Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: MozillaThunderbird | Distribution: openSUSE Tumbleweed |
Version: 91.9.0 | Vendor: openSUSE |
Release: 1.1 | Build date: Fri May 6 23:08:08 2022 |
Group: Productivity/Networking/Email/Clients | Build host: obs-arm-10 |
Size: 208407882 | Source RPM: MozillaThunderbird-91.9.0-1.1.src.rpm |
Packager: http://bugs.opensuse.org | |
Url: https://www.thunderbird.net/ | |
Summary: An integrated email, news feeds, chat, and newsgroups client |
Thunderbird is a free, open-source, cross-platform application for managing email, news feeds, chat, and news groups. It is a local (rather than browser- or web-based) email application that is powerful yet easy to use.
MPL-2.0
* Mon May 02 2022 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.9.0 * A warning is now displayed if an OpenPGP key has unsafe attributes that are ignored * OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not allow SHA-1 key signatures * CalDAV calendars were marked read-only on startup MFSA 2022-18 (bsc#1198970) * CVE-2022-1520 (bmo#1745019) Incorrect security status shown after viewing an attached email * CVE-2022-29914 (bmo#1746448) Fullscreen notification bypass using popups * CVE-2022-29909 (bmo#1755081) Bypassing permission prompt in nested browsing contexts * CVE-2022-29916 (bmo#1760674) Leaking browser history with CSS variables * CVE-2022-29911 (bmo#1761981) iframe sandbox bypass * CVE-2022-29912 (bmo#1692655) Reader mode bypassed SameSite cookies * CVE-2022-29913 (bmo#1764778) Speech Synthesis feature not properly disabled * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, bmo#1762614, bmo#1762620) Memory safety bugs fixed in Thunderbird 91.9 * Sat Apr 16 2022 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.8.1 * CLIENTID extension to SMTP was not supported by smtp-js# * Additional SMTP errors now propagated to user * OpenPGP was not able to use some previously supported key types * OpenPGP Key Manager did not always display correct information after importing additional IDs * Duplicate new mail notifications could be displayed when server-side filters were in use * Cancelling an SMTP password entry resulted in multiple failure dialogs being displayed * Tue Apr 12 2022 Martin Liška <mliska@suse.cz> - Set memory limits for DWZ to 4x. * Sat Apr 02 2022 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.8.0 * Google accounts using password authentication will be migrated to OAuth2. * bugfixes https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes MFSA 2022- (bsc#1197903) - update create-tar.sh * Thu Mar 17 2022 Dirk Müller <dmueller@suse.com> - skip slow workers, this is a tough build job * Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.7.0 * Thunderbird will use the first occurrence of headers that should only appear once * Auto-complete incorrectly changed a pasted email address to the primary address of a contact * Attachments with filename extensions that were not registered in MIME types could not be opened * Copy/Cut/Paste actions not working in Thunderbird Preferences * Improved screen reader support of displayed message headers MFSA 2022-12 (bsc#1196900) * CVE-2022-26383 (bmo#1742421) Browser window spoof using fullscreen mode * CVE-2022-26384 (bmo#1744352) iframe allow-scripts sandbox bypass * CVE-2022-26387 (bmo#1752979) Time-of-check time-of-use bug when verifying add-on signatures * CVE-2022-26381 (bmo#1736243) Use-after-free in text reflows * CVE-2022-26386 (bmo#1752396) Temporary files downloaded to /tmp and accessible by other local users * Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.6.2 MFSA 2022-09 * CVE-2022-26485 (bmo#1758062) Use-after-free in XSLT parameter processing * CVE-2022-26486 (bmo#1758070) Use-after-free in WebGPU IPC Framework * Tue Feb 15 2022 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.6.1 * generated views of meeting invitations are now expanded by default * Emails were not downloading at startup under some conditions * Port numbers were not shown in "Confirm Security Exception" dialog for CalDAV connections MFSA 2022-07 (bsc#1196072) * CVE-2022-0566 (bmo#1753094) Crafted email could trigger an out-of-bounds write * Sat Feb 05 2022 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.6.0 * TB will now offer to send large forwarded attachments via FileLink * Partially signed unencrypted messages displayed an incorrect "parrtially encrypted" notification * Attachments filenames were not sanitized before saving to disk * In the attachment bar, the "Import OpenPGP Key" item displayed for public keys displayed an error and did not import the key * "Open with" attachment dialog did not have a selected radio button option MFSA 2022-06 (bsc#1195682) * CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows via Maintenance Service * CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission confirmation during update * CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have resulted in the dropped object being an executable * CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed script if the parent appended elements * CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could be distinguished between script and non-script content-types * CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy directive was not enforced for framed extension pages * CVE-2022-22763 (bmo#1740534) Script Execution during invalid object state * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, bmo#1748210, bmo#1748279) Memory safety bugs fixed in Thunderbird 91.6 - do not use ccache by default - removed obsolete mozilla-bmo1745560.patch * Sat Jan 22 2022 Manfred Hollstein <manfred.h@gmx.net> - Mozilla Thunderbird 91.5.1 * JS LDAP implementation did not support self-signed SSL certificates * After saving a draft and subsequently sending a FileLink email, the original file was removed from disk * Chat OTR encryption did not work * OTR verification bar was not removed after completing verification * Various theme improvements * Thu Jan 20 2022 Martin Liška <mliska@suse.cz> - Enable -fimplicit-constexpr for GCC 12+. * Fri Jan 07 2022 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.5.0 https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes MFSA 2022-03 (bsc#1194547) * CVE-2022-22746 (bmo#1735071) Calling into reportValidity could have lead to fullscreen window spoof * CVE-2022-22743 (bmo#1739220) Browser window spoof using fullscreen mode * CVE-2022-22742 (bmo#1739923) Out-of-bounds memory access when inserting text in edit mode * CVE-2022-22741 (bmo#1740389) Browser window spoof using fullscreen mode * CVE-2022-22740 (bmo#1742334) Use-after-free of ChannelEventQueue::mOwner * CVE-2022-22738 (bmo#1742382) Heap-buffer-overflow in blendGaussianBlur * CVE-2022-22737 (bmo#1745874) Race condition when playing audio files * CVE-2021-4140 (bmo#1746720) Iframe sandbox bypass with XSLT * CVE-2022-22748 (bmo#1705211) Spoofed origin on external protocol launch dialog * CVE-2022-22745 (bmo#1735856) Leaking cross-origin URLs through securitypolicyviolation event * CVE-2022-22744 (bmo#1737252) The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection * CVE-2022-22747 (bmo#1735028) Crash when handling empty pkcs7 sequence * CVE-2022-22739 (bmo#1744158) Missing throttling on external protocol launch dialog * CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366, bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221, bmo#1743515, bmo#1745373, bmo#1746011) Memory safety bugs fixed in Thunderbird 91.5 * Tue Dec 28 2021 Bjørn Lie <bjorn.lie@gmail.com> - Add mozilla-bmo1745560.patch: Fix build against wayland 1.20. * Fri Dec 17 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.4.1 * several fixes as outlined here https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/ MFSA 2021-55 (bsc#1193845) * CVE-2021-4126 (bmo#1732310) OpenPGP signature status doesn't consider additional message content * CVE-2021-44538 (bmo#1744056) Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow - updated _constraints * Thu Dec 02 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.4.0 * several fixes as outlined here https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes MFSA 2021-54 (bsc#1193485) * CVE-2021-43536 (bmo#1730120) URL leakage when navigating while executing asynchronous function * CVE-2021-43537 (bmo#1738237) Heap buffer overflow when using structured clone * CVE-2021-43538 (bmo#1739091) Missing fullscreen and pointer lock notification when requesting both * CVE-2021-43539 (bmo#1739683) GC rooting failure when calling wasm instance methods * CVE-2021-43541 (bmo#1696685) External protocol handler parameters were unescaped * CVE-2021-43542 (bmo#1723281) XMLHttpRequest error codes could have leaked the existence of an external protocol handler * CVE-2021-43543 (bmo#1738418) Bypass of CSP sandbox directive when embedding * CVE-2021-43545 (bmo#1720926) Denial of Service when using the Location API in a loop * CVE-2021-43546 (bmo#1737751) Cursor spoofing could overlay user interface when native cursor is zoomed * CVE-2021-43528 (bmo#1742579) JavaScript unexpectedly enabled for the composition area * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751, bmo#1737009, bmo#1739372, bmo#1739421) Memory safety bugs fixed in Thunderbird 91.4.0 * Thu Nov 25 2021 Bjørn Lie <bjorn.lie@gmail.com> - Drop unused libidl-devel BuildRequires. * Sat Nov 20 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.3.2 * Date selection in Calendar print settings widget changed to use mini calendar widget * OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529 boo#1189244 * Bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/ * Sat Nov 13 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.3.1 * OpenPGP public keys will no longer count as an attachment in the message list * Adding a search engine via URL now supported * FileLink messages' template updated; Thunderbird advertisement removed * After an update, Thunderbird will now check installed addons for updates * Bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/ * Sun Oct 31 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.3.0 * several fixes as outlined here https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/ MFSA 2021-50 (bsc#1192250) * CVE-2021-38503 (bmo#1729517) iframe sandbox rules did not apply to XSLT stylesheets * CVE-2021-38504 (bmo#1730156) Use-after-free in file picker dialog * CVE-2021-38505 (bmo#1730194) Windows 10 Cloud Clipboard may have recorded sensitive user data * CVE-2021-38506 (bmo#1730750) Thunderbird could be coaxed into going into fullscreen mode without notification or warning * CVE-2021-38507 (bmo#1730935) Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports * MOZ-2021-0008 (bmo#1667102) Use-after-free in HTTP2 Session object * CVE-2021-38508 (bmo#1366818) Permission Prompt could be overlaid, resulting in user confusion and potential spoofing * CVE-2021-38509 (bmo#1718571) Javascript alert box could have been spoofed onto an arbitrary domain * CVE-2021-38510 (bmo#1731779) Download Protections were bypassed by .inetloc files on Mac OS * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048, bmo#1735152) Memory safety bugs fixed in Thunderbird ESR 91.3 - Drop unused pkgconfig(gdk-x11-2.0) BuildRequires * Fri Oct 22 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.2.1 * Preference added to disable automatic pausing RSS feed updates after a fetch failure * several bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/ * Fri Oct 22 2021 Guillaume GARDET <guillaume.gardet@opensuse.org> - Increase memory required per threads for aarch64 to avoid OOM * Thu Oct 21 2021 Martin Liška <mliska@suse.cz> - Enable LTO on Tumbleweed. * Fri Oct 15 2021 Wolfgang Rosenauer <wr@rosenauer.org> - add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863) fix some env variables which are enabled for any value * Mon Oct 04 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.2.0 * Saving a single message as .eml now uses a unique filename * New mail notifications did not properly take subfolders into account * Decrypting binary attachments when using an external GnuPG configuration failed * Account name fields in the account manager were not big enough for long names * LDAP searches using an extensibleMatch filter returned no results * Read-only CalDAV calendars and CardDAV address books were not detected * Multipart messages containing a calendar invite did not display any of the human-readable alternatives * Some calendar days were displayed incorrectly or duplicated (eg. two "29th" days of a particular month) * Phantom event was shown at the end of each day in Calendar week view MFSA 2021-46 (bsc#1191332) * CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask * CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin * CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object * CVE-2021-32810 (bmo#1729813, https://github.com/crossbeam- rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque * CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 * Sun Sep 26 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.1.2 * Thunderbird will now warn if an S/MIME encrypted message includes BCC recipients * several bugfixes listed on https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/ * Wed Sep 15 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.1.1 * Menu item for disabling subject encryption for a single message added * Printing messages that are not currently displayed is no longer supported, including printing multiple messages at once * for bugfixes see https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes - MOZ_ENABLE_WAYLAND env variable now overrides automatic detection if already set before startup * Thu Sep 02 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.1.0 * Thunderbird registered Accessibility Handlers using same GUIDs as Firefox, causing performance issues for NVDA users * Focus lost when reordering accounts by keyboard in the Account Manager * Account setup did not use provider display name for setting up calendars * Various theme and UX fixes MFSA 2021-41 (bsc#1190269) * CVE-2021-38492 (bmo#1721107) Navigating to `mk:` URL scheme could load Internet Explorer * CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101, bmo#1724107) Memory safety bugs fixed in Thunderbird 91.1 - (re-)added mozilla-silence-no-return-type.patch - add mozilla-bmo531915.patch to fix build for i586 * Fri Aug 27 2021 Andreas Stieger <andreas.stieger@gmx.de> - Mozilla Thunderbird 91.0.3: * fixed: Folder icons could be overridden by linked favicons in HTML messages * fixed: Unified folders showed no messages when underlying folders were removed * fixed: Folder pane toolbar did not always persist after restarting Thunderbird * fixed: Compose window attachment pane did not close when disabling signing of an OpenPGP message * fixed: Using "Reply to List" with some list emails incorrectly opened a "no-reply" warning * fixed: Account setup UX issues with Exchange autodiscover * fixed: Account settings did not display non-UTF-8 server descriptions correctly * fixed: Thunderbird sometimes sent an unnecessary "SMTPUTF8", causing some servers to reject mail * fixed: No mouseover pop was displayed with event details for non-all-day events in the Today Pane * fixed: Filtering tasks in the Today Pane did not work * fixed: Email based event scheduling displayed the date and time in a format unreadable by humans * Fri Aug 27 2021 Andreas Stieger <andreas.stieger@gmx.de> - Mozilla Thunderbird 91.0.2: * new: Tags are now colored in mail filter editor * changed: Context menu items related to OpenPGP and attachments are now hidden when not applicable * fixed: Creating a new account with manual setup failed * fixed: Recipient autocomplete always preferred the primary email address for a contact * fixed: LDAP performance improvements * fixed: Extensions listed on the Recommended Addons did not have a clear way to view details in a browser * fixed: Status checkmark on View > Calendar > Calendar Pane > Show Calendar Pane was reversed * fixed: mid: URLs in calendar invites did not open the linked mail message * fixed: Various theme and UX fixes * Tue Aug 17 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.0.1 MFSA 2021-37 (bsc#1189547) * CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses - appdate screenshot URL updated (by mailaender@opensuse.org) * Sun Aug 15 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 91.0 * based on Mozilla's 91 ESR codebase * many new and changed features https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew * Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences" * Thunderbird now operates in multi-process (e10s) mode by default * New user interface for adding attachments * Enable redirect of messages * CardDAV address book support - Removed obsolete patches: * mozilla-bmo1463035.patch * mozilla-ppc-altivec_static_inline.patch * mozilla-pipewire-0-3.patch * mozilla-bmo1554971.patch - add mozilla-libavcodec58_91.patch - removed obsolete BigEndian ICU build workaround - updated build requirements - build using clang * Thu Aug 05 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.13.0 * removed WeTransfer integration package (not supported by vendor any longer) MFSA 2021-35 (bsc#1188891) * CVE-2021-29986 (bmo#1696138) Race condition when resolving DNS names could have led to memory corruption * CVE-2021-29988 (bmo#1717922) Memory corruption as a result of incorrect style treatment * CVE-2021-29984 (bmo#1720031) Incorrect instruction reordering during JIT optimization * CVE-2021-29980 (bmo#1722204) Uninitialized memory in a canvas object could have led to memory corruption * CVE-2021-29985 (bmo#1722083) Use-after-free media channels * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178, bmo#1719998, bmo#1720568) Memory safety bugs fixed in Thunderbird 78.13 * Wed Jul 14 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.12.0 MFSA 2021-30 (bsc#1188275) * CVE-2021-29969 (bmo#1682370) IMAP server responses sent by a MITM prior to STARTTLS could be processed * CVE-2021-29970 (bmo#1709976) Use-after-free in accessibility features of a document * CVE-2021-30547 (bmo#1715766) Out of bounds write in ANGLE * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, bmo#1711576, bmo#1714391) Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 * Sat May 29 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.11.0 * OpenPGP could not be disabled for an account if a key was previously configured * Recipients were unable to decrypt some messages when the sender had changed the message encryption from OpenPGP to S/MIME * Contacts moved between CardDAV address books were not synced to the new server * CardDAV compatibility fixes for Google Contacts MFSA 2021-26 (bsc#1186696) * CVE-2021-29964 (bmo#1706501) Out of bounds-read when parsing a `WM_COPYDATA` message * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, bmo#1704722, bmo#1706041) Memory safety bugs fixed in Thunderbird 78.11 - renewed expired mozilla.keyring * Fri May 14 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.10.2 * Added support for importing OpenPGP keys without a primary secret key * Add-ons manager displays a preferences icon for mail extensions that include an options page Fixed * OpenPGP messages with a high compression ratio (over 10x) could not be decrypted * Selected OpenPGP key was lost after opening the Key Properties dialog in Account Settings * Parsing some OpenPGP user IDs failed * Various improvements to OpenPGP partial encryption reminders * Mail toolbar buttons were too big when displaying both icons and text MFSA 2021-22 * CVE-2021-29956 (boo#1186199, bmo#1710290) Thunderbird stored OpenPGP secret keys without master password protection * CVE-2021-29957 (boo#1186198, bmo#1673241) Partial protection of inline OpenPGP message not indicated - do not rely on nodejs10 explicitely * Tue May 04 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.10.1 * Remove the fix for bmo#1689804 introduced in 78.9.0, restoring the previous behavior * MFSA 2021-19 (bsc#1185633) does not affect this platform * Sun Apr 18 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.10.0 MFSA 2021-14 (bsc#1184960) * CVE-2021-23994 (bmo#1699077) Out of bound write due to lazy initialization * CVE-2021-23995 (bmo#1699835) Use-after-free in Responsive Design Mode * CVE-2021-23998 (bmo#1667456) Secure Lock icon could have been spoofed * CVE-2021-23961 (bmo#1677940) More internal network hosts could have been probed by a malicious webpage * CVE-2021-23999 (bmo#1691153) Blob URLs may have been granted additional privileges * CVE-2021-24002 (bmo#1702374) Arbitrary FTP command execution on FTP servers using an encoded URL * CVE-2021-29945 (bmo#1700690) Incorrect size computation in WebAssembly JIT could lead to null-reads * CVE-2021-29946 (bmo#1698503) Port blocking could be bypassed * CVE-2021-29948 (bmo#1692899) Race condition when reading from disk while verifying signatures - recommend libotr5 * Sat Apr 10 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.9.1 * Support recipient aliases for OpenPGP encryption * The key and signature parts of the message security popup on a received message could not be selected for copy/paste * Various UX and theme improvements MFSA 2021-13 * CVE-2021-23991 (bmo#1673240) An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key * MOZ-2021-23992 (bmo#1666236) A crafted OpenPGP key with an invalid user ID could be used to confuse the user * CVE-2021-23993 (bmo#1666360) Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key * Sat Mar 20 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.9.0 * bugfixes: https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes MFSA 2021-12 (boo#1183942) * CVE-2021-23981 (bmo#1692832) Texture upload into an unbound backing buffer resulted in an out-of-bound read * MOZ-2021-0002 (bmo#1691547) Angle graphics library out of date * CVE-2021-23982 (bmo#1677046) Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984 (bmo#1693664) Malicious extensions could have spoofed popup information * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718) Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 - cleaned up and fixed mozilla.sh.in for wayland (boo#1177542) * Sun Mar 07 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.8.1 * several bugfixes and improvements * https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/ - updated create-tar.sh (bsc#1182357) * Fri Feb 19 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.8.0 * various bugfixes MFSA 2021-09 (bsc#1182614) * CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23973 (bmo#1690976) MediaError message property could have leaked information about cross-origin resources * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391, bmo#1687597) Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 * Fri Feb 05 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.7.1 * CardDAV address books now support OAuth2 and Google Contacts * Thunderbird will no longer allow installation of addons that use legacy APIs * Tue Jan 26 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.7.0 MFSA 2021-05 (bsc#1181414) * CVE-2021-23953 (bmo#1683940) Cross-origin information leakage via redirected PDF requests * CVE-2021-23954 (bmo#1684020) Type confusion when using logical assignment operators in JavaScript switch statements * CVE-2020-15685 (bmo#1622640) IMAP Response Injection when using STARTTLS * CVE-2020-26976 (bmo#1674343) HTTPS pages could have been intercepted by a registered service worker when they should not have been * CVE-2021-23960 (bmo#1675755) Use-after-poison for incorrectly redeclared JavaScript variables during GC * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736, bmo#1685260, bmo#1685925) Memory safety bugs fixed in Thunderbird 78.7 * Sun Jan 24 2021 Manfred Hollstein <manfred.h@gmx.net> - MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer rpm versions in TW remove everything there as the first action of %install * Mon Jan 11 2021 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.6.1 MFSA 2021-02 (bsc#1180623) * CVE-2020-16044 (bmo#1683964) Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk * Sat Dec 12 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.6.0 * changes and additions in MailExtensions * several bugfixes * https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/ MFSA 2020-56 (bsc#1180039)) * CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed * CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL * CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization * CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free * CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage * CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs * CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead * CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Thunderbird 78.6 * Tue Dec 01 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.5.1 MFSA 2020-53 (bsc#1179530) * CVE-2020-26970 (bmo#1677338) Stack overflow due to incorrect parsing of SMTP server response codes * Mon Nov 16 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.5.0 MFSA 2020-52 (bsc#1178894) * CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code * CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls * CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI * CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API) * CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions * CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService * CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of nsTArray * CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype * CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP Addresses * CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered typed passwords * CVE-2020-26966 (bmo#1663571) Single-word search queries were also broadcast to local network * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs fixed in Thunderbird 78.5 - removed obsolete mozilla-rust-1.47.patch * Wed Nov 11 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.4.3 https://www.thunderbird.net/en-US/thunderbird/78.4.3/releasenotes/ - added mozilla-rust-1.47.patch to fix build with rust 1.47 * Mon Nov 09 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.4.2 MFSA 2020-49 * CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for * Thu Nov 05 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.4.1 * Bugfixes and minor features https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/ * Tue Oct 20 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.4.0 * MailExtensions: browser.tabs.sendMessage API added * MailExtensions: messageDisplayScripts API added * Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * MailExtensions: messageDisplay APIs extended to support multiple selected messages * MailExtensions: compose.begin functions now support creating a message with attachments * multiple bugfixes MFSA 2020-47 (bsc#1177872) * CVE-2020-15969 (bmo#1666570) Use-after-free in usersctp * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760, bmo#1663439, bmo#1666140) Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4 * Thu Oct 15 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * OpenPGP Key Manager was missing from Tools menu on macOS * Creating a new calendar event did not require an event title - remove python2 dependencies for TW - support wayland mode/autodetection in startup wrapper - replace some Requires to use requires_ge macro where appropriate - improve langpack build (as already used for Firefox) - add ccache statistics output to build * Wed Oct 07 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.3.2 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes * Fri Sep 25 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120) * Wed Sep 23 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 (bmo#1641487) Download origin spoofing via redirect * CVE-2020-15676 (bmo#1646140) XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 (bmo#1660211) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 (bmo#1648493, bmo#1660800) Memory safety bugs fixed in Thunderbird 78.3 - requires NSPR >= 4.25.1 - removed obsolete thunderbird-bmo1664607.patch * Sun Sep 13 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.2.2 https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes - added thunderbird-bmo1664607.patch required for builds w/o updater (boo#1176384) * Mon Aug 31 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 78.2.1 * based on Mozilla's 78 ESR codebase * many new and changed features https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew * built-in OpenPGP support (enigmail neither required nor supported) - added platform patches: * mozilla-s390x-skia-gradient.patch * mozilla-pipewire-0-3.patch * mozilla-bmo1512162.patch * mozilla-bmo1626236.patch * mozilla-bmo998749.patch * mozilla-sandbox-fips.patch - removed obsolete platform patches * mozilla-s390-bigendian.patch * mozilla-nestegg-big-endian.patch * mozilla-openaes-decl.patch * mozilla-cubeb-noreturn.patch * Sun Aug 30 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.12.0 MFSA 2020-40 (bsc#1175686) * CVE-2020-15663 (bmo#1643199) Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege * CVE-2020-15664 (bmo#1658214) Attacker-induced prompt for extension installation * CVE-2020-15669 (bmo#1656957) Use-After-Free when aborting an operation * Fri Aug 28 2020 Michel Normand <normand@linux.vnet.ibm.com> - Put back %limit_build macro usage to avoid build error PowerPC (remove memoryperjob constraint) * Thu Aug 20 2020 Martin Liška <mliska@suse.cz> - Use memoryperjob constraint instead of %limit_build macro. * Sat Aug 01 2020 Andreas Stieger <andreas.stieger@gmx.de> - Mozilla Thunderbird 68.11.0 * fixed: FileLink attachments included as a link and file when added from a network drive via drag & drop (bmo#793118) MFSA 2020-35 (bsc#1174538) * CVE-2020-15652 (bmo#1634872) Potential leak of redirect targets when loading scripts in a worker * CVE-2020-6514 (bmo#1642792) WebRTC data channel leaks internal address to peer * CVE-2020-6463 (bmo#1635293) Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1646787, bmo#1650811) Memory safety bugs fixed in Thunderbird 68.11 * Wed Jul 01 2020 Andreas Stieger <andreas.stieger@gmx.de> - Mozilla Thunderbird 68.10.0 * fixed: Chat: Topics displayed some characters improperly (bmo#1644024) * fixed: Calendar: Filtering tasks did not work when "Incomplete Tasks" was selected (bmo#1593711) MFSA 2020-26 (bsc#1173576) * CVE-2020-12417 (bmo#1640737) Memory corruption due to missing sign-extension for ValueTags on ARM64 * CVE-2020-12418 (bmo#1641303) Information disclosure due to manipulated URL object * CVE-2020-12419 (bmo#1643874) Use-after-free in nsGlobalWindowInner * CVE-2020-12420 (bmo#1643437) Use-After-Free when trying to connect to a STUN server * MFSA-2020-0001 (bmo#1606610) Automatic account setup leaks Microsoft Exchange login credentials * CVE-2020-12421 (bmo#1308251) Add-On updates did not respect the same certificate trust rules as software updates * Thu Jun 11 2020 Wolfgang Rosenauer <wr@rosenauer.org> - build with nodejs10 to be able to drop nodejs8 from TW - updated create-tar.sh * Sat Jun 06 2020 Andreas Stieger <andreas.stieger@gmx.de> - Mozilla Thunderbird 68.9.0 * fixed: Custom headers added for searching or filtering could not be removed (bmo#1631577) * fixed: Calendar: Today Pane updated prior to loading all data (bmo#1635613) * fixed: Stability improvements (bmo#1625677) MFSA 2020-22 (bsc#1172402) * CVE-2020-12405 (bmo#1631618) Use-after-free in SharedWorkerService * CVE-2020-12406 (bmo#1639590) JavaScript Type confusion with NativeTypes * CVE-2020-12410 (bmo#1619305, bmo#1632717) Memory safety bugs fixed in Thunderbird 68.9.0 * CVE-2020-12398 (bmo#1613623) Security downgrade with IMAP STARTTLS leads to information leakage * Sun May 24 2020 Andreas Stieger <andreas.stieger@gmx.de> - Mozilla Thunderbird 68.8.1 * fixed: IMAP stability improvements (bmo#1586494) * fixed: HTML tags in IRC topic changes were rendered incorrectly (bmo#1607097) * fixed: MailExtensions: Websockets could not be used (bmo#1627649) * Tue May 05 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.8.0 * Account Manager fixes and improvements * https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes MFSA 2020-18 (bsc#1171186) * CVE-2020-12397 (bmo#1617370) Sender Email Address Spoofing using encoded Unicode characters * CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown * CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation * CVE-2020-12392 (bmo#1614468) Arbitrary local file access with 'Copy as cURL' * CVE-2020-12393 (bmo#1615471) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Thunderbird 68.8.0 - removed obsolete patch mozilla-bmo1580963.patch * Tue May 05 2020 Ismail Dönmez <idonmez@suse.com> - Add mozilla-bmo1580963.patch to fix build with rust 1.43 (bmo#1580963) * Thu Apr 09 2020 Andreas Stieger <andreas.stieger@gmx.de> - Mozilla Thunderbird 68.7.0 * Updates to MailExtensions API * Various improvements to account setup when connecting to an Exchange server * Thread collapsed when opening news message in a new window * Fix Addons not automatically updated to compatible version after upgrade from Thunderbird 60 * Updating addons did not prompt when requesting new permissions * Extra recipients panel not keyboard-accessible * Accessibility: Status bar was not detected by screenreaders * Calendar: Invitations with embedded null bytes did not always decode correctly * Calendar: Cancelled events didn't show with a line-through * Various security fixes MFSA 2020-14 In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. * CVE-2020-6819 (bmo#1620818, bsc#1168630) Use-after-free while running the nsDocShell destructor * CVE-2020-6820 (bmo#1626728, bsc#1168630) Use-after-free when handling a ReadableStream * CVE-2020-6821 (bmo#1625404, bsc#1168874) Uninitialized memory could be read when using the WebGL copyTexSubImage method * CVE-2020-6822 (bmo#1544181, bsc#1168874) Out of bounds write in GMPDecodeData when processing large images * CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203,bsc#1168874) Memory safety bugs fixed in Thunderbird 68.7.0 * Sat Mar 14 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.6.0 MFSA 2020-10 (bsc#1166238) * CVE-2020-6805 (bmo#1610880) Use-after-free when removing data about origins * CVE-2020-6806 (bmo#1612308) BodyStream::OnInputStreamReady was missing protections against state confusion * CVE-2020-6807 (bmo#1614971) Use-after-free in cubeb during stream destruction * CVE-2020-6811 (bmo#1607742) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2019-20503 (bmo#1613765) Out of bounds reads in sctp_load_addresses_from_init * CVE-2020-6812 (bmo#1616661) The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636, bmo#1614339) Memory safety bugs fixed in Thunderbird 68.6 - requires NSS >= 3.44.3 * Mon Feb 10 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.5.0 New * Support for Client Identity IMAP/SMTP Service Extension * Support for OAuth 2.0 authentication for POP3 accounts Fixes * Status area goes blank during account setup * Calendar: Could not remove color for default categories * Calendar: Prevent calendar component loading multiple times * Calendar: Today pane did not retain width between sessions MFSA 2020-07 (bsc#1163368) * CVE-2020-6793 (bmo#1608539) Out-of-bounds read when processing certain email messages * CVE-2020-6794 (bmo#1606619) Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords * CVE-2020-6795 (bmo#1611105) Crash processing S/MIME messages with multiple signatures * CVE-2020-6797 (bmo#1596668) (Mac OSX only) Extensions granted downloads.open permission could open arbitrary applications on Mac OSX * CVE-2020-6798 (bmo#1602944) Incorrect parsing of template tag could result in JavaScript injection * CVE-2020-6792 (bmo#1609607) Message ID calculcation was based on uninitialized data * CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851, bmo#1608580,bmo#1608785,bmo#1605777) Memory safety bugs fixed in Thunderbird 68.5 * Tue Jan 28 2020 Stasiek Michalski <stasiek@michalski.cc> - Use a symbolic icon from branding internals * Fri Jan 24 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.4.2 * Calendar: Task and Event tree colours adjusted for the dark theme * Retrieval of S/MIME certificates from LDAP failed * Address-parsing crash on some IMAP servers when mail.imap.use_envelope_cmd is set * Incorrect forwarding of HTML messages caused SMTP servers to respond with a timeout * Calendar: Various parts of the calendar UI stopped working when a second Thunderbird window opened * Fri Jan 10 2020 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.4.1 * Various improvements when setting up an account for a Microsoft Exchange server: Now offers IMAP/SMTP if available, better detection for Office 365 accounts; re-run configuration after password change Fixes: * After changing view layout, the message display pane showed garbled content under some circumstances * Various theme changes to achieve "pixel perfection": Unread icon, "no results" icon, paragraph format and font selector, background of folder summary tooltip * Tags were lost on messages in shared IMAP folders under some circumstances * Calendar: Event attendee dialog was not displayed correctly MFSA 2020-04 (bsc#1160498, bsc#1160305) * CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with StoreElementHole and FallibleStoreElement * CVE-2019-17015 (bmo#1599005) Memory corruption in parent process during new content process initialization on Windows * CVE-2019-17016 (bmo#1599181) Bypass of @namespace CSS sanitization during pasting * CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp * CVE-2019-17021 (bmo#1599008) Heap address disclosure in parent process during content process initialization on Windows * CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826) Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 - removed obsolete patch mozilla-bmo1511604.patch - added mozilla-bmo1602730.patch to fix LE<->BE issues in the platform (bmo#1602730) * Fri Dec 27 2019 Wolfgang Rosenauer <wr@rosenauer.org> - add mozilla-bmo1583471.patch to allow building with rust 1.39 * Fri Dec 20 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.3.1 * In dark theme unread messages no longer shown in blue to distinguish from tagged messages * Account setup is now using client side DNS MX lookup instead of relying on a server Bugfixes * Searching LDAP address book crashed in some circumstances * Message navigation with backward and forward buttons did not work in some circumstances * WebExtension toolbar icons were displayed too small * Calendar: Tasks due today were not listed in bold * Calendar: Last day of long-running events was not shown * Thu Dec 05 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.3.0: * Message display toolbar action WebExtension API * Navigation buttons are now available in content tabs, for example those opened via an add-on search * other bugfixes MFSA 2019-38 * CVE-2019-17008 (bmo#1546331) Use-after-free in worker destruction * CVE-2019-13722 (bmo#1580156) Stack corruption due to incorrect number of arguments in WebRTC code * CVE-2019-17010 (bmo#1581084) Use-after-free when performing device orientation checks * CVE-2019-17005 (bmo#1584170) Buffer overflow in plain text serializer * CVE-2019-17011 (bmo#1591334) Use-after-free when retrieving a document in antitracking * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502) Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 * Various updates to improve performance and stability - updated create-tar.sh to cover buildid and origin repo information - changed locale building procedure * removed obsolete compare-locales.tar.xz and thunderbird-broken-locales-build.patch - add mozilla-bmo849632.patch to fix color issues on big endian * Sat Nov 09 2019 Andreas Stieger <andreas.stieger@gmx.de> - Mozilla Thunderbird 68.2.2: * fix age calculation in address book (bmo#1592536) * fix column menu behavior in address book (bmo#1592393) * Fri Nov 01 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.2.1 * A language for the user interface can now be chosen in the advanced settings (multilingual UI) * Fixed problem with Google authentication (OAuth2) * Selected or unread messages were not shown in the correct color in the thread pane (message list) under some circumstances * When using a language pack, names of standard folders weren't localized (boo#1149126) * Address book default startup directory in preferences panel was not persisted * Chat: Extended context menu on Instant messaging status dialog (Show Accounts) - added mozilla-bmo1504834-part4.patch to fix some visual issues on big endian platforms * Tue Oct 22 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.2.0 * Message Display WebExtension API * Message Search WebExtension API * Better visual feedback for unread messages when using the dark theme * Fixed various issues when editing mailing list * Fixed application windows not maintaining their size after restart MFSA 2019-33 (bsc#1154738) * CVE-2019-15903 (bmo#1584907) Heap overflow in expat library in XML_GetCurrentLineNumber * CVE-2019-11757 (bmo#1577107) Use-after-free when creating index updates in IndexedDB * CVE-2019-11758 (bmo#1536227) Potentially exploitable crash due to 360 Total Security * CVE-2019-11759 (bmo#1577953) Stack buffer overflow in HKDF output * CVE-2019-11760 (bmo#1577719) Stack buffer overflow in WebRTC networking * CVE-2019-11761 (bmo#1561502) Unintended access to a privileged JSONView object * CVE-2019-11762 (bmo#1582857) document.domain-based origin isolation has same-origin-property violation * CVE-2019-11763 (bmo#1584216) Incorrect HTML parsing results in XSS bypass technique * CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223, bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845, bmo#1581950, bmo#1583463, bmo#1586599) Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2 - removed obsolete patches mozilla-bmo1573381.patch mozilla-bmo1512162.patch mozilla-bmo1585099.patch * Thu Oct 10 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.1.2 Bugfixes * Some attachments couldn't be opened in messages originating from MS Outlook 2016 * Address book import from CSV * Performance problem in message body search * Ctrl+Enter to send a message would open an attachment if the attachment pane had focus * Calendar: Issues with "Today Pane" start-up * Calendar: Glitches with custom repeat and reminder number input * Calendar: Problems with WCAP provider - add mozilla-bmo1585099.patch to fix build with rust >= 1.38 * Wed Sep 25 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.1.1 Bugfixes * Issues with attachments in IMAP messages * Gmail accounts ignored a non-standard trash folder selection * Entering/pasting lists of recipients into the addressing widget or mailing list not working reliably, especially when lists contained multiple commas or semicolons * Edit mailing list not working * Various theme fixes, especially dark theme improvements for Calendar * Contrast between tag label and background not optimal * Account Central pane always loaded at start-up * "Config Editor" button not removed if blocked by policy * Calendar: Free/busy information in attendees dialog not scrolled correctly. Note: Scroll arrows still not behaving correctly MFSA 2019-32 * CVE-2019-11755 (bmo#1240290, boo#1152375) Spoofing a message author via a crafted S/MIME message - require nodejs8 instead of generic nodejs for better cross-distribution support - call desktop database update on install - updated translations-other locale list - build correct ICU for Big Endian - remove kde.js since disabling instantApply breaks extensions and is obsolete with the move to HTML views for preferences (boo#1151186) - update create-tar.sh to latest revision and adjust tar_stamps - added platform patches from Firefox 68esr mozilla-bmo1005535.patch mozilla-bmo1463035.patch mozilla-bmo1504834-part1.patch mozilla-bmo1504834-part2.patch mozilla-bmo1504834-part3.patch mozilla-bmo1511604.patch mozilla-bmo1554971.patch mozilla-bmo1573381.patch mozilla-cubeb-noreturn.patch mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch mozilla-fix-aarch64-libopus.patch mozilla-fix-top-level-asm.patch mozilla-nestegg-big-endian.patch mozilla-ntlm-full-path.patch mozilla-openaes-decl.patch mozilla-ppc-altivec_static_inline.patch mozilla-reduce-rust-debuginfo.patch mozilla-s390-bigendian.patch mozilla-s390-context.patch mozilla-bmo1512162.patch thunderbird-broken-locales-build.patch - removed renamed patches fix-missing-return-warning.patch fix-top-level-asm-issue.patch thunderbird-locale-build.patch * Fri Sep 20 2019 munix9@googlemail.com - repack the lightning xpi with all available locales (boo#939153) (lp#545778) * Fri Sep 20 2019 Martin Liška <mliska@suse.cz> - Add fix-top-level-asm-issue.patch in order to fix LTO build. - Enable LTO on TW on x86_64. - Use GCC. * Fri Sep 20 2019 Bernhard Wiedemann <bwiedemann@suse.com> - added mozilla-bmo1568145.patch to make builds reproducible (boo#1047218) * Tue Sep 10 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.1.0 * Offer to configure Exchange accounts for Office365. A third-party add-on is required for this account type. IMAP still exists as alternative. * several bugfixes MFSA 2019-30 * CVE-2019-11739 (bmo#1571481, boo#1150939) Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message * CVE-2019-11746 (bmo#1564449, boo#1149297) Use-after-free while manipulating video * CVE-2019-11744 (bmo#1562033, boo#1149304) XSS by breaking out of title and textarea elements using innerHTML * CVE-2019-11742 (bmo#1559715, boo#1149303) Same-origin policy violation with SVG filters and canvas to steal cross-origin images * CVE-2019-11752 (bmo#1501152, boo#1149296) Use-after-free while extracting a key value in IndexedDB * CVE-2019-11743 (bmo#1560495, boo#1149298) Cross-origin access to unload event attributes * CVE-2019-11740 (bmo#1563133,bmo#1573160, boo#1149299) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9 - removed upstreamed fix-build-after-y2038-changes-in-glibc.patch - added thunderbird-locale-build.patch to fix locale build * Fri Aug 30 2019 Manfred Hollstein <manfred.h@gmx.net> - Add -L flag to the stat call for checking file size of %{SOURCE4}. - Add fix-missing-return-warning.patch to silence a compiler warning. * Wed Aug 28 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 68.0 * based on Firefox ESR 68 * File link attachments can now be linked to again instead of uploading them again * Mark all folders of an account as read * Run filters periodically. Improved filter logging * OAuth2 authentication for Yandex * Language packs can now be selected in the Advanced Options. Preference intl.multilingual.enabled needs to be set (and possily also extensions.langpacks.signatures.required needs to be set to false) * Added a policy engine that allows customized Thunderbird deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file * TCP keepalive for IMAP protocol * Full Unicode support for MAPI interfaces: New support for MAPISendMailW * Calendar: Time zone data can now include past and future changes. All known time zone changes from 2018 to 2022 are included. * Chat: In each conversation an individual spellcheck language can be selected now - removed obsolete patches * mozilla-bmo1463035.patch * mozilla-i586-domPrefs.patch * mozilla-bmo1464766.patch * mozilla-bmo1519629.patch * mozilla-i586-DecoderDoctorLogger.patch * mozilla-bmo1375074.patch - added fix-build-after-y2038-changes-in-glibc.patch to fix build in Tumbleweed (patch already upstream for next release) * Thu Aug 01 2019 Tristan Miller <psychonaut@nothingisreal.com> - Update package summary, description, and AppData using more informative and up-to-date text from the official Thunderbird FAQ, replacing obsolete references to the Mozilla Application Suite and Thunderbird's relation to the Mozilla organization * Wed Jul 10 2019 Bernhard Wiedemann <bwiedemann@suse.com> - Generate langpacks sequentially to avoid file corruption from racy file writes (boo#1137970) * Mon Jul 08 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.8.0 * Calendar: Problems when editing event times, some related to AM/PM setting in non-English locales MFSA 2019-23 (boo#1140868) * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327) Sandbox escape via installation of malicious languagepack * CVE-2019-11711 (bmo#1552541) Script injection within domain through inner window reuse * CVE-2019-11712 (bmo#1543804) Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects * CVE-2019-11713 (bmo#1528481) Use-after-free with HTTP/2 cached stream * CVE-2019-11729 (bmo#1515342) Empty or malformed p256-ECDH public keys may trigger a segmentation fault * CVE-2019-11715 (bmo#1555523) HTML parsing error can contribute to content XSS * CVE-2019-11717 (bmo#1548306) Caret character improperly escaped in origins * CVE-2019-11719 (bmo#1540541) Out-of-bounds read when importing curve25519 private key * CVE-2019-11730 (bmo#1558299) Same-origin policy treats all files in a directory as having the same-origin * CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498 bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522) Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 and Thunderbird 60.8 * Thu Jun 20 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.7.2 MFSA 2019-20 (boo#1138872) * CVE-2019-11707 (bmo#1544386) Type confusion in Array.pop * CVE-2019-11708 (bmo#1559858) sandbox escape using Prompt:Open * Wed Jun 12 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.7.1 * fixed: No prompt for smartcard PIN when S/MIME signing is used MFSA 2019-17 (boo#1137595) * CVE-2019-11703 (bmo#1553820) Heap buffer overflow in icalparser.c * CVE-2019-11704 (bmo#1553814) Heap buffer overflow in icalvalue.c * CVE-2019-11705 (bmo#1553808) Stack buffer overflow in icalrecur.c * CVE-2019-11706 (bmo#1555646) Type confusion in icalproperty.c * Sat Jun 08 2019 Aaron Puchert <aaronpuchert@alice-dsl.net> - Increase disk space requirements in _constraints. * Fri May 24 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.7.0 * Attachment pane of Write window no longer focussed when attaching files using a keyboard shortcut MFSA 2019-15 (boo#1135824) * CVE-2019-9815 (bmo#1546544) Disable hyperthreading on content JavaScript threads on macOS * CVE-2019-9816 (bmo#1536768) Type confusion with object groups and UnboxedObjects * CVE-2019-9817 (bmo#1540221) Stealing of cross-domain images using canvas * CVE-2019-9818 (bmo#1542581) (Windows only) Use-after-free in crash generation server * CVE-2019-9819 (bmo#1532553) Compartment mismatch with fetch API * CVE-2019-9820 (bmo#1536405) Use-after-free of ChromeEventHandler by DocShell * CVE-2019-11691 (bmo#1542465) Use-after-free in XMLHttpRequest * CVE-2019-11692 (bmo#1544670) Use-after-free removing listeners in the event listener manager * CVE-2019-11693 (bmo#1532525) Buffer overflow in WebGL bufferdata on Linux * CVE-2019-7317 (bmo#1542829) Use-after-free in png_image_free of libpng library * CVE-2019-9797 (bmo#1528909) Cross-origin theft of images with createImageBitmap * CVE-2018-18511 (bmo#1526218) Cross-origin theft of images with ImageBitmapRenderingContext * CVE-2019-11694 (bmo#1534196) (Windows only) Uninitialized memory memory leakage in Windows sandbox * CVE-2019-11698 (bmo#1543191) Theft of user history data through drag and drop of hyperlinks to and from bookmarks * CVE-2019-5798 (bmo#1535518) Out-of-bounds read in Skia * CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136, bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108, bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097, bmo#1532465, bmo#1533554, bmo#1541580) Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 * Wed Apr 24 2019 Martin Liška <mliska@suse.cz> - Disable LTO (boo#1133267). * Sat Mar 30 2019 Manfred Hollstein <manfred.h@gmx.net> - Add patch to fix build using rust-1.33: (boo#1130694) * mozilla-bmo1519629.patch (bmo#1519629) * Mon Mar 25 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.6.1 MFSA 2019-12 (bsc#1130262) * CVE-2019-9810 (bmo#1537924) IonMonkey MArraySlice has incorrect alias information * CVE-2019-9813 (bmo#1538006) Ionmonkey type confusion with __proto__ mutations * Wed Mar 20 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.6.0 * Calendar: Can't create repeating event with end date when using certain time zones, for example Europe/Minsk * some minor bugfixes * using 60.6.0esr Mozilla platform (bsc#1129821) * Thu Mar 07 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.5.3 * fixed a regression on the Windows platform: Problem when using "Send to > Mail recipient" on Windows * Sun Feb 24 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.5.2 * UTF-8 support for MAPISendMail * Problem with S/MIME certificate verification when receiving email from Outlook (issue introduced in version 60.5.1) * Thu Feb 14 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.5.1 * CalDav access to some servers not working MFSA 2019-06 (bsc#1125330) * CVE-2018-18356 bmo#1525817 Use-after-free in Skia * CVE-2019-5785 bmo#1525433 Integer overflow in Skia * CVE-2018-18335 bmo#1525815 Buffer overflow in Skia with accelerated Canvas 2D * CVE-2018-18509 bmo#1507218 S/MIME signature spoofing * Fri Jan 25 2019 Wolfgang Rosenauer <wr@rosenauer.org> - Mozilla Thunderbird 60.5.0: * FileLink provider WeTransfer to upload large attachments * Thunderbird now allows the addition of OpenSearch search engines from a local XML file using a minimal user inferface: [+] button to select a file an add, [-] to remove. * More search engines: Google and DuckDuckGo available by default in some locales * During account creation, Thunderbird will now detect servers using the Microsoft Exchange protocol. It will offer the installation of a 3rd party add-on (Owl) which supports that protocol. * Thunderbird now compatible with other WebExtension-based FileLink add-ons like the Dropbox add-on MFSA 2019-03 (bsc#1122983) * CVE-2018-18500 bmo#1510114 Use-after-free parsing HTML5 stream * CVE-2018-18505 bmo#1497749 Privilege escalation through IPC channel messages * CVE-2016-5824 bmo#1275400 DoS (use-after-free) via a crafted ics file * CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619 bmo#1502871 bmo#1516738 bmo#1516514 Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 - requires NSS 3.36.7 - removed obsolete patch mozilla-no-stdcxx-check.patch - rebased patches
/usr/bin/thunderbird /usr/lib/thunderbird /usr/lib/thunderbird/application.ini /usr/lib/thunderbird/chrome /usr/lib/thunderbird/chrome/icons /usr/lib/thunderbird/chrome/icons/default /usr/lib/thunderbird/chrome/icons/default/default128.png /usr/lib/thunderbird/chrome/icons/default/default16.png /usr/lib/thunderbird/chrome/icons/default/default22.png /usr/lib/thunderbird/chrome/icons/default/default24.png /usr/lib/thunderbird/chrome/icons/default/default256.png /usr/lib/thunderbird/chrome/icons/default/default32.png /usr/lib/thunderbird/chrome/icons/default/default48.png /usr/lib/thunderbird/chrome/icons/default/default64.png /usr/lib/thunderbird/defaults /usr/lib/thunderbird/defaults/messenger /usr/lib/thunderbird/defaults/messenger/mailViews.dat /usr/lib/thunderbird/defaults/pref /usr/lib/thunderbird/defaults/pref/all-l10n.js /usr/lib/thunderbird/defaults/pref/all-opensuse.js /usr/lib/thunderbird/defaults/pref/channel-prefs.js /usr/lib/thunderbird/dependentlibs.list /usr/lib/thunderbird/fonts /usr/lib/thunderbird/fonts/TwemojiMozilla.ttf /usr/lib/thunderbird/isp /usr/lib/thunderbird/isp/Bogofilter.sfd /usr/lib/thunderbird/isp/DSPAM.sfd /usr/lib/thunderbird/isp/POPFile.sfd /usr/lib/thunderbird/isp/SpamAssassin.sfd /usr/lib/thunderbird/isp/SpamPal.sfd /usr/lib/thunderbird/libldap60.so /usr/lib/thunderbird/libldif60.so /usr/lib/thunderbird/liblgpllibs.so /usr/lib/thunderbird/libmozgtk.so /usr/lib/thunderbird/libmozsandbox.so /usr/lib/thunderbird/libmozsqlite3.so /usr/lib/thunderbird/libmozwayland.so /usr/lib/thunderbird/libprldap60.so /usr/lib/thunderbird/librnp.so /usr/lib/thunderbird/libxul.so /usr/lib/thunderbird/omni.ja /usr/lib/thunderbird/pingsender /usr/lib/thunderbird/platform.ini /usr/lib/thunderbird/plugin-container /usr/lib/thunderbird/thunderbird-bin /usr/lib/thunderbird/thunderbird.sh /usr/share/appdata /usr/share/appdata/thunderbird.appdata.xml /usr/share/applications/thunderbird.desktop /usr/share/icons/hicolor/128x128/apps/thunderbird.png /usr/share/icons/hicolor/16x16/apps/thunderbird.png /usr/share/icons/hicolor/22x22/apps/thunderbird.png /usr/share/icons/hicolor/24x24/apps/thunderbird.png /usr/share/icons/hicolor/32x32/apps/thunderbird.png /usr/share/icons/hicolor/48x48/apps/thunderbird.png /usr/share/icons/hicolor/64x64/apps/thunderbird.png /usr/share/icons/hicolor/symbolic/apps/thunderbird-symbolic.svg
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Dec 10 23:44:39 2024