark@suse.de
- update to 1.0.2
- use system NSPR on SUSE releases after 9.3
- made startscript PIS aware
- set g-application-name correctly (bmo #281979)
* Mon Mar 07 2005 stark@suse.de
- don't use gconfd in registration phase (#66381)
* Fri Feb 25 2005 stark@suse.de
- update to version 1.0.1
* Tue Feb 22 2005 stark@suse.de
- added patch to create Postscript level 2 (instead of 3)
(special thanks to Jungshik Shin)
- disabled freetype explicitly to be able to use the above patch
(freetype wasn't used anymore since some time anyway)
* Wed Feb 02 2005 stark@suse.de
- added a JS crasher fix (bmc #268535)
* Sat Jan 22 2005 stark@suse.de
- added some backported bugfixes
* Tue Dec 07 2004 stark@suse.de
- update to 1.0
- fixed extra lines in replies (bmo #144998)
- fixed build on s390/s390x
* Wed Nov 24 2004 stark@suse.de
- update to 20041123 snapshot
- inherit downloadFolder patch from Firefox
* Fri Nov 12 2004 stark@suse.de
- fixed chrome filelist
* Thu Nov 04 2004 stark@suse.de
- update to 0.9
- sync patch-set with firefox base
- fixed neededforbuild to get GNOME functionalities
* Fri Sep 17 2004 stark@suse.de
- added some missing fixes for official release
- synced add-plugins.sh
* Sat Sep 11 2004 stark@suse.de
- update to official 0.8 version (20040911)
- fixed enigmail config
* Mon Sep 06 2004 stark@suse.de
- fixed profile directory
* Fri Sep 03 2004 stark@suse.de
- update to thunderbird 0.8 (20040903)
- update enigmail to 0.86.0 and ipc to 1.0.8 (deactivated)
* Tue Aug 24 2004 stark@suse.de
- update to thunderbird 0.7.3
- update enigmail to 0.85.0 and ipc to 1.0.7
* Tue Jun 29 2004 stark@suse.de
- update to thunderbird 0.7.1
- update enigmail to 0.84.1
* Wed May 12 2004 ro@suse.de
- add some missing return values
* Mon May 03 2004 stark@suse.de
- update to Thunderbird 0.6 (based on 1.7rc1)
- use official branding for release builds
- added desktop-icon (#39139)
* Fri Apr 02 2004 stark@suse.de
- removing relocation of TEMP directory (#34391)
* Fri Mar 26 2004 uli@suse.de
- fixed hang during build on s390* (bug #35440)
* Sun Mar 07 2004 ro@suse.de
- match function declaration in enigmail mimedummy.cpp
* Fri Mar 05 2004 stark@suse.de
- more fixes for #35179
- added firefox as default handler for its protocols
- update enigmail to 0.83.4
* Wed Mar 03 2004 stark@suse.de
- removed unused patches for GTK2 build
* Sun Feb 29 2004 stark@suse.de
- improved start-script to interact with firefox and mozilla
(#35179)
* Fri Feb 27 2004 stark@suse.de
- update to 0.5
- spec-file cleanup
* Wed Oct 15 2003 stark@suse.de
- update to 0.3 (sync with mozilla 1.5)
* Tue Jul 15 2003 stark@suse.de
- initial package (snapshot 20030714)
/usr/lib64/thunderbird/extensions /usr/lib64/thunderbird/extensions/langpack-af@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-ast@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-be@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-bg@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-br@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-cak@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-cy@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-dsb@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-en-CA@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-es-MX@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-et@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-eu@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-fy-NL@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-gd@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-gl@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-he@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-hr@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-hsb@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-hy-AM@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-id@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-is@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-ka@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-kab@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-kk@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-lt@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-lv@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-ms@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-nn-NO@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-pa-IN@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-rm@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-ro@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-sk@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-sl@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-sq@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-sr@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-th@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-tr@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-uk@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-uz@thunderbird.mozilla.org.xpi /usr/lib64/thunderbird/extensions/langpack-vi@thunderbird.mozilla.org.xpi
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Jun 10 00:14:58 2025