| Name: MozillaThunderbird | Distribution: openSUSE Tumbleweed |
| Version: 91.9.0 | Vendor: openSUSE |
| Release: 1.1 | Build date: Fri May 6 23:08:08 2022 |
| Group: Productivity/Networking/Email/Clients | Build host: obs-arm-10 |
| Size: 208407882 | Source RPM: MozillaThunderbird-91.9.0-1.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://www.thunderbird.net/ | |
| Summary: An integrated email, news feeds, chat, and newsgroups client | |
Thunderbird is a free, open-source, cross-platform application for managing email, news feeds, chat, and news groups. It is a local (rather than browser- or web-based) email application that is powerful yet easy to use.
MPL-2.0
* Mon May 02 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe
attributes that are ignored
* OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
allow SHA-1 key signatures
* CalDAV calendars were marked read-only on startup
MFSA 2022-18 (bsc#1198970)
* CVE-2022-1520 (bmo#1745019)
Incorrect security status shown after viewing an attached
email
* CVE-2022-29914 (bmo#1746448)
Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081)
Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674)
Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981)
iframe sandbox bypass
* CVE-2022-29912 (bmo#1692655)
Reader mode bypassed SameSite cookies
* CVE-2022-29913 (bmo#1764778)
Speech Synthesis feature not properly disabled
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
bmo#1762614, bmo#1762620)
Memory safety bugs fixed in Thunderbird 91.9
* Sat Apr 16 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js#
* Additional SMTP errors now propagated to user
* OpenPGP was not able to use some previously supported key types
* OpenPGP Key Manager did not always display correct information
after importing additional IDs
* Duplicate new mail notifications could be displayed when
server-side filters were in use
* Cancelling an SMTP password entry resulted in multiple failure
dialogs being displayed
* Tue Apr 12 2022 Martin Liška <mliska@suse.cz>
- Set memory limits for DWZ to 4x.
* Sat Apr 02 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.8.0
* Google accounts using password authentication will be migrated
to OAuth2.
* bugfixes
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
MFSA 2022- (bsc#1197903)
- update create-tar.sh
* Thu Mar 17 2022 Dirk Müller <dmueller@suse.com>
- skip slow workers, this is a tough build job
* Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.7.0
* Thunderbird will use the first occurrence of headers that should
only appear once
* Auto-complete incorrectly changed a pasted email address to the
primary address of a contact
* Attachments with filename extensions that were not registered in
MIME types could not be opened
* Copy/Cut/Paste actions not working in Thunderbird Preferences
* Improved screen reader support of displayed message headers
MFSA 2022-12 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421)
Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352)
iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979)
Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243)
Use-after-free in text reflows
* CVE-2022-26386 (bmo#1752396)
Temporary files downloaded to /tmp and accessible by other
local users
* Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.6.2
MFSA 2022-09
* CVE-2022-26485 (bmo#1758062)
Use-after-free in XSLT parameter processing
* CVE-2022-26486 (bmo#1758070)
Use-after-free in WebGPU IPC Framework
* Tue Feb 15 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
* Emails were not downloading at startup under some conditions
* Port numbers were not shown in "Confirm Security Exception"
dialog for CalDAV connections
MFSA 2022-07 (bsc#1196072)
* CVE-2022-0566 (bmo#1753094)
Crafted email could trigger an out-of-bounds write
* Sat Feb 05 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
* Partially signed unencrypted messages displayed an incorrect
"partially encrypted" notification
* Attachments filenames were not sanitized before saving to disk
* In the attachment bar, the "Import OpenPGP Key" item displayed
for public keys displayed an error and did not import the key
* "Open with" attachment dialog did not have a selected radio
button option
MFSA 2022-06 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance
Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during
update
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22763 (bmo#1740534)
Script Execution during invalid object state
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
bmo#1748210, bmo#1748279)
Memory safety bugs fixed in Thunderbird 91.6
- do not use ccache by default
- removed obsolete mozilla-bmo1745560.patch
* Sat Jan 22 2022 Manfred Hollstein <manfred.h@gmx.net>
- Mozilla Thunderbird 91.5.1
* JS LDAP implementation did not support self-signed SSL certificates
* After saving a draft and subsequently sending a FileLink email,
the original file was removed from disk
* Chat OTR encryption did not work
* OTR verification bar was not removed after completing verification
* Various theme improvements
* Thu Jan 20 2022 Martin Liška <mliska@suse.cz>
- Enable -fimplicit-constexpr for GCC 12+.
* Fri Jan 07 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.5.0
https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
MFSA 2022-03 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071)
Calling into reportValidity could have led to fullscreen
window spoof
* CVE-2022-22743 (bmo#1739220)
Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923)
Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389)
Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334)
Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382)
Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874)
Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720)
Iframe sandbox bypass with XSLT
* CVE-2022-22748 (bmo#1705211)
Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856)
Leaking cross-origin URLs through securitypolicyviolation event
* CVE-2022-22744 (bmo#1737252)
The 'Copy as curl' feature in DevTools did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2022-22747 (bmo#1735028)
Crash when handling empty pkcs7 sequence
* CVE-2022-22739 (bmo#1744158)
Missing throttling on external protocol launch dialog
* CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366,
bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221,
bmo#1743515, bmo#1745373, bmo#1746011)
Memory safety bugs fixed in Thunderbird 91.5
* Tue Dec 28 2021 Bjørn Lie <bjorn.lie@gmail.com>
- Add mozilla-bmo1745560.patch: Fix build against wayland 1.20.
* Fri Dec 17 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.4.1
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
MFSA 2021-55 (bsc#1193845)
* CVE-2021-4126 (bmo#1732310)
OpenPGP signature status doesn't consider additional message
content
* CVE-2021-44538 (bmo#1744056)
Matrix chat library libolm bundled with Thunderbird
vulnerable to a buffer overflow
- updated _constraints
* Thu Dec 02 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.4.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
MFSA 2021-54 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43545 (bmo#1720926)
Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751)
Cursor spoofing could overlay user interface when native
cursor is zoomed
* CVE-2021-43528 (bmo#1742579)
JavaScript unexpectedly enabled for the composition area
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
bmo#1737009, bmo#1739372, bmo#1739421)
Memory safety bugs fixed in Thunderbird 91.4.0
* Thu Nov 25 2021 Bjørn Lie <bjorn.lie@gmail.com>
- Drop unused libidl-devel BuildRequires.
* Sat Nov 20 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.3.2
* Date selection in Calendar print settings widget changed to use
mini calendar widget
* OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529
boo#1189244
* Bugfixes as outlined in release notes
https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/
* Sat Nov 13 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.3.1
* OpenPGP public keys will no longer count as an attachment in
the message list
* Adding a search engine via URL now supported
* FileLink messages' template updated; Thunderbird advertisement
removed
* After an update, Thunderbird will now check installed addons
for updates
* Bugfixes as outlined in release notes
https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/
* Sun Oct 31 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.3.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
MFSA 2021-50 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517)
iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156)
Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194)
Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750)
Thunderbird could be coaxed into going into fullscreen mode
without notification or warning
* CVE-2021-38507 (bmo#1730935)
Opportunistic Encryption in HTTP2 could be used to bypass the
Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0008 (bmo#1667102)
Use-after-free in HTTP2 Session object
* CVE-2021-38508 (bmo#1366818)
Permission Prompt could be overlaid, resulting in user
confusion and potential spoofing
* CVE-2021-38509 (bmo#1718571)
Javascript alert box could have been spoofed onto an
arbitrary domain
* CVE-2021-38510 (bmo#1731779)
Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
bmo#1735152)
Memory safety bugs fixed in Thunderbird ESR 91.3
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
* Fri Oct 22 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.2.1
* Preference added to disable automatic pausing RSS feed updates
after a fetch failure
* several bugfixes as outlined in release notes
https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/
* Fri Oct 22 2021 Guillaume GARDET <guillaume.gardet@opensuse.org>
- Increase memory required per threads for aarch64 to avoid OOM
* Thu Oct 21 2021 Martin Liška <mliska@suse.cz>
- Enable LTO on Tumbleweed.
* Fri Oct 15 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863)
fix some env variables which are enabled for any value
* Mon Oct 04 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.2.0
* Saving a single message as .eml now uses a unique filename
* New mail notifications did not properly take subfolders into account
* Decrypting binary attachments when using an external GnuPG
configuration failed
* Account name fields in the account manager were not big enough
for long names
* LDAP searches using an extensibleMatch filter returned no results
* Read-only CalDAV calendars and CardDAV address books were not detected
* Multipart messages containing a calendar invite did not display
any of the human-readable alternatives
* Some calendar days were displayed incorrectly or duplicated
(eg. two "29th" days of a particular month)
* Phantom event was shown at the end of each day in Calendar week view
MFSA 2021-46 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335)
Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621)
Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642)
Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813,
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321)
Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* Sun Sep 26 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.1.2
* Thunderbird will now warn if an S/MIME encrypted message includes
BCC recipients
* several bugfixes listed on
https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/
* Wed Sep 15 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.1.1
* Menu item for disabling subject encryption for a single message added
* Printing messages that are not currently displayed is no longer
supported, including printing multiple messages at once
* for bugfixes see
https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes
- MOZ_ENABLE_WAYLAND env variable now overrides automatic detection
if already set before startup
* Thu Sep 02 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.1.0
* Thunderbird registered Accessibility Handlers using same GUIDs
as Firefox, causing performance issues for NVDA users
* Focus lost when reordering accounts by keyboard in the Account Manager
* Account setup did not use provider display name for setting up
calendars
* Various theme and UX fixes
MFSA 2021-41 (bsc#1190269)
* CVE-2021-38492 (bmo#1721107)
Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101,
bmo#1724107)
Memory safety bugs fixed in Thunderbird 91.1
- (re-)added mozilla-silence-no-return-type.patch
- add mozilla-bmo531915.patch to fix build for i586
* Fri Aug 27 2021 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 91.0.3:
* fixed: Folder icons could be overridden by linked favicons in
HTML messages
* fixed: Unified folders showed no messages when underlying
folders were removed
* fixed: Folder pane toolbar did not always persist after
restarting Thunderbird
* fixed: Compose window attachment pane did not close when
disabling signing of an OpenPGP message
* fixed: Using "Reply to List" with some list emails
incorrectly opened a "no-reply" warning
* fixed: Account setup UX issues with Exchange autodiscover
* fixed: Account settings did not display non-UTF-8 server
descriptions correctly
* fixed: Thunderbird sometimes sent an unnecessary "SMTPUTF8",
causing some servers to reject mail
* fixed: No mouseover pop was displayed with event details for
non-all-day events in the Today Pane
* fixed: Filtering tasks in the Today Pane did not work
* fixed: Email based event scheduling displayed the date and
time in a format unreadable by humans
* Fri Aug 27 2021 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 91.0.2:
* new: Tags are now colored in mail filter editor
* changed: Context menu items related to OpenPGP and
attachments are now hidden when not applicable
* fixed: Creating a new account with manual setup failed
* fixed: Recipient autocomplete always preferred the primary
email address for a contact
* fixed: LDAP performance improvements
* fixed: Extensions listed on the Recommended Addons did not
have a clear way to view details in a browser
* fixed: Status checkmark on View > Calendar > Calendar Pane >
Show Calendar Pane was reversed
* fixed: mid: URLs in calendar invites did not open the linked
mail message
* fixed: Various theme and UX fixes
* Tue Aug 17 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.0.1
MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
- appdate screenshot URL updated (by mailaender@opensuse.org)
* Sun Aug 15 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.0
* based on Mozilla's 91 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew
* Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences"
* Thunderbird now operates in multi-process (e10s) mode by default
* New user interface for adding attachments
* Enable redirect of messages
* CardDAV address book support
- Removed obsolete patches:
* mozilla-bmo1463035.patch
* mozilla-ppc-altivec_static_inline.patch
* mozilla-pipewire-0-3.patch
* mozilla-bmo1554971.patch
- add mozilla-libavcodec58_91.patch
- removed obsolete BigEndian ICU build workaround
- updated build requirements
- build using clang
* Thu Aug 05 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.13.0
* removed WeTransfer integration package (not supported by vendor
any longer)
MFSA 2021-35 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138)
Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29988 (bmo#1717922)
Memory corruption as a result of incorrect style treatment
* CVE-2021-29984 (bmo#1720031)
Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204)
Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29985 (bmo#1722083)
Use-after-free media channels
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
bmo#1719998, bmo#1720568)
Memory safety bugs fixed in Thunderbird 78.13
* Wed Jul 14 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.12.0
MFSA 2021-30 (bsc#1188275)
* CVE-2021-29969 (bmo#1682370)
IMAP server responses sent by a MITM prior to STARTTLS could be
processed
* CVE-2021-29970 (bmo#1709976)
Use-after-free in accessibility features of a document
* CVE-2021-30547 (bmo#1715766)
Out of bounds write in ANGLE
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
bmo#1711576, bmo#1714391)
Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* Sat May 29 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.11.0
* OpenPGP could not be disabled for an account if a key was
previously configured
* Recipients were unable to decrypt some messages when the sender
had changed the message encryption from OpenPGP to S/MIME
* Contacts moved between CardDAV address books were not synced to
the new server
* CardDAV compatibility fixes for Google Contacts
MFSA 2021-26 (bsc#1186696)
* CVE-2021-29964 (bmo#1706501)
Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
bmo#1704722, bmo#1706041)
Memory safety bugs fixed in Thunderbird 78.11
- renewed expired mozilla.keyring
* Fri May 14 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.10.2
* Added support for importing OpenPGP keys without a primary
secret key
* Add-ons manager displays a preferences icon for mail extensions
that include an options page
Fixed
* OpenPGP messages with a high compression ratio (over 10x) could
not be decrypted
* Selected OpenPGP key was lost after opening the Key Properties
dialog in Account Settings
* Parsing some OpenPGP user IDs failed
* Various improvements to OpenPGP partial encryption reminders
* Mail toolbar buttons were too big when displaying both icons
and text
MFSA 2021-22
* CVE-2021-29956 (boo#1186199, bmo#1710290)
Thunderbird stored OpenPGP secret keys without master password
protection
* CVE-2021-29957 (boo#1186198, bmo#1673241)
Partial protection of inline OpenPGP message not indicated
- do not rely on nodejs10 explicitly
* Tue May 04 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.10.1
* Remove the fix for bmo#1689804 introduced in 78.9.0,
restoring the previous behavior
* MFSA 2021-19 (bsc#1185633) does not affect this platform
* Sun Apr 18 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.10.0
MFSA 2021-14 (bsc#1184960)
* CVE-2021-23994 (bmo#1699077)
Out of bound write due to lazy initialization
* CVE-2021-23995 (bmo#1699835)
Use-after-free in Responsive Design Mode
* CVE-2021-23998 (bmo#1667456)
Secure Lock icon could have been spoofed
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23999 (bmo#1691153)
Blob URLs may have been granted additional privileges
* CVE-2021-24002 (bmo#1702374)
Arbitrary FTP command execution on FTP servers using an
encoded URL
* CVE-2021-29945 (bmo#1700690)
Incorrect size computation in WebAssembly JIT could lead to
null-reads
* CVE-2021-29946 (bmo#1698503)
Port blocking could be bypassed
* CVE-2021-29948 (bmo#1692899)
Race condition when reading from disk while verifying
signatures
- recommend libotr5
* Sat Apr 10 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.9.1
* Support recipient aliases for OpenPGP encryption
* The key and signature parts of the message security popup on a
received message could not be selected for copy/paste
* Various UX and theme improvements
MFSA 2021-13
* CVE-2021-23991 (bmo#1673240)
An attacker may use Thunderbird's OpenPGP key refresh mechanism
to poison an existing key
* MOZ-2021-23992 (bmo#1666236)
A crafted OpenPGP key with an invalid user ID could be used to
confuse the user
* CVE-2021-23993 (bmo#1666360)
Inability to send encrypted OpenPGP email after importing a
crafted OpenPGP key
* Sat Mar 20 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.9.0
* bugfixes:
https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes
MFSA 2021-12 (boo#1183942)
* CVE-2021-23981 (bmo#1692832)
Texture upload into an unbound backing buffer resulted in an
out-of-bound read
* MOZ-2021-0002 (bmo#1691547)
Angle graphics library out of date
* CVE-2021-23982 (bmo#1677046)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2021-23984 (bmo#1693664)
Malicious extensions could have spoofed popup information
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718)
Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)
* Sun Mar 07 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.8.1
* several bugfixes and improvements
* https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/
- updated create-tar.sh (bsc#1182357)
* Fri Feb 19 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.8.0
* various bugfixes
MFSA 2021-09 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23968 (bmo#1687342)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23973 (bmo#1690976)
MediaError message property could have leaked information
about cross-origin resources
* CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391,
bmo#1687597)
Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
* Fri Feb 05 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.7.1
* CardDAV address books now support OAuth2 and Google Contacts
* Thunderbird will no longer allow installation of addons that
use legacy APIs
* Tue Jan 26 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.7.0
MFSA 2021-05 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2020-15685 (bmo#1622640)
IMAP Response Injection when using STARTTLS
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
bmo#1685260, bmo#1685925)
Memory safety bugs fixed in Thunderbird 78.7
* Sun Jan 24 2021 Manfred Hollstein <manfred.h@gmx.net>
- MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer
rpm versions in TW remove everything there as the first action
of %install
* Mon Jan 11 2021 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.6.1
MFSA 2021-02 (bsc#1180623)
* CVE-2020-16044 (bmo#1683964)
Use-after-free write when handling a malicious COOKIE-ECHO SCTP
chunk
* Sat Dec 12 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.6.0
* changes and additions in MailExtensions
* several bugfixes
* https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
MFSA 2020-56 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Thunderbird 78.6
* Tue Dec 01 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.5.1
MFSA 2020-53 (bsc#1179530)
* CVE-2020-26970 (bmo#1677338)
Stack overflow due to incorrect parsing of SMTP server response codes
* Mon Nov 16 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.5.0
MFSA 2020-52 (bsc#1178894)
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security
UI
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
* CVE-2020-26959 (bmo#1669466)
Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358)
Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223)
Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528)
DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617)
Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571)
Single-word search queries were also broadcast to local
network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
bmo#1671923)
Memory safety bugs fixed in Thunderbird 78.5
- removed obsolete mozilla-rust-1.47.patch
* Wed Nov 11 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.4.3
https://www.thunderbird.net/en-US/thunderbird/78.4.3/releasenotes/
- added mozilla-rust-1.47.patch to fix build with rust 1.47
* Mon Nov 09 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.4.2
MFSA 2020-49
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted for
* Thu Nov 05 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.4.1
* Bugfixes and minor features
https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/
* Tue Oct 20 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.4.0
* MailExtensions: browser.tabs.sendMessage API added
* MailExtensions: messageDisplayScripts API added
* Yahoo and AOL mail users using password authentication will be
migrated to OAuth2
* MailExtensions: messageDisplay APIs extended to support multiple
selected messages
* MailExtensions: compose.begin functions now support creating a
message with attachments
* multiple bugfixes
MFSA 2020-47 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570)
Use-after-free in usersctp
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760,
bmo#1663439, bmo#1666140)
Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Thu Oct 15 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* OpenPGP Key Manager was missing from Tools menu on macOS
* Creating a new calendar event did not require an event title
- remove python2 dependencies for TW
- support wayland mode/autodetection in startup wrapper
- replace some Requires to use requires_ge macro where appropriate
- improve langpack build (as already used for Firefox)
- add ccache statistics output to build
* Wed Oct 07 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.3.2
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were
sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse
button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
* Fri Sep 25 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)
* Wed Sep 23 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential
use-after-free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch
* Sun Sep 13 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.2.2
https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
(boo#1176384)
* Mon Aug 31 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 78.2.1
* based on Mozilla's 78 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
* built-in OpenPGP support (enigmail neither required nor supported)
- added platform patches:
* mozilla-s390x-skia-gradient.patch
* mozilla-pipewire-0-3.patch
* mozilla-bmo1512162.patch
* mozilla-bmo1626236.patch
* mozilla-bmo998749.patch
* mozilla-sandbox-fips.patch
- removed obsolete platform patches
* mozilla-s390-bigendian.patch
* mozilla-nestegg-big-endian.patch
* mozilla-openaes-decl.patch
* mozilla-cubeb-noreturn.patch
* Sun Aug 30 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.12.0
MFSA 2020-40 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could have
resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15669 (bmo#1656957)
Use-After-Free when aborting an operation
* Fri Aug 28 2020 Michel Normand <normand@linux.vnet.ibm.com>
- Put back %limit_build macro usage to avoid build error PowerPC
(remove memoryperjob constraint)
* Thu Aug 20 2020 Martin Liška <mliska@suse.cz>
- Use memoryperjob constraint instead of %limit_build macro.
* Sat Aug 01 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.11.0
* fixed: FileLink attachments included as a link and file when
added from a network drive via drag & drop (bmo#793118)
MFSA 2020-35 (bsc#1174538)
* CVE-2020-15652 (bmo#1634872)
Potential leak of redirect targets when loading scripts in a
worker
* CVE-2020-6514 (bmo#1642792)
WebRTC data channel leaks internal address to peer
* CVE-2020-6463 (bmo#1635293)
Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1646787,
bmo#1650811)
Memory safety bugs fixed in Thunderbird 68.11
* Wed Jul 01 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.10.0
* fixed: Chat: Topics displayed some characters improperly
(bmo#1644024)
* fixed: Calendar: Filtering tasks did not work when
"Incomplete Tasks" was selected (bmo#1593711)
MFSA 2020-26 (bsc#1173576)
* CVE-2020-12417 (bmo#1640737)
Memory corruption due to missing sign-extension for ValueTags
on ARM64
* CVE-2020-12418 (bmo#1641303)
Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874)
Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437)
Use-After-Free when trying to connect to a STUN server
* MFSA-2020-0001 (bmo#1606610)
Automatic account setup leaks Microsoft Exchange login
credentials
* CVE-2020-12421 (bmo#1308251)
Add-On updates did not respect the same certificate trust
rules as software updates
* Thu Jun 11 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- build with nodejs10 to be able to drop nodejs8 from TW
- updated create-tar.sh
* Sat Jun 06 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.9.0
* fixed: Custom headers added for searching or filtering could
not be removed (bmo#1631577)
* fixed: Calendar: Today Pane updated prior to loading all data
(bmo#1635613)
* fixed: Stability improvements (bmo#1625677)
MFSA 2020-22 (bsc#1172402)
* CVE-2020-12405 (bmo#1631618)
Use-after-free in SharedWorkerService
* CVE-2020-12406 (bmo#1639590)
JavaScript Type confusion with NativeTypes
* CVE-2020-12410 (bmo#1619305, bmo#1632717)
Memory safety bugs fixed in Thunderbird 68.9.0
* CVE-2020-12398 (bmo#1613623)
Security downgrade with IMAP STARTTLS leads to information
leakage
* Sun May 24 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.8.1
* fixed: IMAP stability improvements (bmo#1586494)
* fixed: HTML tags in IRC topic changes were rendered
incorrectly (bmo#1607097)
* fixed: MailExtensions: Websockets could not be used
(bmo#1627649)
* Tue May 05 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.8.0
* Account Manager fixes and improvements
* https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes
MFSA 2020-18 (bsc#1171186)
* CVE-2020-12397 (bmo#1617370)
Sender Email Address Spoofing using encoded Unicode characters
* CVE-2020-12387 (bmo#1545345)
Use-after-free during worker shutdown
* CVE-2020-6831 (bmo#1632241)
Buffer overflow in SCTP chunk input validation
* CVE-2020-12392 (bmo#1614468)
Arbitrary local file access with 'Copy as cURL'
* CVE-2020-12393 (bmo#1615471)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098,
bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508)
Memory safety bugs fixed in Thunderbird 68.8.0
- removed obsolete patch mozilla-bmo1580963.patch
* Tue May 05 2020 Ismail Dönmez <idonmez@suse.com>
- Add mozilla-bmo1580963.patch to fix build with rust 1.43
(bmo#1580963)
* Thu Apr 09 2020 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.7.0
* Updates to MailExtensions API
* Various improvements to account setup when connecting to an
Exchange server
* Thread collapsed when opening news message in a new window
* Fix Addons not automatically updated to compatible version after
upgrade from Thunderbird 60
* Updating addons did not prompt when requesting new permissions
* Extra recipients panel not keyboard-accessible
* Accessibility: Status bar was not detected by screenreaders
* Calendar: Invitations with embedded null bytes did not always decode correctly
* Calendar: Cancelled events didn't show with a line-through
* Various security fixes
MFSA 2020-14
In general, these flaws cannot be exploited through email in
Thunderbird because scripting is disabled when reading mail, but
are potentially risks in browser or browser-like contexts.
* CVE-2020-6819 (bmo#1620818, bsc#1168630)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728, bsc#1168630)
Use-after-free when handling a ReadableStream
* CVE-2020-6821 (bmo#1625404, bsc#1168874)
Uninitialized memory could be read when using the WebGL
copyTexSubImage method
* CVE-2020-6822 (bmo#1544181, bsc#1168874)
Out of bounds write in GMPDecodeData when processing large images
* CVE-2020-6825 (bmo#1572541, bmo#1620193, bmo#1620203, bsc#1168874)
Memory safety bugs fixed in Thunderbird 68.7.0
* Sat Mar 14 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.6.0
MFSA 2020-10 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections against
state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636,
bmo#1614339)
Memory safety bugs fixed in Thunderbird 68.6
- requires NSS >= 3.44.3
* Mon Feb 10 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.5.0
New
* Support for Client Identity IMAP/SMTP Service Extension
* Support for OAuth 2.0 authentication for POP3 accounts
Fixes
* Status area goes blank during account setup
* Calendar: Could not remove color for default categories
* Calendar: Prevent calendar component loading multiple times
* Calendar: Today pane did not retain width between sessions
MFSA 2020-07 (bsc#1163368)
* CVE-2020-6793 (bmo#1608539)
Out-of-bounds read when processing certain email messages
* CVE-2020-6794 (bmo#1606619)
Setting a master password post-Thunderbird 52 does not delete
unencrypted previously stored passwords
* CVE-2020-6795 (bmo#1611105)
Crash processing S/MIME messages with multiple signatures
* CVE-2020-6797 (bmo#1596668) (Mac OSX only)
Extensions granted downloads.open permission could open arbitrary
applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6792 (bmo#1609607)
Message ID calculation was based on uninitialized data
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543, bmo#1604851,
bmo#1608580, bmo#1608785, bmo#1605777)
Memory safety bugs fixed in Thunderbird 68.5
* Tue Jan 28 2020 Stasiek Michalski <stasiek@michalski.cc>
- Use a symbolic icon from branding internals
* Fri Jan 24 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.4.2
* Calendar: Task and Event tree colours adjusted for the dark theme
* Retrieval of S/MIME certificates from LDAP failed
* Address-parsing crash on some IMAP servers when
mail.imap.use_envelope_cmd is set
* Incorrect forwarding of HTML messages caused SMTP servers to
respond with a timeout
* Calendar: Various parts of the calendar UI stopped working when
a second Thunderbird window opened
* Fri Jan 10 2020 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.4.1
* Various improvements when setting up an account for a Microsoft
Exchange server: Now offers IMAP/SMTP if available, better
detection for Office 365 accounts; re-run configuration after
password change
Fixes:
* After changing view layout, the message display pane showed
garbled content under some circumstances
* Various theme changes to achieve "pixel perfection": Unread icon,
"no results" icon, paragraph format and font selector, background
of folder summary tooltip
* Tags were lost on messages in shared IMAP folders under some
circumstances
* Calendar: Event attendee dialog was not displayed correctly
MFSA 2020-04 (bsc#1160498, bsc#1160305)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and FallibleStoreElement
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content process
initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content process
initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
- removed obsolete patch mozilla-bmo1511604.patch
- added mozilla-bmo1602730.patch to fix LE<->BE issues in the
platform (bmo#1602730)
* Fri Dec 27 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- add mozilla-bmo1583471.patch to allow building with rust 1.39
* Fri Dec 20 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.3.1
* In dark theme unread messages no longer shown in blue to
distinguish from tagged messages
* Account setup is now using client side DNS MX lookup instead of
relying on a server
Bugfixes
* Searching LDAP address book crashed in some circumstances
* Message navigation with backward and forward buttons did not work
in some circumstances
* WebExtension toolbar icons were displayed too small
* Calendar: Tasks due today were not listed in bold
* Calendar: Last day of long-running events was not shown
* Thu Dec 05 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.3.0:
* Message display toolbar action WebExtension API
* Navigation buttons are now available in content tabs, for example
those opened via an add-on search
* other bugfixes
MFSA 2019-38
* CVE-2019-17008 (bmo#1546331)
Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156)
Stack corruption due to incorrect number of arguments in WebRTC code
* CVE-2019-17010 (bmo#1581084)
Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170)
Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334)
Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209,
bmo#1580288, bmo#1585760, bmo#1592502)
Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* Various updates to improve performance and stability
- updated create-tar.sh to cover buildid and origin repo information
- changed locale building procedure
* removed obsolete compare-locales.tar.xz and
thunderbird-broken-locales-build.patch
- add mozilla-bmo849632.patch to fix color issues on big endian
* Sat Nov 09 2019 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 68.2.2:
* fix age calculation in address book (bmo#1592536)
* fix column menu behavior in address book (bmo#1592393)
* Fri Nov 01 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.2.1
* A language for the user interface can now be chosen in the
advanced settings (multilingual UI)
* Fixed problem with Google authentication (OAuth2)
* Selected or unread messages were not shown in the correct color
in the thread pane (message list) under some circumstances
* When using a language pack, names of standard folders weren't
localized (boo#1149126)
* Address book default startup directory in preferences panel was
not persisted
* Chat: Extended context menu on Instant messaging status dialog
(Show Accounts)
- added mozilla-bmo1504834-part4.patch to fix some visual issues on
big endian platforms
* Tue Oct 22 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.2.0
* Message Display WebExtension API
* Message Search WebExtension API
* Better visual feedback for unread messages when using the dark theme
* Fixed various issues when editing mailing list
* Fixed application windows not maintaining their size after restart
MFSA 2019-33 (bsc#1154738)
* CVE-2019-15903 (bmo#1584907)
Heap overflow in expat library in XML_GetCurrentLineNumber
* CVE-2019-11757 (bmo#1577107)
Use-after-free when creating index updates in IndexedDB
* CVE-2019-11758 (bmo#1536227)
Potentially exploitable crash due to 360 Total Security
* CVE-2019-11759 (bmo#1577953)
Stack buffer overflow in HKDF output
* CVE-2019-11760 (bmo#1577719)
Stack buffer overflow in WebRTC networking
* CVE-2019-11761 (bmo#1561502)
Unintended access to a privileged JSONView object
* CVE-2019-11762 (bmo#1582857)
document.domain-based origin isolation has same-origin-property violation
* CVE-2019-11763 (bmo#1584216)
Incorrect HTML parsing results in XSS bypass technique
* CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223,
bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845,
bmo#1581950, bmo#1583463, bmo#1586599)
Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
- removed obsolete patches
mozilla-bmo1573381.patch
mozilla-bmo1512162.patch
mozilla-bmo1585099.patch
* Thu Oct 10 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.1.2
Bugfixes
* Some attachments couldn't be opened in messages originating from
MS Outlook 2016
* Address book import from CSV
* Performance problem in message body search
* Ctrl+Enter to send a message would open an attachment if the
attachment pane had focus
* Calendar: Issues with "Today Pane" start-up
* Calendar: Glitches with custom repeat and reminder number input
* Calendar: Problems with WCAP provider
- add mozilla-bmo1585099.patch to fix build with rust >= 1.38
* Wed Sep 25 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.1.1
Bugfixes
* Issues with attachments in IMAP messages
* Gmail accounts ignored a non-standard trash folder selection
* Entering/pasting lists of recipients into the addressing widget or
mailing list not working reliably, especially when lists contained
multiple commas or semicolons
* Edit mailing list not working
* Various theme fixes, especially dark theme improvements for Calendar
* Contrast between tag label and background not optimal
* Account Central pane always loaded at start-up
* "Config Editor" button not removed if blocked by policy
* Calendar: Free/busy information in attendees dialog not scrolled
correctly. Note: Scroll arrows still not behaving correctly
MFSA 2019-32
* CVE-2019-11755 (bmo#1240290, boo#1152375)
Spoofing a message author via a crafted S/MIME message
- require nodejs8 instead of generic nodejs for better cross-distribution
support
- call desktop database update on install
- updated translations-other locale list
- build correct ICU for Big Endian
- remove kde.js since disabling instantApply breaks extensions and
is obsolete with the move to HTML views for preferences (boo#1151186)
- update create-tar.sh to latest revision and adjust tar_stamps
- added platform patches from Firefox 68esr
mozilla-bmo1005535.patch
mozilla-bmo1463035.patch
mozilla-bmo1504834-part1.patch
mozilla-bmo1504834-part2.patch
mozilla-bmo1504834-part3.patch
mozilla-bmo1511604.patch
mozilla-bmo1554971.patch
mozilla-bmo1573381.patch
mozilla-cubeb-noreturn.patch
mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
mozilla-fix-aarch64-libopus.patch
mozilla-fix-top-level-asm.patch
mozilla-nestegg-big-endian.patch
mozilla-ntlm-full-path.patch
mozilla-openaes-decl.patch
mozilla-ppc-altivec_static_inline.patch
mozilla-reduce-rust-debuginfo.patch
mozilla-s390-bigendian.patch
mozilla-s390-context.patch
mozilla-bmo1512162.patch
thunderbird-broken-locales-build.patch
- removed renamed patches
fix-missing-return-warning.patch
fix-top-level-asm-issue.patch
thunderbird-locale-build.patch
* Fri Sep 20 2019 munix9@googlemail.com
- repack the lightning xpi with all available locales (boo#939153) (lp#545778)
* Fri Sep 20 2019 Martin Liška <mliska@suse.cz>
- Add fix-top-level-asm-issue.patch in order to fix LTO build.
- Enable LTO on TW on x86_64.
- Use GCC.
* Fri Sep 20 2019 Bernhard Wiedemann <bwiedemann@suse.com>
- added mozilla-bmo1568145.patch to make builds reproducible (boo#1047218)
* Tue Sep 10 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.1.0
* Offer to configure Exchange accounts for Office365. A third-party
add-on is required for this account type. IMAP still exists as
alternative.
* several bugfixes
MFSA 2019-30
* CVE-2019-11739 (bmo#1571481, boo#1150939)
Covert Content Attack on S/MIME encryption using a crafted
multipart/alternative message
* CVE-2019-11746 (bmo#1564449, boo#1149297)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033, boo#1149304)
XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715, boo#1149303)
Same-origin policy violation with SVG filters and canvas to steal
cross-origin images
* CVE-2019-11752 (bmo#1501152, boo#1149296)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-11743 (bmo#1560495, boo#1149298)
Cross-origin access to unload event attributes
* CVE-2019-11740 (bmo#1563133, bmo#1573160, boo#1149299)
Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox
ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
- removed upstreamed fix-build-after-y2038-changes-in-glibc.patch
- added thunderbird-locale-build.patch to fix locale build
* Fri Aug 30 2019 Manfred Hollstein <manfred.h@gmx.net>
- Add -L flag to the stat call for checking file size of %{SOURCE4}.
- Add fix-missing-return-warning.patch to silence a compiler warning.
* Wed Aug 28 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 68.0
* based on Firefox ESR 68
* File link attachments can now be linked to again instead of
uploading them again
* Mark all folders of an account as read
* Run filters periodically. Improved filter logging
* OAuth2 authentication for Yandex
* Language packs can now be selected in the Advanced Options.
Preference intl.multilingual.enabled needs to be set (and possibly
also extensions.langpacks.signatures.required needs to be set to false)
* Added a policy engine that allows customized Thunderbird deployments
in enterprise environments, using Windows Group Policy or a
cross-platform JSON file
* TCP keepalive for IMAP protocol
* Full Unicode support for MAPI interfaces: New support for MAPISendMailW
* Calendar: Time zone data can now include past and future changes.
All known time zone changes from 2018 to 2022 are included.
* Chat: In each conversation an individual spellcheck language can
be selected now
- removed obsolete patches
* mozilla-bmo1463035.patch
* mozilla-i586-domPrefs.patch
* mozilla-bmo1464766.patch
* mozilla-bmo1519629.patch
* mozilla-i586-DecoderDoctorLogger.patch
* mozilla-bmo1375074.patch
- added fix-build-after-y2038-changes-in-glibc.patch to fix build
in Tumbleweed (patch already upstream for next release)
* Thu Aug 01 2019 Tristan Miller <psychonaut@nothingisreal.com>
- Update package summary, description, and AppData using more informative
and up-to-date text from the official Thunderbird FAQ, replacing obsolete
references to the Mozilla Application Suite and Thunderbird's relation to
the Mozilla organization
* Wed Jul 10 2019 Bernhard Wiedemann <bwiedemann@suse.com>
- Generate langpacks sequentially to avoid file corruption
from racy file writes (boo#1137970)
* Mon Jul 08 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.8.0
* Calendar: Problems when editing event times, some related to
AM/PM setting in non-English locales
MFSA 2019-23 (boo#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
* CVE-2019-11730 (bmo#1558299)
Same-origin policy treats all files in a directory as having the
same-origin
* CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498,
bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 and
Thunderbird 60.8
* Thu Jun 20 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.7.2
MFSA 2019-20 (boo#1138872)
* CVE-2019-11707 (bmo#1544386)
Type confusion in Array.pop
* CVE-2019-11708 (bmo#1559858)
sandbox escape using Prompt:Open
* Wed Jun 12 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.7.1
* fixed: No prompt for smartcard PIN when S/MIME signing is used
MFSA 2019-17 (boo#1137595)
* CVE-2019-11703 (bmo#1553820)
Heap buffer overflow in icalparser.c
* CVE-2019-11704 (bmo#1553814)
Heap buffer overflow in icalvalue.c
* CVE-2019-11705 (bmo#1553808)
Stack buffer overflow in icalrecur.c
* CVE-2019-11706 (bmo#1555646)
Type confusion in icalproperty.c
* Sat Jun 08 2019 Aaron Puchert <aaronpuchert@alice-dsl.net>
- Increase disk space requirements in _constraints.
* Fri May 24 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.7.0
* Attachment pane of Write window no longer focussed when attaching
files using a keyboard shortcut
MFSA 2019-15 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-11691 (bmo#1542465)
Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670)
Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829)
Use-after-free in png_image_free of libpng library
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2018-18511 (bmo#1526218)
Cross-origin theft of images with ImageBitmapRenderingContext
* CVE-2019-11694 (bmo#1534196) (Windows only)
Uninitialized memory leakage in Windows sandbox
* CVE-2019-11698 (bmo#1543191)
Theft of user history data through drag and drop of hyperlinks
to and from bookmarks
* CVE-2019-5798 (bmo#1535518)
Out-of-bounds read in Skia
* CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136,
bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108,
bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097,
bmo#1532465, bmo#1533554, bmo#1541580)
Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
* Wed Apr 24 2019 Martin Liška <mliska@suse.cz>
- Disable LTO (boo#1133267).
* Sat Mar 30 2019 Manfred Hollstein <manfred.h@gmx.net>
- Add patch to fix build using rust-1.33: (boo#1130694)
* mozilla-bmo1519629.patch (bmo#1519629)
* Mon Mar 25 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.6.1
MFSA 2019-12 (bsc#1130262)
* CVE-2019-9810 (bmo#1537924)
IonMonkey MArraySlice has incorrect alias information
* CVE-2019-9813 (bmo#1538006)
Ionmonkey type confusion with __proto__ mutations
* Wed Mar 20 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.6.0
* Calendar: Can't create repeating event with end date when using
certain time zones, for example Europe/Minsk
* some minor bugfixes
* using 60.6.0esr Mozilla platform (bsc#1129821)
* Thu Mar 07 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.5.3
* fixed a regression on the Windows platform:
Problem when using "Send to > Mail recipient" on Windows
* Sun Feb 24 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.5.2
* UTF-8 support for MAPISendMail
* Problem with S/MIME certificate verification when receiving email
from Outlook (issue introduced in version 60.5.1)
* Thu Feb 14 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.5.1
* CalDav access to some servers not working
MFSA 2019-06 (bsc#1125330)
* CVE-2018-18356 bmo#1525817
Use-after-free in Skia
* CVE-2019-5785 bmo#1525433
Integer overflow in Skia
* CVE-2018-18335 bmo#1525815
Buffer overflow in Skia with accelerated Canvas 2D
* CVE-2018-18509 bmo#1507218
S/MIME signature spoofing
* Fri Jan 25 2019 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 60.5.0:
* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines
from a local XML file using a minimal user interface: [+] button
to select a file and add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default
in some locales
* During account creation, Thunderbird will now detect servers
using the Microsoft Exchange protocol. It will offer the
installation of a 3rd party add-on (Owl) which supports that
protocol.
* Thunderbird now compatible with other WebExtension-based
FileLink add-ons like the Dropbox add-on
MFSA 2019-03 (bsc#1122983)
* CVE-2018-18500 bmo#1510114
Use-after-free parsing HTML5 stream
* CVE-2018-18505 bmo#1497749
Privilege escalation through IPC channel messages
* CVE-2016-5824 bmo#1275400
DoS (use-after-free) via a crafted ics file
* CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
bmo#1502871 bmo#1516738 bmo#1516514
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
- requires NSS 3.36.7
- removed obsolete patch
mozilla-no-stdcxx-check.patch
- rebased patches
/usr/bin/thunderbird
/usr/lib/thunderbird
/usr/lib/thunderbird/application.ini
/usr/lib/thunderbird/chrome
/usr/lib/thunderbird/chrome/icons
/usr/lib/thunderbird/chrome/icons/default
/usr/lib/thunderbird/chrome/icons/default/default128.png
/usr/lib/thunderbird/chrome/icons/default/default16.png
/usr/lib/thunderbird/chrome/icons/default/default22.png
/usr/lib/thunderbird/chrome/icons/default/default24.png
/usr/lib/thunderbird/chrome/icons/default/default256.png
/usr/lib/thunderbird/chrome/icons/default/default32.png
/usr/lib/thunderbird/chrome/icons/default/default48.png
/usr/lib/thunderbird/chrome/icons/default/default64.png
/usr/lib/thunderbird/defaults
/usr/lib/thunderbird/defaults/messenger
/usr/lib/thunderbird/defaults/messenger/mailViews.dat
/usr/lib/thunderbird/defaults/pref
/usr/lib/thunderbird/defaults/pref/all-l10n.js
/usr/lib/thunderbird/defaults/pref/all-opensuse.js
/usr/lib/thunderbird/defaults/pref/channel-prefs.js
/usr/lib/thunderbird/dependentlibs.list
/usr/lib/thunderbird/fonts
/usr/lib/thunderbird/fonts/TwemojiMozilla.ttf
/usr/lib/thunderbird/isp
/usr/lib/thunderbird/isp/Bogofilter.sfd
/usr/lib/thunderbird/isp/DSPAM.sfd
/usr/lib/thunderbird/isp/POPFile.sfd
/usr/lib/thunderbird/isp/SpamAssassin.sfd
/usr/lib/thunderbird/isp/SpamPal.sfd
/usr/lib/thunderbird/libldap60.so
/usr/lib/thunderbird/libldif60.so
/usr/lib/thunderbird/liblgpllibs.so
/usr/lib/thunderbird/libmozgtk.so
/usr/lib/thunderbird/libmozsandbox.so
/usr/lib/thunderbird/libmozsqlite3.so
/usr/lib/thunderbird/libmozwayland.so
/usr/lib/thunderbird/libprldap60.so
/usr/lib/thunderbird/librnp.so
/usr/lib/thunderbird/libxul.so
/usr/lib/thunderbird/omni.ja
/usr/lib/thunderbird/pingsender
/usr/lib/thunderbird/platform.ini
/usr/lib/thunderbird/plugin-container
/usr/lib/thunderbird/thunderbird-bin
/usr/lib/thunderbird/thunderbird.sh
/usr/share/appdata
/usr/share/appdata/thunderbird.appdata.xml
/usr/share/applications/thunderbird.desktop
/usr/share/icons/hicolor/128x128/apps/thunderbird.png
/usr/share/icons/hicolor/16x16/apps/thunderbird.png
/usr/share/icons/hicolor/22x22/apps/thunderbird.png
/usr/share/icons/hicolor/24x24/apps/thunderbird.png
/usr/share/icons/hicolor/32x32/apps/thunderbird.png
/usr/share/icons/hicolor/48x48/apps/thunderbird.png
/usr/share/icons/hicolor/64x64/apps/thunderbird.png
/usr/share/icons/hicolor/symbolic/apps/thunderbird-symbolic.svg
Generated by rpm2html 1.8.1
Fabrice Bellet, Fri Oct 24 23:22:36 2025