Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: MozillaThunderbird | Distribution: openSUSE Tumbleweed |
Version: 128.5.1 | Vendor: openSUSE |
Release: 1.1 | Build date: Tue Dec 3 08:41:29 2024 |
Group: Productivity/Networking/Email/Clients | Build host: reproducible |
Size: 285451541 | Source RPM: MozillaThunderbird-128.5.1-1.1.src.rpm |
Packager: http://bugs.opensuse.org | |
Url: https://www.thunderbird.net/ | |
Summary: An integrated email, news feeds, chat, and newsgroups client |
Thunderbird is a free, open-source, cross-platform application for managing email, news feeds, chat, and news groups. It is a local (rather than browser- or web-based) email application that is powerful yet easy to use.
MPL-2.0
* Tue Dec 03 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 128.5.1 * Add end of year donation appeal * Total message count for favorite folders did not work consistently * Thu Nov 28 2024 Wolfgang Rosenauer <[email protected]> - make spec compatible with rpm < 4.17 again - correct appdata for different desktop filename * Tue Nov 26 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 128.5.0 * IMAP could crash when reading cached messages * Enabling "Show Folder Size" on Maildir profile could render Thunderbird unusable * Messages corrupted by folder compaction were only fixed by user intervention * Reading a message from past the end of an mbox file did not cause an error * View -> Folders had duplicate F access keys * Add-ons adding columns to the message list could fail and cause display issue * "Empty trash on exit" and "Expunge inbox on exit" did not always work * Selecting a display option in View -> Tasks did not apply in the Task interface MFSA 2024-68 (bsc#1233695) * CVE-2024-11691 (bmo#1914707, bmo#1924184) Memory corruption in Apple GPU drivers * CVE-2024-11692 (bmo#1909535) Select list elements could be shown over another site * CVE-2024-11693 (bmo#1921458) Download Protections were bypassed by .library-ms files on Windows * CVE-2024-11694 (bmo#1924167) CSP Bypass and XSS Exposure via Web Compatibility Shims * CVE-2024-11695 (bmo#1925496) URL Bar Spoofing via Manipulated Punycode and Whitespace Characters * CVE-2024-11696 (bmo#1929600) Unhandled Exception in Add-on Signature Verification * CVE-2024-11697 (bmo#1842187) Improper Keypress Handling in Executable File Confirmation Dialog * CVE-2024-11698 (bmo#1916152) Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS * CVE-2024-11699 (bmo#1880582, bmo#1929911) Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 - appid is thunderbird-esr currently; use the matching desktop file name (boo#1233650) * Wed Nov 20 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 128.4.4 * QR codes were not scannable by Android app when using most high-contrast themes * Primary password prompt cancellation during mobile export was confusing - revert using xdg-desktop-portal as some desktops have limited support * Sat Nov 09 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 128.4.3 Fixes: * Folder corruption could cause Thunderbird to freeze and become unusable * Message corruption could be propagated when reading mbox * Folder compaction was not abandoned on shutdown * Folder compaction did not clean up on failure * Collapsed NNTP thread incorrectly indicated there were unread messages * Navigating to next unread message did not wait for all messages to be loaded * Applying column view to folder and children could break if folder error occurred * Remote content notifications were broken with encrypted messages * Updating criteria of a saved search resulted in poor search performance * Drop-downs may not work in some places MFSA 2024-61 * CVE-2024-11159 (bmo#1925929) Potential disclosure of plaintext in OpenPGP encrypted message - remove kmozillahelper support (boo#1226112) * removed mozilla-kde.patch * requires xdg-desktop-portal instead * Wed Nov 06 2024 Andreas Stieger <[email protected]> - Mozilla Thunderbird 128.4.2 * Increased the auto-compaction threshold to reduce the frequency of compaction (bmo#1927656) * fixed: New profile creation caused console errors (bmo#1912675) * fixed: Repair folder could result in older messages showing wrong date and time (bmo#1911916) * fixed: Recently deleted messages could become undeleted if message compaction failed (bmo#1924927) * fixed: Visual and UX improvements (bmo#1857413,bmo#1922934,bmo#1924437) * fixed: Clicking on an HTML button could cause Thunderbird to freeze (bmo#1879355) * fixed: Messages could not be selected for dragging (bmo#1887518) * fixed: Could not open attached file in a MIME encrypted message (bmo#1924637) * fixed: Account creation "Setup Documentation" link was broken (bmo#1925493) * fixed: Unable to generate QR codes when exporting to mobile in some cases (bmo#1928114) * fixed: Operating system reauthentication was missing when exporting QR codes for mobile (bmo#1928232) * fixed: Could not drag all-day events from one day to another in week view (bmo#1922944) * Sat Nov 02 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 128.4.1 * Add the 20 year donation appeal (bmo#192538) * Wed Oct 30 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 128.4.0 * Export Thunderbird account settings to Thunderbird Mobile via QRCode Bugfixes: * Unable to send an unencrypted response to an OpenPGP encrypted message MFSA 2024-58 (bsc#1231879) * CVE-2024-10458 (bmo#1921733) Permission leak via embed or object elements * CVE-2024-10459 (bmo#1919087) Use-after-free in layout with accessibility * CVE-2024-10460 (bmo#1912537) Confusing display of origin for external protocol handler prompt * CVE-2024-10461 (bmo#1914521) XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response * CVE-2024-10462 (bmo#1920423) Origin of permission prompt could be spoofed by long URL * CVE-2024-10463 (bmo#1920800) Cross origin video frame leak * CVE-2024-10464 (bmo#1913000) History interface could have been used to cause a Denial of Service condition in the browser * CVE-2024-10465 (bmo#1918853) Clipboard "paste" button persisted across tabs * CVE-2024-10466 (bmo#1924154) DOM push subscription message could hang Firefox * CVE-2024-10467 (bmo#1829029, bmo#1888538, bmo#1900394, bmo#1904059, bmo#1917742, bmo#1919809, bmo#1923706) Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 * Wed Oct 23 2024 Andreas Stieger <[email protected]> - Mozilla Thunderbird 128.3.3 * Files left over from failed folder compactions could use up disk space (bmo#1878541) * Message list returned to selected message after action on another message (bmo#1917485) * Some faulty messages were downloaded and never stored (bmo#1923765) * Messages could become corrupted during folder compaction (bmo#1923747,bmo#1923541,bmo#1720047) * Searching events by Location, Description, or URL failed (bmo#1912710) * "Remove All Shown" saved passwords deleted all logins if filtered without results (bmo#601447) * Calendar event updates were not always sent to attendees (bmo#1877640) * Wed Oct 16 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 128.3.2 bugfix release: https://www.thunderbird.net/en-US/thunderbird/128.3.2esr/releasenotes - bring back mozilla-bmo531915.patch to fix x86 * Thu Oct 10 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 128.3.1 https://www.thunderbird.net/en-US/thunderbird/128.0esr/releasenotes/ and following release notes for minor version updates MFSA 2024-52 (bsc#1231413) * CVE-2024-9680 (bmo#1923344) Use-after-free in Animation timeline Mozilla Thunderbird 128.3.0 MFSA 2024-32 (128.0) MFSA 2024-37 (128.1) MFSA 2024-43 (128.2) MFSA 2024-49 (128.3) (bsc#1230979) * CVE-2024-9392 (bmo#1899154, bmo#1905843) Compromised content process can bypass site isolation * CVE-2024-9393 (bmo#1918301) Cross-origin access to PDF contents through multipart responses * CVE-2024-9394 (bmo#1918874) Cross-origin access to JSON contents through multipart responses * CVE-2024-8900 (bmo#1872841) Clipboard write permission bypass * CVE-2024-9396 (bmo#1912471) Potential memory corruption may occur when cloning certain objects * CVE-2024-9397 (bmo#1916659) Potential directory upload bypass via clickjacking * CVE-2024-9398 (bmo#1881037) External protocol handlers could be enumerated via popups * CVE-2024-9399 (bmo#1907726) Specially crafted WebTransport requests could lead to denial of service * CVE-2024-9400 (bmo#1915249) Potential memory corruption during JIT compilation * CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1916476) Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 * CVE-2024-9402 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1913445, bmo#1914106, bmo#1914475, bmo#1914963, bmo#1915008, bmo#1916476) Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 - removed obsolete patches mozilla-bmo1504834-part3.patch mozilla-bmo1512162.patch mozilla-bmo1775202.patch mozilla-bmo531915.patch mozilla-fix-aarch64-libopus.patch mozilla-fix-issues-with-llvm18.patch mozilla-fix-top-level-asm.patch mozilla-partial-revert-1768632.patch mozilla-rust-disable-future-incompat.patch thunderbird-fix-CVE-2024-34703.patch - new patch thunderbird-silence-no-return.patch - rebased mozilla-bmo1504834-part1.patch mozilla-kde.patch mozilla-libavcodec58_91.patch mozilla-silence-no-return-type.patch * Fri Sep 06 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.15.0 MFSA 2024-44 (bsc#1229821) * CVE-2024-8381 (bmo#1912715) Type confusion when looking up a property name in a "with" block * CVE-2024-8382 (bmo#1906744) Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran * CVE-2024-8384 (bmo#1911288) Garbage collection could mis-color cross-compartment objects in OOM conditions * Thu Aug 29 2024 Manfred Hollstein <[email protected]> - Use gcc13 on Tumbleweed and where it is available. - Don't use gcc14 as sources don't compile. * Fri Aug 02 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.14.0 * When using an external installation of GnuPG, Thunderbird occassionally sent/received corrupted messages (bmo#1898832) * Users of external GnuPG were unable to decrypt incorrectly encoded messages (bmo#1906903) MFSA 2024-38 (bsc#1228648) * CVE-2024-7519 (bmo#1902307) Out of bounds memory access in graphics shared memory handling * CVE-2024-7521 (bmo#1904644) Incomplete WebAssembly exception handing * CVE-2024-7522 (bmo#1906727) Out of bounds read in editor component * CVE-2024-7525 (bmo#1909298) Missing permission check when creating a StreamFilter * CVE-2024-7526 (bmo#1910306) Uninitialized memory used by WebGL * CVE-2024-7527 (bmo#1871303) Use-after-free in JavaScript garbage collection * CVE-2024-7529 (bmo#1903187) Document content could partially obscure security prompts * Wed Jul 10 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.13.0 * After starting Thunderbird, the message list position was sometimes set to an incorrect position MFSA 2024-30 (bsc#1226316) * CVE-2024-6600 (bmo#1888340) Memory corruption in WebGL API * CVE-2024-6601 (bmo#1890748) Race condition in permission assignment * CVE-2024-6602 (bmo#1895032) Memory corruption in NSS * CVE-2024-6603 (bmo#1895081) Memory corruption in thread creation * CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266) Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, and Thunderbird 115.13 * Tue Jul 02 2024 Martin Sirringhaus <[email protected]> - Mozilla Thunderbird 115.12.2 * fixed: Annual Thunderbird Beta appeal intended for Thunderbird 115.12.0 did not open as expected (bmo#1898084) - Mozilla Thunderbird 115.12.1 * 115.12.0 got pulled because of upstream automation process errors and Windows installer signing changes. No code changes, changelog is the same as 115.12.0 (bsc#1226495) - Added thunderbird-fix-CVE-2024-34703.patch (bsc#1227239) * Mon Jun 17 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.12.0 https://www.thunderbird.net/en-US/thunderbird/115.12.0/releasenotes MFSA 2024-28 (bsc#1226027) * CVE-2024-5702 (bmo#1193389) Use-after-free in networking * CVE-2024-5688 (bmo#1895086) Use-after-free in JavaScript object transplant * CVE-2024-5690 (bmo#1883693) External protocol handlers leaked by timing attack * CVE-2024-5691 (bmo#1888695) Sandboxed iframes were able to bypass sandbox restrictions to open a new window * CVE-2024-5692 (bmo#1891234) Bypass of file name restrictions during saving * CVE-2024-5693 (bmo#1891319) Cross-Origin Image leak via Offscreen Canvas * CVE-2024-5696 (bmo#1896555) Memory Corruption in Text Fragments * CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388, bmo#1895123) Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 * Wed May 29 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.11.1 * Added a short anonymous survey that a small number of users will be randomly asked to complete * Tue May 14 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.11.0 MFSA 2024-23 (bsc#1224056) * CVE-2024-4367 (bmo#1893645) Arbitrary JavaScript execution in PDF.js * CVE-2024-4767 (bmo#1878577) IndexedDB files retained in private browsing mode * CVE-2024-4768 (bmo#1886082) Potential permissions request bypass via clickjacking * CVE-2024-4769 (bmo#1886108) Cross-origin responses could be distinguished between script and non-script content-types * CVE-2024-4770 (bmo#1893270) Use-after-free could occur when printing to PDF * CVE-2024-4777 (bmo#1878199, bmo#1893340) Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 * Sat May 04 2024 Andreas Stieger <[email protected]> - Mozilla Thunderbird 115.10.2: https://www.thunderbird.net/en-US/thunderbird/115.10.2/releasenotes/ This release is identical to 115.10.1, other than changing the Update channel for self-updating builds to ESR. (bmo#1893271) * Fri Apr 19 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.10.1 https://www.thunderbird.net/en-US/thunderbird/115.10.1/releasenotes/ * fixed hangup introduced with 115.10.0 (bmo#1891889) * Sun Apr 14 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.10.0 https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/ MFSA 2024-20 (bsc#1222535) * CVE-2024-3852 (bmo#1883542) GetBoundName in the JIT returned the wrong object * CVE-2024-3854 (bmo#1884552) Out-of-bounds-read after mis-optimized switch statement * CVE-2024-3857 (bmo#1886683) Incorrect JITting of arguments led to use-after-free during garbage collection * CVE-2024-2609 (bmo#1866100) Permission prompt input delay could expire when not in focus * CVE-2024-3859 (bmo#1874489) Integer-overflow led to out-of-bounds-read in the OpenType sanitizer * CVE-2024-3861 (bmo#1883158) Potential use-after-free due to AlignedBuffer self-move * CVE-2024-3863 (bmo#1885855) Download Protections were bypassed by .xrm-ms files on Windows * CVE-2024-3302 (bmo#1881183) Denial of Service using HTTP/2 CONTINUATION frames * CVE-2024-3864 (bmo#1888333) Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10 * Wed Mar 20 2024 Manfred Hollstein <[email protected]> - LLVM18 breaks building Thunderbird on Tumbleweed; add * mozilla-fix-issues-with-llvm18.patch * Sat Mar 16 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.9.0 https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/ MFSA 2024-14 (bsc#1221327) * CVE-2024-0743 (bmo#1867408) Crash in NSS TLS method * CVE-2024-2605 (bmo#1872920) Windows Error Reporter could be used as a Sandbox escape vector * CVE-2024-2607 (bmo#1879939) JIT code failed to save return registers on Armv7-A * CVE-2024-2608 (bmo#1880692) Integer overflow could have led to out of bounds write * CVE-2024-2616 (bmo#1846197) Improve handling of out-of-memory conditions in ICU * CVE-2023-5388 (bmo#1780432) NSS susceptible to timing attack against RSA decryption * CVE-2024-2610 (bmo#1871112) Improper handling of html and body tags enabled CSP nonce leakage * CVE-2024-2611 (bmo#1876675) Clickjacking vulnerability could have led to a user accidentally granting permissions * CVE-2024-2612 (bmo#1879444) Self referencing object could have potentially led to a use- after-free * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093) Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9 * Tue Mar 05 2024 Adam Mizerski <[email protected]> - Create subpackage MozillaThunderbird-openpgp-librnp * Tue Mar 05 2024 Wolfgang Rosenauer <wr@@rosenauer.org> - Mozilla Thunderbird 115.8.1 https://www.thunderbird.net/en-US/thunderbird/115.8.1/releasenotes/ MFSA 2024-11 * CVE-2024-1936 (bmo#1860977) Leaking of encrypted email subjects to other conversations * Mon Feb 19 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.8.0 MFSA 2024-07 (bsc#1220048) * CVE-2024-1546 (bmo#1843752) Out-of-bounds memory read in networking channels * CVE-2024-1547 (bmo#1877879) Alert dialog could have been spoofed on another site * CVE-2024-1548 (bmo#1832627) Fullscreen Notification could have been hidden by select element * CVE-2024-1549 (bmo#1833814) Custom cursor could obscure the permission dialog * CVE-2024-1550 (bmo#1860065) Mouse cursor re-positioned unexpectedly could have led to unintended permission grants * CVE-2024-1551 (bmo#1864385) Multipart HTTP Responses would accept the Set-Cookie header in response parts * CVE-2024-1552 (bmo#1874502) Incorrect code generation on 32-bit ARM devices * CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498, bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597, bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795, bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286) Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 * new: Added option to show packet dump when OpenPGP fails to decrypt (bmo#1874504) * fixed: Thunderbird slowed down significantly when opening email files (.eml) (bmo#1863957) * fixed: Inbox view intermittently reverted to default view after moving or deleting messages (bmo#1725127) * fixed: Size of collapsed folders in folder pane did not include size of subfolders (bmo#1870641) * fixed: Hovering over folder does not always expand subfolders (bmo#1873101) * fixed: Switching to thread pane of a folder using keyboard navigation did not focus top message (bmo#1869557) * fixed: Clicking "Sent unsent messages" in Outbox context menu while in offline mode did not prompt user to go online (bmo#1873487) * fixed: Mail tab-specific Unified Toolbar buttons received focus incorrectly (bmo#1872239) * fixed: Quick Filter settings did not persist when Quick Filter bar was turned off (bmo#1850266) * fixed: Quick Filters were unusually slow (bmo#1849650) * fixed: OpenPGP Key Manager filtering did not work (bmo#1873655) * fixed: OpenPGP sometimes attempted to decrypt message with incorrect key (bmo#1865620) * fixed: Autoconfig failed on servers that did not support OAuth2 (bmo#1869122) * fixed: Opening different attachments with the same name in different messages could cause attachment files to become conflated (bmo#1873023) * fixed: Overflowed attachment list could not be scrolled (bmo#1871343) * fixed: Passwords disappeared from password manager list after applying and clearing filters (bmo#1874646) * fixed: Cookies in cookie manager list disappeared after applying and then clearing filters (bmo#1876733) * Sun Jan 21 2024 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.7.0 https://www.thunderbird.net/en-US/thunderbird/115.7.0/releasenotes/ MFSA 2024-04 (bsc#1218955) * CVE-2024-0741 (bmo#1864587) Out of bounds write in ANGLE * CVE-2024-0742 (bmo#1867152) Failure to update user input timestamp * CVE-2024-0746 (bmo#1660223) Crash when listing printers on Linux * CVE-2024-0747 (bmo#1764343) Bypass of Content Security Policy when directive unsafe-inline was set * CVE-2024-0749 (bmo#1813463) Phishing site popup could show local origin in address bar * CVE-2024-0750 (bmo#1863083) Potential permissions request bypass via clickjacking * CVE-2024-0751 (bmo#1865689) Privilege escalation through devtools * CVE-2024-0753 (bmo#1870262) HSTS policy on subdomain could bypass policy of upper domain * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701) Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7 * Wed Jan 10 2024 Martin Sirringhaus <[email protected]> - Mozilla Thunderbird 115.6.1 https://www.thunderbird.net/en-US/thunderbird/115.6.1/releasenotes/ * new: OAuth2 now supported for comcast.net (bmo#1844810) * fixed: High CPU usage sometimes occurred with IMAP CONDSTORE (conditional STORE) enabled (bmo#1839256) * fixed: Replying to a collapsed thread via keyboard shortcut (Ctrl+R/Cmd+R) opened a reply for every message in the thread (bmo#1866819) * fixed: Enabling Grouped By view after reversing sort order of column header caused messages to be grouped incorrectly (bmo#1868794) * fixed: Opening thread pane context menu via keyboard did not always scroll view to selection (bmo#1867532) * fixed: New mail indicator for POP3 accounts did not indicate new messages ready to be downloaded (bmo#1870619) * fixed: Messages could not be moved to folders using Message > Move To if text or a link in the message had been clicked on first (bmo#1868474) * fixed: MIME part boundaries were not properly terminated (bmo#1805558) * Sun Dec 17 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.6.0 https://www.thunderbird.net/en-US/thunderbird/115.6.0/releasenotes/ * Message selection misbehaved after selecting a sub-message in an expanded thread, collapsing the thread, then pressing up/down to move selection * Thunderbird now attempts to reconnect on a new connection after SMTP 4xx errors * HTML FileLink attachments used the wrong encoding MFSA 2023-55 (bsc#1217230) * CVE-2023-50762 (bmo#1862625) Truncated signed text was shown with a valid OpenPGP signature * CVE-2023-50761 (bmo#1865647) S/MIME signature accepted despite mismatching message date * CVE-2023-6856 (bmo#1843782) Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver * CVE-2023-6857 (bmo#1796023) Symlinks may resolve to smaller than expected buffers * CVE-2023-6858 (bmo#1826791) Heap buffer overflow in nsTextFragment * CVE-2023-6859 (bmo#1840144) Use-after-free in PR_GetIdentitiesLayer * CVE-2023-6860 (bmo#1854669) Potential sandbox escape due to VideoBridge lack of texture validation * CVE-2023-6861 (bmo#1864118) Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode * CVE-2023-6862 (bmo#1868042) Use-after-free in nsDNSService * CVE-2023-6863 (bmo#1868901) Undefined behavior in ShutdownObserver() * CVE-2023-6864 (bmo#1736385, bmo#1810805, bmo#1846328, bmo#1856090, bmo#1858033, bmo#1858509, bmo#1862089, bmo#1862777, bmo#1864015) Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6 * Tue Dec 12 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.5.2 Bugfix release https://www.thunderbird.net/en-US/thunderbird/115.5.2/releasenotes/ * Tue Nov 28 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.5.1 Bugfix release https://www.thunderbird.net/en-US/thunderbird/115.5.1/releasenotes * Advanced GnuPG keys may be protected with an unexpected passphrase * OpenPGP signatures rejected due to mismatched signature timestamp now display signature timestamp and clarifying message * Advanced address book search did not return results if display name was left blank * Clicking on attendee when inviting attendees added the attendee twice * Wed Nov 22 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.5.0 https://www.thunderbird.net/en-US/thunderbird/115.5.0/releasenotes MFSA 2023-52 (bsc#1217230) * CVE-2023-6204 (bmo#1841050) Out-of-bound memory access in WebGL2 blitFramebuffer * CVE-2023-6205 (bmo#1854076) Use-after-free in MessagePort::Entangled * CVE-2023-6206 (bmo#1857430) Clickjacking permission prompts using the fullscreen transition * CVE-2023-6207 (bmo#1861344) Use-after-free in ReadableByteStreamQueueEntry::Buffer * CVE-2023-6208 (bmo#1855345) Using Selection API would copy contents into X11 primary selection. * CVE-2023-6209 (bmo#1858570) Incorrect parsing of relative URLs starting with "///" * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943, bmo#1862782) Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 * Wed Nov 15 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.4.3 Bugfix release https://www.thunderbird.net/en-US/thunderbird/115.4.3/releasenotes * Sat Nov 04 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.4.2 https://www.thunderbird.net/en-US/thunderbird/115.4.2/releasenotes - build using rust/cargo 1.72 (1.69 about to be dropped from Factory) * Tue Oct 24 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.4.1 https://www.thunderbird.net/en-US/thunderbird/115.4.1/releasenotes https://www.thunderbird.net/en-US/thunderbird/115.4.0/releasenotes MFSA 2023-47 (bsc#1216338) * CVE-2023-5721 (bmo#1830820) Queued up rendering could have allowed websites to clickjack * CVE-2023-5732 (bmo#1690979, bmo#1836962) Address bar spoofing via bidirectional characters * CVE-2023-5724 (bmo#1836705) Large WebGL draw could have led to a crash * CVE-2023-5725 (bmo#1845739) WebExtensions could open arbitrary URLs * CVE-2023-5726 (bmo#1846205) Full screen notification obscured by file open dialog on macOS * CVE-2023-5727 (bmo#1847180) Download Protections were bypassed by .msix, .msixbundle, .appx, and .appxbundle files on Windows * CVE-2023-5728 (bmo#1852729) Improper object tracking during GC in the JavaScript engine could have led to a crash. * CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833, bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002, bmo#1855306, bmo#1855640, bmo#1856695) Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1 - removed obsolete mozilla-bmo1846703.patch * Tue Oct 24 2023 Andreas Stieger <[email protected]> - Mozilla Thunderbird 115.3.3 * fixed: "Folder Location" toolbar button did not work for local folders (bmo#1843979) * fixed: "Copy to <folder name> again" option disappeared from context menu after copying to Gmail folder with non-ASCII name (bmo#1856712) * fixed: Default reply identity did not use "Delivered-To" address when catch-all was active (bmo#1815559) * fixed: "View Headers All" did not work when selected in standalone message window (bmo#1855316) * fixed: Viewing the mail filter log displayed an error if no log file was present (bmo#1789244) * Tue Oct 10 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.3.2 Bugfix release https://www.thunderbird.net/en-US/thunderbird/115.3.2/releasenotes * Fri Sep 29 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.3.1 MFSA 2023-45 (bsc#1215814) * CVE-2023-5217 (bmo#1855550) Heap buffer overflow in libvpx - Add mozilla-bmo1846703.patch * Tue Sep 26 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.3.0 https://www.thunderbird.net/en-US/thunderbird/115.3.0/releasenotes MFSA 2023-43 (bsc#1215575) * CVE-2023-5168 (bmo#1846683) Out-of-bounds write in FilterNodeD2D1 * CVE-2023-5169 (bmo#1846685) Out-of-bounds write in PathOps * CVE-2023-5171 (bmo#1851599) Use-after-free in Ion Compiler * CVE-2023-5174 (bmo#1848454) Double-free in process spawning on Windows * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195) Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 * Wed Sep 20 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.2.3 Bugfix release: https://www.thunderbird.net/en-US/thunderbird/115.2.3/releasenotes * Tue Sep 12 2023 Andreas Stieger <[email protected]> - Mozilla Thunderbird 115.2.2 https://www.thunderbird.net/en-US/thunderbird/115.2.2/releasenotes MFSA 2023-40 (bsc#1215231) * CVE-2023-4863 (bmo# bmo#1852649) Heap buffer overflow in libwebp * Tue Sep 12 2023 Andreas Stieger <[email protected]> - Mozilla Thunderbird 115.2.1 https://www.thunderbird.net/en-US/thunderbird/115.2.1/releasenotes * new: Column separators are now shown between all columns in tree view (bmo#1847441) * fixed: New mail notification always opened message in message pane, even if pane was disabled (bmo#1840092) * fixed: After moving an IMAP message to another folder, the incorrect message was selected in the message list (bmo#1845376) * fixed: Adding a tag to an IMAP message opened in a tab failed (bmo#1844452) * fixed: Junk/Spam folders were not always shown in Unified Folders mode (bmo#1838672) * fixed: Middle-clicking a folder or message did not open it in a background tab, as in previous versions (bmo#1842482) * fixed: Settings tab visual improvements: Advanced Fonts dialog, Section headers hidden behind search box (bmo#1717382,bmo#1846751) * fixed: Various visual and style fixes (bmo#1843707,bmo#1849823) * Sun Aug 27 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.2.0 https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes MFSA 2023-38 (bsc#1214606) * CVE-2023-4573 (bmo#1846687) Memory corruption in IPC CanvasTranslator * CVE-2023-4574 (bmo#1846688) Memory corruption in IPC ColorPickerShownCallback * CVE-2023-4575 (bmo#1846689) Memory corruption in IPC FilePickerShownCallback * CVE-2023-4576 (bmo#1846694) Integer Overflow in RecordedSourceSurfaceCreation * CVE-2023-4577 (bmo#1847397) Memory corruption in JIT UpdateRegExpStatics * CVE-2023-4051 (bmo#1821884) Full screen notification obscured by file open dialog * CVE-2023-4578 (bmo#1839007) Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception * CVE-2023-4053 (bmo#1839079) Full screen notification obscured by external program * CVE-2023-4580 (bmo#1843046) Push notifications saved to disk unencrypted * CVE-2023-4581 (bmo#1843758) XLL file extensions were downloadable without warnings * CVE-2023-4582 (bmo#1773874) Buffer Overflow in WebGL glGetProgramiv * CVE-2023-4583 (bmo#1842030) Browsing Context potentially not cleared when closing Private Window * CVE-2023-4584 (bmo#1843968, bmo#1845205, bmo#1846080, bmo#1846526, bmo#1847529) Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2 * CVE-2023-4585 (bmo#1751583, bmo#1833504, bmo#1841082, bmo#1847904, bmo#1848999) Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2 * Tue Aug 15 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.1.1 bugfixes as documented here https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes * Tue Aug 01 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 115.1.0 New major release with Supernova UI Releasenotes for 115.0: https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes MFSA 2023-33 (bsc#1213746) * CVE-2023-4045 (bmo#1833876) Offscreen Canvas could have bypassed cross-origin restrictions * CVE-2023-4046 (bmo#1837686) Incorrect value used during WASM compilation * CVE-2023-4047 (bmo#1839073) Potential permissions request bypass via clickjacking * CVE-2023-4048 (bmo#1841368) Crash in DOMParser due to out-of-memory conditions * CVE-2023-4049 (bmo#1842658) Fix potential race conditions when releasing platform objects * CVE-2023-4050 (bmo#1843038) Stack buffer overflow in StorageManager * CVE-2023-4052 (bmo#1824420) File deletion and privilege escalation through Firefox uninstaller * CVE-2023-4054 (bmo#1840777) Lack of warning when opening appref-ms files * CVE-2023-4055 (bmo#1782561) Cookie jar overflow caused unexpected cookie jar state * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325, bmo#1843847) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14 * CVE-2023-4057 (bmo#1841682) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1 - requires NSS 3.90 - add patches: mozilla-rust-disable-future-incompat.patch mozilla-partial-revert-1768632.patch mozilla-bmo1775202.patch - removed obsolete patches: gcc13-fix.patch mozilla-bmo1568145.patch mozilla-bmo1005535.patch mozilla-s390x-skia-gradient.patch - update create-tar.sh * Tue Jul 25 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.13.1 MFSA 2023-28 * CVE-2023-3417 (bmo#1835582, boo#1213658) File Extension Spoofing using the Text Direction Override Character * Fri Jul 07 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.13.0 * Upstream RNP version numbers now recognized as official in about:support MFSA 2023-24 (bsc#1212438) * CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation * CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment mismatch in SpiderMonkey * CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured * CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13 - mozilla-llvm16.patch has been applied upstream, remove it here * Sun Jun 04 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.12.0: MFSA 2023-21 (bsc#1211922) * CVE-2023-34414 (bmo#1695986) Click-jacking certificate exceptions through rendering lag * CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875, bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190, bmo#1830206, bmo#1830795, bmo#1833339) Memory safety bugs fixed in Thunderbird 102.12 * fixed: "Searching the directory for recipients certificates" popup could block compose window when "S/MIME reminder" was enabled and using an LDAP address book (bmo#1833651) * fixed: Some elements still used animations with "prefers- reduced-motion" set (bmo#1833353) * fixed: Visual and theme improvements (bmo#1832943,bmo#1832990) * Sat May 27 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.11.2 * fixed: Thunderbird 102.11.1 contained POP3 client regressions with offline mode and TLS certificate overrides (bmo#1801286,bmo#1816596,bmo#1798785) - Includes changes from Thunderbird 102.11.1 * fixed: POP message retrieval stopped after a network error occurred and connectivity was restored (bmo#1798785) * fixed: Reused SMTP connections sometimes silently disconnected, causing timeouts (bmo#1766382) * fixed: Thunderbird could freeze if saving a sent message to IMAP failed (bmo#1745130) * fixed: Creating OpenPGP keys with no expiration was not possible (bmo#1830094) * fixed: News reader did not always issue GROUP command after authentication with remote server, preventing Thundebird from displaying or refreshing news from the server (bmo#1824377) - updated mozilla.keyring * Thu May 11 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.11.0 * https://www.thunderbird.net/en-US/thunderbird/102.11.0/releasenotes MFSA 2023-18 (bsc#1211175) * CVE-2023-32205 (bmo#1753339, bmo#1753341) Browser prompts could have been obscured by popups * CVE-2023-32206 (bmo#1824892) Crash in RLBox Expat driver * CVE-2023-32207 (bmo#1826116) Potential permissions request bypass via clickjacking * CVE-2023-32211 (bmo#1823379) Content process crash due to invalid wasm code * CVE-2023-32212 (bmo#1826622) Potential spoof due to obscured address bar * CVE-2023-32213 (bmo#1826666) Potential memory corruption in FileReader::DoReadData() * CVE-2023-32214 (bmo#1828716) Potential DoS via exposed protocol handlers * CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856, bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144, bmo#1827359, bmo#1830186) Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11 * Sun Apr 23 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.10.1 * https://www.thunderbird.net/en-US/thunderbird/102.10.1/releasenotes * Wed Apr 05 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.10.0 * New messages will automatically select S/MIME if configured and OpenPGP is not * Calendar events with timezone America/Mexico_City incorrectly applied Daylight Savings Time MFSA 2023-15 (bsc#1210212) * CVE-2023-29531 (bmo#1794292) Out-of-bound memory access in WebGL on macOS * CVE-2023-29532 (bmo#1806394) Mozilla Maintenance Service Write-lock bypass * CVE-2023-29533 (bmo#1798219, bmo#1814597) Fullscreen notification obscured * MFSA-TMP-2023-0001 (bmo#1819244) Double-free in libwebp * CVE-2023-29535 (bmo#1820543) Potential Memory Corruption following Garbage Collector compaction * CVE-2023-29536 (bmo#1821959) Invalid free from JavaScript code * CVE-2023-0547 (bmo#1811298) Revocation status of S/Mime recipient certificates was not checked * CVE-2023-29479 (bmo#1824978) Hang when processing certain OpenPGP messages * CVE-2023-29539 (bmo#1784348) Content-Disposition filename truncation leads to Reflected File Download * CVE-2023-29541 (bmo#1810191) Files with malicious extensions could have been downloaded unsafely on Linux * CVE-2023-29542 (bmo#1810793, bmo#1815062) Bypass of file download extension restrictions * CVE-2023-29545 (bmo#1823077) Windows Save As dialog resolved environment variables * CVE-2023-1945 (bmo#1777588) Memory Corruption in Safe Browsing Code * CVE-2023-29548 (bmo#1822754) Incorrect optimization result on ARM64 * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413, bmo#1824828) Memory safety bugs fixed in Thunderbird 102.10 - add mozilla-llvm16.patch to fix build with LLVM16 * Wed Mar 29 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.9.1 MFSA 2023-12 * CVE-2023-28427 (bmo#1822595) Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack * Sun Mar 26 2023 Wolfgang Rosenauer <[email protected]> - add gcc13-fix.patch to support current Tumbleweed * Sun Mar 12 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.9.0 * https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes MFSA 2023-11 (bsc#1209173)) * CVE-2023-25751 (bmo#1814899) Incorrect code generation during JIT compilation * CVE-2023-28164 (bmo#1809122) URL being dragged from a removed cross-origin iframe into the same tab triggered navigation * CVE-2023-28162 (bmo#1811327) Invalid downcast in Worklets * CVE-2023-25752 (bmo#1811627) Potential out-of-bounds when accessing throttled streams * CVE-2023-28163 (bmo#1817768) Windows Save As dialog resolved environment variables * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904, bmo#1817442, bmo#1818674) Memory safety bugs fixed in Thunderbird 102.9 - update create-tar.sh - build using rust 1.67 * Tue Mar 07 2023 Manfred Hollstein <[email protected]> - Ensure gcc11-c++ gets used on Leap 15.5, too. * Wed Feb 15 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.8.0 * https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes MFSA 2023-07 (bsc#1208144) * CVE-2023-0616 (bmo#1806507) User Interface lockup with messages combining S/MIME and OpenPGP * CVE-2023-25728 (bmo#1790345) Content security policy leak in violation reports using iframes * CVE-2023-25730 (bmo#1794622) Screen hijack via browser fullscreen mode * CVE-2023-0767 (bmo#1804640) Arbitrary memory write via PKCS 12 in NSS * CVE-2023-25735 (bmo#1810711) Potential use-after-free from compartment mismatch in SpiderMonkey * CVE-2023-25737 (bmo#1811464) Invalid downcast in SVGUtils::SetupStrokeGeometry * CVE-2023-25738 (bmo#1811852) Printing on Windows could potentially crash Thunderbird with some device drivers * CVE-2023-25739 (bmo#1811939) Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext * CVE-2023-25729 (bmo#1792138) Extensions could have opened external schemes without user knowledge * CVE-2023-25732 (bmo#1804564) Out of bounds memory write from EncodeInputStream * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338) Opening local .url files could cause unexpected network loads * CVE-2023-25742 (bmo#1813424) Web Crypto ImportKey crashes tab * CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628, bmo#1810536) Memory safety bugs fixed in Thunderbird 102.8 - requires NSPR >= 4.34.1 NSS >= 3.79.4 * Wed Feb 08 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.7.2 * Various crash fixes * Tue Jan 31 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.7.1 * Microsoft Office 365 accounts were unable to authenticate * https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/ MFSA 2023-04 * CVE-2023-0430 (bmo#1769000) Revocation status of S/Mime signature certificates was not checked - update create-tar.sh * Tue Jan 17 2023 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.7.0 https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/ MFSA 2023-03 (bsc#1207119) * CVE-2022-46871 (bmo#1795697) libusrsctp library out of date * CVE-2023-23598 (bmo#1800425) Arbitrary file read from GTK drag and drop on Linux * CVE-2023-23599 (bmo#1777800) Malicious command could be hidden in devtools output on Windows * CVE-2023-23601 (bmo#1794268) URL being dragged from cross-origin iframe into same tab triggers navigation * CVE-2023-23602 (bmo#1800890) Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers * CVE-2022-46877 (bmo#1795139) Fullscreen notification bypass * CVE-2023-23603 (bmo#1800832) Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974) Memory safety bugs fixed in Thunderbird 102.7 * Tue Dec 20 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.6.1 * Remote content did not load in user-defined signatures * Addons that added new action buttons were not shown for addon upgrades, requiring removal and reinstall * Various stability improvements MFSA 2022-54 * CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions * Tue Dec 13 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.6.0 https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/ MFSA 2022-53 (bsc#1206242) * CVE-2022-46880 (bmo#1749292) Use-after-free in WebGL * CVE-2022-46872 (bmo#1799156) Arbitrary file read from a compromised content process * CVE-2022-46881 (bmo#1770930) Memory corruption in WebGL * CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions * CVE-2022-46875 (bmo#1786188) Download Protections were bypassed by .atloc and .ftploc files on Mac OS * CVE-2022-46882 (bmo#1789371) Use-after-free in WebGL * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, bmo#1801102, bmo#1801315, bmo#1802395) Memory safety bugs fixed in Thunderbird 102.6 - removed obsolete patches mozilla-newer-cbindgen.patch mozilla-glibc236.patch * Wed Nov 30 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.5.1 MFSA 2022-50 * CVE-2022-45414 (bmo#1788096) Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content * Sat Nov 12 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.5.0 * changes and fixes as described here https://www.thunderbird.net/en-US/thunderbird/102.5.0/releasenotes MFSA 2022-49 (bsc#1205270) * CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files * CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass * CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation * CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm * CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName * CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection * CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy * CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers * CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers * CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage * CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn over browser UI * CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside the iframe * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Thunderbird 102.5 * Sat Nov 05 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.4.2 * "Address Book" button in Account Central will now create a CardDAV address book instead of a local address book * Bugfixes as described here https://www.thunderbird.net/en-US/thunderbird/102.4.2/releasenotes * Tue Oct 25 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.4.1 * Thunderbird will now catch and report errors parsing vCards that contain incorrectly formatted dates * Dynamic language switching did not update interface when switched to right-to-left languages * Custom header data was discarded after messages were saved as draft and reopened * -remote command line argument did not work, affecting integration with various applications such as LibreOffice * Messages received via some SMS-to-email services could not display images * VCards with nickname field set could not be edited * Some recurring events were missing from Agenda on first load * Download requests for remote ICS calendars incorrectly set "Accept" header to text/xml * Monthly events created on the 31st of a month with <30 days placed first occurrence 1-2 days after the beginning of the following month * Various visual and UX improvements * Fri Oct 14 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.4.0 https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes MFSA 2022-46 (bsc#1203477) * CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs * CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine * CVE-2022-42929 (bmo#1789439) Denial of Service via window.print * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Firefox 106, Firefox ESR 102.4 and Thunderbird 102.4.0 * Tue Oct 11 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.3.3 * Option added to show containing address book for a contact when using All Address Books in vertical mode * Thunderbird will try to use POP NTLM authentication even if not advertised by server * Task List and Today Pane sidebars will no longer load when not visible * bugfixes as documented here https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes * Thu Oct 06 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.3.2 * Thunderbird will try to use POP CRAM-MD5 authentication even if not advertised by server * more bugfixes as in https://www.thunderbird.net/en-US/thunderbird/102.3.2/releasenotes * Mon Oct 03 2022 Wolfgang Rosenauer <[email protected]> - build using rust 1.63 * Wed Sep 28 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.3.1 * Compose window encryption options now only appear for encryption technologies that have already been configured * Number of contacts in currently selected address book now displayed at bottom of Address Book list column Fixes * Password prompt did not include server hostname for POP servers * Edit Contact was missing from Contacts sidebar context menus * Address Book contact lists cut off display of some characters, the result being unreadable MFSA 2022-43 * CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators * CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a device verification attack * CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack * CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue * Fri Sep 16 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.3.0 https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/ * Thunderbird will no longer attempt to import account passwords when importing from another Thunderbird profile in order to prevent profile corruption and permanent data loss. (bmo#1790605) * Devtools performance profile will use Thunderbird presets instead of Web Developer presets (bmo#1785954) * Thunderbird startup performance improvements (bmo#1785967) * Saving email source and images failed (bmo#1777323, bmo#1778804) * Error message was shown repeatedly when temporary disk space was full (bmo#1788580) * Attaching OpenPGP keys without a set size to non-encrypted messages briefly displayed a size of zero bytes (bmo#1788952) * Global Search entry box initially contained "undefined" (bmo#1780963) * Delete from POP Server mail filter rule intermittently failed to trigger (bmo#1789418) * Connections to POP3 servers without UIDL support failed (bmo#1789314) * Pop accounts with "Fetch headers only" set downloaded complete messages if server did not advertise TOP capability (bmo#1789356) * "File -> New -> Address Book Contact" from Compose window did not work (bmo#1782418) * Attach "My vCard" option in compose window was not available (bmo#1787614) * Improved performance of matching a contact to an email address (bmo#1782725) * Address book only recognized a contact's first two email addresses (bmo#1777156) * Address book search and autocomplete failed if a contact vCard could not be parsed (bmo#1789793) * Downloading NNTP messages for offline use failed (bmo#1785773) * NNTP client became stuck when connecting to Public-Inbox servers (bmo#1786203, boo#1203554) * Various visual and UX improvements (bmo#1782235, bmo#1787448, bmo#1788725, bmo#1790324) * unresolved: No dedicated "Department" field in address book (bmo#1777780) MFSA 2022-42 (bsc#1203477) * CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on transient pages * CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in threads * CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix * CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass * CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when building WASM on ARM64 * CVE-2022-3155 (bmo#1789061) Attachment files saved to disk on macOS could be executed without warning * CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109, bmo#1786502, bmo#1789440) Memory safety bugs fixed in Thunderbird 102.3 * Thu Sep 08 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.2.2 https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/ * Setting added to change Calendar event double-click action to open Edit Event dialog rather than view only; Set calendar.events.defaultActionEdit to true * Running Compact Folders on maildir folders caused a redownload of all messages in the folder * Accessing mail folders in profiles with many folders was slow * SMTP servers were not always properly initialized, and were not listed in Account Settings * APOP authentication unsupported when connecting to POP3 server * OpenPGP key discovery failed * POP accounts hosted by AOL were not able to authenticate using OAuth2 * Unable to open context menu in newsgroups header for groups that are not subscribed * Thu Sep 08 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.2.2 https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/ * Setting added to change Calendar event double-click action to open Edit Event dialog rather than view only; Set calendar.events.defaultActionEdit to true * Running Compact Folders on maildir folders caused a redownload of all messages in the folder * Accessing mail folders in profiles with many folders was slow * SMTP servers were not always properly initialized, and were not listed in Account Settings * APOP authentication unsupported when connecting to POP3 server * OpenPGP key discovery failed * POP accounts hosted by AOL were not able to authenticate using OAuth2 * Unable to open context menu in newsgroups header for groups that are not subscribed * Thu Sep 01 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.2.1 MFSA 2022-38 (bsc#1203007) * CVE-2022-3033 (bmo#1784838) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag * CVE-2022-3032 (bmo#1783831) Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked * CVE-2022-3034 (bmo#1745751) An iframe element in an HTML email could trigger a network request * CVE-2022-36059 (bmo#1787741) Matrix SDK bundled with Thunderbird vulnerable to denial-of- service attack * Fri Aug 19 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.2.0 * https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/ MFSA 2022-36 (bsc#1202645) * CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error handling * CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have inherited the parent's permissions * CVE-2022-38476 (bmo#1760998) Data race and potential use-after-free in PK11_ChangePW * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) Memory safety bugs fixed in Thunderbird 102.2 * CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13 - disabled automatic usage of wayland because of known issues using MOZ_ENABLE_WAYLAND=1 in environment would still enable it (boo#1202606) * Sun Aug 14 2022 Wolfgang Rosenauer <[email protected]> - added mozilla-glibc236.patch (bmo#1782988, boo#1202323) * Tue Aug 09 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.1.2 * fix for bmo#1777765 (no POP download progress bar) was backed out from this release to address broken POP message download with Fetch headers only selected in Account Settings (bmo#1783552) * Mon Aug 08 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.1.1 Bugfixes: * https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/ * Tue Jul 26 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.1.0 * https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes MFSA 2022-32 (bsc#1201758) * CVE-2022-36319 (bmo#1737722) Mouse Position spoofing with CSS transforms * CVE-2022-36318 (bmo#1771774) Directory indexes for bundled resources reflected URL parameters * CVE-2022-36314 (bmo#1773894) Opening local <code>.lnk</code> files could cause unexpected network loads * CVE-2022-2505 (bmo#1769739, bmo#1772824) Memory safety bugs fixed in Thunderbird 102.1 - added mozilla-newer-cbindgen.patch to fix build with rust-cbindgen >= 0.24 (and also require that for build) - added mozilla-pgo.patch to fix LTO builds with gcc * Tue Jul 19 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.0.3 Bugfixes as in * https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/ * Sat Jul 09 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 102.0.2 * https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/ - removed obsolete patches mozilla-bmo1504834-part2.patch mozilla-bmo1504834-part4.patch mozilla-bmo1602730.patch mozilla-bmo1626236.patch mozilla-bmo1724679.patch mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch mozilla-sandbox-fips.patch - added patches inherited from FF 102 one_swizzle_to_rule_them_all.patch svg-rendering.patch - fix KDE detection (boo#1200987) in mozilla-kde.patch - requires rust = 1.60 NSPR >= 4.34 NSS >= 3.79 rust-cbindgen >= 0.23.0 - remove special breakpad debug symbol creation * Sun Jun 26 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.11.0 * CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work additional fix applied * "Save-As" attachment dialog did not have filename pre-populated MFSA 2022-26 (bsc#1200793) * CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way to overlay the address bar with web content * CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory * CVE-2022-34468 (bmo#1768537) CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI * CVE-2022-2226 (bmo#1775441) An email with a mismatching OpenPGP signature date was accepted as valid * CVE-2022-34481 (bmo#1497246) Potential integer overflow in ReplaceElementsAt * CVE-2022-31744 (bmo#1757604) CSP bypass enabling stylesheet injection * CVE-2022-34472 (bmo#1770123) Unavailable PAC file resulted in OCSP requests being blocked * CVE-2022-34478 (bmo#1773717) Microsoft protocols can be attacked if a user accepts a prompt * CVE-2022-2200 (bmo#1771381) Undesired attributes could be set as part of prototype pollution * CVE-2022-34484 (bmo#1763634, bmo#1772651) Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102 * Thu May 26 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.10.0 * Various UX and theme improvements MFSA 2022-22 (bsc#1200027) * CVE-2022-31736 (bmo#1735923) Cross-Origin resource's length leaked * CVE-2022-31737 (bmo#1743767) Heap buffer overflow in WebGL * CVE-2022-31738 (bmo#1756388) Browser window spoof using fullscreen mode * CVE-2022-31739 (bmo#1765049) Attacker-influenced path traversal when saving downloaded files * CVE-2022-31740 (bmo#1766806) Register allocation problem in WASM on arm64 * CVE-2022-31741 (bmo#1767590) Uninitialized variable leads to invalid memory read * CVE-2022-1834 (bmo#1767816) Braille space character caused incorrect sender email to be shown for a digitally signed email * CVE-2022-31742 (bmo#1730434) Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283, bmo#1767365, bmo#1768559, bmo#1768734) Memory safety bugs fixed in Thunderbird 91.10 * Sat May 21 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.9.1 MFSA 2022-19 (bsc#1199768) * CVE-2022-1802 (bmo#1770137) Prototype pollution in Top-Level Await implementation * CVE-2022-1529 (bmo#1770048) Untrusted input used in JavaScript object indexing, leading to prototype pollution * Mon May 02 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.9.0 * A warning is now displayed if an OpenPGP key has unsafe attributes that are ignored * OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not allow SHA-1 key signatures * CalDAV calendars were marked read-only on startup MFSA 2022-18 (bsc#1198970) * CVE-2022-1520 (bmo#1745019) Incorrect security status shown after viewing an attached email * CVE-2022-29914 (bmo#1746448) Fullscreen notification bypass using popups * CVE-2022-29909 (bmo#1755081) Bypassing permission prompt in nested browsing contexts * CVE-2022-29916 (bmo#1760674) Leaking browser history with CSS variables * CVE-2022-29911 (bmo#1761981) iframe sandbox bypass * CVE-2022-29912 (bmo#1692655) Reader mode bypassed SameSite cookies * CVE-2022-29913 (bmo#1764778) Speech Synthesis feature not properly disabled * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, bmo#1762614, bmo#1762620) Memory safety bugs fixed in Thunderbird 91.9 * Sat Apr 16 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.8.1 * CLIENTID extension to SMTP was not supported by smtp-js# * Additional SMTP errors now propagated to user * OpenPGP was not able to use some previously supported key types * OpenPGP Key Manager did not always display correct information after importing additional IDs * Duplicate new mail notifications could be displayed when server-side filters were in use * Cancelling an SMTP password entry resulted in multiple failure dialogs being displayed * Tue Apr 12 2022 Martin Liška <[email protected]> - Set memory limits for DWZ to 4x. * Sat Apr 02 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.8.0 * Google accounts using password authentication will be migrated to OAuth2. * bugfixes https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes MFSA 2022- (bsc#1197903) - update create-tar.sh * Thu Mar 17 2022 Dirk Müller <[email protected]> - skip slow workers, this is a tough build job * Sun Mar 06 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.7.0 * Thunderbird will use the first occurrence of headers that should only appear once * Auto-complete incorrectly changed a pasted email address to the primary address of a contact * Attachments with filename extensions that were not registered in MIME types could not be opened * Copy/Cut/Paste actions not working in Thunderbird Preferences * Improved screen reader support of displayed message headers MFSA 2022-12 (bsc#1196900) * CVE-2022-26383 (bmo#1742421) Browser window spoof using fullscreen mode * CVE-2022-26384 (bmo#1744352) iframe allow-scripts sandbox bypass * CVE-2022-26387 (bmo#1752979) Time-of-check time-of-use bug when verifying add-on signatures * CVE-2022-26381 (bmo#1736243) Use-after-free in text reflows * CVE-2022-26386 (bmo#1752396) Temporary files downloaded to /tmp and accessible by other local users * Sun Mar 06 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.6.2 MFSA 2022-09 * CVE-2022-26485 (bmo#1758062) Use-after-free in XSLT parameter processing * CVE-2022-26486 (bmo#1758070) Use-after-free in WebGPU IPC Framework * Tue Feb 15 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.6.1 * generated views of meeting invitations are now expanded by default * Emails were not downloading at startup under some conditions * Port numbers were not shown in "Confirm Security Exception" dialog for CalDAV connections MFSA 2022-07 (bsc#1196072) * CVE-2022-0566 (bmo#1753094) Crafted email could trigger an out-of-bounds write * Sat Feb 05 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.6.0 * TB will now offer to send large forwarded attachments via FileLink * Partially signed unencrypted messages displayed an incorrect "parrtially encrypted" notification * Attachments filenames were not sanitized before saving to disk * In the attachment bar, the "Import OpenPGP Key" item displayed for public keys displayed an error and did not import the key * "Open with" attachment dialog did not have a selected radio button option MFSA 2022-06 (bsc#1195682) * CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows via Maintenance Service * CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission confirmation during update * CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have resulted in the dropped object being an executable * CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed script if the parent appended elements * CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could be distinguished between script and non-script content-types * CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy directive was not enforced for framed extension pages * CVE-2022-22763 (bmo#1740534) Script Execution during invalid object state * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, bmo#1748210, bmo#1748279) Memory safety bugs fixed in Thunderbird 91.6 - do not use ccache by default - removed obsolete mozilla-bmo1745560.patch * Sat Jan 22 2022 Manfred Hollstein <[email protected]> - Mozilla Thunderbird 91.5.1 * JS LDAP implementation did not support self-signed SSL certificates * After saving a draft and subsequently sending a FileLink email, the original file was removed from disk * Chat OTR encryption did not work * OTR verification bar was not removed after completing verification * Various theme improvements * Thu Jan 20 2022 Martin Liška <[email protected]> - Enable -fimplicit-constexpr for GCC 12+. * Fri Jan 07 2022 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.5.0 https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes MFSA 2022-03 (bsc#1194547) * CVE-2022-22746 (bmo#1735071) Calling into reportValidity could have lead to fullscreen window spoof * CVE-2022-22743 (bmo#1739220) Browser window spoof using fullscreen mode * CVE-2022-22742 (bmo#1739923) Out-of-bounds memory access when inserting text in edit mode * CVE-2022-22741 (bmo#1740389) Browser window spoof using fullscreen mode * CVE-2022-22740 (bmo#1742334) Use-after-free of ChannelEventQueue::mOwner * CVE-2022-22738 (bmo#1742382) Heap-buffer-overflow in blendGaussianBlur * CVE-2022-22737 (bmo#1745874) Race condition when playing audio files * CVE-2021-4140 (bmo#1746720) Iframe sandbox bypass with XSLT * CVE-2022-22748 (bmo#1705211) Spoofed origin on external protocol launch dialog * CVE-2022-22745 (bmo#1735856) Leaking cross-origin URLs through securitypolicyviolation event * CVE-2022-22744 (bmo#1737252) The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection * CVE-2022-22747 (bmo#1735028) Crash when handling empty pkcs7 sequence * CVE-2022-22739 (bmo#1744158) Missing throttling on external protocol launch dialog * CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366, bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221, bmo#1743515, bmo#1745373, bmo#1746011) Memory safety bugs fixed in Thunderbird 91.5 * Tue Dec 28 2021 Bjørn Lie <[email protected]> - Add mozilla-bmo1745560.patch: Fix build against wayland 1.20. * Fri Dec 17 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.4.1 * several fixes as outlined here https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/ MFSA 2021-55 (bsc#1193845) * CVE-2021-4126 (bmo#1732310) OpenPGP signature status doesn't consider additional message content * CVE-2021-44538 (bmo#1744056) Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow - updated _constraints * Thu Dec 02 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.4.0 * several fixes as outlined here https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes MFSA 2021-54 (bsc#1193485) * CVE-2021-43536 (bmo#1730120) URL leakage when navigating while executing asynchronous function * CVE-2021-43537 (bmo#1738237) Heap buffer overflow when using structured clone * CVE-2021-43538 (bmo#1739091) Missing fullscreen and pointer lock notification when requesting both * CVE-2021-43539 (bmo#1739683) GC rooting failure when calling wasm instance methods * CVE-2021-43541 (bmo#1696685) External protocol handler parameters were unescaped * CVE-2021-43542 (bmo#1723281) XMLHttpRequest error codes could have leaked the existence of an external protocol handler * CVE-2021-43543 (bmo#1738418) Bypass of CSP sandbox directive when embedding * CVE-2021-43545 (bmo#1720926) Denial of Service when using the Location API in a loop * CVE-2021-43546 (bmo#1737751) Cursor spoofing could overlay user interface when native cursor is zoomed * CVE-2021-43528 (bmo#1742579) JavaScript unexpectedly enabled for the composition area * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751, bmo#1737009, bmo#1739372, bmo#1739421) Memory safety bugs fixed in Thunderbird 91.4.0 * Thu Nov 25 2021 Bjørn Lie <[email protected]> - Drop unused libidl-devel BuildRequires. * Sat Nov 20 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.3.2 * Date selection in Calendar print settings widget changed to use mini calendar widget * OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529 boo#1189244 * Bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/ * Sat Nov 13 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.3.1 * OpenPGP public keys will no longer count as an attachment in the message list * Adding a search engine via URL now supported * FileLink messages' template updated; Thunderbird advertisement removed * After an update, Thunderbird will now check installed addons for updates * Bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/ * Sun Oct 31 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.3.0 * several fixes as outlined here https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/ MFSA 2021-50 (bsc#1192250) * CVE-2021-38503 (bmo#1729517) iframe sandbox rules did not apply to XSLT stylesheets * CVE-2021-38504 (bmo#1730156) Use-after-free in file picker dialog * CVE-2021-38505 (bmo#1730194) Windows 10 Cloud Clipboard may have recorded sensitive user data * CVE-2021-38506 (bmo#1730750) Thunderbird could be coaxed into going into fullscreen mode without notification or warning * CVE-2021-38507 (bmo#1730935) Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports * MOZ-2021-0008 (bmo#1667102) Use-after-free in HTTP2 Session object * CVE-2021-38508 (bmo#1366818) Permission Prompt could be overlaid, resulting in user confusion and potential spoofing * CVE-2021-38509 (bmo#1718571) Javascript alert box could have been spoofed onto an arbitrary domain * CVE-2021-38510 (bmo#1731779) Download Protections were bypassed by .inetloc files on Mac OS * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048, bmo#1735152) Memory safety bugs fixed in Thunderbird ESR 91.3 - Drop unused pkgconfig(gdk-x11-2.0) BuildRequires * Fri Oct 22 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.2.1 * Preference added to disable automatic pausing RSS feed updates after a fetch failure * several bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/ * Fri Oct 22 2021 Guillaume GARDET <[email protected]> - Increase memory required per threads for aarch64 to avoid OOM * Thu Oct 21 2021 Martin Liška <[email protected]> - Enable LTO on Tumbleweed. * Fri Oct 15 2021 Wolfgang Rosenauer <[email protected]> - add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863) fix some env variables which are enabled for any value * Mon Oct 04 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.2.0 * Saving a single message as .eml now uses a unique filename * New mail notifications did not properly take subfolders into account * Decrypting binary attachments when using an external GnuPG configuration failed * Account name fields in the account manager were not big enough for long names * LDAP searches using an extensibleMatch filter returned no results * Read-only CalDAV calendars and CardDAV address books were not detected * Multipart messages containing a calendar invite did not display any of the human-readable alternatives * Some calendar days were displayed incorrectly or duplicated (eg. two "29th" days of a particular month) * Phantom event was shown at the end of each day in Calendar week view MFSA 2021-46 (bsc#1191332) * CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask * CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin * CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object * CVE-2021-32810 (bmo#1729813, https://github.com/crossbeam- rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque * CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 * Sun Sep 26 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.1.2 * Thunderbird will now warn if an S/MIME encrypted message includes BCC recipients * several bugfixes listed on https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/ * Wed Sep 15 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.1.1 * Menu item for disabling subject encryption for a single message added * Printing messages that are not currently displayed is no longer supported, including printing multiple messages at once * for bugfixes see https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes - MOZ_ENABLE_WAYLAND env variable now overrides automatic detection if already set before startup * Thu Sep 02 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.1.0 * Thunderbird registered Accessibility Handlers using same GUIDs as Firefox, causing performance issues for NVDA users * Focus lost when reordering accounts by keyboard in the Account Manager * Account setup did not use provider display name for setting up calendars * Various theme and UX fixes MFSA 2021-41 (bsc#1190269) * CVE-2021-38492 (bmo#1721107) Navigating to `mk:` URL scheme could load Internet Explorer * CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101, bmo#1724107) Memory safety bugs fixed in Thunderbird 91.1 - (re-)added mozilla-silence-no-return-type.patch - add mozilla-bmo531915.patch to fix build for i586 * Fri Aug 27 2021 Andreas Stieger <[email protected]> - Mozilla Thunderbird 91.0.3: * fixed: Folder icons could be overridden by linked favicons in HTML messages * fixed: Unified folders showed no messages when underlying folders were removed * fixed: Folder pane toolbar did not always persist after restarting Thunderbird * fixed: Compose window attachment pane did not close when disabling signing of an OpenPGP message * fixed: Using "Reply to List" with some list emails incorrectly opened a "no-reply" warning * fixed: Account setup UX issues with Exchange autodiscover * fixed: Account settings did not display non-UTF-8 server descriptions correctly * fixed: Thunderbird sometimes sent an unnecessary "SMTPUTF8", causing some servers to reject mail * fixed: No mouseover pop was displayed with event details for non-all-day events in the Today Pane * fixed: Filtering tasks in the Today Pane did not work * fixed: Email based event scheduling displayed the date and time in a format unreadable by humans * Fri Aug 27 2021 Andreas Stieger <[email protected]> - Mozilla Thunderbird 91.0.2: * new: Tags are now colored in mail filter editor * changed: Context menu items related to OpenPGP and attachments are now hidden when not applicable * fixed: Creating a new account with manual setup failed * fixed: Recipient autocomplete always preferred the primary email address for a contact * fixed: LDAP performance improvements * fixed: Extensions listed on the Recommended Addons did not have a clear way to view details in a browser * fixed: Status checkmark on View > Calendar > Calendar Pane > Show Calendar Pane was reversed * fixed: mid: URLs in calendar invites did not open the linked mail message * fixed: Various theme and UX fixes * Tue Aug 17 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.0.1 MFSA 2021-37 (bsc#1189547) * CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses - appdate screenshot URL updated (by [email protected]) * Sun Aug 15 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 91.0 * based on Mozilla's 91 ESR codebase * many new and changed features https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew * Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences" * Thunderbird now operates in multi-process (e10s) mode by default * New user interface for adding attachments * Enable redirect of messages * CardDAV address book support - Removed obsolete patches: * mozilla-bmo1463035.patch * mozilla-ppc-altivec_static_inline.patch * mozilla-pipewire-0-3.patch * mozilla-bmo1554971.patch - add mozilla-libavcodec58_91.patch - removed obsolete BigEndian ICU build workaround - updated build requirements - build using clang * Thu Aug 05 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.13.0 * removed WeTransfer integration package (not supported by vendor any longer) MFSA 2021-35 (bsc#1188891) * CVE-2021-29986 (bmo#1696138) Race condition when resolving DNS names could have led to memory corruption * CVE-2021-29988 (bmo#1717922) Memory corruption as a result of incorrect style treatment * CVE-2021-29984 (bmo#1720031) Incorrect instruction reordering during JIT optimization * CVE-2021-29980 (bmo#1722204) Uninitialized memory in a canvas object could have led to memory corruption * CVE-2021-29985 (bmo#1722083) Use-after-free media channels * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178, bmo#1719998, bmo#1720568) Memory safety bugs fixed in Thunderbird 78.13 * Wed Jul 14 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.12.0 MFSA 2021-30 (bsc#1188275) * CVE-2021-29969 (bmo#1682370) IMAP server responses sent by a MITM prior to STARTTLS could be processed * CVE-2021-29970 (bmo#1709976) Use-after-free in accessibility features of a document * CVE-2021-30547 (bmo#1715766) Out of bounds write in ANGLE * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, bmo#1711576, bmo#1714391) Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 * Sat May 29 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.11.0 * OpenPGP could not be disabled for an account if a key was previously configured * Recipients were unable to decrypt some messages when the sender had changed the message encryption from OpenPGP to S/MIME * Contacts moved between CardDAV address books were not synced to the new server * CardDAV compatibility fixes for Google Contacts MFSA 2021-26 (bsc#1186696) * CVE-2021-29964 (bmo#1706501) Out of bounds-read when parsing a `WM_COPYDATA` message * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, bmo#1704722, bmo#1706041) Memory safety bugs fixed in Thunderbird 78.11 - renewed expired mozilla.keyring * Fri May 14 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.10.2 * Added support for importing OpenPGP keys without a primary secret key * Add-ons manager displays a preferences icon for mail extensions that include an options page Fixed * OpenPGP messages with a high compression ratio (over 10x) could not be decrypted * Selected OpenPGP key was lost after opening the Key Properties dialog in Account Settings * Parsing some OpenPGP user IDs failed * Various improvements to OpenPGP partial encryption reminders * Mail toolbar buttons were too big when displaying both icons and text MFSA 2021-22 * CVE-2021-29956 (boo#1186199, bmo#1710290) Thunderbird stored OpenPGP secret keys without master password protection * CVE-2021-29957 (boo#1186198, bmo#1673241) Partial protection of inline OpenPGP message not indicated - do not rely on nodejs10 explicitely * Tue May 04 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.10.1 * Remove the fix for bmo#1689804 introduced in 78.9.0, restoring the previous behavior * MFSA 2021-19 (bsc#1185633) does not affect this platform * Sun Apr 18 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.10.0 MFSA 2021-14 (bsc#1184960) * CVE-2021-23994 (bmo#1699077) Out of bound write due to lazy initialization * CVE-2021-23995 (bmo#1699835) Use-after-free in Responsive Design Mode * CVE-2021-23998 (bmo#1667456) Secure Lock icon could have been spoofed * CVE-2021-23961 (bmo#1677940) More internal network hosts could have been probed by a malicious webpage * CVE-2021-23999 (bmo#1691153) Blob URLs may have been granted additional privileges * CVE-2021-24002 (bmo#1702374) Arbitrary FTP command execution on FTP servers using an encoded URL * CVE-2021-29945 (bmo#1700690) Incorrect size computation in WebAssembly JIT could lead to null-reads * CVE-2021-29946 (bmo#1698503) Port blocking could be bypassed * CVE-2021-29948 (bmo#1692899) Race condition when reading from disk while verifying signatures - recommend libotr5 * Sat Apr 10 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.9.1 * Support recipient aliases for OpenPGP encryption * The key and signature parts of the message security popup on a received message could not be selected for copy/paste * Various UX and theme improvements MFSA 2021-13 * CVE-2021-23991 (bmo#1673240) An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key * MOZ-2021-23992 (bmo#1666236) A crafted OpenPGP key with an invalid user ID could be used to confuse the user * CVE-2021-23993 (bmo#1666360) Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key * Sat Mar 20 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.9.0 * bugfixes: https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes MFSA 2021-12 (boo#1183942) * CVE-2021-23981 (bmo#1692832) Texture upload into an unbound backing buffer resulted in an out-of-bound read * MOZ-2021-0002 (bmo#1691547) Angle graphics library out of date * CVE-2021-23982 (bmo#1677046) Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984 (bmo#1693664) Malicious extensions could have spoofed popup information * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718) Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 - cleaned up and fixed mozilla.sh.in for wayland (boo#1177542) * Sun Mar 07 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.8.1 * several bugfixes and improvements * https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/ - updated create-tar.sh (bsc#1182357) * Fri Feb 19 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.8.0 * various bugfixes MFSA 2021-09 (bsc#1182614) * CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23973 (bmo#1690976) MediaError message property could have leaked information about cross-origin resources * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391, bmo#1687597) Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 * Fri Feb 05 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.7.1 * CardDAV address books now support OAuth2 and Google Contacts * Thunderbird will no longer allow installation of addons that use legacy APIs * Tue Jan 26 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.7.0 MFSA 2021-05 (bsc#1181414) * CVE-2021-23953 (bmo#1683940) Cross-origin information leakage via redirected PDF requests * CVE-2021-23954 (bmo#1684020) Type confusion when using logical assignment operators in JavaScript switch statements * CVE-2020-15685 (bmo#1622640) IMAP Response Injection when using STARTTLS * CVE-2020-26976 (bmo#1674343) HTTPS pages could have been intercepted by a registered service worker when they should not have been * CVE-2021-23960 (bmo#1675755) Use-after-poison for incorrectly redeclared JavaScript variables during GC * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736, bmo#1685260, bmo#1685925) Memory safety bugs fixed in Thunderbird 78.7 * Sun Jan 24 2021 Manfred Hollstein <[email protected]> - MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer rpm versions in TW remove everything there as the first action of %install * Mon Jan 11 2021 Wolfgang Rosenauer <[email protected]> - Mozilla Thunderbird 78.6.1 MFSA 2021-02 (bsc#1180623) * CVE-2020-16044 (bmo#1683964) Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
/usr/bin/thunderbird /usr/lib/thunderbird /usr/lib/thunderbird/application.ini /usr/lib/thunderbird/chrome /usr/lib/thunderbird/chrome/icons /usr/lib/thunderbird/chrome/icons/default /usr/lib/thunderbird/chrome/icons/default/calendar-alarm-dialog.png /usr/lib/thunderbird/chrome/icons/default/calendar-general-dialog.png /usr/lib/thunderbird/chrome/icons/default/default128.png /usr/lib/thunderbird/chrome/icons/default/default16.png /usr/lib/thunderbird/chrome/icons/default/default22.png /usr/lib/thunderbird/chrome/icons/default/default24.png /usr/lib/thunderbird/chrome/icons/default/default256.png /usr/lib/thunderbird/chrome/icons/default/default32.png /usr/lib/thunderbird/chrome/icons/default/default48.png /usr/lib/thunderbird/chrome/icons/default/default64.png /usr/lib/thunderbird/chrome/icons/default/msgcomposeWindow16.png /usr/lib/thunderbird/chrome/icons/default/msgcomposeWindow24.png /usr/lib/thunderbird/chrome/icons/default/msgcomposeWindow32.png /usr/lib/thunderbird/chrome/icons/default/msgcomposeWindow48.png /usr/lib/thunderbird/crashreporter /usr/lib/thunderbird/defaults /usr/lib/thunderbird/defaults/messenger /usr/lib/thunderbird/defaults/messenger/mailViews.dat /usr/lib/thunderbird/defaults/pref /usr/lib/thunderbird/defaults/pref/all-l10n.js /usr/lib/thunderbird/defaults/pref/all-opensuse.js /usr/lib/thunderbird/defaults/pref/channel-prefs.js /usr/lib/thunderbird/dependentlibs.list /usr/lib/thunderbird/fonts /usr/lib/thunderbird/fonts/TwemojiMozilla.ttf /usr/lib/thunderbird/glxtest /usr/lib/thunderbird/isp /usr/lib/thunderbird/isp/Bogofilter.sfd /usr/lib/thunderbird/isp/DSPAM.sfd /usr/lib/thunderbird/isp/POPFile.sfd /usr/lib/thunderbird/isp/SpamAssassin.sfd /usr/lib/thunderbird/isp/SpamPal.sfd /usr/lib/thunderbird/libgkcodecs.so /usr/lib/thunderbird/liblgpllibs.so /usr/lib/thunderbird/libmozavcodec.so /usr/lib/thunderbird/libmozavutil.so /usr/lib/thunderbird/libmozgtk.so /usr/lib/thunderbird/libmozsandbox.so /usr/lib/thunderbird/libmozsqlite3.so /usr/lib/thunderbird/libmozwayland.so /usr/lib/thunderbird/libxul.so /usr/lib/thunderbird/minidump-analyzer /usr/lib/thunderbird/omni.ja /usr/lib/thunderbird/pingsender /usr/lib/thunderbird/platform.ini /usr/lib/thunderbird/rnp-cli /usr/lib/thunderbird/rnpkeys /usr/lib/thunderbird/thunderbird-bin /usr/lib/thunderbird/thunderbird.sh /usr/lib/thunderbird/vaapitest /usr/share/appdata /usr/share/appdata/thunderbird-esr.appdata.xml /usr/share/applications/thunderbird-esr.desktop /usr/share/icons/hicolor/128x128/apps/thunderbird.png /usr/share/icons/hicolor/16x16/apps/thunderbird.png /usr/share/icons/hicolor/22x22/apps/thunderbird.png /usr/share/icons/hicolor/24x24/apps/thunderbird.png /usr/share/icons/hicolor/256x256/apps/thunderbird.png /usr/share/icons/hicolor/32x32/apps/thunderbird.png /usr/share/icons/hicolor/48x48/apps/thunderbird.png /usr/share/icons/hicolor/64x64/apps/thunderbird.png /usr/share/icons/hicolor/symbolic/apps/thunderbird-symbolic.svg
Generated by rpm2html 1.8.1
Fabrice Bellet, Fri Dec 6 23:50:52 2024