Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

MozillaThunderbird-openpgp-librnp-128.3.1-1.1 RPM for s390x

From OpenSuSE Ports Tumbleweed for s390x

Name: MozillaThunderbird-openpgp-librnp Distribution: openSUSE:Factory:zSystems
Version: 128.3.1 Vendor: openSUSE
Release: 1.1 Build date: Thu Oct 10 19:11:15 2024
Group: Productivity/Networking/Email/Clients Build host: reproducible
Size: 3260888 Source RPM: MozillaThunderbird-128.3.1-1.1.src.rpm
Packager: https://bugs.opensuse.org
Url: https://www.thunderbird.net/
Summary: Thunderbird's upstream OpenPGP implementation
Thunderbird's upstream OpenPGP implementation.

Provides

Requires

License

MPL-2.0

Changelog

* Thu Oct 10 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 128.3.1
    https://www.thunderbird.net/en-US/thunderbird/128.0esr/releasenotes/
    and following release notes for minor version updates
    MFSA 2024-52  (bsc#1231413)
    * CVE-2024-9680 (bmo#1923344)
      Use-after-free in Animation timeline
    Mozilla Thunderbird 128.3.0
    MFSA 2024-32 (128.0)
    MFSA 2024-37 (128.1)
    MFSA 2024-43 (128.2)
    MFSA 2024-49 (128.3) (bsc#1230979)
    * CVE-2024-9392 (bmo#1899154, bmo#1905843)
      Compromised content process can bypass site isolation
    * CVE-2024-9393 (bmo#1918301)
      Cross-origin access to PDF contents through multipart responses
    * CVE-2024-9394 (bmo#1918874)
      Cross-origin access to JSON contents through multipart responses
    * CVE-2024-8900 (bmo#1872841)
      Clipboard write permission bypass
    * CVE-2024-9396 (bmo#1912471)
      Potential memory corruption may occur when cloning certain objects
    * CVE-2024-9397 (bmo#1916659)
      Potential directory upload bypass via clickjacking
    * CVE-2024-9398 (bmo#1881037)
      External protocol handlers could be enumerated via popups
    * CVE-2024-9399 (bmo#1907726)
      Specially crafted WebTransport requests could lead to denial
      of service
    * CVE-2024-9400 (bmo#1915249)
      Potential memory corruption during JIT compilation
    * CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1916476)
      Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
      Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
    * CVE-2024-9402 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1913445,
      bmo#1914106, bmo#1914475, bmo#1914963, bmo#1915008, bmo#1916476)
      Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
      Thunderbird 131, and Thunderbird 128.3
  - removed obsolete patches
    mozilla-bmo1504834-part3.patch
    mozilla-bmo1512162.patch
    mozilla-bmo1775202.patch
    mozilla-bmo531915.patch
    mozilla-fix-aarch64-libopus.patch
    mozilla-fix-issues-with-llvm18.patch
    mozilla-fix-top-level-asm.patch
    mozilla-partial-revert-1768632.patch
    mozilla-rust-disable-future-incompat.patch
    thunderbird-fix-CVE-2024-34703.patch
  - new patch thunderbird-silence-no-return.patch
  - rebased
    mozilla-bmo1504834-part1.patch
    mozilla-kde.patch
    mozilla-libavcodec58_91.patch
    mozilla-silence-no-return-type.patch
* Fri Sep 06 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.15.0
    MFSA 2024-44 (bsc#1229821)
    * CVE-2024-8381 (bmo#1912715)
      Type confusion when looking up a property name in a "with"
      block
    * CVE-2024-8382 (bmo#1906744)
      Internal event interfaces were exposed to web content when
      browser EventHandler listener callbacks ran
    * CVE-2024-8384 (bmo#1911288)
      Garbage collection could mis-color cross-compartment objects
      in OOM conditions
* Thu Aug 29 2024 Manfred Hollstein <manfred.h@gmx.net>
  - Use gcc13 on Tumbleweed and where it is available.
  - Don't use gcc14 as sources don't compile.
* Fri Aug 02 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.14.0
    * When using an external installation of GnuPG, Thunderbird
      occassionally sent/received corrupted messages (bmo#1898832)
    * Users of external GnuPG were unable to decrypt incorrectly
      encoded messages (bmo#1906903)
    MFSA 2024-38 (bsc#1228648)
    * CVE-2024-7519 (bmo#1902307)
      Out of bounds memory access in graphics shared memory handling
    * CVE-2024-7521 (bmo#1904644)
      Incomplete WebAssembly exception handing
    * CVE-2024-7522 (bmo#1906727)
      Out of bounds read in editor component
    * CVE-2024-7525 (bmo#1909298)
      Missing permission check when creating a StreamFilter
    * CVE-2024-7526 (bmo#1910306)
      Uninitialized memory used by WebGL
    * CVE-2024-7527 (bmo#1871303)
      Use-after-free in JavaScript garbage collection
    * CVE-2024-7529 (bmo#1903187)
      Document content could partially obscure security prompts
* Wed Jul 10 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.13.0
    * After starting Thunderbird, the message list position was
      sometimes set to an incorrect position
    MFSA 2024-30 (bsc#1226316)
    * CVE-2024-6600 (bmo#1888340)
      Memory corruption in WebGL API
    * CVE-2024-6601 (bmo#1890748)
      Race condition in permission assignment
    * CVE-2024-6602 (bmo#1895032)
      Memory corruption in NSS
    * CVE-2024-6603 (bmo#1895081)
      Memory corruption in thread creation
    * CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
      Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
      and Thunderbird 115.13
* Tue Jul 02 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
  - Mozilla Thunderbird 115.12.2
    * fixed: Annual Thunderbird Beta appeal intended for
      Thunderbird 115.12.0 did not open as expected (bmo#1898084)
  - Mozilla Thunderbird 115.12.1
    * 115.12.0 got pulled because of upstream automation process errors
      and Windows installer signing changes.
      No code changes, changelog is the same as 115.12.0 (bsc#1226495)
  - Added thunderbird-fix-CVE-2024-34703.patch (bsc#1227239)
* Mon Jun 17 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.12.0
    https://www.thunderbird.net/en-US/thunderbird/115.12.0/releasenotes
    MFSA 2024-28 (bsc#1226027)
    * CVE-2024-5702 (bmo#1193389)
      Use-after-free in networking
    * CVE-2024-5688 (bmo#1895086)
      Use-after-free in JavaScript object transplant
    * CVE-2024-5690 (bmo#1883693)
      External protocol handlers leaked by timing attack
    * CVE-2024-5691 (bmo#1888695)
      Sandboxed iframes were able to bypass sandbox restrictions to
      open a new window
    * CVE-2024-5692 (bmo#1891234)
      Bypass of file name restrictions during saving
    * CVE-2024-5693 (bmo#1891319)
      Cross-Origin Image leak via Offscreen Canvas
    * CVE-2024-5696 (bmo#1896555)
      Memory Corruption in Text Fragments
    * CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388, bmo#1895123)
      Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12,
      and Thunderbird 115.12
* Wed May 29 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.11.1
    * Added a short anonymous survey that a small number of users will
      be randomly asked to complete
* Tue May 14 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.11.0
    MFSA 2024-23 (bsc#1224056)
    * CVE-2024-4367 (bmo#1893645)
      Arbitrary JavaScript execution in PDF.js
    * CVE-2024-4767 (bmo#1878577)
      IndexedDB files retained in private browsing mode
    * CVE-2024-4768 (bmo#1886082)
      Potential permissions request bypass via clickjacking
    * CVE-2024-4769 (bmo#1886108)
      Cross-origin responses could be distinguished between script
      and non-script content-types
    * CVE-2024-4770 (bmo#1893270)
      Use-after-free could occur when printing to PDF
    * CVE-2024-4777 (bmo#1878199, bmo#1893340)
      Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
      and Thunderbird 115.11
* Sat May 04 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - Mozilla Thunderbird 115.10.2:
    https://www.thunderbird.net/en-US/thunderbird/115.10.2/releasenotes/
    This release is identical to 115.10.1, other than changing the
    Update channel for self-updating builds to ESR. (bmo#1893271)
* Fri Apr 19 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.10.1
    https://www.thunderbird.net/en-US/thunderbird/115.10.1/releasenotes/
    * fixed hangup introduced with 115.10.0 (bmo#1891889)
* Sun Apr 14 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.10.0
    https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
    MFSA 2024-20 (bsc#1222535)
    * CVE-2024-3852 (bmo#1883542)
      GetBoundName in the JIT returned the wrong object
    * CVE-2024-3854 (bmo#1884552)
      Out-of-bounds-read after mis-optimized switch statement
    * CVE-2024-3857 (bmo#1886683)
      Incorrect JITting of arguments led to use-after-free during
      garbage collection
    * CVE-2024-2609 (bmo#1866100)
      Permission prompt input delay could expire when not in focus
    * CVE-2024-3859 (bmo#1874489)
      Integer-overflow led to out-of-bounds-read in the OpenType sanitizer
    * CVE-2024-3861 (bmo#1883158)
      Potential use-after-free due to AlignedBuffer self-move
    * CVE-2024-3863 (bmo#1885855)
      Download Protections were bypassed by .xrm-ms files on Windows
    * CVE-2024-3302 (bmo#1881183)
      Denial of Service using HTTP/2 CONTINUATION frames
    * CVE-2024-3864 (bmo#1888333)
      Memory safety bug fixed in Firefox 125, Firefox ESR 115.10,
      and Thunderbird 115.10
* Wed Mar 20 2024 Manfred Hollstein <manfred.h@gmx.net>
  - LLVM18 breaks building Thunderbird on Tumbleweed; add
    * mozilla-fix-issues-with-llvm18.patch
* Sat Mar 16 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.9.0
    https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/
    MFSA 2024-14 (bsc#1221327)
    * CVE-2024-0743 (bmo#1867408)
      Crash in NSS TLS method
    * CVE-2024-2605 (bmo#1872920)
      Windows Error Reporter could be used as a Sandbox escape vector
    * CVE-2024-2607 (bmo#1879939)
      JIT code failed to save return registers on Armv7-A
    * CVE-2024-2608 (bmo#1880692)
      Integer overflow could have led to out of bounds write
    * CVE-2024-2616 (bmo#1846197)
      Improve handling of out-of-memory conditions in ICU
    * CVE-2023-5388 (bmo#1780432)
      NSS susceptible to timing attack against RSA decryption
    * CVE-2024-2610 (bmo#1871112)
      Improper handling of html and body tags enabled CSP nonce leakage
    * CVE-2024-2611 (bmo#1876675)
      Clickjacking vulnerability could have led to a user accidentally
      granting permissions
    * CVE-2024-2612 (bmo#1879444)
      Self referencing object could have potentially led to a use-
      after-free
    * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093)
      Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
      and Thunderbird 115.9
* Tue Mar 05 2024 Adam Mizerski <adam@mizerski.pl>
  - Create subpackage MozillaThunderbird-openpgp-librnp
* Tue Mar 05 2024 Wolfgang Rosenauer <wr@@rosenauer.org>
  - Mozilla Thunderbird 115.8.1
    https://www.thunderbird.net/en-US/thunderbird/115.8.1/releasenotes/
    MFSA 2024-11
    * CVE-2024-1936 (bmo#1860977)
      Leaking of encrypted email subjects to other conversations
* Mon Feb 19 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.8.0
    MFSA 2024-07 (bsc#1220048)
    * CVE-2024-1546 (bmo#1843752)
      Out-of-bounds memory read in networking channels
    * CVE-2024-1547 (bmo#1877879)
      Alert dialog could have been spoofed on another site
    * CVE-2024-1548 (bmo#1832627)
      Fullscreen Notification could have been hidden by select
      element
    * CVE-2024-1549 (bmo#1833814)
      Custom cursor could obscure the permission dialog
    * CVE-2024-1550 (bmo#1860065)
      Mouse cursor re-positioned unexpectedly could have led to
      unintended permission grants
    * CVE-2024-1551 (bmo#1864385)
      Multipart HTTP Responses would accept the Set-Cookie header
      in response parts
    * CVE-2024-1552 (bmo#1874502)
      Incorrect code generation on 32-bit ARM devices
    * CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498,
      bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597,
      bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795,
      bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286)
      Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8,
      and Thunderbird 115.8
    * new: Added option to show packet dump when OpenPGP fails to
      decrypt (bmo#1874504)
    * fixed: Thunderbird slowed down significantly when opening
      email files (.eml) (bmo#1863957)
    * fixed: Inbox view intermittently reverted to default view
      after moving or deleting messages (bmo#1725127)
    * fixed: Size of collapsed folders in folder pane did not
      include size of subfolders (bmo#1870641)
    * fixed: Hovering over folder does not always expand subfolders
      (bmo#1873101)
    * fixed: Switching to thread pane of a folder using keyboard
      navigation did not focus top message (bmo#1869557)
    * fixed: Clicking "Sent unsent messages" in Outbox context menu
      while in offline mode did not prompt user to go online
      (bmo#1873487)
    * fixed: Mail tab-specific Unified Toolbar buttons received
      focus incorrectly (bmo#1872239)
    * fixed: Quick Filter settings did not persist when Quick
      Filter bar was turned off (bmo#1850266)
    * fixed: Quick Filters were unusually slow (bmo#1849650)
    * fixed: OpenPGP Key Manager filtering did not work
      (bmo#1873655)
    * fixed: OpenPGP sometimes attempted to decrypt message with
      incorrect key (bmo#1865620)
    * fixed: Autoconfig failed on servers that did not support
      OAuth2 (bmo#1869122)
    * fixed: Opening different attachments with the same name in
      different messages could cause attachment files to become
      conflated (bmo#1873023)
    * fixed: Overflowed attachment list could not be scrolled
      (bmo#1871343)
    * fixed: Passwords disappeared from password manager list after
      applying and clearing filters (bmo#1874646)
    * fixed: Cookies in cookie manager list disappeared after
      applying and then clearing filters (bmo#1876733)
* Sun Jan 21 2024 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.7.0
    https://www.thunderbird.net/en-US/thunderbird/115.7.0/releasenotes/
    MFSA 2024-04 (bsc#1218955)
    * CVE-2024-0741 (bmo#1864587)
      Out of bounds write in ANGLE
    * CVE-2024-0742 (bmo#1867152)
      Failure to update user input timestamp
    * CVE-2024-0746 (bmo#1660223)
      Crash when listing printers on Linux
    * CVE-2024-0747 (bmo#1764343)
      Bypass of Content Security Policy when directive unsafe-inline was set
    * CVE-2024-0749 (bmo#1813463)
      Phishing site popup could show local origin in address bar
    * CVE-2024-0750 (bmo#1863083)
      Potential permissions request bypass via clickjacking
    * CVE-2024-0751 (bmo#1865689)
      Privilege escalation through devtools
    * CVE-2024-0753 (bmo#1870262)
      HSTS policy on subdomain could bypass policy of upper domain
    * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
      Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
      and Thunderbird 115.7
* Wed Jan 10 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
  - Mozilla Thunderbird 115.6.1
    https://www.thunderbird.net/en-US/thunderbird/115.6.1/releasenotes/
    * new: OAuth2 now supported for comcast.net (bmo#1844810)
    * fixed: High CPU usage sometimes occurred with IMAP CONDSTORE
      (conditional STORE) enabled (bmo#1839256)
    * fixed: Replying to a collapsed thread via keyboard shortcut
      (Ctrl+R/Cmd+R) opened a reply for every message in the thread
      (bmo#1866819)
    * fixed: Enabling Grouped By view after reversing sort order of
      column header caused messages to be grouped incorrectly
      (bmo#1868794)
    * fixed: Opening thread pane context menu via keyboard did not
      always scroll view to selection (bmo#1867532)
    * fixed: New mail indicator for POP3 accounts did not indicate
      new messages ready to be downloaded (bmo#1870619)
    * fixed: Messages could not be moved to folders using Message >
      Move To if text or a link in the message had been clicked on
      first (bmo#1868474)
    * fixed: MIME part boundaries were not properly terminated
      (bmo#1805558)
* Sun Dec 17 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.6.0
    https://www.thunderbird.net/en-US/thunderbird/115.6.0/releasenotes/
    * Message selection misbehaved after selecting a sub-message in an
      expanded thread, collapsing the thread, then pressing up/down to
      move selection
    * Thunderbird now attempts to reconnect on a new connection after
      SMTP 4xx errors
    * HTML FileLink attachments used the wrong encoding
    MFSA 2023-55 (bsc#1217230)
    * CVE-2023-50762 (bmo#1862625)
      Truncated signed text was shown with a valid OpenPGP
      signature
    * CVE-2023-50761 (bmo#1865647)
      S/MIME signature accepted despite mismatching message date
    * CVE-2023-6856 (bmo#1843782)
      Heap-buffer-overflow affecting WebGL DrawElementsInstanced
      method with Mesa VM driver
    * CVE-2023-6857 (bmo#1796023)
      Symlinks may resolve to smaller than expected buffers
    * CVE-2023-6858 (bmo#1826791)
      Heap buffer overflow in nsTextFragment
    * CVE-2023-6859 (bmo#1840144)
      Use-after-free in PR_GetIdentitiesLayer
    * CVE-2023-6860 (bmo#1854669)
      Potential sandbox escape due to VideoBridge lack of texture
      validation
    * CVE-2023-6861 (bmo#1864118)
      Heap buffer overflow affected nsWindow::PickerOpen(void) in
      headless mode
    * CVE-2023-6862 (bmo#1868042)
      Use-after-free in nsDNSService
    * CVE-2023-6863 (bmo#1868901)
      Undefined behavior in ShutdownObserver()
    * CVE-2023-6864 (bmo#1736385, bmo#1810805, bmo#1846328,
      bmo#1856090, bmo#1858033, bmo#1858509, bmo#1862089,
      bmo#1862777, bmo#1864015)
      Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6,
      and Thunderbird 115.6
* Tue Dec 12 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.5.2
    Bugfix release
    https://www.thunderbird.net/en-US/thunderbird/115.5.2/releasenotes/
* Tue Nov 28 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.5.1
    Bugfix release
    https://www.thunderbird.net/en-US/thunderbird/115.5.1/releasenotes
    * Advanced GnuPG keys may be protected with an unexpected passphrase
    * OpenPGP signatures rejected due to mismatched signature timestamp
      now display signature timestamp and clarifying message
    * Advanced address book search did not return results if display name
      was left blank
    * Clicking on attendee when inviting attendees added the attendee twice
* Wed Nov 22 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.5.0
    https://www.thunderbird.net/en-US/thunderbird/115.5.0/releasenotes
    MFSA 2023-52 (bsc#1217230)
    * CVE-2023-6204 (bmo#1841050)
      Out-of-bound memory access in WebGL2 blitFramebuffer
    * CVE-2023-6205 (bmo#1854076)
      Use-after-free in MessagePort::Entangled
    * CVE-2023-6206 (bmo#1857430)
      Clickjacking permission prompts using the fullscreen transition
    * CVE-2023-6207 (bmo#1861344)
      Use-after-free in ReadableByteStreamQueueEntry::Buffer
    * CVE-2023-6208 (bmo#1855345)
      Using Selection API would copy contents into X11 primary
      selection.
    * CVE-2023-6209 (bmo#1858570)
      Incorrect parsing of relative URLs starting with "///"
    * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, bmo#1856072,
      bmo#1856091, bmo#1859030, bmo#1860943, bmo#1862782)
      Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
      and Thunderbird 115.5
* Wed Nov 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.4.3
    Bugfix release
    https://www.thunderbird.net/en-US/thunderbird/115.4.3/releasenotes
* Sat Nov 04 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.4.2
    https://www.thunderbird.net/en-US/thunderbird/115.4.2/releasenotes
  - build using rust/cargo 1.72 (1.69 about to be dropped from Factory)
* Tue Oct 24 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.4.1
    https://www.thunderbird.net/en-US/thunderbird/115.4.1/releasenotes
    https://www.thunderbird.net/en-US/thunderbird/115.4.0/releasenotes
    MFSA 2023-47 (bsc#1216338)
    * CVE-2023-5721 (bmo#1830820)
      Queued up rendering could have allowed websites to clickjack
    * CVE-2023-5732 (bmo#1690979, bmo#1836962)
      Address bar spoofing via bidirectional characters
    * CVE-2023-5724 (bmo#1836705)
      Large WebGL draw could have led to a crash
    * CVE-2023-5725 (bmo#1845739)
      WebExtensions could open arbitrary URLs
    * CVE-2023-5726 (bmo#1846205)
      Full screen notification obscured by file open dialog on macOS
    * CVE-2023-5727 (bmo#1847180)
      Download Protections were bypassed by .msix, .msixbundle,
      .appx, and .appxbundle files on Windows
    * CVE-2023-5728 (bmo#1852729)
      Improper object tracking during GC in the JavaScript engine
      could have led to a crash.
    * CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833,
      bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002,
      bmo#1855306, bmo#1855640, bmo#1856695)
      Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4,
      and Thunderbird 115.4.1
  - removed obsolete mozilla-bmo1846703.patch
* Tue Oct 24 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - Mozilla Thunderbird 115.3.3
    * fixed: "Folder Location" toolbar button did not work for
      local folders (bmo#1843979)
    * fixed: "Copy to <folder name> again" option disappeared from
      context menu after copying to Gmail folder with non-ASCII
      name (bmo#1856712)
    * fixed: Default reply identity did not use "Delivered-To"
      address when catch-all was active (bmo#1815559)
    * fixed: "View Headers All" did not work when selected in
      standalone message window (bmo#1855316)
    * fixed: Viewing the mail filter log displayed an error if no
      log file was present (bmo#1789244)
* Tue Oct 10 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.3.2
    Bugfix release
    https://www.thunderbird.net/en-US/thunderbird/115.3.2/releasenotes
* Fri Sep 29 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.3.1
    MFSA 2023-45 (bsc#1215814)
    * CVE-2023-5217 (bmo#1855550)
      Heap buffer overflow in libvpx
  - Add mozilla-bmo1846703.patch
* Tue Sep 26 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.3.0
    https://www.thunderbird.net/en-US/thunderbird/115.3.0/releasenotes
    MFSA 2023-43 (bsc#1215575)
    * CVE-2023-5168 (bmo#1846683)
      Out-of-bounds write in FilterNodeD2D1
    * CVE-2023-5169 (bmo#1846685)
      Out-of-bounds write in PathOps
    * CVE-2023-5171 (bmo#1851599)
      Use-after-free in Ion Compiler
    * CVE-2023-5174 (bmo#1848454)
      Double-free in process spawning on Windows
    * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824,
      bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983,
      bmo#1851195)
      Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3,
      and Thunderbird 115.3
* Wed Sep 20 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.2.3
    Bugfix release:
    https://www.thunderbird.net/en-US/thunderbird/115.2.3/releasenotes
* Tue Sep 12 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - Mozilla Thunderbird 115.2.2
    https://www.thunderbird.net/en-US/thunderbird/115.2.2/releasenotes
    MFSA 2023-40 (bsc#1215231)
    * CVE-2023-4863 (bmo# bmo#1852649)
      Heap buffer overflow in libwebp
* Tue Sep 12 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - Mozilla Thunderbird 115.2.1
    https://www.thunderbird.net/en-US/thunderbird/115.2.1/releasenotes
    * new: Column separators are now shown between all columns in
      tree view (bmo#1847441)
    * fixed: New mail notification always opened message in message
      pane, even if pane was disabled (bmo#1840092)
    * fixed: After moving an IMAP message to another folder, the
      incorrect message was selected in the message list
      (bmo#1845376)
    * fixed: Adding a tag to an IMAP message opened in a tab failed
      (bmo#1844452)
    * fixed: Junk/Spam folders were not always shown in Unified
      Folders mode (bmo#1838672)
    * fixed: Middle-clicking a folder or message did not open it in
      a background tab, as in previous versions (bmo#1842482)
    * fixed: Settings tab visual improvements: Advanced Fonts
      dialog, Section headers hidden behind search box
      (bmo#1717382,bmo#1846751)
    * fixed: Various visual and style fixes
      (bmo#1843707,bmo#1849823)
* Sun Aug 27 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.2.0
    https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes
    MFSA 2023-38 (bsc#1214606)
    * CVE-2023-4573 (bmo#1846687)
      Memory corruption in IPC CanvasTranslator
    * CVE-2023-4574 (bmo#1846688)
      Memory corruption in IPC ColorPickerShownCallback
    * CVE-2023-4575 (bmo#1846689)
      Memory corruption in IPC FilePickerShownCallback
    * CVE-2023-4576 (bmo#1846694)
      Integer Overflow in RecordedSourceSurfaceCreation
    * CVE-2023-4577 (bmo#1847397)
      Memory corruption in JIT UpdateRegExpStatics
    * CVE-2023-4051 (bmo#1821884)
      Full screen notification obscured by file open dialog
    * CVE-2023-4578 (bmo#1839007)
      Error reporting methods in SpiderMonkey could have triggered
      an Out of Memory Exception
    * CVE-2023-4053 (bmo#1839079)
      Full screen notification obscured by external program
    * CVE-2023-4580 (bmo#1843046)
      Push notifications saved to disk unencrypted
    * CVE-2023-4581 (bmo#1843758)
      XLL file extensions were downloadable without warnings
    * CVE-2023-4582 (bmo#1773874)
      Buffer Overflow in WebGL glGetProgramiv
    * CVE-2023-4583 (bmo#1842030)
      Browsing Context potentially not cleared when closing Private
      Window
    * CVE-2023-4584 (bmo#1843968, bmo#1845205, bmo#1846080,
      bmo#1846526, bmo#1847529)
      Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15,
      Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
    * CVE-2023-4585 (bmo#1751583, bmo#1833504, bmo#1841082,
      bmo#1847904, bmo#1848999)
      Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2,
      and Thunderbird 115.2
* Tue Aug 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.1.1
    bugfixes as documented here
    https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes
* Tue Aug 01 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 115.1.0
    New major release with Supernova UI
    Releasenotes for 115.0:
    https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes
    MFSA 2023-33 (bsc#1213746)
    * CVE-2023-4045 (bmo#1833876)
      Offscreen Canvas could have bypassed cross-origin restrictions
    * CVE-2023-4046 (bmo#1837686)
      Incorrect value used during WASM compilation
    * CVE-2023-4047 (bmo#1839073)
      Potential permissions request bypass via clickjacking
    * CVE-2023-4048 (bmo#1841368)
      Crash in DOMParser due to out-of-memory conditions
    * CVE-2023-4049 (bmo#1842658)
      Fix potential race conditions when releasing platform objects
    * CVE-2023-4050 (bmo#1843038)
      Stack buffer overflow in StorageManager
    * CVE-2023-4052 (bmo#1824420)
      File deletion and privilege escalation through Firefox uninstaller
    * CVE-2023-4054 (bmo#1840777)
      Lack of warning when opening appref-ms files
    * CVE-2023-4055 (bmo#1782561)
      Cookie jar overflow caused unexpected cookie jar state
    * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325,
      bmo#1843847)
      Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
      Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
    * CVE-2023-4057 (bmo#1841682)
      Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
      and Thunderbird 115.1
  - requires NSS 3.90
  - add patches:
    mozilla-rust-disable-future-incompat.patch
    mozilla-partial-revert-1768632.patch
    mozilla-bmo1775202.patch
  - removed obsolete patches:
    gcc13-fix.patch
    mozilla-bmo1568145.patch
    mozilla-bmo1005535.patch
    mozilla-s390x-skia-gradient.patch
  - update create-tar.sh
* Tue Jul 25 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.13.1
    MFSA 2023-28
    * CVE-2023-3417 (bmo#1835582, boo#1213658)
      File Extension Spoofing using the Text Direction Override Character
* Fri Jul 07 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.13.0
    * Upstream RNP version numbers now recognized as official in about:support
    MFSA 2023-24 (bsc#1212438)
    * CVE-2023-37201 (bmo#1826002)
      Use-after-free in WebRTC certificate generation
    * CVE-2023-37202 (bmo#1834711)
      Potential use-after-free from compartment mismatch in
      SpiderMonkey
    * CVE-2023-37207 (bmo#1816287)
      Fullscreen notification obscured
    * CVE-2023-37208 (bmo#1837675)
      Lack of warning when opening Diagcab files
    * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886,
      bmo#1836550, bmo#1837450)
      Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
      and Thunderbird 102.13
  - mozilla-llvm16.patch has been applied upstream, remove it here
* Sun Jun 04 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.12.0:
    MFSA 2023-21 (bsc#1211922)
    * CVE-2023-34414 (bmo#1695986)
      Click-jacking certificate exceptions through rendering lag
    * CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875,
      bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190,
      bmo#1830206, bmo#1830795, bmo#1833339)
      Memory safety bugs fixed in Thunderbird 102.12
    * fixed: "Searching the directory for recipients certificates"
      popup could block compose window when "S/MIME reminder" was
      enabled and using an LDAP address book (bmo#1833651)
    * fixed: Some elements still used animations with "prefers-
      reduced-motion" set (bmo#1833353)
    * fixed: Visual and theme improvements
      (bmo#1832943,bmo#1832990)
* Sat May 27 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.11.2
    * fixed: Thunderbird 102.11.1 contained POP3 client regressions
      with offline mode and TLS certificate overrides
      (bmo#1801286,bmo#1816596,bmo#1798785)
  - Includes changes from Thunderbird 102.11.1
    * fixed: POP message retrieval stopped after a network error
      occurred and connectivity was restored (bmo#1798785)
    * fixed: Reused SMTP connections sometimes silently
      disconnected, causing timeouts (bmo#1766382)
    * fixed: Thunderbird could freeze if saving a sent message to
      IMAP failed (bmo#1745130)
    * fixed: Creating OpenPGP keys with no expiration was not
      possible (bmo#1830094)
    * fixed: News reader did not always issue GROUP command after
      authentication with remote server, preventing Thundebird from
      displaying or refreshing news from the server (bmo#1824377)
  - updated mozilla.keyring
* Thu May 11 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.11.0
    * https://www.thunderbird.net/en-US/thunderbird/102.11.0/releasenotes
    MFSA 2023-18 (bsc#1211175)
    * CVE-2023-32205 (bmo#1753339, bmo#1753341)
      Browser prompts could have been obscured by popups
    * CVE-2023-32206 (bmo#1824892)
      Crash in RLBox Expat driver
    * CVE-2023-32207 (bmo#1826116)
      Potential permissions request bypass via clickjacking
    * CVE-2023-32211 (bmo#1823379)
      Content process crash due to invalid wasm code
    * CVE-2023-32212 (bmo#1826622)
      Potential spoof due to obscured address bar
    * CVE-2023-32213 (bmo#1826666)
      Potential memory corruption in FileReader::DoReadData()
    * CVE-2023-32214 (bmo#1828716)
      Potential DoS via exposed protocol handlers
    * CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856,
      bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144,
      bmo#1827359, bmo#1830186)
      Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
* Sun Apr 23 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.10.1
    * https://www.thunderbird.net/en-US/thunderbird/102.10.1/releasenotes
* Wed Apr 05 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.10.0
    * New messages will automatically select S/MIME if configured and
      OpenPGP is not
    * Calendar events with timezone America/Mexico_City incorrectly
      applied Daylight Savings Time
    MFSA 2023-15 (bsc#1210212)
    * CVE-2023-29531 (bmo#1794292)
      Out-of-bound memory access in WebGL on macOS
    * CVE-2023-29532 (bmo#1806394)
      Mozilla Maintenance Service Write-lock bypass
    * CVE-2023-29533 (bmo#1798219, bmo#1814597)
      Fullscreen notification obscured
    * MFSA-TMP-2023-0001 (bmo#1819244)
      Double-free in libwebp
    * CVE-2023-29535 (bmo#1820543)
      Potential Memory Corruption following Garbage Collector compaction
    * CVE-2023-29536 (bmo#1821959)
      Invalid free from JavaScript code
    * CVE-2023-0547 (bmo#1811298)
      Revocation status of S/Mime recipient certificates was not checked
    * CVE-2023-29479 (bmo#1824978)
      Hang when processing certain OpenPGP messages
    * CVE-2023-29539 (bmo#1784348)
      Content-Disposition filename truncation leads to Reflected
      File Download
    * CVE-2023-29541 (bmo#1810191)
      Files with malicious extensions could have been downloaded
      unsafely on Linux
    * CVE-2023-29542 (bmo#1810793, bmo#1815062)
      Bypass of file download extension restrictions
    * CVE-2023-29545 (bmo#1823077)
      Windows Save As dialog resolved environment variables
    * CVE-2023-1945 (bmo#1777588)
      Memory Corruption in Safe Browsing Code
    * CVE-2023-29548 (bmo#1822754)
      Incorrect optimization result on ARM64
    * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217,
      bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602,
      bmo#1821448, bmo#1822413, bmo#1824828)
      Memory safety bugs fixed in Thunderbird 102.10
  - add mozilla-llvm16.patch to fix build with LLVM16
* Wed Mar 29 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.9.1
    MFSA 2023-12
    * CVE-2023-28427 (bmo#1822595)
      Matrix SDK bundled with Thunderbird vulnerable to
      denial-of-service attack
* Sun Mar 26 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - add gcc13-fix.patch to support current Tumbleweed
* Sun Mar 12 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.9.0
    * https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes
    MFSA 2023-11 (bsc#1209173))
    * CVE-2023-25751 (bmo#1814899)
      Incorrect code generation during JIT compilation
    * CVE-2023-28164 (bmo#1809122)
      URL being dragged from a removed cross-origin iframe into the
      same tab triggered navigation
    * CVE-2023-28162 (bmo#1811327)
      Invalid downcast in Worklets
    * CVE-2023-25752 (bmo#1811627)
      Potential out-of-bounds when accessing throttled streams
    * CVE-2023-28163 (bmo#1817768)
      Windows Save As dialog resolved environment variables
    * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904,
      bmo#1817442, bmo#1818674)
      Memory safety bugs fixed in Thunderbird 102.9
  - update create-tar.sh
  - build using rust 1.67
* Tue Mar 07 2023 Manfred Hollstein <manfred.h@gmx.net>
  - Ensure gcc11-c++ gets used on Leap 15.5, too.
* Wed Feb 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.8.0
    * https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes
    MFSA 2023-07 (bsc#1208144)
    * CVE-2023-0616 (bmo#1806507)
      User Interface lockup with messages combining S/MIME and OpenPGP
    * CVE-2023-25728 (bmo#1790345)
      Content security policy leak in violation reports using iframes
    * CVE-2023-25730 (bmo#1794622)
      Screen hijack via browser fullscreen mode
    * CVE-2023-0767 (bmo#1804640)
      Arbitrary memory write via PKCS 12 in NSS
    * CVE-2023-25735 (bmo#1810711)
      Potential use-after-free from compartment mismatch in SpiderMonkey
    * CVE-2023-25737 (bmo#1811464)
      Invalid downcast in SVGUtils::SetupStrokeGeometry
    * CVE-2023-25738 (bmo#1811852)
      Printing on Windows could potentially crash Thunderbird with
      some device drivers
    * CVE-2023-25739 (bmo#1811939)
      Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
    * CVE-2023-25729 (bmo#1792138)
      Extensions could have opened external schemes without user knowledge
    * CVE-2023-25732 (bmo#1804564)
      Out of bounds memory write from EncodeInputStream
    * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
      Opening local .url files could cause unexpected network loads
    * CVE-2023-25742 (bmo#1813424)
      Web Crypto ImportKey crashes tab
    * CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628,
      bmo#1810536)
      Memory safety bugs fixed in Thunderbird 102.8
  - requires
    NSPR >= 4.34.1
    NSS  >= 3.79.4
* Wed Feb 08 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.7.2
    * Various crash fixes
* Tue Jan 31 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.7.1
    * Microsoft Office 365 accounts were unable to authenticate
    * https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/
    MFSA 2023-04
    * CVE-2023-0430 (bmo#1769000)
      Revocation status of S/Mime signature certificates was not checked
  - update create-tar.sh
* Tue Jan 17 2023 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.7.0
    https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/
    MFSA 2023-03 (bsc#1207119)
    * CVE-2022-46871 (bmo#1795697)
      libusrsctp library out of date
    * CVE-2023-23598 (bmo#1800425)
      Arbitrary file read from GTK drag and drop on Linux
    * CVE-2023-23599 (bmo#1777800)
      Malicious command could be hidden in devtools output on
      Windows
    * CVE-2023-23601 (bmo#1794268)
      URL being dragged from cross-origin iframe into same tab
      triggers navigation
    * CVE-2023-23602 (bmo#1800890)
      Content Security Policy wasn't being correctly applied to
      WebSockets in WebWorkers
    * CVE-2022-46877 (bmo#1795139)
      Fullscreen notification bypass
    * CVE-2023-23603 (bmo#1800832)
      Calls to <code>console.log</code> allowed bypasing Content
      Security Policy via format directive
    * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
      Memory safety bugs fixed in Thunderbird 102.7
* Tue Dec 20 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.6.1
    * Remote content did not load in user-defined signatures
    * Addons that added new action buttons were not shown for addon
      upgrades, requiring removal and reinstall
    * Various stability improvements
    MFSA 2022-54
    * CVE-2022-46874 (bmo#1746139)
      Drag and Dropped Filenames could have been truncated to
      malicious extensions
* Tue Dec 13 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.6.0
    https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
    MFSA 2022-53 (bsc#1206242)
    * CVE-2022-46880 (bmo#1749292)
      Use-after-free in WebGL
    * CVE-2022-46872 (bmo#1799156)
      Arbitrary file read from a compromised content process
    * CVE-2022-46881 (bmo#1770930)
      Memory corruption in WebGL
    * CVE-2022-46874 (bmo#1746139)
      Drag and Dropped Filenames could have been truncated to
      malicious extensions
    * CVE-2022-46875 (bmo#1786188)
      Download Protections were bypassed by .atloc and .ftploc
      files on Mac OS
    * CVE-2022-46882 (bmo#1789371)
      Use-after-free in WebGL
    * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
      bmo#1801102, bmo#1801315, bmo#1802395)
      Memory safety bugs fixed in Thunderbird 102.6
  - removed obsolete patches
    mozilla-newer-cbindgen.patch
    mozilla-glibc236.patch
* Wed Nov 30 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.5.1
    MFSA 2022-50
    * CVE-2022-45414 (bmo#1788096)
      Quoting from an HTML email with certain tags will trigger network
      requests and load remote content, regardless of a configuration
      to block remote content
* Sat Nov 12 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.5.0
    * changes and fixes as described here
      https://www.thunderbird.net/en-US/thunderbird/102.5.0/releasenotes
    MFSA 2022-49 (bsc#1205270)
    * CVE-2022-45403 (bmo#1762078)
      Service Workers might have learned size of cross-origin media files
    * CVE-2022-45404 (bmo#1790815)
      Fullscreen notification bypass
    * CVE-2022-45405 (bmo#1791314)
      Use-after-free in InputStream implementation
    * CVE-2022-45406 (bmo#1791975)
      Use-after-free of a JavaScript Realm
    * CVE-2022-45408 (bmo#1793829)
      Fullscreen notification bypass via windowName
    * CVE-2022-45409 (bmo#1796901)
      Use-after-free in Garbage Collection
    * CVE-2022-45410 (bmo#1658869)
      ServiceWorker-intercepted requests bypassed SameSite cookie policy
    * CVE-2022-45411 (bmo#1790311)
      Cross-Site Tracing was possible via non-standard override headers
    * CVE-2022-45412 (bmo#1791029)
      Symlinks may resolve to partially uninitialized buffers
    * CVE-2022-45416 (bmo#1793676)
      Keystroke Side-Channel Leakage
    * CVE-2022-45418 (bmo#1795815)
      Custom mouse cursor could have been drawn over browser UI
    * CVE-2022-45420 (bmo#1792643)
      Iframe contents could be rendered outside the iframe
    * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
      Memory safety bugs fixed in Thunderbird 102.5
* Sat Nov 05 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.4.2
    * "Address Book" button in Account Central will now create a
      CardDAV address book instead of a local address book
    * Bugfixes as described here
      https://www.thunderbird.net/en-US/thunderbird/102.4.2/releasenotes
* Tue Oct 25 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.4.1
    * Thunderbird will now catch and report errors parsing vCards
      that contain incorrectly formatted dates
    * Dynamic language switching did not update interface when switched
      to right-to-left languages
    * Custom header data was discarded after messages were saved as
      draft and reopened
    * -remote command line argument did not work, affecting integration
      with various applications such as LibreOffice
    * Messages received via some SMS-to-email services could not
      display images
    * VCards with nickname field set could not be edited
    * Some recurring events were missing from Agenda on first load
    * Download requests for remote ICS calendars incorrectly set
      "Accept" header to text/xml
    * Monthly events created on the 31st of a month with <30 days placed
      first occurrence 1-2 days after the beginning of the following month
    * Various visual and UX improvements
* Fri Oct 14 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.4.0
    https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes
    MFSA 2022-46 (bsc#1203477)
    * CVE-2022-42927 (bmo#1789128)
      Same-origin policy violation could have leaked cross-origin URLs
    * CVE-2022-42928 (bmo#1791520)
      Memory Corruption in JS Engine
    * CVE-2022-42929 (bmo#1789439)
      Denial of Service via window.print
    * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)
      Memory safety bugs fixed in Firefox 106, Firefox ESR 102.4 and
      Thunderbird 102.4.0
* Tue Oct 11 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.3.3
    * Option added to show containing address book for a contact when
      using All Address Books in vertical mode
    * Thunderbird will try to use POP NTLM authentication even if
      not advertised by server
    * Task List and Today Pane sidebars will no longer load when not visible
    * bugfixes as documented here
      https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes
* Thu Oct 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.3.2
    * Thunderbird will try to use POP CRAM-MD5 authentication even if
      not advertised by server
    * more bugfixes as in
      https://www.thunderbird.net/en-US/thunderbird/102.3.2/releasenotes
* Mon Oct 03 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - build using rust 1.63
* Wed Sep 28 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.3.1
    * Compose window encryption options now only appear for encryption
      technologies that have already been configured
    * Number of contacts in currently selected address book now
      displayed at bottom of Address Book list column
    Fixes
    * Password prompt did not include server hostname for POP servers
    * Edit Contact was missing from Contacts sidebar context menus
    * Address Book contact lists cut off display of some characters,
      the result being unreadable
    MFSA 2022-43
    * CVE-2022-39249 (bmo#1791765)
      Matrix SDK bundled with Thunderbird vulnerable to an
      impersonation attack by malicious server administrators
    * CVE-2022-39250 (bmo#1791765)
      Matrix SDK bundled with Thunderbird vulnerable to a device
      verification attack
    * CVE-2022-39251 (bmo#1791765)
      Matrix SDK bundled with Thunderbird vulnerable to an
      impersonation attack
    * CVE-2022-39236 (bmo#1791765)
      Matrix SDK bundled with Thunderbird vulnerable to a data
      corruption issue
* Fri Sep 16 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.3.0
    https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
    * Thunderbird will no longer attempt to import account passwords
      when importing from another Thunderbird profile in order to
      prevent profile corruption and permanent data loss. (bmo#1790605)
    * Devtools performance profile will use Thunderbird presets
      instead of Web Developer presets (bmo#1785954)
    * Thunderbird startup performance improvements (bmo#1785967)
    * Saving email source and images failed (bmo#1777323, bmo#1778804)
    * Error message was shown repeatedly when temporary disk
      space was full (bmo#1788580)
    * Attaching OpenPGP keys without a set size to non-encrypted
      messages briefly displayed a size of zero bytes (bmo#1788952)
    * Global Search entry box initially contained "undefined" (bmo#1780963)
    * Delete from POP Server mail filter rule intermittently
      failed to trigger (bmo#1789418)
    * Connections to POP3 servers without UIDL support failed (bmo#1789314)
    * Pop accounts with "Fetch headers only" set downloaded complete
      messages if server did not advertise TOP capability (bmo#1789356)
    * "File -> New -> Address Book Contact" from Compose window did
      not work (bmo#1782418)
    * Attach "My vCard" option in compose window was not available
      (bmo#1787614)
    * Improved performance of matching a contact to an email address
      (bmo#1782725)
    * Address book only recognized a contact's first two email
      addresses (bmo#1777156)
    * Address book search and autocomplete failed if a contact vCard
      could not be parsed (bmo#1789793)
    * Downloading NNTP messages for offline use failed (bmo#1785773)
    * NNTP client became stuck when connecting to Public-Inbox servers
      (bmo#1786203, boo#1203554)
    * Various visual and UX improvements (bmo#1782235, bmo#1787448,
      bmo#1788725, bmo#1790324)
    * unresolved: No dedicated "Department" field in address book
      (bmo#1777780)
    MFSA 2022-42 (bsc#1203477)
    * CVE-2022-40959 (bmo#1782211)
      Bypassing FeaturePolicy restrictions on transient pages
    * CVE-2022-40960 (bmo#1787633)
      Data-race when parsing non-UTF-8 URLs in threads
    * CVE-2022-40958 (bmo#1779993)
      Bypassing Secure Context restriction for cookies with __Host
      and __Secure prefix
    * CVE-2022-40956 (bmo#1770094)
      Content-Security-Policy base-uri bypass
    * CVE-2022-40957 (bmo#1777604)
      Incoherent instruction cache when building WASM on ARM64
    * CVE-2022-3155 (bmo#1789061)
      Attachment files saved to disk on macOS could be executed
      without warning
    * CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835,
      bmo#1785109, bmo#1786502, bmo#1789440)
      Memory safety bugs fixed in Thunderbird 102.3
* Thu Sep 08 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.2.2
    https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
    * Setting added to change Calendar event double-click action to
      open Edit Event dialog rather than view only;
      Set calendar.events.defaultActionEdit to true
    * Running Compact Folders on maildir folders caused a redownload
      of all messages in the folder
    * Accessing mail folders in profiles with many folders was slow
    * SMTP servers were not always properly initialized, and were not
      listed in Account Settings
    * APOP authentication unsupported when connecting to POP3 server
    * OpenPGP key discovery failed
    * POP accounts hosted by AOL were not able to authenticate using OAuth2
    * Unable to open context menu in newsgroups header for groups
      that are not subscribed
* Thu Sep 08 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.2.2
    https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
    * Setting added to change Calendar event double-click action to
      open Edit Event dialog rather than view only;
      Set calendar.events.defaultActionEdit to true
    * Running Compact Folders on maildir folders caused a redownload
      of all messages in the folder
    * Accessing mail folders in profiles with many folders was slow
    * SMTP servers were not always properly initialized, and were not
      listed in Account Settings
    * APOP authentication unsupported when connecting to POP3 server
    * OpenPGP key discovery failed
    * POP accounts hosted by AOL were not able to authenticate using OAuth2
    * Unable to open context menu in newsgroups header for groups
      that are not subscribed
* Thu Sep 01 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.2.1
    MFSA 2022-38 (bsc#1203007)
    * CVE-2022-3033 (bmo#1784838)
      Leaking of sensitive information when composing a response to
      an HTML email with a META refresh tag
    * CVE-2022-3032 (bmo#1783831)
      Remote content specified in an HTML document that was nested
      inside an iframe's srcdoc attribute was not blocked
    * CVE-2022-3034 (bmo#1745751)
      An iframe element in an HTML email could trigger a network
      request
    * CVE-2022-36059 (bmo#1787741)
      Matrix SDK bundled with Thunderbird vulnerable to denial-of-
      service attack
* Fri Aug 19 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.2.0
    * https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/
    MFSA 2022-36 (bsc#1202645)
    * CVE-2022-38472 (bmo#1769155)
      Address bar spoofing via XSLT error handling
    * CVE-2022-38473 (bmo#1771685)
      Cross-origin XSLT Documents would have inherited the parent's
      permissions
    * CVE-2022-38476 (bmo#1760998)
      Data race and potential use-after-free in PK11_ChangePW
    * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
      Memory safety bugs fixed in Thunderbird 102.2
    * CVE-2022-38478 (bmo#1770630, bmo#1776658)
      Memory safety bugs fixed in Thunderbird 102.2, and
      Thunderbird 91.13
  - disabled automatic usage of wayland because of known issues
    using MOZ_ENABLE_WAYLAND=1 in environment would still enable it
    (boo#1202606)
* Sun Aug 14 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - added mozilla-glibc236.patch (bmo#1782988, boo#1202323)
* Tue Aug 09 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.1.2
    * fix for bmo#1777765 (no POP download progress bar) was backed
      out from this release to address broken POP message download
      with Fetch headers only selected in Account Settings (bmo#1783552)
* Mon Aug 08 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.1.1
    Bugfixes:
    * https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/
* Tue Jul 26 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.1.0
    * https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes
    MFSA 2022-32 (bsc#1201758)
    * CVE-2022-36319 (bmo#1737722)
      Mouse Position spoofing with CSS transforms
    * CVE-2022-36318 (bmo#1771774)
      Directory indexes for bundled resources reflected URL parameters
    * CVE-2022-36314 (bmo#1773894)
      Opening local <code>.lnk</code> files could cause unexpected
      network loads
    * CVE-2022-2505 (bmo#1769739, bmo#1772824)
      Memory safety bugs fixed in Thunderbird 102.1
  - added mozilla-newer-cbindgen.patch to fix build with
    rust-cbindgen >= 0.24 (and also require that for build)
  - added mozilla-pgo.patch to fix LTO builds with gcc
* Tue Jul 19 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.0.3
    Bugfixes as in
    * https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/
* Sat Jul 09 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 102.0.2
    * https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/
  - removed obsolete patches
    mozilla-bmo1504834-part2.patch
    mozilla-bmo1504834-part4.patch
    mozilla-bmo1602730.patch
    mozilla-bmo1626236.patch
    mozilla-bmo1724679.patch
    mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
    mozilla-sandbox-fips.patch
  - added patches inherited from FF 102
    one_swizzle_to_rule_them_all.patch
    svg-rendering.patch
  - fix KDE detection (boo#1200987) in mozilla-kde.patch
  - requires
    rust = 1.60
    NSPR >= 4.34
    NSS >= 3.79
    rust-cbindgen >= 0.23.0
  - remove special breakpad debug symbol creation
* Sun Jun 26 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.11.0
    * CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
      additional fix applied
    * "Save-As" attachment dialog did not have filename pre-populated
    MFSA 2022-26 (bsc#1200793)
    * CVE-2022-34479 (bmo#1745595)
      A popup window could be resized in a way to overlay the
      address bar with web content
    * CVE-2022-34470 (bmo#1765951)
      Use-after-free in nsSHistory
    * CVE-2022-34468 (bmo#1768537)
      CSP sandbox header without `allow-scripts` can be bypassed
      via retargeted javascript: URI
    * CVE-2022-2226 (bmo#1775441)
      An email with a mismatching OpenPGP signature date was
      accepted as valid
    * CVE-2022-34481 (bmo#1497246)
      Potential integer overflow in ReplaceElementsAt
    * CVE-2022-31744 (bmo#1757604)
      CSP bypass enabling stylesheet injection
    * CVE-2022-34472 (bmo#1770123)
      Unavailable PAC file resulted in OCSP requests being blocked
    * CVE-2022-34478 (bmo#1773717)
      Microsoft protocols can be attacked if a user accepts a prompt
    * CVE-2022-2200 (bmo#1771381)
      Undesired attributes could be set as part of prototype pollution
    * CVE-2022-34484 (bmo#1763634, bmo#1772651)
      Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
* Thu May 26 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.10.0
    * Various UX and theme improvements
    MFSA 2022-22 (bsc#1200027)
    * CVE-2022-31736 (bmo#1735923)
      Cross-Origin resource's length leaked
    * CVE-2022-31737 (bmo#1743767)
      Heap buffer overflow in WebGL
    * CVE-2022-31738 (bmo#1756388)
      Browser window spoof using fullscreen mode
    * CVE-2022-31739 (bmo#1765049)
      Attacker-influenced path traversal when saving downloaded
      files
    * CVE-2022-31740 (bmo#1766806)
      Register allocation problem in WASM on arm64
    * CVE-2022-31741 (bmo#1767590)
      Uninitialized variable leads to invalid memory read
    * CVE-2022-1834 (bmo#1767816)
      Braille space character caused incorrect sender email to be
      shown for a digitally signed email
    * CVE-2022-31742 (bmo#1730434)
      Querying a WebAuthn token with a large number of
      allowCredential entries may have leaked cross-origin
      information
    * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
      bmo#1767365, bmo#1768559, bmo#1768734)
      Memory safety bugs fixed in Thunderbird 91.10
* Sat May 21 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.9.1
    MFSA 2022-19 (bsc#1199768)
    * CVE-2022-1802 (bmo#1770137)
      Prototype pollution in Top-Level Await implementation
    * CVE-2022-1529 (bmo#1770048)
      Untrusted input used in JavaScript object indexing, leading
      to prototype pollution
* Mon May 02 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.9.0
    * A warning is now displayed if an OpenPGP key has unsafe
      attributes that are ignored
    * OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
      allow SHA-1 key signatures
    * CalDAV calendars were marked read-only on startup
    MFSA 2022-18 (bsc#1198970)
    * CVE-2022-1520 (bmo#1745019)
      Incorrect security status shown after viewing an attached
      email
    * CVE-2022-29914 (bmo#1746448)
      Fullscreen notification bypass using popups
    * CVE-2022-29909 (bmo#1755081)
      Bypassing permission prompt in nested browsing contexts
    * CVE-2022-29916 (bmo#1760674)
      Leaking browser history with CSS variables
    * CVE-2022-29911 (bmo#1761981)
      iframe sandbox bypass
    * CVE-2022-29912 (bmo#1692655)
      Reader mode bypassed SameSite cookies
    * CVE-2022-29913 (bmo#1764778)
      Speech Synthesis feature not properly disabled
    * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
      bmo#1762614, bmo#1762620)
      Memory safety bugs fixed in Thunderbird 91.9
* Sat Apr 16 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.8.1
    * CLIENTID extension to SMTP was not supported by smtp-js#
    * Additional SMTP errors now propagated to user
    * OpenPGP was not able to use some previously supported key types
    * OpenPGP Key Manager did not always display correct information
      after importing additional IDs
    * Duplicate new mail notifications could be displayed when
      server-side filters were in use
    * Cancelling an SMTP password entry resulted in multiple failure
      dialogs being displayed
* Tue Apr 12 2022 Martin Liška <mliska@suse.cz>
  - Set memory limits for DWZ to 4x.
* Sat Apr 02 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.8.0
    * Google accounts using password authentication will be migrated
      to OAuth2.
    * bugfixes
      https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
    MFSA 2022- (bsc#1197903)
  - update create-tar.sh
* Thu Mar 17 2022 Dirk Müller <dmueller@suse.com>
  - skip slow workers, this is a tough build job
* Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.7.0
    * Thunderbird will use the first occurrence of headers that should
      only appear once
    * Auto-complete incorrectly changed a pasted email address to the
      primary address of a contact
    * Attachments with filename extensions that were not registered in
      MIME types could not be opened
    * Copy/Cut/Paste actions not working in Thunderbird Preferences
    * Improved screen reader support of displayed message headers
    MFSA 2022-12 (bsc#1196900)
    * CVE-2022-26383 (bmo#1742421)
      Browser window spoof using fullscreen mode
    * CVE-2022-26384 (bmo#1744352)
      iframe allow-scripts sandbox bypass
    * CVE-2022-26387 (bmo#1752979)
      Time-of-check time-of-use bug when verifying add-on signatures
    * CVE-2022-26381 (bmo#1736243)
      Use-after-free in text reflows
    * CVE-2022-26386 (bmo#1752396)
      Temporary files downloaded to /tmp and accessible by other
      local users
* Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.6.2
    MFSA 2022-09
    * CVE-2022-26485 (bmo#1758062)
      Use-after-free in XSLT parameter processing
    * CVE-2022-26486 (bmo#1758070)
      Use-after-free in WebGPU IPC Framework
* Tue Feb 15 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.6.1
    * generated views of meeting invitations are now expanded by default
    * Emails were not downloading at startup under some conditions
    * Port numbers were not shown in "Confirm Security Exception"
      dialog for CalDAV connections
    MFSA 2022-07 (bsc#1196072)
    * CVE-2022-0566 (bmo#1753094)
      Crafted email could trigger an out-of-bounds write
* Sat Feb 05 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.6.0
    * TB will now offer to send large forwarded attachments via FileLink
    * Partially signed unencrypted messages displayed an incorrect
      "parrtially encrypted" notification
    * Attachments filenames were not sanitized before saving to disk
    * In the attachment bar, the "Import OpenPGP Key" item displayed
      for public keys displayed an error and did not import the key
    * "Open with" attachment dialog did not have a selected radio
      button option
    MFSA 2022-06 (bsc#1195682)
    * CVE-2022-22753 (bmo#1732435)
      Privilege Escalation to SYSTEM on Windows via Maintenance
      Service
    * CVE-2022-22754 (bmo#1750565)
      Extensions could have bypassed permission confirmation during
      update
    * CVE-2022-22756 (bmo#1317873)
      Drag and dropping an image could have resulted in the dropped
      object being an executable
    * CVE-2022-22759 (bmo#1739957)
      Sandboxed iframes could have executed script if the parent
      appended elements
    * CVE-2022-22760 (bmo#1740985, bmo#1748503)
      Cross-Origin responses could be distinguished between script
      and non-script content-types
    * CVE-2022-22761 (bmo#1745566)
      frame-ancestors Content Security Policy directive was not
      enforced for framed extension pages
    * CVE-2022-22763 (bmo#1740534)
      Script Execution during invalid object state
    * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
      bmo#1748210, bmo#1748279)
      Memory safety bugs fixed in Thunderbird 91.6
  - do not use ccache by default
  - removed obsolete mozilla-bmo1745560.patch
* Sat Jan 22 2022 Manfred Hollstein <manfred.h@gmx.net>
  - Mozilla Thunderbird 91.5.1
    * JS LDAP implementation did not support self-signed SSL certificates
    * After saving a draft and subsequently sending a FileLink email,
      the original file was removed from disk
    * Chat OTR encryption did not work
    * OTR verification bar was not removed after completing verification
    * Various theme improvements
* Thu Jan 20 2022 Martin Liška <mliska@suse.cz>
  - Enable -fimplicit-constexpr for GCC 12+.
* Fri Jan 07 2022 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.5.0
    https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
    MFSA 2022-03 (bsc#1194547)
    * CVE-2022-22746 (bmo#1735071)
      Calling into reportValidity could have lead to fullscreen
      window spoof
    * CVE-2022-22743 (bmo#1739220)
      Browser window spoof using fullscreen mode
    * CVE-2022-22742 (bmo#1739923)
      Out-of-bounds memory access when inserting text in edit mode
    * CVE-2022-22741 (bmo#1740389)
      Browser window spoof using fullscreen mode
    * CVE-2022-22740 (bmo#1742334)
      Use-after-free of ChannelEventQueue::mOwner
    * CVE-2022-22738 (bmo#1742382)
      Heap-buffer-overflow in blendGaussianBlur
    * CVE-2022-22737 (bmo#1745874)
      Race condition when playing audio files
    * CVE-2021-4140 (bmo#1746720)
      Iframe sandbox bypass with XSLT
    * CVE-2022-22748 (bmo#1705211)
      Spoofed origin on external protocol launch dialog
    * CVE-2022-22745 (bmo#1735856)
      Leaking cross-origin URLs through securitypolicyviolation event
    * CVE-2022-22744 (bmo#1737252)
      The 'Copy as curl' feature in DevTools did not fully escape
      website-controlled data, potentially leading to command injection
    * CVE-2022-22747 (bmo#1735028)
      Crash when handling empty pkcs7 sequence
    * CVE-2022-22739 (bmo#1744158)
      Missing throttling on external protocol launch dialog
    * CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366,
      bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221,
      bmo#1743515, bmo#1745373, bmo#1746011)
      Memory safety bugs fixed in Thunderbird 91.5
* Tue Dec 28 2021 Bjørn Lie <bjorn.lie@gmail.com>
  - Add mozilla-bmo1745560.patch: Fix build against wayland 1.20.
* Fri Dec 17 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.4.1
    * several fixes as outlined here
      https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
    MFSA 2021-55 (bsc#1193845)
    * CVE-2021-4126 (bmo#1732310)
      OpenPGP signature status doesn't consider additional message
      content
    * CVE-2021-44538 (bmo#1744056)
      Matrix chat library libolm bundled with Thunderbird
      vulnerable to a buffer overflow
  - updated _constraints
* Thu Dec 02 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.4.0
    * several fixes as outlined here
      https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
    MFSA 2021-54 (bsc#1193485)
    * CVE-2021-43536 (bmo#1730120)
      URL leakage when navigating while executing asynchronous
      function
    * CVE-2021-43537 (bmo#1738237)
      Heap buffer overflow when using structured clone
    * CVE-2021-43538 (bmo#1739091)
      Missing fullscreen and pointer lock notification when
      requesting both
    * CVE-2021-43539 (bmo#1739683)
      GC rooting failure when calling wasm instance methods
    * CVE-2021-43541 (bmo#1696685)
      External protocol handler parameters were unescaped
    * CVE-2021-43542 (bmo#1723281)
      XMLHttpRequest error codes could have leaked the existence of
      an external protocol handler
    * CVE-2021-43543 (bmo#1738418)
      Bypass of CSP sandbox directive when embedding
    * CVE-2021-43545 (bmo#1720926)
      Denial of Service when using the Location API in a loop
    * CVE-2021-43546 (bmo#1737751)
      Cursor spoofing could overlay user interface when native
      cursor is zoomed
    * CVE-2021-43528 (bmo#1742579)
      JavaScript unexpectedly enabled for the composition area
    * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
      bmo#1737009, bmo#1739372, bmo#1739421)
      Memory safety bugs fixed in Thunderbird 91.4.0
* Thu Nov 25 2021 Bjørn Lie <bjorn.lie@gmail.com>
  - Drop unused libidl-devel BuildRequires.
* Sat Nov 20 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.3.2
    * Date selection in Calendar print settings widget changed to use
      mini calendar widget
    * OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529
      boo#1189244
    * Bugfixes as outlined in release notes
      https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/
* Sat Nov 13 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.3.1
    * OpenPGP public keys will no longer count as an attachment in
      the message list
    * Adding a search engine via URL now supported
    * FileLink messages' template updated; Thunderbird advertisement
      removed
    * After an update, Thunderbird will now check installed addons
      for updates
    * Bugfixes as outlined in release notes
      https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/
* Sun Oct 31 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.3.0
    * several fixes as outlined here
      https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
    MFSA 2021-50  (bsc#1192250)
    * CVE-2021-38503 (bmo#1729517)
      iframe sandbox rules did not apply to XSLT stylesheets
    * CVE-2021-38504 (bmo#1730156)
      Use-after-free in file picker dialog
    * CVE-2021-38505 (bmo#1730194)
      Windows 10 Cloud Clipboard may have recorded sensitive user data
    * CVE-2021-38506 (bmo#1730750)
      Thunderbird could be coaxed into going into fullscreen mode
      without notification or warning
    * CVE-2021-38507 (bmo#1730935)
      Opportunistic Encryption in HTTP2 could be used to bypass the
      Same-Origin-Policy on services hosted on other ports
    * MOZ-2021-0008 (bmo#1667102)
      Use-after-free in HTTP2 Session object
    * CVE-2021-38508 (bmo#1366818)
      Permission Prompt could be overlaid, resulting in user
      confusion and potential spoofing
    * CVE-2021-38509 (bmo#1718571)
      Javascript alert box could have been spoofed onto an
      arbitrary domain
    * CVE-2021-38510 (bmo#1731779)
      Download Protections were bypassed by .inetloc files on Mac OS
    * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
      bmo#1735152)
      Memory safety bugs fixed in Thunderbird ESR 91.3
  - Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
* Fri Oct 22 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.2.1
    * Preference added to disable automatic pausing RSS feed updates
      after a fetch failure
    * several bugfixes as outlined in release notes
      https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/
* Fri Oct 22 2021 Guillaume GARDET <guillaume.gardet@opensuse.org>
  - Increase memory required per threads for aarch64 to avoid OOM
* Thu Oct 21 2021 Martin Liška <mliska@suse.cz>
  - Enable LTO on Tumbleweed.
* Fri Oct 15 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863)
    fix some env variables which are enabled for any value
* Mon Oct 04 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.2.0
    * Saving a single message as .eml now uses a unique filename
    * New mail notifications did not properly take subfolders into account
    * Decrypting binary attachments when using an external GnuPG
      configuration failed
    * Account name fields in the account manager were not big enough
      for long names
    * LDAP searches using an extensibleMatch filter returned no results
    * Read-only CalDAV calendars and CardDAV address books were not detected
    * Multipart messages containing a calendar invite did not display
      any of the human-readable alternatives
    * Some calendar days were displayed incorrectly or duplicated
      (eg. two "29th" days of a particular month)
    * Phantom event was shown at the end of each day in Calendar week view
    MFSA 2021-46 (bsc#1191332)
    * CVE-2021-38496 (bmo#1725335)
      Use-after-free in MessageTask
    * CVE-2021-38497 (bmo#1726621)
      Validation message could have been overlaid on another origin
    * CVE-2021-38498 (bmo#1729642)
      Use-after-free of nsLanguageAtomService object
    * CVE-2021-32810 (bmo#1729813,
      https://github.com/crossbeam-
      rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
      Data race in crossbeam-deque
    * CVE-2021-38500 (bmo#1725854, bmo#1728321)
      Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
      and Firefox ESR 91.2
    * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
      Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* Sun Sep 26 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.1.2
    * Thunderbird will now warn if an S/MIME encrypted message includes
      BCC recipients
    * several bugfixes listed on
      https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/
* Wed Sep 15 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.1.1
    * Menu item for disabling subject encryption for a single message added
    * Printing messages that are not currently displayed is no longer
      supported, including printing multiple messages at once
    * for bugfixes see
      https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes
  - MOZ_ENABLE_WAYLAND env variable now overrides automatic detection
    if already set before startup
* Thu Sep 02 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.1.0
    * Thunderbird registered Accessibility Handlers using same GUIDs
      as Firefox, causing performance issues for NVDA users
    * Focus lost when reordering accounts by keyboard in the Account Manager
    * Account setup did not use provider display name for setting up
      calendars
    * Various theme and UX fixes
    MFSA 2021-41 (bsc#1190269)
    * CVE-2021-38492 (bmo#1721107)
      Navigating to `mk:` URL scheme could load Internet Explorer
    * CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101,
      bmo#1724107)
      Memory safety bugs fixed in Thunderbird 91.1
  - (re-)added mozilla-silence-no-return-type.patch
  - add mozilla-bmo531915.patch to fix build for i586
* Fri Aug 27 2021 Andreas Stieger <andreas.stieger@gmx.de>
  - Mozilla Thunderbird 91.0.3:
    * fixed: Folder icons could be overridden by linked favicons in
      HTML messages
    * fixed: Unified folders showed no messages when underlying
      folders were removed
    * fixed: Folder pane toolbar did not always persist after
      restarting Thunderbird
    * fixed: Compose window attachment pane did not close when
      disabling signing of an OpenPGP message
    * fixed: Using "Reply to List" with some list emails
      incorrectly opened a "no-reply" warning
    * fixed: Account setup UX issues with Exchange autodiscover
    * fixed: Account settings did not display non-UTF-8 server
      descriptions correctly
    * fixed: Thunderbird sometimes sent an unnecessary "SMTPUTF8",
      causing some servers to reject mail
    * fixed: No mouseover pop was displayed with event details for
      non-all-day events in the Today Pane
    * fixed: Filtering tasks in the Today Pane did not work
    * fixed: Email based event scheduling displayed the date and
      time in a format unreadable by humans
* Fri Aug 27 2021 Andreas Stieger <andreas.stieger@gmx.de>
  - Mozilla Thunderbird 91.0.2:
    * new: Tags are now colored in mail filter editor
    * changed: Context menu items related to OpenPGP and
      attachments are now hidden when not applicable
    * fixed: Creating a new account with manual setup failed
    * fixed: Recipient autocomplete always preferred the primary
      email address for a contact
    * fixed: LDAP performance improvements
    * fixed: Extensions listed on the Recommended Addons did not
      have a clear way to view details in a browser
    * fixed: Status checkmark on View > Calendar > Calendar Pane >
      Show Calendar Pane was reversed
    * fixed: mid: URLs in calendar invites did not open the linked
      mail message
    * fixed: Various theme and UX fixes
* Tue Aug 17 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.0.1
    MFSA 2021-37 (bsc#1189547)
    * CVE-2021-29991 (bmo#1724896)
      Header Splitting possible with HTTP/3 Responses
  - appdate screenshot URL updated (by mailaender@opensuse.org)
* Sun Aug 15 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 91.0
    * based on Mozilla's 91 ESR codebase
    * many new and changed features
      https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew
    * Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences"
    * Thunderbird now operates in multi-process (e10s) mode by default
    * New user interface for adding attachments
    * Enable redirect of messages
    * CardDAV address book support
  - Removed obsolete patches:
    * mozilla-bmo1463035.patch
    * mozilla-ppc-altivec_static_inline.patch
    * mozilla-pipewire-0-3.patch
    * mozilla-bmo1554971.patch
  - add mozilla-libavcodec58_91.patch
  - removed obsolete BigEndian ICU build workaround
  - updated build requirements
  - build using clang
* Thu Aug 05 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.13.0
    * removed WeTransfer integration package (not supported by vendor
      any longer)
    MFSA 2021-35 (bsc#1188891)
    * CVE-2021-29986 (bmo#1696138)
      Race condition when resolving DNS names could have led to
      memory corruption
    * CVE-2021-29988 (bmo#1717922)
      Memory corruption as a result of incorrect style treatment
    * CVE-2021-29984 (bmo#1720031)
      Incorrect instruction reordering during JIT optimization
    * CVE-2021-29980 (bmo#1722204)
      Uninitialized memory in a canvas object could have led to
      memory corruption
    * CVE-2021-29985 (bmo#1722083)
      Use-after-free media channels
    * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
      bmo#1719998, bmo#1720568)
      Memory safety bugs fixed in Thunderbird 78.13
* Wed Jul 14 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.12.0
    MFSA 2021-30 (bsc#1188275)
    * CVE-2021-29969 (bmo#1682370)
      IMAP server responses sent by a MITM prior to STARTTLS could be
      processed
    * CVE-2021-29970 (bmo#1709976)
      Use-after-free in accessibility features of a document
    * CVE-2021-30547 (bmo#1715766)
      Out of bounds write in ANGLE
    * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
      bmo#1711576, bmo#1714391)
      Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* Sat May 29 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.11.0
    * OpenPGP could not be disabled for an account if a key was
      previously configured
    * Recipients were unable to decrypt some messages when the sender
      had changed the message encryption from OpenPGP to S/MIME
    * Contacts moved between CardDAV address books were not synced to
      the new server
    * CardDAV compatibility fixes for Google Contacts
    MFSA 2021-26 (bsc#1186696)
    * CVE-2021-29964 (bmo#1706501)
      Out of bounds-read when parsing a `WM_COPYDATA` message
    * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
      bmo#1704722, bmo#1706041)
      Memory safety bugs fixed in Thunderbird 78.11
  - renewed expired mozilla.keyring
* Fri May 14 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.10.2
    * Added support for importing OpenPGP keys without a primary
      secret key
    * Add-ons manager displays a preferences icon for mail extensions
      that include an options page
    Fixed
    * OpenPGP messages with a high compression ratio (over 10x) could
      not be decrypted
    * Selected OpenPGP key was lost after opening the Key Properties
      dialog in Account Settings
    * Parsing some OpenPGP user IDs failed
    * Various improvements to OpenPGP partial encryption reminders
    * Mail toolbar buttons were too big when displaying both icons
      and text
    MFSA 2021-22
    * CVE-2021-29956 (boo#1186199, bmo#1710290)
      Thunderbird stored OpenPGP secret keys without master password
      protection
    * CVE-2021-29957 (boo#1186198, bmo#1673241)
      Partial protection of inline OpenPGP message not indicated
  - do not rely on nodejs10 explicitely
* Tue May 04 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.10.1
    * Remove the fix for bmo#1689804 introduced in 78.9.0,
      restoring the previous behavior
    * MFSA 2021-19 (bsc#1185633) does not affect this platform
* Sun Apr 18 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.10.0
    MFSA 2021-14 (bsc#1184960)
    * CVE-2021-23994 (bmo#1699077)
      Out of bound write due to lazy initialization
    * CVE-2021-23995 (bmo#1699835)
      Use-after-free in Responsive Design Mode
    * CVE-2021-23998 (bmo#1667456)
      Secure Lock icon could have been spoofed
    * CVE-2021-23961 (bmo#1677940)
      More internal network hosts could have been probed by a
      malicious webpage
    * CVE-2021-23999 (bmo#1691153)
      Blob URLs may have been granted additional privileges
    * CVE-2021-24002 (bmo#1702374)
      Arbitrary FTP command execution on FTP servers using an
      encoded URL
    * CVE-2021-29945 (bmo#1700690)
      Incorrect size computation in WebAssembly JIT could lead to
      null-reads
    * CVE-2021-29946 (bmo#1698503)
      Port blocking could be bypassed
    * CVE-2021-29948 (bmo#1692899)
      Race condition when reading from disk while verifying
      signatures
  - recommend libotr5
* Sat Apr 10 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.9.1
    * Support recipient aliases for OpenPGP encryption
    * The key and signature parts of the message security popup on a
      received message could not be selected for copy/paste
    * Various UX and theme improvements
    MFSA 2021-13
    * CVE-2021-23991 (bmo#1673240)
      An attacker may use Thunderbird's OpenPGP key refresh mechanism
      to poison an existing key
    * MOZ-2021-23992 (bmo#1666236)
      A crafted OpenPGP key with an invalid user ID could be used to
      confuse the user
    * CVE-2021-23993 (bmo#1666360)
      Inability to send encrypted OpenPGP email after importing a
      crafted OpenPGP key
* Sat Mar 20 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.9.0
    * bugfixes:
      https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes
    MFSA 2021-12 (boo#1183942)
    * CVE-2021-23981 (bmo#1692832)
      Texture upload into an unbound backing buffer resulted in an
      out-of-bound read
    * MOZ-2021-0002 (bmo#1691547)
      Angle graphics library out of date
    * CVE-2021-23982 (bmo#1677046)
      Internal network hosts could have been probed by a malicious
      webpage
    * CVE-2021-23984 (bmo#1693664)
      Malicious extensions could have spoofed popup information
    * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718)
      Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
  - cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)
* Sun Mar 07 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.8.1
    * several bugfixes and improvements
    * https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/
  - updated create-tar.sh (bsc#1182357)
* Fri Feb 19 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.8.0
    * various bugfixes
    MFSA 2021-09 (bsc#1182614)
    * CVE-2021-23969 (bmo#1542194)
      Content Security Policy violation report could have contained
      the destination of a redirect
    * CVE-2021-23968 (bmo#1687342)
      Content Security Policy violation report could have contained
      the destination of a redirect
    * CVE-2021-23973 (bmo#1690976)
      MediaError message property could have leaked information
      about cross-origin resources
    * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391,
      bmo#1687597)
      Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
* Fri Feb 05 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.7.1
    * CardDAV address books now support OAuth2 and Google Contacts
    * Thunderbird will no longer allow installation of addons that
      use legacy APIs
* Tue Jan 26 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.7.0
    MFSA 2021-05 (bsc#1181414)
    * CVE-2021-23953 (bmo#1683940)
      Cross-origin information leakage via redirected PDF requests
    * CVE-2021-23954 (bmo#1684020)
      Type confusion when using logical assignment operators in
      JavaScript switch statements
    * CVE-2020-15685 (bmo#1622640)
      IMAP Response Injection when using STARTTLS
    * CVE-2020-26976 (bmo#1674343)
      HTTPS pages could have been intercepted by a registered
      service worker when they should not have been
    * CVE-2021-23960 (bmo#1675755)
      Use-after-poison for incorrectly redeclared JavaScript
      variables during GC
    * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
      bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
      bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
      bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
      bmo#1685260, bmo#1685925)
      Memory safety bugs fixed in Thunderbird 78.7
* Sun Jan 24 2021 Manfred Hollstein <manfred.h@gmx.net>
  - MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer
    rpm versions in TW remove everything there as the first action
    of %install
* Mon Jan 11 2021 Wolfgang Rosenauer <wr@rosenauer.org>
  - Mozilla Thunderbird 78.6.1
    MFSA 2021-02 (bsc#1180623)
    * CVE-2020-16044 (bmo#1683964)
      Use-after-free write when handling a malicious COOKIE-ECHO SCTP
      chunk

Files

/usr/lib64/thunderbird/librnp.so


Generated by rpm2html 1.8.1

Fabrice Bellet, Thu Nov 7 00:51:36 2024