From 98a906a3723dc16d92da2a38480b735dc5664ab167fc24f343af216b23c8031f Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Tue, 26 Nov 2024 18:45:19 +0000 Subject: [PATCH] - Mozilla Thunderbird 128.5.0 * IMAP could crash when reading cached messages * Enabling "Show Folder Size" on Maildir profile could render Thunderbird unusable * Messages corrupted by folder compaction were only fixed by user intervention * Reading a message from past the end of an mbox file did not cause an error * View -> Folders had duplicate F access keys * Add-ons adding columns to the message list could fail and cause display issue * "Empty trash on exit" and "Expunge inbox on exit" did not always work * Selecting a display option in View -> Tasks did not apply in the Task interface MFSA 2024-68 (bsc#1233695) * CVE-2024-11691 (bmo#1914707, bmo#1924184) Memory corruption in Apple GPU drivers * CVE-2024-11692 (bmo#1909535) Select list elements could be shown over another site * CVE-2024-11693 (bmo#1921458) Download Protections were bypassed by .library-ms files on Windows * CVE-2024-11694 (bmo#1924167) CSP Bypass and XSS Exposure via Web Compatibility Shims * CVE-2024-11695 (bmo#1925496) URL Bar Spoofing via Manipulated Punycode and Whitespace Characters * CVE-2024-11696 (bmo#1929600) Unhandled Exception in Add-on Signature Verification * CVE-2024-11697 (bmo#1842187) Improper Keypress Handling in Executable File Confirmation Dialog OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=788 --- .gitattributes | 23 + .gitignore | 1 + MozillaThunderbird.changes | 6857 ++++++++++++++++++++ MozillaThunderbird.spec | 645 ++ _constraints | 60 + create-tar.sh | 575 ++ l10n-115.13.0.tar.xz | 3 + l10n-115.14.0.tar.xz | 3 + l10n-115.15.0.tar.xz | 3 + l10n-128.3.2esr.tar.xz | 3 + l10n-128.3.3esr.tar.xz | 3 + l10n-128.4.0esr.tar.xz | 3 + l10n-128.4.2esr.tar.xz | 3 + l10n-128.4.3esr.tar.xz | 3 + l10n-128.4.4esr.tar.xz | 3 + l10n-128.5.0esr.tar.xz | 3 + mozilla-aarch64-startup-crash.patch | 26 + mozilla-bmo1504834-part1.patch | 92 + mozilla-bmo1504834-part3.patch | 17 + mozilla-bmo1512162.patch | 35 + mozilla-bmo1775202.patch | 26 + mozilla-bmo531915.patch | 33 + mozilla-bmo849632.patch | 26 + mozilla-bmo998749.patch | 29 + mozilla-fix-aarch64-libopus.patch | 15 + mozilla-fix-issues-with-llvm18.patch | 94 + mozilla-fix-top-level-asm.patch | 66 + mozilla-kde.patch | 1774 +++++ mozilla-libavcodec58_91.patch | 16 + mozilla-nongnome-proxies.patch | 33 + mozilla-ntlm-full-path.patch | 18 + mozilla-partial-revert-1768632.patch | 13 + mozilla-pgo.patch | 124 + mozilla-reduce-rust-debuginfo.patch | 15 + mozilla-rust-disable-future-incompat.patch | 12 + mozilla-s390-context.patch | 33 + mozilla-silence-no-return-type.patch | 590 ++ mozilla.keyring | 405 ++ mozilla.sh.in | 210 + one_swizzle_to_rule_them_all.patch | 34 + spellcheck.js | 1 + suse-default-prefs.js | 24 + svg-rendering.patch | 29 + tar_stamps | 10 + thunderbird-115.13.0.source.tar.xz | 3 + thunderbird-115.13.0.source.tar.xz.asc | 16 + thunderbird-115.14.0.source.tar.xz | 3 + thunderbird-115.14.0.source.tar.xz.asc | 16 + thunderbird-115.15.0.source.tar.xz | 3 + thunderbird-115.15.0.source.tar.xz.asc | 16 + thunderbird-128.3.2esr.source.tar.xz | 3 + thunderbird-128.3.2esr.source.tar.xz.asc | 16 + thunderbird-128.3.3esr.source.tar.xz | 3 + thunderbird-128.3.3esr.source.tar.xz.asc | 16 + thunderbird-128.4.0esr.source.tar.xz | 3 + thunderbird-128.4.0esr.source.tar.xz.asc | 16 + thunderbird-128.4.2esr.source.tar.xz | 3 + thunderbird-128.4.2esr.source.tar.xz.asc | 16 + thunderbird-128.4.3esr.source.tar.xz | 3 + thunderbird-128.4.3esr.source.tar.xz.asc | 16 + thunderbird-128.4.4esr.source.tar.xz | 3 + thunderbird-128.4.4esr.source.tar.xz.asc | 16 + thunderbird-128.5.0esr.source.tar.xz | 3 + thunderbird-128.5.0esr.source.tar.xz.asc | 16 + thunderbird-fix-CVE-2024-34703.patch | 20 + thunderbird-rpmlintrc | 1 + thunderbird-silence-no-return.patch | 12 + thunderbird.appdata.xml | 22 + thunderbird.desktop | 12 + 69 files changed, 12248 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 MozillaThunderbird.changes create mode 100644 MozillaThunderbird.spec create mode 100644 _constraints create mode 100644 create-tar.sh create mode 100644 l10n-115.13.0.tar.xz create mode 100644 l10n-115.14.0.tar.xz create mode 100644 l10n-115.15.0.tar.xz create mode 100644 l10n-128.3.2esr.tar.xz create mode 100644 l10n-128.3.3esr.tar.xz create mode 100644 l10n-128.4.0esr.tar.xz create mode 100644 l10n-128.4.2esr.tar.xz create mode 100644 l10n-128.4.3esr.tar.xz create mode 100644 l10n-128.4.4esr.tar.xz create mode 100644 l10n-128.5.0esr.tar.xz create mode 100644 mozilla-aarch64-startup-crash.patch create mode 100644 mozilla-bmo1504834-part1.patch create mode 100644 mozilla-bmo1504834-part3.patch create mode 100644 mozilla-bmo1512162.patch create mode 100644 mozilla-bmo1775202.patch create mode 100644 mozilla-bmo531915.patch create mode 100644 mozilla-bmo849632.patch create mode 100644 mozilla-bmo998749.patch create mode 100644 mozilla-fix-aarch64-libopus.patch create mode 100644 mozilla-fix-issues-with-llvm18.patch create mode 100644 mozilla-fix-top-level-asm.patch create mode 100644 mozilla-kde.patch create mode 100644 mozilla-libavcodec58_91.patch create mode 100644 mozilla-nongnome-proxies.patch create mode 100644 mozilla-ntlm-full-path.patch create mode 100644 mozilla-partial-revert-1768632.patch create mode 100644 mozilla-pgo.patch create mode 100644 mozilla-reduce-rust-debuginfo.patch create mode 100644 mozilla-rust-disable-future-incompat.patch create mode 100644 mozilla-s390-context.patch create mode 100644 mozilla-silence-no-return-type.patch create mode 100644 mozilla.keyring create mode 100644 mozilla.sh.in create mode 100644 one_swizzle_to_rule_them_all.patch create mode 100644 spellcheck.js create mode 100644 suse-default-prefs.js create mode 100644 svg-rendering.patch create mode 100644 tar_stamps create mode 100644 thunderbird-115.13.0.source.tar.xz create mode 100644 thunderbird-115.13.0.source.tar.xz.asc create mode 100644 thunderbird-115.14.0.source.tar.xz create mode 100644 thunderbird-115.14.0.source.tar.xz.asc create mode 100644 thunderbird-115.15.0.source.tar.xz create mode 100644 thunderbird-115.15.0.source.tar.xz.asc create mode 100644 thunderbird-128.3.2esr.source.tar.xz create mode 100644 thunderbird-128.3.2esr.source.tar.xz.asc create mode 100644 thunderbird-128.3.3esr.source.tar.xz create mode 100644 thunderbird-128.3.3esr.source.tar.xz.asc create mode 100644 thunderbird-128.4.0esr.source.tar.xz create mode 100644 thunderbird-128.4.0esr.source.tar.xz.asc create mode 100644 thunderbird-128.4.2esr.source.tar.xz create mode 100644 thunderbird-128.4.2esr.source.tar.xz.asc create mode 100644 thunderbird-128.4.3esr.source.tar.xz create mode 100644 thunderbird-128.4.3esr.source.tar.xz.asc create mode 100644 thunderbird-128.4.4esr.source.tar.xz create mode 100644 thunderbird-128.4.4esr.source.tar.xz.asc create mode 100644 thunderbird-128.5.0esr.source.tar.xz create mode 100644 thunderbird-128.5.0esr.source.tar.xz.asc create mode 100644 thunderbird-fix-CVE-2024-34703.patch create mode 100644 thunderbird-rpmlintrc create mode 100644 thunderbird-silence-no-return.patch create mode 100644 thunderbird.appdata.xml create mode 100644 thunderbird.desktop diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes new file mode 100644 index 0000000..29590fa --- /dev/null +++ b/MozillaThunderbird.changes @@ -0,0 +1,6857 @@ +------------------------------------------------------------------- +Tue Nov 26 10:15:25 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 128.5.0 + * IMAP could crash when reading cached messages + * Enabling "Show Folder Size" on Maildir profile could render + Thunderbird unusable + * Messages corrupted by folder compaction were only fixed by user + intervention + * Reading a message from past the end of an mbox file did not + cause an error + * View -> Folders had duplicate F access keys + * Add-ons adding columns to the message list could fail and cause + display issue + * "Empty trash on exit" and "Expunge inbox on exit" did not + always work + * Selecting a display option in View -> Tasks did not apply in + the Task interface + MFSA 2024-68 (bsc#1233695) + * CVE-2024-11691 (bmo#1914707, bmo#1924184) + Memory corruption in Apple GPU drivers + * CVE-2024-11692 (bmo#1909535) + Select list elements could be shown over another site + * CVE-2024-11693 (bmo#1921458) + Download Protections were bypassed by .library-ms files on Windows + * CVE-2024-11694 (bmo#1924167) + CSP Bypass and XSS Exposure via Web Compatibility Shims + * CVE-2024-11695 (bmo#1925496) + URL Bar Spoofing via Manipulated Punycode and Whitespace Characters + * CVE-2024-11696 (bmo#1929600) + Unhandled Exception in Add-on Signature Verification + * CVE-2024-11697 (bmo#1842187) + Improper Keypress Handling in Executable File Confirmation Dialog + * CVE-2024-11698 (bmo#1916152) + Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS + * CVE-2024-11699 (bmo#1880582, bmo#1929911) + Memory safety bugs fixed in Firefox 133, Thunderbird 133, + Firefox ESR 128.5, and Thunderbird 128.5 +- appid is thunderbird-esr currently; use the matching desktop + file name (boo#1233650) + +------------------------------------------------------------------- +Wed Nov 20 07:36:02 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 128.4.4 + * QR codes were not scannable by Android app when using most + high-contrast themes + * Primary password prompt cancellation during mobile export was + confusing +- revert using xdg-desktop-portal as some desktops have limited + support + +------------------------------------------------------------------- +Sat Nov 9 16:26:41 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 128.4.3 + Fixes: + * Folder corruption could cause Thunderbird to freeze and become unusable + * Message corruption could be propagated when reading mbox + * Folder compaction was not abandoned on shutdown + * Folder compaction did not clean up on failure + * Collapsed NNTP thread incorrectly indicated there were unread messages + * Navigating to next unread message did not wait for all messages + to be loaded + * Applying column view to folder and children could break if folder + error occurred + * Remote content notifications were broken with encrypted messages + * Updating criteria of a saved search resulted in poor search performance + * Drop-downs may not work in some places + MFSA 2024-61 + * CVE-2024-11159 (bmo#1925929) + Potential disclosure of plaintext in OpenPGP encrypted message +- remove kmozillahelper support (boo#1226112) + * removed mozilla-kde.patch + * requires xdg-desktop-portal instead + +------------------------------------------------------------------- +Wed Nov 6 19:54:16 UTC 2024 - Andreas Stieger + +- Mozilla Thunderbird 128.4.2 + * Increased the auto-compaction threshold to reduce the frequency + of compaction (bmo#1927656) + * fixed: New profile creation caused console errors (bmo#1912675) + * fixed: Repair folder could result in older messages showing + wrong date and time (bmo#1911916) + * fixed: Recently deleted messages could become undeleted if + message compaction failed (bmo#1924927) + * fixed: Visual and UX improvements + (bmo#1857413,bmo#1922934,bmo#1924437) + * fixed: Clicking on an HTML button could cause Thunderbird to + freeze (bmo#1879355) + * fixed: Messages could not be selected for dragging + (bmo#1887518) + * fixed: Could not open attached file in a MIME encrypted + message (bmo#1924637) + * fixed: Account creation "Setup Documentation" link was broken + (bmo#1925493) + * fixed: Unable to generate QR codes when exporting to mobile + in some cases (bmo#1928114) + * fixed: Operating system reauthentication was missing when + exporting QR codes for mobile (bmo#1928232) + * fixed: Could not drag all-day events from one day to another + in week view (bmo#1922944) + +------------------------------------------------------------------- +Sat Nov 2 09:01:15 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 128.4.1 + * Add the 20 year donation appeal (bmo#192538) + +------------------------------------------------------------------- +Wed Oct 30 13:51:30 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 128.4.0 + * Export Thunderbird account settings to Thunderbird Mobile via QRCode + Bugfixes: + * Unable to send an unencrypted response to an OpenPGP encrypted message + MFSA 2024-58 (bsc#1231879) + * CVE-2024-10458 (bmo#1921733) + Permission leak via embed or object elements + * CVE-2024-10459 (bmo#1919087) + Use-after-free in layout with accessibility + * CVE-2024-10460 (bmo#1912537) + Confusing display of origin for external protocol handler prompt + * CVE-2024-10461 (bmo#1914521) + XSS due to Content-Disposition being ignored in + multipart/x-mixed-replace response + * CVE-2024-10462 (bmo#1920423) + Origin of permission prompt could be spoofed by long URL + * CVE-2024-10463 (bmo#1920800) + Cross origin video frame leak + * CVE-2024-10464 (bmo#1913000) + History interface could have been used to cause a Denial of + Service condition in the browser + * CVE-2024-10465 (bmo#1918853) + Clipboard "paste" button persisted across tabs + * CVE-2024-10466 (bmo#1924154) + DOM push subscription message could hang Firefox + * CVE-2024-10467 (bmo#1829029, bmo#1888538, bmo#1900394, bmo#1904059, + bmo#1917742, bmo#1919809, bmo#1923706) + Memory safety bugs fixed in Firefox 132, Thunderbird 132, + Firefox ESR 128.4, and Thunderbird 128.4 + +------------------------------------------------------------------- +Wed Oct 23 06:45:00 UTC 2024 - Andreas Stieger + +- Mozilla Thunderbird 128.3.3 + * Files left over from failed folder compactions could use up + disk space (bmo#1878541) + * Message list returned to selected message after action on + another message (bmo#1917485) + * Some faulty messages were downloaded and never stored + (bmo#1923765) + * Messages could become corrupted during folder compaction + (bmo#1923747,bmo#1923541,bmo#1720047) + * Searching events by Location, Description, or URL failed + (bmo#1912710) + * "Remove All Shown" saved passwords deleted all logins if + filtered without results (bmo#601447) + * Calendar event updates were not always sent to attendees + (bmo#1877640) + +------------------------------------------------------------------- +Wed Oct 16 14:52:43 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 128.3.2 + bugfix release: + https://www.thunderbird.net/en-US/thunderbird/128.3.2esr/releasenotes +- bring back mozilla-bmo531915.patch to fix x86 + +------------------------------------------------------------------- +Thu Oct 10 17:11:15 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 128.3.1 + https://www.thunderbird.net/en-US/thunderbird/128.0esr/releasenotes/ + and following release notes for minor version updates + MFSA 2024-52 (bsc#1231413) + * CVE-2024-9680 (bmo#1923344) + Use-after-free in Animation timeline + Mozilla Thunderbird 128.3.0 + MFSA 2024-32 (128.0) + MFSA 2024-37 (128.1) + MFSA 2024-43 (128.2) + MFSA 2024-49 (128.3) (bsc#1230979) + * CVE-2024-9392 (bmo#1899154, bmo#1905843) + Compromised content process can bypass site isolation + * CVE-2024-9393 (bmo#1918301) + Cross-origin access to PDF contents through multipart responses + * CVE-2024-9394 (bmo#1918874) + Cross-origin access to JSON contents through multipart responses + * CVE-2024-8900 (bmo#1872841) + Clipboard write permission bypass + * CVE-2024-9396 (bmo#1912471) + Potential memory corruption may occur when cloning certain objects + * CVE-2024-9397 (bmo#1916659) + Potential directory upload bypass via clickjacking + * CVE-2024-9398 (bmo#1881037) + External protocol handlers could be enumerated via popups + * CVE-2024-9399 (bmo#1907726) + Specially crafted WebTransport requests could lead to denial + of service + * CVE-2024-9400 (bmo#1915249) + Potential memory corruption during JIT compilation + * CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1916476) + Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, + Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 + * CVE-2024-9402 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1913445, + bmo#1914106, bmo#1914475, bmo#1914963, bmo#1915008, bmo#1916476) + Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, + Thunderbird 131, and Thunderbird 128.3 +- removed obsolete patches + mozilla-bmo1504834-part3.patch + mozilla-bmo1512162.patch + mozilla-bmo1775202.patch + mozilla-bmo531915.patch + mozilla-fix-aarch64-libopus.patch + mozilla-fix-issues-with-llvm18.patch + mozilla-fix-top-level-asm.patch + mozilla-partial-revert-1768632.patch + mozilla-rust-disable-future-incompat.patch + thunderbird-fix-CVE-2024-34703.patch +- new patch thunderbird-silence-no-return.patch +- rebased + mozilla-bmo1504834-part1.patch + mozilla-kde.patch + mozilla-libavcodec58_91.patch + mozilla-silence-no-return-type.patch + +------------------------------------------------------------------- +Fri Sep 6 08:55:26 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.15.0 + MFSA 2024-44 (bsc#1229821) + * CVE-2024-8381 (bmo#1912715) + Type confusion when looking up a property name in a "with" + block + * CVE-2024-8382 (bmo#1906744) + Internal event interfaces were exposed to web content when + browser EventHandler listener callbacks ran + * CVE-2024-8384 (bmo#1911288) + Garbage collection could mis-color cross-compartment objects + in OOM conditions + +------------------------------------------------------------------- +Thu Aug 29 06:26:14 UTC 2024 - Manfred Hollstein + +- Use gcc13 on Tumbleweed and where it is available. +- Don't use gcc14 as sources don't compile. + +------------------------------------------------------------------- +Fri Aug 2 07:08:03 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.14.0 + * When using an external installation of GnuPG, Thunderbird + occassionally sent/received corrupted messages (bmo#1898832) + * Users of external GnuPG were unable to decrypt incorrectly + encoded messages (bmo#1906903) + MFSA 2024-38 (bsc#1228648) + * CVE-2024-7519 (bmo#1902307) + Out of bounds memory access in graphics shared memory handling + * CVE-2024-7521 (bmo#1904644) + Incomplete WebAssembly exception handing + * CVE-2024-7522 (bmo#1906727) + Out of bounds read in editor component + * CVE-2024-7525 (bmo#1909298) + Missing permission check when creating a StreamFilter + * CVE-2024-7526 (bmo#1910306) + Uninitialized memory used by WebGL + * CVE-2024-7527 (bmo#1871303) + Use-after-free in JavaScript garbage collection + * CVE-2024-7529 (bmo#1903187) + Document content could partially obscure security prompts + +------------------------------------------------------------------- +Wed Jul 10 05:23:45 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.13.0 + * After starting Thunderbird, the message list position was + sometimes set to an incorrect position + MFSA 2024-30 (bsc#1226316) + * CVE-2024-6600 (bmo#1888340) + Memory corruption in WebGL API + * CVE-2024-6601 (bmo#1890748) + Race condition in permission assignment + * CVE-2024-6602 (bmo#1895032) + Memory corruption in NSS + * CVE-2024-6603 (bmo#1895081) + Memory corruption in thread creation + * CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266) + Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, + and Thunderbird 115.13 + +------------------------------------------------------------------- +Tue Jul 2 14:47:02 UTC 2024 - Martin Sirringhaus + +- Mozilla Thunderbird 115.12.2 + * fixed: Annual Thunderbird Beta appeal intended for + Thunderbird 115.12.0 did not open as expected (bmo#1898084) +- Mozilla Thunderbird 115.12.1 + * 115.12.0 got pulled because of upstream automation process errors + and Windows installer signing changes. + No code changes, changelog is the same as 115.12.0 (bsc#1226495) +- Added thunderbird-fix-CVE-2024-34703.patch (bsc#1227239) + +------------------------------------------------------------------- +Mon Jun 17 07:43:27 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.12.0 + https://www.thunderbird.net/en-US/thunderbird/115.12.0/releasenotes + MFSA 2024-28 (bsc#1226027) + * CVE-2024-5702 (bmo#1193389) + Use-after-free in networking + * CVE-2024-5688 (bmo#1895086) + Use-after-free in JavaScript object transplant + * CVE-2024-5690 (bmo#1883693) + External protocol handlers leaked by timing attack + * CVE-2024-5691 (bmo#1888695) + Sandboxed iframes were able to bypass sandbox restrictions to + open a new window + * CVE-2024-5692 (bmo#1891234) + Bypass of file name restrictions during saving + * CVE-2024-5693 (bmo#1891319) + Cross-Origin Image leak via Offscreen Canvas + * CVE-2024-5696 (bmo#1896555) + Memory Corruption in Text Fragments + * CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388, bmo#1895123) + Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, + and Thunderbird 115.12 + +------------------------------------------------------------------- +Wed May 29 06:30:51 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.11.1 + * Added a short anonymous survey that a small number of users will + be randomly asked to complete + +------------------------------------------------------------------- +Tue May 14 21:57:55 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.11.0 + MFSA 2024-23 (bsc#1224056) + * CVE-2024-4367 (bmo#1893645) + Arbitrary JavaScript execution in PDF.js + * CVE-2024-4767 (bmo#1878577) + IndexedDB files retained in private browsing mode + * CVE-2024-4768 (bmo#1886082) + Potential permissions request bypass via clickjacking + * CVE-2024-4769 (bmo#1886108) + Cross-origin responses could be distinguished between script + and non-script content-types + * CVE-2024-4770 (bmo#1893270) + Use-after-free could occur when printing to PDF + * CVE-2024-4777 (bmo#1878199, bmo#1893340) + Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, + and Thunderbird 115.11 + +------------------------------------------------------------------- +Sat May 4 20:06:54 UTC 2024 - Andreas Stieger + +- Mozilla Thunderbird 115.10.2: + https://www.thunderbird.net/en-US/thunderbird/115.10.2/releasenotes/ + This release is identical to 115.10.1, other than changing the + Update channel for self-updating builds to ESR. (bmo#1893271) + +------------------------------------------------------------------- +Fri Apr 19 06:34:22 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.10.1 + https://www.thunderbird.net/en-US/thunderbird/115.10.1/releasenotes/ + * fixed hangup introduced with 115.10.0 (bmo#1891889) + +------------------------------------------------------------------- +Sun Apr 14 11:09:32 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.10.0 + https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/ + MFSA 2024-20 (bsc#1222535) + * CVE-2024-3852 (bmo#1883542) + GetBoundName in the JIT returned the wrong object + * CVE-2024-3854 (bmo#1884552) + Out-of-bounds-read after mis-optimized switch statement + * CVE-2024-3857 (bmo#1886683) + Incorrect JITting of arguments led to use-after-free during + garbage collection + * CVE-2024-2609 (bmo#1866100) + Permission prompt input delay could expire when not in focus + * CVE-2024-3859 (bmo#1874489) + Integer-overflow led to out-of-bounds-read in the OpenType sanitizer + * CVE-2024-3861 (bmo#1883158) + Potential use-after-free due to AlignedBuffer self-move + * CVE-2024-3863 (bmo#1885855) + Download Protections were bypassed by .xrm-ms files on Windows + * CVE-2024-3302 (bmo#1881183) + Denial of Service using HTTP/2 CONTINUATION frames + * CVE-2024-3864 (bmo#1888333) + Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, + and Thunderbird 115.10 + +------------------------------------------------------------------- +Wed Mar 20 13:55:26 UTC 2024 - Manfred Hollstein + +- LLVM18 breaks building Thunderbird on Tumbleweed; add + * mozilla-fix-issues-with-llvm18.patch + +------------------------------------------------------------------- +Sat Mar 16 11:41:27 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.9.0 + https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/ + MFSA 2024-14 (bsc#1221327) + * CVE-2024-0743 (bmo#1867408) + Crash in NSS TLS method + * CVE-2024-2605 (bmo#1872920) + Windows Error Reporter could be used as a Sandbox escape vector + * CVE-2024-2607 (bmo#1879939) + JIT code failed to save return registers on Armv7-A + * CVE-2024-2608 (bmo#1880692) + Integer overflow could have led to out of bounds write + * CVE-2024-2616 (bmo#1846197) + Improve handling of out-of-memory conditions in ICU + * CVE-2023-5388 (bmo#1780432) + NSS susceptible to timing attack against RSA decryption + * CVE-2024-2610 (bmo#1871112) + Improper handling of html and body tags enabled CSP nonce leakage + * CVE-2024-2611 (bmo#1876675) + Clickjacking vulnerability could have led to a user accidentally + granting permissions + * CVE-2024-2612 (bmo#1879444) + Self referencing object could have potentially led to a use- + after-free + * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093) + Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, + and Thunderbird 115.9 + +------------------------------------------------------------------- +Tue Mar 5 08:13:43 UTC 2024 - Adam Mizerski + +- Create subpackage MozillaThunderbird-openpgp-librnp + +------------------------------------------------------------------- +Tue Mar 5 09:09:34 CET 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.8.1 + https://www.thunderbird.net/en-US/thunderbird/115.8.1/releasenotes/ + MFSA 2024-11 + * CVE-2024-1936 (bmo#1860977) + Leaking of encrypted email subjects to other conversations + +------------------------------------------------------------------- +Mon Feb 19 22:01:04 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.8.0 + MFSA 2024-07 (bsc#1220048) + * CVE-2024-1546 (bmo#1843752) + Out-of-bounds memory read in networking channels + * CVE-2024-1547 (bmo#1877879) + Alert dialog could have been spoofed on another site + * CVE-2024-1548 (bmo#1832627) + Fullscreen Notification could have been hidden by select + element + * CVE-2024-1549 (bmo#1833814) + Custom cursor could obscure the permission dialog + * CVE-2024-1550 (bmo#1860065) + Mouse cursor re-positioned unexpectedly could have led to + unintended permission grants + * CVE-2024-1551 (bmo#1864385) + Multipart HTTP Responses would accept the Set-Cookie header + in response parts + * CVE-2024-1552 (bmo#1874502) + Incorrect code generation on 32-bit ARM devices + * CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498, + bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597, + bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795, + bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286) + Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, + and Thunderbird 115.8 + * new: Added option to show packet dump when OpenPGP fails to + decrypt (bmo#1874504) + * fixed: Thunderbird slowed down significantly when opening + email files (.eml) (bmo#1863957) + * fixed: Inbox view intermittently reverted to default view + after moving or deleting messages (bmo#1725127) + * fixed: Size of collapsed folders in folder pane did not + include size of subfolders (bmo#1870641) + * fixed: Hovering over folder does not always expand subfolders + (bmo#1873101) + * fixed: Switching to thread pane of a folder using keyboard + navigation did not focus top message (bmo#1869557) + * fixed: Clicking "Sent unsent messages" in Outbox context menu + while in offline mode did not prompt user to go online + (bmo#1873487) + * fixed: Mail tab-specific Unified Toolbar buttons received + focus incorrectly (bmo#1872239) + * fixed: Quick Filter settings did not persist when Quick + Filter bar was turned off (bmo#1850266) + * fixed: Quick Filters were unusually slow (bmo#1849650) + * fixed: OpenPGP Key Manager filtering did not work + (bmo#1873655) + * fixed: OpenPGP sometimes attempted to decrypt message with + incorrect key (bmo#1865620) + * fixed: Autoconfig failed on servers that did not support + OAuth2 (bmo#1869122) + * fixed: Opening different attachments with the same name in + different messages could cause attachment files to become + conflated (bmo#1873023) + * fixed: Overflowed attachment list could not be scrolled + (bmo#1871343) + * fixed: Passwords disappeared from password manager list after + applying and clearing filters (bmo#1874646) + * fixed: Cookies in cookie manager list disappeared after + applying and then clearing filters (bmo#1876733) + +------------------------------------------------------------------- +Sun Jan 21 09:10:11 UTC 2024 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.7.0 + https://www.thunderbird.net/en-US/thunderbird/115.7.0/releasenotes/ + MFSA 2024-04 (bsc#1218955) + * CVE-2024-0741 (bmo#1864587) + Out of bounds write in ANGLE + * CVE-2024-0742 (bmo#1867152) + Failure to update user input timestamp + * CVE-2024-0746 (bmo#1660223) + Crash when listing printers on Linux + * CVE-2024-0747 (bmo#1764343) + Bypass of Content Security Policy when directive unsafe-inline was set + * CVE-2024-0749 (bmo#1813463) + Phishing site popup could show local origin in address bar + * CVE-2024-0750 (bmo#1863083) + Potential permissions request bypass via clickjacking + * CVE-2024-0751 (bmo#1865689) + Privilege escalation through devtools + * CVE-2024-0753 (bmo#1870262) + HSTS policy on subdomain could bypass policy of upper domain + * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701) + Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, + and Thunderbird 115.7 + +------------------------------------------------------------------- +Wed Jan 10 09:18:01 UTC 2024 - Martin Sirringhaus + +- Mozilla Thunderbird 115.6.1 + https://www.thunderbird.net/en-US/thunderbird/115.6.1/releasenotes/ + * new: OAuth2 now supported for comcast.net (bmo#1844810) + * fixed: High CPU usage sometimes occurred with IMAP CONDSTORE + (conditional STORE) enabled (bmo#1839256) + * fixed: Replying to a collapsed thread via keyboard shortcut + (Ctrl+R/Cmd+R) opened a reply for every message in the thread + (bmo#1866819) + * fixed: Enabling Grouped By view after reversing sort order of + column header caused messages to be grouped incorrectly + (bmo#1868794) + * fixed: Opening thread pane context menu via keyboard did not + always scroll view to selection (bmo#1867532) + * fixed: New mail indicator for POP3 accounts did not indicate + new messages ready to be downloaded (bmo#1870619) + * fixed: Messages could not be moved to folders using Message > + Move To if text or a link in the message had been clicked on + first (bmo#1868474) + * fixed: MIME part boundaries were not properly terminated + (bmo#1805558) + +------------------------------------------------------------------- +Sun Dec 17 12:33:37 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.6.0 + https://www.thunderbird.net/en-US/thunderbird/115.6.0/releasenotes/ + * Message selection misbehaved after selecting a sub-message in an + expanded thread, collapsing the thread, then pressing up/down to + move selection + * Thunderbird now attempts to reconnect on a new connection after + SMTP 4xx errors + * HTML FileLink attachments used the wrong encoding + MFSA 2023-55 (bsc#1217230) + * CVE-2023-50762 (bmo#1862625) + Truncated signed text was shown with a valid OpenPGP + signature + * CVE-2023-50761 (bmo#1865647) + S/MIME signature accepted despite mismatching message date + * CVE-2023-6856 (bmo#1843782) + Heap-buffer-overflow affecting WebGL DrawElementsInstanced + method with Mesa VM driver + * CVE-2023-6857 (bmo#1796023) + Symlinks may resolve to smaller than expected buffers + * CVE-2023-6858 (bmo#1826791) + Heap buffer overflow in nsTextFragment + * CVE-2023-6859 (bmo#1840144) + Use-after-free in PR_GetIdentitiesLayer + * CVE-2023-6860 (bmo#1854669) + Potential sandbox escape due to VideoBridge lack of texture + validation + * CVE-2023-6861 (bmo#1864118) + Heap buffer overflow affected nsWindow::PickerOpen(void) in + headless mode + * CVE-2023-6862 (bmo#1868042) + Use-after-free in nsDNSService + * CVE-2023-6863 (bmo#1868901) + Undefined behavior in ShutdownObserver() + * CVE-2023-6864 (bmo#1736385, bmo#1810805, bmo#1846328, + bmo#1856090, bmo#1858033, bmo#1858509, bmo#1862089, + bmo#1862777, bmo#1864015) + Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, + and Thunderbird 115.6 + +------------------------------------------------------------------- +Tue Dec 12 07:21:01 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.5.2 + Bugfix release + https://www.thunderbird.net/en-US/thunderbird/115.5.2/releasenotes/ + +------------------------------------------------------------------- +Tue Nov 28 22:07:44 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.5.1 + Bugfix release + https://www.thunderbird.net/en-US/thunderbird/115.5.1/releasenotes + * Advanced GnuPG keys may be protected with an unexpected passphrase + * OpenPGP signatures rejected due to mismatched signature timestamp + now display signature timestamp and clarifying message + * Advanced address book search did not return results if display name + was left blank + * Clicking on attendee when inviting attendees added the attendee twice + +------------------------------------------------------------------- +Wed Nov 22 06:28:54 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.5.0 + https://www.thunderbird.net/en-US/thunderbird/115.5.0/releasenotes + MFSA 2023-52 (bsc#1217230) + * CVE-2023-6204 (bmo#1841050) + Out-of-bound memory access in WebGL2 blitFramebuffer + * CVE-2023-6205 (bmo#1854076) + Use-after-free in MessagePort::Entangled + * CVE-2023-6206 (bmo#1857430) + Clickjacking permission prompts using the fullscreen transition + * CVE-2023-6207 (bmo#1861344) + Use-after-free in ReadableByteStreamQueueEntry::Buffer + * CVE-2023-6208 (bmo#1855345) + Using Selection API would copy contents into X11 primary + selection. + * CVE-2023-6209 (bmo#1858570) + Incorrect parsing of relative URLs starting with "///" + * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, bmo#1856072, + bmo#1856091, bmo#1859030, bmo#1860943, bmo#1862782) + Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, + and Thunderbird 115.5 + +------------------------------------------------------------------- +Wed Nov 15 13:28:03 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.4.3 + Bugfix release + https://www.thunderbird.net/en-US/thunderbird/115.4.3/releasenotes + +------------------------------------------------------------------- +Sat Nov 4 15:34:08 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.4.2 + https://www.thunderbird.net/en-US/thunderbird/115.4.2/releasenotes +- build using rust/cargo 1.72 (1.69 about to be dropped from Factory) + +------------------------------------------------------------------- +Tue Oct 24 20:52:32 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.4.1 + https://www.thunderbird.net/en-US/thunderbird/115.4.1/releasenotes + https://www.thunderbird.net/en-US/thunderbird/115.4.0/releasenotes + MFSA 2023-47 (bsc#1216338) + * CVE-2023-5721 (bmo#1830820) + Queued up rendering could have allowed websites to clickjack + * CVE-2023-5732 (bmo#1690979, bmo#1836962) + Address bar spoofing via bidirectional characters + * CVE-2023-5724 (bmo#1836705) + Large WebGL draw could have led to a crash + * CVE-2023-5725 (bmo#1845739) + WebExtensions could open arbitrary URLs + * CVE-2023-5726 (bmo#1846205) + Full screen notification obscured by file open dialog on macOS + * CVE-2023-5727 (bmo#1847180) + Download Protections were bypassed by .msix, .msixbundle, + .appx, and .appxbundle files on Windows + * CVE-2023-5728 (bmo#1852729) + Improper object tracking during GC in the JavaScript engine + could have led to a crash. + * CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833, + bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002, + bmo#1855306, bmo#1855640, bmo#1856695) + Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, + and Thunderbird 115.4.1 +- removed obsolete mozilla-bmo1846703.patch + +------------------------------------------------------------------- +Tue Oct 24 16:58:42 UTC 2023 - Andreas Stieger + +- Mozilla Thunderbird 115.3.3 + * fixed: "Folder Location" toolbar button did not work for + local folders (bmo#1843979) + * fixed: "Copy to again" option disappeared from + context menu after copying to Gmail folder with non-ASCII + name (bmo#1856712) + * fixed: Default reply identity did not use "Delivered-To" + address when catch-all was active (bmo#1815559) + * fixed: "View Headers All" did not work when selected in + standalone message window (bmo#1855316) + * fixed: Viewing the mail filter log displayed an error if no + log file was present (bmo#1789244) + +------------------------------------------------------------------- +Tue Oct 10 07:23:52 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.3.2 + Bugfix release + https://www.thunderbird.net/en-US/thunderbird/115.3.2/releasenotes + +------------------------------------------------------------------- +Fri Sep 29 06:44:26 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.3.1 + MFSA 2023-45 (bsc#1215814) + * CVE-2023-5217 (bmo#1855550) + Heap buffer overflow in libvpx +- Add mozilla-bmo1846703.patch + +------------------------------------------------------------------- +Tue Sep 26 07:15:31 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.3.0 + https://www.thunderbird.net/en-US/thunderbird/115.3.0/releasenotes + MFSA 2023-43 (bsc#1215575) + * CVE-2023-5168 (bmo#1846683) + Out-of-bounds write in FilterNodeD2D1 + * CVE-2023-5169 (bmo#1846685) + Out-of-bounds write in PathOps + * CVE-2023-5171 (bmo#1851599) + Use-after-free in Ion Compiler + * CVE-2023-5174 (bmo#1848454) + Double-free in process spawning on Windows + * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, + bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983, + bmo#1851195) + Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, + and Thunderbird 115.3 + +------------------------------------------------------------------- +Wed Sep 20 06:27:29 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.2.3 + Bugfix release: + https://www.thunderbird.net/en-US/thunderbird/115.2.3/releasenotes + +------------------------------------------------------------------- +Tue Sep 12 21:08:50 UTC 2023 - Andreas Stieger + +- Mozilla Thunderbird 115.2.2 + https://www.thunderbird.net/en-US/thunderbird/115.2.2/releasenotes + MFSA 2023-40 (bsc#1215231) + * CVE-2023-4863 (bmo# bmo#1852649) + Heap buffer overflow in libwebp + +------------------------------------------------------------------- +Tue Sep 12 21:00:52 UTC 2023 - Andreas Stieger + +- Mozilla Thunderbird 115.2.1 + https://www.thunderbird.net/en-US/thunderbird/115.2.1/releasenotes + * new: Column separators are now shown between all columns in + tree view (bmo#1847441) + * fixed: New mail notification always opened message in message + pane, even if pane was disabled (bmo#1840092) + * fixed: After moving an IMAP message to another folder, the + incorrect message was selected in the message list + (bmo#1845376) + * fixed: Adding a tag to an IMAP message opened in a tab failed + (bmo#1844452) + * fixed: Junk/Spam folders were not always shown in Unified + Folders mode (bmo#1838672) + * fixed: Middle-clicking a folder or message did not open it in + a background tab, as in previous versions (bmo#1842482) + * fixed: Settings tab visual improvements: Advanced Fonts + dialog, Section headers hidden behind search box + (bmo#1717382,bmo#1846751) + * fixed: Various visual and style fixes + (bmo#1843707,bmo#1849823) + +------------------------------------------------------------------- +Sun Aug 27 08:17:34 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.2.0 + https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes + MFSA 2023-38 (bsc#1214606) + * CVE-2023-4573 (bmo#1846687) + Memory corruption in IPC CanvasTranslator + * CVE-2023-4574 (bmo#1846688) + Memory corruption in IPC ColorPickerShownCallback + * CVE-2023-4575 (bmo#1846689) + Memory corruption in IPC FilePickerShownCallback + * CVE-2023-4576 (bmo#1846694) + Integer Overflow in RecordedSourceSurfaceCreation + * CVE-2023-4577 (bmo#1847397) + Memory corruption in JIT UpdateRegExpStatics + * CVE-2023-4051 (bmo#1821884) + Full screen notification obscured by file open dialog + * CVE-2023-4578 (bmo#1839007) + Error reporting methods in SpiderMonkey could have triggered + an Out of Memory Exception + * CVE-2023-4053 (bmo#1839079) + Full screen notification obscured by external program + * CVE-2023-4580 (bmo#1843046) + Push notifications saved to disk unencrypted + * CVE-2023-4581 (bmo#1843758) + XLL file extensions were downloadable without warnings + * CVE-2023-4582 (bmo#1773874) + Buffer Overflow in WebGL glGetProgramiv + * CVE-2023-4583 (bmo#1842030) + Browsing Context potentially not cleared when closing Private + Window + * CVE-2023-4584 (bmo#1843968, bmo#1845205, bmo#1846080, + bmo#1846526, bmo#1847529) + Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, + Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2 + * CVE-2023-4585 (bmo#1751583, bmo#1833504, bmo#1841082, + bmo#1847904, bmo#1848999) + Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, + and Thunderbird 115.2 + +------------------------------------------------------------------- +Tue Aug 15 07:53:02 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.1.1 + bugfixes as documented here + https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes + +------------------------------------------------------------------- +Tue Aug 1 07:51:37 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 115.1.0 + New major release with Supernova UI + Releasenotes for 115.0: + https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes + MFSA 2023-33 (bsc#1213746) + * CVE-2023-4045 (bmo#1833876) + Offscreen Canvas could have bypassed cross-origin restrictions + * CVE-2023-4046 (bmo#1837686) + Incorrect value used during WASM compilation + * CVE-2023-4047 (bmo#1839073) + Potential permissions request bypass via clickjacking + * CVE-2023-4048 (bmo#1841368) + Crash in DOMParser due to out-of-memory conditions + * CVE-2023-4049 (bmo#1842658) + Fix potential race conditions when releasing platform objects + * CVE-2023-4050 (bmo#1843038) + Stack buffer overflow in StorageManager + * CVE-2023-4052 (bmo#1824420) + File deletion and privilege escalation through Firefox uninstaller + * CVE-2023-4054 (bmo#1840777) + Lack of warning when opening appref-ms files + * CVE-2023-4055 (bmo#1782561) + Cookie jar overflow caused unexpected cookie jar state + * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325, + bmo#1843847) + Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, + Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14 + * CVE-2023-4057 (bmo#1841682) + Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, + and Thunderbird 115.1 +- requires NSS 3.90 +- add patches: + mozilla-rust-disable-future-incompat.patch + mozilla-partial-revert-1768632.patch + mozilla-bmo1775202.patch +- removed obsolete patches: + gcc13-fix.patch + mozilla-bmo1568145.patch + mozilla-bmo1005535.patch + mozilla-s390x-skia-gradient.patch +- update create-tar.sh + +------------------------------------------------------------------- +Tue Jul 25 06:56:46 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.13.1 + MFSA 2023-28 + * CVE-2023-3417 (bmo#1835582, boo#1213658) + File Extension Spoofing using the Text Direction Override Character + +------------------------------------------------------------------- +Fri Jul 7 12:47:11 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.13.0 + * Upstream RNP version numbers now recognized as official in about:support + MFSA 2023-24 (bsc#1212438) + * CVE-2023-37201 (bmo#1826002) + Use-after-free in WebRTC certificate generation + * CVE-2023-37202 (bmo#1834711) + Potential use-after-free from compartment mismatch in + SpiderMonkey + * CVE-2023-37207 (bmo#1816287) + Fullscreen notification obscured + * CVE-2023-37208 (bmo#1837675) + Lack of warning when opening Diagcab files + * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, + bmo#1836550, bmo#1837450) + Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, + and Thunderbird 102.13 +- mozilla-llvm16.patch has been applied upstream, remove it here + +------------------------------------------------------------------- +Sun Jun 4 08:22:58 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.12.0: + MFSA 2023-21 (bsc#1211922) + * CVE-2023-34414 (bmo#1695986) + Click-jacking certificate exceptions through rendering lag + * CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875, + bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190, + bmo#1830206, bmo#1830795, bmo#1833339) + Memory safety bugs fixed in Thunderbird 102.12 + * fixed: "Searching the directory for recipients certificates" + popup could block compose window when "S/MIME reminder" was + enabled and using an LDAP address book (bmo#1833651) + * fixed: Some elements still used animations with "prefers- + reduced-motion" set (bmo#1833353) + * fixed: Visual and theme improvements + (bmo#1832943,bmo#1832990) + +------------------------------------------------------------------- +Sat May 27 07:46:10 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.11.2 + * fixed: Thunderbird 102.11.1 contained POP3 client regressions + with offline mode and TLS certificate overrides + (bmo#1801286,bmo#1816596,bmo#1798785) +- Includes changes from Thunderbird 102.11.1 + * fixed: POP message retrieval stopped after a network error + occurred and connectivity was restored (bmo#1798785) + * fixed: Reused SMTP connections sometimes silently + disconnected, causing timeouts (bmo#1766382) + * fixed: Thunderbird could freeze if saving a sent message to + IMAP failed (bmo#1745130) + * fixed: Creating OpenPGP keys with no expiration was not + possible (bmo#1830094) + * fixed: News reader did not always issue GROUP command after + authentication with remote server, preventing Thundebird from + displaying or refreshing news from the server (bmo#1824377) +- updated mozilla.keyring + +------------------------------------------------------------------- +Thu May 11 06:45:57 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.11.0 + * https://www.thunderbird.net/en-US/thunderbird/102.11.0/releasenotes + MFSA 2023-18 (bsc#1211175) + * CVE-2023-32205 (bmo#1753339, bmo#1753341) + Browser prompts could have been obscured by popups + * CVE-2023-32206 (bmo#1824892) + Crash in RLBox Expat driver + * CVE-2023-32207 (bmo#1826116) + Potential permissions request bypass via clickjacking + * CVE-2023-32211 (bmo#1823379) + Content process crash due to invalid wasm code + * CVE-2023-32212 (bmo#1826622) + Potential spoof due to obscured address bar + * CVE-2023-32213 (bmo#1826666) + Potential memory corruption in FileReader::DoReadData() + * CVE-2023-32214 (bmo#1828716) + Potential DoS via exposed protocol handlers + * CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856, + bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144, + bmo#1827359, bmo#1830186) + Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11 + +------------------------------------------------------------------- +Sun Apr 23 07:54:15 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.10.1 + * https://www.thunderbird.net/en-US/thunderbird/102.10.1/releasenotes + +------------------------------------------------------------------- +Wed Apr 5 21:10:11 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.10.0 + * New messages will automatically select S/MIME if configured and + OpenPGP is not + * Calendar events with timezone America/Mexico_City incorrectly + applied Daylight Savings Time + MFSA 2023-15 (bsc#1210212) + * CVE-2023-29531 (bmo#1794292) + Out-of-bound memory access in WebGL on macOS + * CVE-2023-29532 (bmo#1806394) + Mozilla Maintenance Service Write-lock bypass + * CVE-2023-29533 (bmo#1798219, bmo#1814597) + Fullscreen notification obscured + * MFSA-TMP-2023-0001 (bmo#1819244) + Double-free in libwebp + * CVE-2023-29535 (bmo#1820543) + Potential Memory Corruption following Garbage Collector compaction + * CVE-2023-29536 (bmo#1821959) + Invalid free from JavaScript code + * CVE-2023-0547 (bmo#1811298) + Revocation status of S/Mime recipient certificates was not checked + * CVE-2023-29479 (bmo#1824978) + Hang when processing certain OpenPGP messages + * CVE-2023-29539 (bmo#1784348) + Content-Disposition filename truncation leads to Reflected + File Download + * CVE-2023-29541 (bmo#1810191) + Files with malicious extensions could have been downloaded + unsafely on Linux + * CVE-2023-29542 (bmo#1810793, bmo#1815062) + Bypass of file download extension restrictions + * CVE-2023-29545 (bmo#1823077) + Windows Save As dialog resolved environment variables + * CVE-2023-1945 (bmo#1777588) + Memory Corruption in Safe Browsing Code + * CVE-2023-29548 (bmo#1822754) + Incorrect optimization result on ARM64 + * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217, + bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602, + bmo#1821448, bmo#1822413, bmo#1824828) + Memory safety bugs fixed in Thunderbird 102.10 +- add mozilla-llvm16.patch to fix build with LLVM16 + +------------------------------------------------------------------- +Wed Mar 29 10:50:35 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.9.1 + MFSA 2023-12 + * CVE-2023-28427 (bmo#1822595) + Matrix SDK bundled with Thunderbird vulnerable to + denial-of-service attack + +------------------------------------------------------------------- +Sun Mar 26 10:57:52 UTC 2023 - Wolfgang Rosenauer + +- add gcc13-fix.patch to support current Tumbleweed + +------------------------------------------------------------------- +Sun Mar 12 09:52:40 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.9.0 + * https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes + MFSA 2023-11 (bsc#1209173)) + * CVE-2023-25751 (bmo#1814899) + Incorrect code generation during JIT compilation + * CVE-2023-28164 (bmo#1809122) + URL being dragged from a removed cross-origin iframe into the + same tab triggered navigation + * CVE-2023-28162 (bmo#1811327) + Invalid downcast in Worklets + * CVE-2023-25752 (bmo#1811627) + Potential out-of-bounds when accessing throttled streams + * CVE-2023-28163 (bmo#1817768) + Windows Save As dialog resolved environment variables + * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904, + bmo#1817442, bmo#1818674) + Memory safety bugs fixed in Thunderbird 102.9 +- update create-tar.sh +- build using rust 1.67 + +------------------------------------------------------------------- +Tue Mar 7 18:30:09 UTC 2023 - Manfred Hollstein + +- Ensure gcc11-c++ gets used on Leap 15.5, too. + +------------------------------------------------------------------- +Wed Feb 15 07:46:58 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.8.0 + * https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes + MFSA 2023-07 (bsc#1208144) + * CVE-2023-0616 (bmo#1806507) + User Interface lockup with messages combining S/MIME and OpenPGP + * CVE-2023-25728 (bmo#1790345) + Content security policy leak in violation reports using iframes + * CVE-2023-25730 (bmo#1794622) + Screen hijack via browser fullscreen mode + * CVE-2023-0767 (bmo#1804640) + Arbitrary memory write via PKCS 12 in NSS + * CVE-2023-25735 (bmo#1810711) + Potential use-after-free from compartment mismatch in SpiderMonkey + * CVE-2023-25737 (bmo#1811464) + Invalid downcast in SVGUtils::SetupStrokeGeometry + * CVE-2023-25738 (bmo#1811852) + Printing on Windows could potentially crash Thunderbird with + some device drivers + * CVE-2023-25739 (bmo#1811939) + Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext + * CVE-2023-25729 (bmo#1792138) + Extensions could have opened external schemes without user knowledge + * CVE-2023-25732 (bmo#1804564) + Out of bounds memory write from EncodeInputStream + * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338) + Opening local .url files could cause unexpected network loads + * CVE-2023-25742 (bmo#1813424) + Web Crypto ImportKey crashes tab + * CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628, + bmo#1810536) + Memory safety bugs fixed in Thunderbird 102.8 +- requires + NSPR >= 4.34.1 + NSS >= 3.79.4 + +------------------------------------------------------------------- +Wed Feb 8 07:59:46 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.7.2 + * Various crash fixes + +------------------------------------------------------------------- +Tue Jan 31 21:48:13 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.7.1 + * Microsoft Office 365 accounts were unable to authenticate + * https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/ + MFSA 2023-04 + * CVE-2023-0430 (bmo#1769000) + Revocation status of S/Mime signature certificates was not checked +- update create-tar.sh + +------------------------------------------------------------------- +Tue Jan 17 13:27:01 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.7.0 + https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/ + MFSA 2023-03 (bsc#1207119) + * CVE-2022-46871 (bmo#1795697) + libusrsctp library out of date + * CVE-2023-23598 (bmo#1800425) + Arbitrary file read from GTK drag and drop on Linux + * CVE-2023-23599 (bmo#1777800) + Malicious command could be hidden in devtools output on + Windows + * CVE-2023-23601 (bmo#1794268) + URL being dragged from cross-origin iframe into same tab + triggers navigation + * CVE-2023-23602 (bmo#1800890) + Content Security Policy wasn't being correctly applied to + WebSockets in WebWorkers + * CVE-2022-46877 (bmo#1795139) + Fullscreen notification bypass + * CVE-2023-23603 (bmo#1800832) + Calls to console.log allowed bypasing Content + Security Policy via format directive + * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974) + Memory safety bugs fixed in Thunderbird 102.7 + +------------------------------------------------------------------- +Tue Dec 20 08:06:29 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.6.1 + * Remote content did not load in user-defined signatures + * Addons that added new action buttons were not shown for addon + upgrades, requiring removal and reinstall + * Various stability improvements + MFSA 2022-54 + * CVE-2022-46874 (bmo#1746139) + Drag and Dropped Filenames could have been truncated to + malicious extensions + +------------------------------------------------------------------- +Tue Dec 13 13:49:09 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.6.0 + https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/ + MFSA 2022-53 (bsc#1206242) + * CVE-2022-46880 (bmo#1749292) + Use-after-free in WebGL + * CVE-2022-46872 (bmo#1799156) + Arbitrary file read from a compromised content process + * CVE-2022-46881 (bmo#1770930) + Memory corruption in WebGL + * CVE-2022-46874 (bmo#1746139) + Drag and Dropped Filenames could have been truncated to + malicious extensions + * CVE-2022-46875 (bmo#1786188) + Download Protections were bypassed by .atloc and .ftploc + files on Mac OS + * CVE-2022-46882 (bmo#1789371) + Use-after-free in WebGL + * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, + bmo#1801102, bmo#1801315, bmo#1802395) + Memory safety bugs fixed in Thunderbird 102.6 +- removed obsolete patches + mozilla-newer-cbindgen.patch + mozilla-glibc236.patch + +------------------------------------------------------------------- +Wed Nov 30 20:49:28 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.5.1 + MFSA 2022-50 + * CVE-2022-45414 (bmo#1788096) + Quoting from an HTML email with certain tags will trigger network + requests and load remote content, regardless of a configuration + to block remote content + +------------------------------------------------------------------- +Sat Nov 12 22:48:04 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.5.0 + * changes and fixes as described here + https://www.thunderbird.net/en-US/thunderbird/102.5.0/releasenotes + MFSA 2022-49 (bsc#1205270) + * CVE-2022-45403 (bmo#1762078) + Service Workers might have learned size of cross-origin media files + * CVE-2022-45404 (bmo#1790815) + Fullscreen notification bypass + * CVE-2022-45405 (bmo#1791314) + Use-after-free in InputStream implementation + * CVE-2022-45406 (bmo#1791975) + Use-after-free of a JavaScript Realm + * CVE-2022-45408 (bmo#1793829) + Fullscreen notification bypass via windowName + * CVE-2022-45409 (bmo#1796901) + Use-after-free in Garbage Collection + * CVE-2022-45410 (bmo#1658869) + ServiceWorker-intercepted requests bypassed SameSite cookie policy + * CVE-2022-45411 (bmo#1790311) + Cross-Site Tracing was possible via non-standard override headers + * CVE-2022-45412 (bmo#1791029) + Symlinks may resolve to partially uninitialized buffers + * CVE-2022-45416 (bmo#1793676) + Keystroke Side-Channel Leakage + * CVE-2022-45418 (bmo#1795815) + Custom mouse cursor could have been drawn over browser UI + * CVE-2022-45420 (bmo#1792643) + Iframe contents could be rendered outside the iframe + * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) + Memory safety bugs fixed in Thunderbird 102.5 + +------------------------------------------------------------------- +Sat Nov 5 16:19:55 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.4.2 + * "Address Book" button in Account Central will now create a + CardDAV address book instead of a local address book + * Bugfixes as described here + https://www.thunderbird.net/en-US/thunderbird/102.4.2/releasenotes + +------------------------------------------------------------------- +Tue Oct 25 20:42:11 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.4.1 + * Thunderbird will now catch and report errors parsing vCards + that contain incorrectly formatted dates + * Dynamic language switching did not update interface when switched + to right-to-left languages + * Custom header data was discarded after messages were saved as + draft and reopened + * -remote command line argument did not work, affecting integration + with various applications such as LibreOffice + * Messages received via some SMS-to-email services could not + display images + * VCards with nickname field set could not be edited + * Some recurring events were missing from Agenda on first load + * Download requests for remote ICS calendars incorrectly set + "Accept" header to text/xml + * Monthly events created on the 31st of a month with <30 days placed + first occurrence 1-2 days after the beginning of the following month + * Various visual and UX improvements + +------------------------------------------------------------------- +Fri Oct 14 19:54:03 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.4.0 + https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes + MFSA 2022-46 (bsc#1203477) + * CVE-2022-42927 (bmo#1789128) + Same-origin policy violation could have leaked cross-origin URLs + * CVE-2022-42928 (bmo#1791520) + Memory Corruption in JS Engine + * CVE-2022-42929 (bmo#1789439) + Denial of Service via window.print + * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) + Memory safety bugs fixed in Firefox 106, Firefox ESR 102.4 and + Thunderbird 102.4.0 + +------------------------------------------------------------------- +Tue Oct 11 20:40:12 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.3.3 + * Option added to show containing address book for a contact when + using All Address Books in vertical mode + * Thunderbird will try to use POP NTLM authentication even if + not advertised by server + * Task List and Today Pane sidebars will no longer load when not visible + * bugfixes as documented here + https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes + +------------------------------------------------------------------- +Thu Oct 6 07:28:32 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.3.2 + * Thunderbird will try to use POP CRAM-MD5 authentication even if + not advertised by server + * more bugfixes as in + https://www.thunderbird.net/en-US/thunderbird/102.3.2/releasenotes + +------------------------------------------------------------------- +Mon Oct 3 10:08:03 UTC 2022 - Wolfgang Rosenauer + +- build using rust 1.63 + +------------------------------------------------------------------- +Wed Sep 28 08:13:07 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.3.1 + * Compose window encryption options now only appear for encryption + technologies that have already been configured + * Number of contacts in currently selected address book now + displayed at bottom of Address Book list column + Fixes + * Password prompt did not include server hostname for POP servers + * Edit Contact was missing from Contacts sidebar context menus + * Address Book contact lists cut off display of some characters, + the result being unreadable + MFSA 2022-43 + * CVE-2022-39249 (bmo#1791765) + Matrix SDK bundled with Thunderbird vulnerable to an + impersonation attack by malicious server administrators + * CVE-2022-39250 (bmo#1791765) + Matrix SDK bundled with Thunderbird vulnerable to a device + verification attack + * CVE-2022-39251 (bmo#1791765) + Matrix SDK bundled with Thunderbird vulnerable to an + impersonation attack + * CVE-2022-39236 (bmo#1791765) + Matrix SDK bundled with Thunderbird vulnerable to a data + corruption issue + +------------------------------------------------------------------- +Fri Sep 16 08:17:49 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.3.0 + https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/ + * Thunderbird will no longer attempt to import account passwords + when importing from another Thunderbird profile in order to + prevent profile corruption and permanent data loss. (bmo#1790605) + * Devtools performance profile will use Thunderbird presets + instead of Web Developer presets (bmo#1785954) + * Thunderbird startup performance improvements (bmo#1785967) + * Saving email source and images failed (bmo#1777323, bmo#1778804) + * Error message was shown repeatedly when temporary disk + space was full (bmo#1788580) + * Attaching OpenPGP keys without a set size to non-encrypted + messages briefly displayed a size of zero bytes (bmo#1788952) + * Global Search entry box initially contained "undefined" (bmo#1780963) + * Delete from POP Server mail filter rule intermittently + failed to trigger (bmo#1789418) + * Connections to POP3 servers without UIDL support failed (bmo#1789314) + * Pop accounts with "Fetch headers only" set downloaded complete + messages if server did not advertise TOP capability (bmo#1789356) + * "File -> New -> Address Book Contact" from Compose window did + not work (bmo#1782418) + * Attach "My vCard" option in compose window was not available + (bmo#1787614) + * Improved performance of matching a contact to an email address + (bmo#1782725) + * Address book only recognized a contact's first two email + addresses (bmo#1777156) + * Address book search and autocomplete failed if a contact vCard + could not be parsed (bmo#1789793) + * Downloading NNTP messages for offline use failed (bmo#1785773) + * NNTP client became stuck when connecting to Public-Inbox servers + (bmo#1786203, boo#1203554) + * Various visual and UX improvements (bmo#1782235, bmo#1787448, + bmo#1788725, bmo#1790324) + * unresolved: No dedicated "Department" field in address book + (bmo#1777780) + MFSA 2022-42 (bsc#1203477) + * CVE-2022-40959 (bmo#1782211) + Bypassing FeaturePolicy restrictions on transient pages + * CVE-2022-40960 (bmo#1787633) + Data-race when parsing non-UTF-8 URLs in threads + * CVE-2022-40958 (bmo#1779993) + Bypassing Secure Context restriction for cookies with __Host + and __Secure prefix + * CVE-2022-40956 (bmo#1770094) + Content-Security-Policy base-uri bypass + * CVE-2022-40957 (bmo#1777604) + Incoherent instruction cache when building WASM on ARM64 + * CVE-2022-3155 (bmo#1789061) + Attachment files saved to disk on macOS could be executed + without warning + * CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835, + bmo#1785109, bmo#1786502, bmo#1789440) + Memory safety bugs fixed in Thunderbird 102.3 + +------------------------------------------------------------------- +Thu Sep 8 06:31:58 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.2.2 + https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/ + * Setting added to change Calendar event double-click action to + open Edit Event dialog rather than view only; + Set calendar.events.defaultActionEdit to true + * Running Compact Folders on maildir folders caused a redownload + of all messages in the folder + * Accessing mail folders in profiles with many folders was slow + * SMTP servers were not always properly initialized, and were not + listed in Account Settings + * APOP authentication unsupported when connecting to POP3 server + * OpenPGP key discovery failed + * POP accounts hosted by AOL were not able to authenticate using OAuth2 + * Unable to open context menu in newsgroups header for groups + that are not subscribed + +------------------------------------------------------------------- +Thu Sep 8 06:31:58 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.2.2 + https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/ + * Setting added to change Calendar event double-click action to + open Edit Event dialog rather than view only; + Set calendar.events.defaultActionEdit to true + * Running Compact Folders on maildir folders caused a redownload + of all messages in the folder + * Accessing mail folders in profiles with many folders was slow + * SMTP servers were not always properly initialized, and were not + listed in Account Settings + * APOP authentication unsupported when connecting to POP3 server + * OpenPGP key discovery failed + * POP accounts hosted by AOL were not able to authenticate using OAuth2 + * Unable to open context menu in newsgroups header for groups + that are not subscribed + +------------------------------------------------------------------- +Thu Sep 1 06:48:28 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.2.1 + MFSA 2022-38 (bsc#1203007) + * CVE-2022-3033 (bmo#1784838) + Leaking of sensitive information when composing a response to + an HTML email with a META refresh tag + * CVE-2022-3032 (bmo#1783831) + Remote content specified in an HTML document that was nested + inside an iframe's srcdoc attribute was not blocked + * CVE-2022-3034 (bmo#1745751) + An iframe element in an HTML email could trigger a network + request + * CVE-2022-36059 (bmo#1787741) + Matrix SDK bundled with Thunderbird vulnerable to denial-of- + service attack + +------------------------------------------------------------------- +Fri Aug 19 18:24:06 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.2.0 + * https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/ + MFSA 2022-36 (bsc#1202645) + * CVE-2022-38472 (bmo#1769155) + Address bar spoofing via XSLT error handling + * CVE-2022-38473 (bmo#1771685) + Cross-origin XSLT Documents would have inherited the parent's + permissions + * CVE-2022-38476 (bmo#1760998) + Data race and potential use-after-free in PK11_ChangePW + * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) + Memory safety bugs fixed in Thunderbird 102.2 + * CVE-2022-38478 (bmo#1770630, bmo#1776658) + Memory safety bugs fixed in Thunderbird 102.2, and + Thunderbird 91.13 +- disabled automatic usage of wayland because of known issues + using MOZ_ENABLE_WAYLAND=1 in environment would still enable it + (boo#1202606) + +------------------------------------------------------------------- +Sun Aug 14 08:03:00 UTC 2022 - Wolfgang Rosenauer + +- added mozilla-glibc236.patch (bmo#1782988, boo#1202323) + +------------------------------------------------------------------- +Tue Aug 9 06:24:56 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.1.2 + * fix for bmo#1777765 (no POP download progress bar) was backed + out from this release to address broken POP message download + with Fetch headers only selected in Account Settings (bmo#1783552) + +------------------------------------------------------------------- +Mon Aug 8 06:46:01 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.1.1 + Bugfixes: + * https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/ + +------------------------------------------------------------------- +Tue Jul 26 09:03:40 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.1.0 + * https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes + MFSA 2022-32 (bsc#1201758) + * CVE-2022-36319 (bmo#1737722) + Mouse Position spoofing with CSS transforms + * CVE-2022-36318 (bmo#1771774) + Directory indexes for bundled resources reflected URL parameters + * CVE-2022-36314 (bmo#1773894) + Opening local .lnk files could cause unexpected + network loads + * CVE-2022-2505 (bmo#1769739, bmo#1772824) + Memory safety bugs fixed in Thunderbird 102.1 +- added mozilla-newer-cbindgen.patch to fix build with + rust-cbindgen >= 0.24 (and also require that for build) +- added mozilla-pgo.patch to fix LTO builds with gcc + +------------------------------------------------------------------- +Tue Jul 19 07:31:52 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.0.3 + Bugfixes as in + * https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/ + +------------------------------------------------------------------- +Sat Jul 9 21:53:27 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.0.2 + * https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/ +- removed obsolete patches + mozilla-bmo1504834-part2.patch + mozilla-bmo1504834-part4.patch + mozilla-bmo1602730.patch + mozilla-bmo1626236.patch + mozilla-bmo1724679.patch + mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch + mozilla-sandbox-fips.patch +- added patches inherited from FF 102 + one_swizzle_to_rule_them_all.patch + svg-rendering.patch +- fix KDE detection (boo#1200987) in mozilla-kde.patch +- requires + rust = 1.60 + NSPR >= 4.34 + NSS >= 3.79 + rust-cbindgen >= 0.23.0 +- remove special breakpad debug symbol creation + +------------------------------------------------------------------- +Sun Jun 26 08:53:26 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.11.0 + * CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work + additional fix applied + * "Save-As" attachment dialog did not have filename pre-populated + MFSA 2022-26 (bsc#1200793) + * CVE-2022-34479 (bmo#1745595) + A popup window could be resized in a way to overlay the + address bar with web content + * CVE-2022-34470 (bmo#1765951) + Use-after-free in nsSHistory + * CVE-2022-34468 (bmo#1768537) + CSP sandbox header without `allow-scripts` can be bypassed + via retargeted javascript: URI + * CVE-2022-2226 (bmo#1775441) + An email with a mismatching OpenPGP signature date was + accepted as valid + * CVE-2022-34481 (bmo#1497246) + Potential integer overflow in ReplaceElementsAt + * CVE-2022-31744 (bmo#1757604) + CSP bypass enabling stylesheet injection + * CVE-2022-34472 (bmo#1770123) + Unavailable PAC file resulted in OCSP requests being blocked + * CVE-2022-34478 (bmo#1773717) + Microsoft protocols can be attacked if a user accepts a prompt + * CVE-2022-2200 (bmo#1771381) + Undesired attributes could be set as part of prototype pollution + * CVE-2022-34484 (bmo#1763634, bmo#1772651) + Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102 + +------------------------------------------------------------------- +Thu May 26 07:56:09 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.10.0 + * Various UX and theme improvements + MFSA 2022-22 (bsc#1200027) + * CVE-2022-31736 (bmo#1735923) + Cross-Origin resource's length leaked + * CVE-2022-31737 (bmo#1743767) + Heap buffer overflow in WebGL + * CVE-2022-31738 (bmo#1756388) + Browser window spoof using fullscreen mode + * CVE-2022-31739 (bmo#1765049) + Attacker-influenced path traversal when saving downloaded + files + * CVE-2022-31740 (bmo#1766806) + Register allocation problem in WASM on arm64 + * CVE-2022-31741 (bmo#1767590) + Uninitialized variable leads to invalid memory read + * CVE-2022-1834 (bmo#1767816) + Braille space character caused incorrect sender email to be + shown for a digitally signed email + * CVE-2022-31742 (bmo#1730434) + Querying a WebAuthn token with a large number of + allowCredential entries may have leaked cross-origin + information + * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283, + bmo#1767365, bmo#1768559, bmo#1768734) + Memory safety bugs fixed in Thunderbird 91.10 + +------------------------------------------------------------------- +Sat May 21 06:36:17 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.9.1 + MFSA 2022-19 (bsc#1199768) + * CVE-2022-1802 (bmo#1770137) + Prototype pollution in Top-Level Await implementation + * CVE-2022-1529 (bmo#1770048) + Untrusted input used in JavaScript object indexing, leading + to prototype pollution + +------------------------------------------------------------------- +Mon May 2 06:34:51 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.9.0 + * A warning is now displayed if an OpenPGP key has unsafe + attributes that are ignored + * OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not + allow SHA-1 key signatures + * CalDAV calendars were marked read-only on startup + MFSA 2022-18 (bsc#1198970) + * CVE-2022-1520 (bmo#1745019) + Incorrect security status shown after viewing an attached + email + * CVE-2022-29914 (bmo#1746448) + Fullscreen notification bypass using popups + * CVE-2022-29909 (bmo#1755081) + Bypassing permission prompt in nested browsing contexts + * CVE-2022-29916 (bmo#1760674) + Leaking browser history with CSS variables + * CVE-2022-29911 (bmo#1761981) + iframe sandbox bypass + * CVE-2022-29912 (bmo#1692655) + Reader mode bypassed SameSite cookies + * CVE-2022-29913 (bmo#1764778) + Speech Synthesis feature not properly disabled + * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, + bmo#1762614, bmo#1762620) + Memory safety bugs fixed in Thunderbird 91.9 + +------------------------------------------------------------------- +Sat Apr 16 11:36:34 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.8.1 + * CLIENTID extension to SMTP was not supported by smtp-js# + * Additional SMTP errors now propagated to user + * OpenPGP was not able to use some previously supported key types + * OpenPGP Key Manager did not always display correct information + after importing additional IDs + * Duplicate new mail notifications could be displayed when + server-side filters were in use + * Cancelling an SMTP password entry resulted in multiple failure + dialogs being displayed + +------------------------------------------------------------------- +Tue Apr 12 07:30:18 UTC 2022 - Martin Liška + +- Set memory limits for DWZ to 4x. + +------------------------------------------------------------------- +Sat Apr 2 17:39:15 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.8.0 + * Google accounts using password authentication will be migrated + to OAuth2. + * bugfixes + https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes + MFSA 2022- (bsc#1197903) +- update create-tar.sh + +------------------------------------------------------------------- +Thu Mar 17 14:39:51 UTC 2022 - Dirk Müller + +- skip slow workers, this is a tough build job + +------------------------------------------------------------------- +Sun Mar 6 13:02:02 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.7.0 + * Thunderbird will use the first occurrence of headers that should + only appear once + * Auto-complete incorrectly changed a pasted email address to the + primary address of a contact + * Attachments with filename extensions that were not registered in + MIME types could not be opened + * Copy/Cut/Paste actions not working in Thunderbird Preferences + * Improved screen reader support of displayed message headers + MFSA 2022-12 (bsc#1196900) + * CVE-2022-26383 (bmo#1742421) + Browser window spoof using fullscreen mode + * CVE-2022-26384 (bmo#1744352) + iframe allow-scripts sandbox bypass + * CVE-2022-26387 (bmo#1752979) + Time-of-check time-of-use bug when verifying add-on signatures + * CVE-2022-26381 (bmo#1736243) + Use-after-free in text reflows + * CVE-2022-26386 (bmo#1752396) + Temporary files downloaded to /tmp and accessible by other + local users + +------------------------------------------------------------------- +Sun Mar 6 12:49:36 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.6.2 + MFSA 2022-09 + * CVE-2022-26485 (bmo#1758062) + Use-after-free in XSLT parameter processing + * CVE-2022-26486 (bmo#1758070) + Use-after-free in WebGPU IPC Framework + +------------------------------------------------------------------- +Tue Feb 15 09:13:06 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.6.1 + * generated views of meeting invitations are now expanded by default + * Emails were not downloading at startup under some conditions + * Port numbers were not shown in "Confirm Security Exception" + dialog for CalDAV connections + MFSA 2022-07 (bsc#1196072) + * CVE-2022-0566 (bmo#1753094) + Crafted email could trigger an out-of-bounds write + +------------------------------------------------------------------- +Sat Feb 5 14:11:31 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.6.0 + * TB will now offer to send large forwarded attachments via FileLink + * Partially signed unencrypted messages displayed an incorrect + "parrtially encrypted" notification + * Attachments filenames were not sanitized before saving to disk + * In the attachment bar, the "Import OpenPGP Key" item displayed + for public keys displayed an error and did not import the key + * "Open with" attachment dialog did not have a selected radio + button option + MFSA 2022-06 (bsc#1195682) + * CVE-2022-22753 (bmo#1732435) + Privilege Escalation to SYSTEM on Windows via Maintenance + Service + * CVE-2022-22754 (bmo#1750565) + Extensions could have bypassed permission confirmation during + update + * CVE-2022-22756 (bmo#1317873) + Drag and dropping an image could have resulted in the dropped + object being an executable + * CVE-2022-22759 (bmo#1739957) + Sandboxed iframes could have executed script if the parent + appended elements + * CVE-2022-22760 (bmo#1740985, bmo#1748503) + Cross-Origin responses could be distinguished between script + and non-script content-types + * CVE-2022-22761 (bmo#1745566) + frame-ancestors Content Security Policy directive was not + enforced for framed extension pages + * CVE-2022-22763 (bmo#1740534) + Script Execution during invalid object state + * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, + bmo#1748210, bmo#1748279) + Memory safety bugs fixed in Thunderbird 91.6 +- do not use ccache by default +- removed obsolete mozilla-bmo1745560.patch + +------------------------------------------------------------------- +Sat Jan 22 09:57:59 UTC 2022 - Manfred Hollstein + +- Mozilla Thunderbird 91.5.1 + * JS LDAP implementation did not support self-signed SSL certificates + * After saving a draft and subsequently sending a FileLink email, + the original file was removed from disk + * Chat OTR encryption did not work + * OTR verification bar was not removed after completing verification + * Various theme improvements + +------------------------------------------------------------------- +Thu Jan 20 13:10:00 UTC 2022 - Martin Liška + +- Enable -fimplicit-constexpr for GCC 12+. + +------------------------------------------------------------------- +Fri Jan 7 16:13:57 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.5.0 + https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes + MFSA 2022-03 (bsc#1194547) + * CVE-2022-22746 (bmo#1735071) + Calling into reportValidity could have lead to fullscreen + window spoof + * CVE-2022-22743 (bmo#1739220) + Browser window spoof using fullscreen mode + * CVE-2022-22742 (bmo#1739923) + Out-of-bounds memory access when inserting text in edit mode + * CVE-2022-22741 (bmo#1740389) + Browser window spoof using fullscreen mode + * CVE-2022-22740 (bmo#1742334) + Use-after-free of ChannelEventQueue::mOwner + * CVE-2022-22738 (bmo#1742382) + Heap-buffer-overflow in blendGaussianBlur + * CVE-2022-22737 (bmo#1745874) + Race condition when playing audio files + * CVE-2021-4140 (bmo#1746720) + Iframe sandbox bypass with XSLT + * CVE-2022-22748 (bmo#1705211) + Spoofed origin on external protocol launch dialog + * CVE-2022-22745 (bmo#1735856) + Leaking cross-origin URLs through securitypolicyviolation event + * CVE-2022-22744 (bmo#1737252) + The 'Copy as curl' feature in DevTools did not fully escape + website-controlled data, potentially leading to command injection + * CVE-2022-22747 (bmo#1735028) + Crash when handling empty pkcs7 sequence + * CVE-2022-22739 (bmo#1744158) + Missing throttling on external protocol launch dialog + * CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366, + bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221, + bmo#1743515, bmo#1745373, bmo#1746011) + Memory safety bugs fixed in Thunderbird 91.5 + +------------------------------------------------------------------- +Tue Dec 28 20:20:30 UTC 2021 - Bjørn Lie + +- Add mozilla-bmo1745560.patch: Fix build against wayland 1.20. + +------------------------------------------------------------------- +Fri Dec 17 14:19:48 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.4.1 + * several fixes as outlined here + https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/ + MFSA 2021-55 (bsc#1193845) + * CVE-2021-4126 (bmo#1732310) + OpenPGP signature status doesn't consider additional message + content + * CVE-2021-44538 (bmo#1744056) + Matrix chat library libolm bundled with Thunderbird + vulnerable to a buffer overflow +- updated _constraints + +------------------------------------------------------------------- +Thu Dec 2 08:55:33 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.4.0 + * several fixes as outlined here + https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes + MFSA 2021-54 (bsc#1193485) + * CVE-2021-43536 (bmo#1730120) + URL leakage when navigating while executing asynchronous + function + * CVE-2021-43537 (bmo#1738237) + Heap buffer overflow when using structured clone + * CVE-2021-43538 (bmo#1739091) + Missing fullscreen and pointer lock notification when + requesting both + * CVE-2021-43539 (bmo#1739683) + GC rooting failure when calling wasm instance methods + * CVE-2021-43541 (bmo#1696685) + External protocol handler parameters were unescaped + * CVE-2021-43542 (bmo#1723281) + XMLHttpRequest error codes could have leaked the existence of + an external protocol handler + * CVE-2021-43543 (bmo#1738418) + Bypass of CSP sandbox directive when embedding + * CVE-2021-43545 (bmo#1720926) + Denial of Service when using the Location API in a loop + * CVE-2021-43546 (bmo#1737751) + Cursor spoofing could overlay user interface when native + cursor is zoomed + * CVE-2021-43528 (bmo#1742579) + JavaScript unexpectedly enabled for the composition area + * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751, + bmo#1737009, bmo#1739372, bmo#1739421) + Memory safety bugs fixed in Thunderbird 91.4.0 + +------------------------------------------------------------------- +Thu Nov 25 20:25:29 UTC 2021 - Bjørn Lie + +- Drop unused libidl-devel BuildRequires. + +------------------------------------------------------------------- +Sat Nov 20 18:57:39 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.3.2 + * Date selection in Calendar print settings widget changed to use + mini calendar widget + * OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529 + boo#1189244 + * Bugfixes as outlined in release notes + https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/ + +------------------------------------------------------------------- +Sat Nov 13 11:52:30 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.3.1 + * OpenPGP public keys will no longer count as an attachment in + the message list + * Adding a search engine via URL now supported + * FileLink messages' template updated; Thunderbird advertisement + removed + * After an update, Thunderbird will now check installed addons + for updates + * Bugfixes as outlined in release notes + https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/ + +------------------------------------------------------------------- +Sun Oct 31 17:49:23 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.3.0 + * several fixes as outlined here + https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/ + MFSA 2021-50 (bsc#1192250) + * CVE-2021-38503 (bmo#1729517) + iframe sandbox rules did not apply to XSLT stylesheets + * CVE-2021-38504 (bmo#1730156) + Use-after-free in file picker dialog + * CVE-2021-38505 (bmo#1730194) + Windows 10 Cloud Clipboard may have recorded sensitive user data + * CVE-2021-38506 (bmo#1730750) + Thunderbird could be coaxed into going into fullscreen mode + without notification or warning + * CVE-2021-38507 (bmo#1730935) + Opportunistic Encryption in HTTP2 could be used to bypass the + Same-Origin-Policy on services hosted on other ports + * MOZ-2021-0008 (bmo#1667102) + Use-after-free in HTTP2 Session object + * CVE-2021-38508 (bmo#1366818) + Permission Prompt could be overlaid, resulting in user + confusion and potential spoofing + * CVE-2021-38509 (bmo#1718571) + Javascript alert box could have been spoofed onto an + arbitrary domain + * CVE-2021-38510 (bmo#1731779) + Download Protections were bypassed by .inetloc files on Mac OS + * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048, + bmo#1735152) + Memory safety bugs fixed in Thunderbird ESR 91.3 +- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires + +------------------------------------------------------------------- +Fri Oct 22 21:27:02 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.2.1 + * Preference added to disable automatic pausing RSS feed updates + after a fetch failure + * several bugfixes as outlined in release notes + https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/ + +------------------------------------------------------------------- +Fri Oct 22 09:16:01 UTC 2021 - Guillaume GARDET + +- Increase memory required per threads for aarch64 to avoid OOM + +------------------------------------------------------------------- +Thu Oct 21 13:23:29 UTC 2021 - Martin Liška + +- Enable LTO on Tumbleweed. + +------------------------------------------------------------------- +Fri Oct 15 20:29:41 UTC 2021 - Wolfgang Rosenauer + +- add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863) + fix some env variables which are enabled for any value + +------------------------------------------------------------------- +Mon Oct 4 19:55:48 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.2.0 + * Saving a single message as .eml now uses a unique filename + * New mail notifications did not properly take subfolders into account + * Decrypting binary attachments when using an external GnuPG + configuration failed + * Account name fields in the account manager were not big enough + for long names + * LDAP searches using an extensibleMatch filter returned no results + * Read-only CalDAV calendars and CardDAV address books were not detected + * Multipart messages containing a calendar invite did not display + any of the human-readable alternatives + * Some calendar days were displayed incorrectly or duplicated + (eg. two "29th" days of a particular month) + * Phantom event was shown at the end of each day in Calendar week view + MFSA 2021-46 (bsc#1191332) + * CVE-2021-38496 (bmo#1725335) + Use-after-free in MessageTask + * CVE-2021-38497 (bmo#1726621) + Validation message could have been overlaid on another origin + * CVE-2021-38498 (bmo#1729642) + Use-after-free of nsLanguageAtomService object + * CVE-2021-32810 (bmo#1729813, + https://github.com/crossbeam- + rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) + Data race in crossbeam-deque + * CVE-2021-38500 (bmo#1725854, bmo#1728321) + Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, + and Firefox ESR 91.2 + * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) + Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 + +------------------------------------------------------------------- +Sun Sep 26 16:01:35 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.1.2 + * Thunderbird will now warn if an S/MIME encrypted message includes + BCC recipients + * several bugfixes listed on + https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/ + +------------------------------------------------------------------- +Wed Sep 15 15:37:55 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.1.1 + * Menu item for disabling subject encryption for a single message added + * Printing messages that are not currently displayed is no longer + supported, including printing multiple messages at once + * for bugfixes see + https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes +- MOZ_ENABLE_WAYLAND env variable now overrides automatic detection + if already set before startup + +------------------------------------------------------------------- +Thu Sep 2 07:03:59 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.1.0 + * Thunderbird registered Accessibility Handlers using same GUIDs + as Firefox, causing performance issues for NVDA users + * Focus lost when reordering accounts by keyboard in the Account Manager + * Account setup did not use provider display name for setting up + calendars + * Various theme and UX fixes + MFSA 2021-41 (bsc#1190269) + * CVE-2021-38492 (bmo#1721107) + Navigating to `mk:` URL scheme could load Internet Explorer + * CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101, + bmo#1724107) + Memory safety bugs fixed in Thunderbird 91.1 +- (re-)added mozilla-silence-no-return-type.patch +- add mozilla-bmo531915.patch to fix build for i586 + +------------------------------------------------------------------- +Fri Aug 27 21:01:34 UTC 2021 - Andreas Stieger + +- Mozilla Thunderbird 91.0.3: + * fixed: Folder icons could be overridden by linked favicons in + HTML messages + * fixed: Unified folders showed no messages when underlying + folders were removed + * fixed: Folder pane toolbar did not always persist after + restarting Thunderbird + * fixed: Compose window attachment pane did not close when + disabling signing of an OpenPGP message + * fixed: Using "Reply to List" with some list emails + incorrectly opened a "no-reply" warning + * fixed: Account setup UX issues with Exchange autodiscover + * fixed: Account settings did not display non-UTF-8 server + descriptions correctly + * fixed: Thunderbird sometimes sent an unnecessary "SMTPUTF8", + causing some servers to reject mail + * fixed: No mouseover pop was displayed with event details for + non-all-day events in the Today Pane + * fixed: Filtering tasks in the Today Pane did not work + * fixed: Email based event scheduling displayed the date and + time in a format unreadable by humans + +------------------------------------------------------------------- +Fri Aug 27 20:07:49 UTC 2021 - Andreas Stieger + +- Mozilla Thunderbird 91.0.2: + * new: Tags are now colored in mail filter editor + * changed: Context menu items related to OpenPGP and + attachments are now hidden when not applicable + * fixed: Creating a new account with manual setup failed + * fixed: Recipient autocomplete always preferred the primary + email address for a contact + * fixed: LDAP performance improvements + * fixed: Extensions listed on the Recommended Addons did not + have a clear way to view details in a browser + * fixed: Status checkmark on View > Calendar > Calendar Pane > + Show Calendar Pane was reversed + * fixed: mid: URLs in calendar invites did not open the linked + mail message + * fixed: Various theme and UX fixes + +------------------------------------------------------------------- +Tue Aug 17 07:19:15 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.0.1 + MFSA 2021-37 (bsc#1189547) + * CVE-2021-29991 (bmo#1724896) + Header Splitting possible with HTTP/3 Responses +- appdate screenshot URL updated (by mailaender@opensuse.org) + +------------------------------------------------------------------- +Sun Aug 15 17:21:46 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 91.0 + * based on Mozilla's 91 ESR codebase + * many new and changed features + https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew + * Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences" + * Thunderbird now operates in multi-process (e10s) mode by default + * New user interface for adding attachments + * Enable redirect of messages + * CardDAV address book support +- Removed obsolete patches: + * mozilla-bmo1463035.patch + * mozilla-ppc-altivec_static_inline.patch + * mozilla-pipewire-0-3.patch + * mozilla-bmo1554971.patch +- add mozilla-libavcodec58_91.patch +- removed obsolete BigEndian ICU build workaround +- updated build requirements +- build using clang + +------------------------------------------------------------------- +Thu Aug 5 15:47:34 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.13.0 + * removed WeTransfer integration package (not supported by vendor + any longer) + MFSA 2021-35 (bsc#1188891) + * CVE-2021-29986 (bmo#1696138) + Race condition when resolving DNS names could have led to + memory corruption + * CVE-2021-29988 (bmo#1717922) + Memory corruption as a result of incorrect style treatment + * CVE-2021-29984 (bmo#1720031) + Incorrect instruction reordering during JIT optimization + * CVE-2021-29980 (bmo#1722204) + Uninitialized memory in a canvas object could have led to + memory corruption + * CVE-2021-29985 (bmo#1722083) + Use-after-free media channels + * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178, + bmo#1719998, bmo#1720568) + Memory safety bugs fixed in Thunderbird 78.13 + +------------------------------------------------------------------- +Wed Jul 14 06:34:13 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.12.0 + MFSA 2021-30 (bsc#1188275) + * CVE-2021-29969 (bmo#1682370) + IMAP server responses sent by a MITM prior to STARTTLS could be + processed + * CVE-2021-29970 (bmo#1709976) + Use-after-free in accessibility features of a document + * CVE-2021-30547 (bmo#1715766) + Out of bounds write in ANGLE + * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, + bmo#1711576, bmo#1714391) + Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 + +------------------------------------------------------------------- +Sat May 29 08:14:38 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.11.0 + * OpenPGP could not be disabled for an account if a key was + previously configured + * Recipients were unable to decrypt some messages when the sender + had changed the message encryption from OpenPGP to S/MIME + * Contacts moved between CardDAV address books were not synced to + the new server + * CardDAV compatibility fixes for Google Contacts + MFSA 2021-26 (bsc#1186696) + * CVE-2021-29964 (bmo#1706501) + Out of bounds-read when parsing a `WM_COPYDATA` message + * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, + bmo#1704722, bmo#1706041) + Memory safety bugs fixed in Thunderbird 78.11 +- renewed expired mozilla.keyring + +------------------------------------------------------------------- +Fri May 14 08:58:19 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.10.2 + * Added support for importing OpenPGP keys without a primary + secret key + * Add-ons manager displays a preferences icon for mail extensions + that include an options page + Fixed + * OpenPGP messages with a high compression ratio (over 10x) could + not be decrypted + * Selected OpenPGP key was lost after opening the Key Properties + dialog in Account Settings + * Parsing some OpenPGP user IDs failed + * Various improvements to OpenPGP partial encryption reminders + * Mail toolbar buttons were too big when displaying both icons + and text + MFSA 2021-22 + * CVE-2021-29956 (boo#1186199, bmo#1710290) + Thunderbird stored OpenPGP secret keys without master password + protection + * CVE-2021-29957 (boo#1186198, bmo#1673241) + Partial protection of inline OpenPGP message not indicated +- do not rely on nodejs10 explicitely + +------------------------------------------------------------------- +Tue May 4 15:39:28 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.10.1 + * Remove the fix for bmo#1689804 introduced in 78.9.0, + restoring the previous behavior + * MFSA 2021-19 (bsc#1185633) does not affect this platform + +------------------------------------------------------------------- +Sun Apr 18 07:21:01 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.10.0 + MFSA 2021-14 (bsc#1184960) + * CVE-2021-23994 (bmo#1699077) + Out of bound write due to lazy initialization + * CVE-2021-23995 (bmo#1699835) + Use-after-free in Responsive Design Mode + * CVE-2021-23998 (bmo#1667456) + Secure Lock icon could have been spoofed + * CVE-2021-23961 (bmo#1677940) + More internal network hosts could have been probed by a + malicious webpage + * CVE-2021-23999 (bmo#1691153) + Blob URLs may have been granted additional privileges + * CVE-2021-24002 (bmo#1702374) + Arbitrary FTP command execution on FTP servers using an + encoded URL + * CVE-2021-29945 (bmo#1700690) + Incorrect size computation in WebAssembly JIT could lead to + null-reads + * CVE-2021-29946 (bmo#1698503) + Port blocking could be bypassed + * CVE-2021-29948 (bmo#1692899) + Race condition when reading from disk while verifying + signatures +- recommend libotr5 + +------------------------------------------------------------------- +Sat Apr 10 11:39:37 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.9.1 + * Support recipient aliases for OpenPGP encryption + * The key and signature parts of the message security popup on a + received message could not be selected for copy/paste + * Various UX and theme improvements + MFSA 2021-13 + * CVE-2021-23991 (bmo#1673240) + An attacker may use Thunderbird's OpenPGP key refresh mechanism + to poison an existing key + * MOZ-2021-23992 (bmo#1666236) + A crafted OpenPGP key with an invalid user ID could be used to + confuse the user + * CVE-2021-23993 (bmo#1666360) + Inability to send encrypted OpenPGP email after importing a + crafted OpenPGP key + +------------------------------------------------------------------- +Sat Mar 20 09:20:00 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.9.0 + * bugfixes: + https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes + MFSA 2021-12 (boo#1183942) + * CVE-2021-23981 (bmo#1692832) + Texture upload into an unbound backing buffer resulted in an + out-of-bound read + * MOZ-2021-0002 (bmo#1691547) + Angle graphics library out of date + * CVE-2021-23982 (bmo#1677046) + Internal network hosts could have been probed by a malicious + webpage + * CVE-2021-23984 (bmo#1693664) + Malicious extensions could have spoofed popup information + * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718) + Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 +- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542) + +------------------------------------------------------------------- +Sun Mar 7 09:27:49 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.8.1 + * several bugfixes and improvements + * https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/ +- updated create-tar.sh (bsc#1182357) + +------------------------------------------------------------------- +Fri Feb 19 21:39:32 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.8.0 + * various bugfixes + MFSA 2021-09 (bsc#1182614) + * CVE-2021-23969 (bmo#1542194) + Content Security Policy violation report could have contained + the destination of a redirect + * CVE-2021-23968 (bmo#1687342) + Content Security Policy violation report could have contained + the destination of a redirect + * CVE-2021-23973 (bmo#1690976) + MediaError message property could have leaked information + about cross-origin resources + * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391, + bmo#1687597) + Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 + +------------------------------------------------------------------- +Fri Feb 5 22:23:03 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.7.1 + * CardDAV address books now support OAuth2 and Google Contacts + * Thunderbird will no longer allow installation of addons that + use legacy APIs + +------------------------------------------------------------------- +Tue Jan 26 07:47:13 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.7.0 + MFSA 2021-05 (bsc#1181414) + * CVE-2021-23953 (bmo#1683940) + Cross-origin information leakage via redirected PDF requests + * CVE-2021-23954 (bmo#1684020) + Type confusion when using logical assignment operators in + JavaScript switch statements + * CVE-2020-15685 (bmo#1622640) + IMAP Response Injection when using STARTTLS + * CVE-2020-26976 (bmo#1674343) + HTTPS pages could have been intercepted by a registered + service worker when they should not have been + * CVE-2021-23960 (bmo#1675755) + Use-after-poison for incorrectly redeclared JavaScript + variables during GC + * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, + bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844, + bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410, + bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736, + bmo#1685260, bmo#1685925) + Memory safety bugs fixed in Thunderbird 78.7 + +------------------------------------------------------------------- +Sun Jan 24 09:33:04 UTC 2021 - Manfred Hollstein + +- MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer + rpm versions in TW remove everything there as the first action + of %install + +------------------------------------------------------------------- +Mon Jan 11 16:35:00 UTC 2021 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.6.1 + MFSA 2021-02 (bsc#1180623) + * CVE-2020-16044 (bmo#1683964) + Use-after-free write when handling a malicious COOKIE-ECHO SCTP + chunk + +------------------------------------------------------------------- +Sat Dec 12 10:25:08 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.6.0 + * changes and additions in MailExtensions + * several bugfixes + * https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/ + MFSA 2020-56 (bsc#1180039)) + * CVE-2020-16042 (bmo#1679003) + Operations on a BigInt could have caused uninitialized memory + to be exposed + * CVE-2020-26971 (bmo#1663466) + Heap buffer overflow in WebGL + * CVE-2020-26973 (bmo#1680084) + CSS Sanitizer performed incorrect sanitization + * CVE-2020-26974 (bmo#1681022) + Incorrect cast of StyleGenericFlexBasis resulted in a heap + use-after-free + * CVE-2020-26978 (bmo#1677047) + Internal network hosts could have been probed by a malicious + webpage + * CVE-2020-35111 (bmo#1657916) + The proxy.onRequest API did not catch view-source URLs + * CVE-2020-35112 (bmo#1661365) + Opening an extension-less download may have inadvertently + launched an executable instead + * CVE-2020-35113 (bmo#1664831, bmo#1673589) + Memory safety bugs fixed in Thunderbird 78.6 + +------------------------------------------------------------------- +Tue Dec 1 21:34:15 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.5.1 + MFSA 2020-53 (bsc#1179530) + * CVE-2020-26970 (bmo#1677338) + Stack overflow due to incorrect parsing of SMTP server response codes + +------------------------------------------------------------------- +Mon Nov 16 20:13:34 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.5.0 + MFSA 2020-52 (bsc#1178894) + * CVE-2020-26951 (bmo#1667113) + Parsing mismatches could confuse and bypass security + sanitizer for chrome privileged code + * CVE-2020-16012 (bmo#1642028) + Variable time processing of cross-origin images during + drawImage calls + * CVE-2020-26953 (bmo#1656741) + Fullscreen could be enabled without displaying the security + UI + * CVE-2020-26956 (bmo#1666300) + XSS through paste (manual and clipboard API) + * CVE-2020-26958 (bmo#1669355) + Requests intercepted through ServiceWorkers lacked MIME type + restrictions + * CVE-2020-26959 (bmo#1669466) + Use-after-free in WebRequestService + * CVE-2020-26960 (bmo#1670358) + Potential use-after-free in uses of nsTArray + * CVE-2020-15999 (bmo#1672223) + Heap buffer overflow in freetype + * CVE-2020-26961 (bmo#1672528) + DoH did not filter IPv4 mapped IP Addresses + * CVE-2020-26965 (bmo#1661617) + Software keyboards may have remembered typed passwords + * CVE-2020-26966 (bmo#1663571) + Single-word search queries were also broadcast to local + network + * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, + bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, + bmo#1671923) + Memory safety bugs fixed in Thunderbird 78.5 +- removed obsolete mozilla-rust-1.47.patch + +------------------------------------------------------------------- +Wed Nov 11 09:04:51 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.4.3 + https://www.thunderbird.net/en-US/thunderbird/78.4.3/releasenotes/ +- added mozilla-rust-1.47.patch to fix build with rust 1.47 + +------------------------------------------------------------------- +Mon Nov 9 21:43:37 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.4.2 + MFSA 2020-49 + * CVE-2020-26950 (bmo#1675905) + Write side effects in MCallGetProperty opcode not accounted for + +------------------------------------------------------------------- +Thu Nov 5 08:52:51 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.4.1 + * Bugfixes and minor features + https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/ + +------------------------------------------------------------------- +Tue Oct 20 11:54:05 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.4.0 + * MailExtensions: browser.tabs.sendMessage API added + * MailExtensions: messageDisplayScripts API added + * Yahoo and AOL mail users using password authentication will be + migrated to OAuth2 + * MailExtensions: messageDisplay APIs extended to support multiple + selected messages + * MailExtensions: compose.begin functions now support creating a + message with attachments + * multiple bugfixes + MFSA 2020-47 (bsc#1177872) + * CVE-2020-15969 (bmo#1666570) + Use-after-free in usersctp + * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760, + bmo#1663439, bmo#1666140) + Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4 + +------------------------------------------------------------------- +Thu Oct 15 14:31:39 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.3.3 + * OpenPGP: Improved support for encrypting with subkeys + * OpenPGP message status icons were not visible in message header pane + * OpenPGP Key Manager was missing from Tools menu on macOS + * Creating a new calendar event did not require an event title +- remove python2 dependencies for TW +- support wayland mode/autodetection in startup wrapper +- replace some Requires to use requires_ge macro where appropriate +- improve langpack build (as already used for Firefox) +- add ccache statistics output to build + +------------------------------------------------------------------- +Wed Oct 7 07:02:03 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.3.2 + * OpenPGP: Improved support for encrypting with subkeys + * OpenPGP: Encrypted messages with international characters were + sometimes displayed incorrectly + * Single-click deletion of recipient pills with middle mouse + button restored + * Searching an address book list did not display results + * Dark mode, high contrast, and Windows theming fixes + +------------------------------------------------------------------- +Fri Sep 25 06:25:54 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.3.1 + * fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120) + +------------------------------------------------------------------- +Wed Sep 23 21:04:45 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.3.0 + MFSA 2020-44 (bsc#1176756) + * CVE-2020-15677 (bmo#1641487) + Download origin spoofing via redirect + * CVE-2020-15676 (bmo#1646140) + XSS when pasting attacker-controlled data into a + contenteditable element + * CVE-2020-15678 (bmo#1660211) + When recursing through layers while scrolling, an iterator + may have become invalid, resulting in a potential use-after- + free scenario + * CVE-2020-15673 (bmo#1648493, bmo#1660800) + Memory safety bugs fixed in Thunderbird 78.3 +- requires NSPR >= 4.25.1 +- removed obsolete thunderbird-bmo1664607.patch + +------------------------------------------------------------------- +Sun Sep 13 20:10:39 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.2.2 + https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes +- added thunderbird-bmo1664607.patch required for builds w/o updater + (boo#1176384) + +------------------------------------------------------------------- +Mon Aug 31 12:08:25 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 78.2.1 + * based on Mozilla's 78 ESR codebase + * many new and changed features + https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew + * built-in OpenPGP support (enigmail neither required nor supported) +- added platform patches: + * mozilla-s390x-skia-gradient.patch + * mozilla-pipewire-0-3.patch + * mozilla-bmo1512162.patch + * mozilla-bmo1626236.patch + * mozilla-bmo998749.patch + * mozilla-sandbox-fips.patch +- removed obsolete platform patches + * mozilla-s390-bigendian.patch + * mozilla-nestegg-big-endian.patch + * mozilla-openaes-decl.patch + * mozilla-cubeb-noreturn.patch + +------------------------------------------------------------------- +Sun Aug 30 11:05:01 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.12.0 + MFSA 2020-40 (bsc#1175686) + * CVE-2020-15663 (bmo#1643199) + Downgrade attack on the Mozilla Maintenance Service could have + resulted in escalation of privilege + * CVE-2020-15664 (bmo#1658214) + Attacker-induced prompt for extension installation + * CVE-2020-15669 (bmo#1656957) + Use-After-Free when aborting an operation + +------------------------------------------------------------------- +Fri Aug 28 09:04:11 UTC 2020 - Michel Normand + +- Put back %limit_build macro usage to avoid build error PowerPC + (remove memoryperjob constraint) + +------------------------------------------------------------------- +Thu Aug 20 08:57:15 UTC 2020 - Martin Liška + +- Use memoryperjob constraint instead of %limit_build macro. + +------------------------------------------------------------------- +Sat Aug 1 09:54:53 UTC 2020 - Andreas Stieger + +- Mozilla Thunderbird 68.11.0 + * fixed: FileLink attachments included as a link and file when + added from a network drive via drag & drop (bmo#793118) + MFSA 2020-35 (bsc#1174538) + * CVE-2020-15652 (bmo#1634872) + Potential leak of redirect targets when loading scripts in a + worker + * CVE-2020-6514 (bmo#1642792) + WebRTC data channel leaks internal address to peer + * CVE-2020-6463 (bmo#1635293) + Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture + * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1646787, + bmo#1650811) + Memory safety bugs fixed in Thunderbird 68.11 + +------------------------------------------------------------------- +Wed Jul 1 21:00:23 UTC 2020 - Andreas Stieger + +- Mozilla Thunderbird 68.10.0 + * fixed: Chat: Topics displayed some characters improperly + (bmo#1644024) + * fixed: Calendar: Filtering tasks did not work when + "Incomplete Tasks" was selected (bmo#1593711) + MFSA 2020-26 (bsc#1173576) + * CVE-2020-12417 (bmo#1640737) + Memory corruption due to missing sign-extension for ValueTags + on ARM64 + * CVE-2020-12418 (bmo#1641303) + Information disclosure due to manipulated URL object + * CVE-2020-12419 (bmo#1643874) + Use-after-free in nsGlobalWindowInner + * CVE-2020-12420 (bmo#1643437) + Use-After-Free when trying to connect to a STUN server + * MFSA-2020-0001 (bmo#1606610) + Automatic account setup leaks Microsoft Exchange login + credentials + * CVE-2020-12421 (bmo#1308251) + Add-On updates did not respect the same certificate trust + rules as software updates + +------------------------------------------------------------------- +Thu Jun 11 14:52:51 UTC 2020 - Wolfgang Rosenauer + +- build with nodejs10 to be able to drop nodejs8 from TW +- updated create-tar.sh + +------------------------------------------------------------------- +Sat Jun 6 21:05:07 UTC 2020 - Andreas Stieger + +- Mozilla Thunderbird 68.9.0 + * fixed: Custom headers added for searching or filtering could + not be removed (bmo#1631577) + * fixed: Calendar: Today Pane updated prior to loading all data + (bmo#1635613) + * fixed: Stability improvements (bmo#1625677) + MFSA 2020-22 (bsc#1172402) + * CVE-2020-12405 (bmo#1631618) + Use-after-free in SharedWorkerService + * CVE-2020-12406 (bmo#1639590) + JavaScript Type confusion with NativeTypes + * CVE-2020-12410 (bmo#1619305, bmo#1632717) + Memory safety bugs fixed in Thunderbird 68.9.0 + * CVE-2020-12398 (bmo#1613623) + Security downgrade with IMAP STARTTLS leads to information + leakage + +------------------------------------------------------------------- +Sun May 24 20:46:21 UTC 2020 - Andreas Stieger + +- Mozilla Thunderbird 68.8.1 + * fixed: IMAP stability improvements (bmo#1586494) + * fixed: HTML tags in IRC topic changes were rendered + incorrectly (bmo#1607097) + * fixed: MailExtensions: Websockets could not be used + (bmo#1627649) + +------------------------------------------------------------------- +Tue May 5 07:49:33 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.8.0 + * Account Manager fixes and improvements + * https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes + MFSA 2020-18 (bsc#1171186) + * CVE-2020-12397 (bmo#1617370) + Sender Email Address Spoofing using encoded Unicode characters + * CVE-2020-12387 (bmo#1545345) + Use-after-free during worker shutdown + * CVE-2020-6831 (bmo#1632241) + Buffer overflow in SCTP chunk input validation + * CVE-2020-12392 (bmo#1614468) + Arbitrary local file access with 'Copy as cURL' + * CVE-2020-12393 (bmo#1615471) + Devtools' 'Copy as cURL' feature did not fully escape + website-controlled data, potentially leading to command injection + * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, + bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) + Memory safety bugs fixed in Thunderbird 68.8.0 +- removed obsolete patch mozilla-bmo1580963.patch + +------------------------------------------------------------------- +Tue May 5 07:00:36 UTC 2020 - Ismail Dönmez + +- Add mozilla-bmo1580963.patch to fix build with rust 1.43 + (bmo#1580963) + +------------------------------------------------------------------- +Thu Apr 9 17:27:50 UTC 2020 - Andreas Stieger + +- Mozilla Thunderbird 68.7.0 + * Updates to MailExtensions API + * Various improvements to account setup when connecting to an + Exchange server + * Thread collapsed when opening news message in a new window + * Fix Addons not automatically updated to compatible version after + upgrade from Thunderbird 60 + * Updating addons did not prompt when requesting new permissions + * Extra recipients panel not keyboard-accessible + * Accessibility: Status bar was not detected by screenreaders + * Calendar: Invitations with embedded null bytes did not always decode correctly + * Calendar: Cancelled events didn't show with a line-through + * Various security fixes + MFSA 2020-14 + In general, these flaws cannot be exploited through email in + Thunderbird because scripting is disabled when reading mail, but + are potentially risks in browser or browser-like contexts. + * CVE-2020-6819 (bmo#1620818, bsc#1168630) + Use-after-free while running the nsDocShell destructor + * CVE-2020-6820 (bmo#1626728, bsc#1168630) + Use-after-free when handling a ReadableStream + * CVE-2020-6821 (bmo#1625404, bsc#1168874) + Uninitialized memory could be read when using the WebGL + copyTexSubImage method + * CVE-2020-6822 (bmo#1544181, bsc#1168874) + Out of bounds write in GMPDecodeData when processing large images + * CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203,bsc#1168874) + Memory safety bugs fixed in Thunderbird 68.7.0 + +------------------------------------------------------------------- +Sat Mar 14 13:16:23 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.6.0 + MFSA 2020-10 (bsc#1166238) + * CVE-2020-6805 (bmo#1610880) + Use-after-free when removing data about origins + * CVE-2020-6806 (bmo#1612308) + BodyStream::OnInputStreamReady was missing protections against + state confusion + * CVE-2020-6807 (bmo#1614971) + Use-after-free in cubeb during stream destruction + * CVE-2020-6811 (bmo#1607742) + Devtools' 'Copy as cURL' feature did not fully escape + website-controlled data, potentially leading to command injection + * CVE-2019-20503 (bmo#1613765) + Out of bounds reads in sctp_load_addresses_from_init + * CVE-2020-6812 (bmo#1616661) + The names of AirPods with personally identifiable information + were exposed to websites with camera or microphone permission + * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636, + bmo#1614339) + Memory safety bugs fixed in Thunderbird 68.6 +- requires NSS >= 3.44.3 + +------------------------------------------------------------------- +Mon Feb 10 21:55:19 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.5.0 + New + * Support for Client Identity IMAP/SMTP Service Extension + * Support for OAuth 2.0 authentication for POP3 accounts + Fixes + * Status area goes blank during account setup + * Calendar: Could not remove color for default categories + * Calendar: Prevent calendar component loading multiple times + * Calendar: Today pane did not retain width between sessions + MFSA 2020-07 (bsc#1163368) + * CVE-2020-6793 (bmo#1608539) + Out-of-bounds read when processing certain email messages + * CVE-2020-6794 (bmo#1606619) + Setting a master password post-Thunderbird 52 does not delete + unencrypted previously stored passwords + * CVE-2020-6795 (bmo#1611105) + Crash processing S/MIME messages with multiple signatures + * CVE-2020-6797 (bmo#1596668) (Mac OSX only) + Extensions granted downloads.open permission could open arbitrary + applications on Mac OSX + * CVE-2020-6798 (bmo#1602944) + Incorrect parsing of template tag could result in JavaScript injection + * CVE-2020-6792 (bmo#1609607) + Message ID calculcation was based on uninitialized data + * CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851, + bmo#1608580,bmo#1608785,bmo#1605777) + Memory safety bugs fixed in Thunderbird 68.5 + +------------------------------------------------------------------- +Tue Jan 28 08:26:02 UTC 2020 - Stasiek Michalski + +- Use a symbolic icon from branding internals + +------------------------------------------------------------------- +Fri Jan 24 19:47:53 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.4.2 + * Calendar: Task and Event tree colours adjusted for the dark theme + * Retrieval of S/MIME certificates from LDAP failed + * Address-parsing crash on some IMAP servers when + mail.imap.use_envelope_cmd is set + * Incorrect forwarding of HTML messages caused SMTP servers to + respond with a timeout + * Calendar: Various parts of the calendar UI stopped working when + a second Thunderbird window opened + +------------------------------------------------------------------- +Fri Jan 10 13:08:55 UTC 2020 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.4.1 + * Various improvements when setting up an account for a Microsoft + Exchange server: Now offers IMAP/SMTP if available, better + detection for Office 365 accounts; re-run configuration after + password change + Fixes: + * After changing view layout, the message display pane showed + garbled content under some circumstances + * Various theme changes to achieve "pixel perfection": Unread icon, + "no results" icon, paragraph format and font selector, background + of folder summary tooltip + * Tags were lost on messages in shared IMAP folders under some + circumstances + * Calendar: Event attendee dialog was not displayed correctly + MFSA 2020-04 (bsc#1160498, bsc#1160305) + * CVE-2019-17026 (bmo#1607443) + IonMonkey type confusion with StoreElementHole and FallibleStoreElement + * CVE-2019-17015 (bmo#1599005) + Memory corruption in parent process during new content process + initialization on Windows + * CVE-2019-17016 (bmo#1599181) + Bypass of @namespace CSS sanitization during pasting + * CVE-2019-17017 (bmo#1603055) + Type Confusion in XPCVariant.cpp + * CVE-2019-17021 (bmo#1599008) + Heap address disclosure in parent process during content process + initialization on Windows + * CVE-2019-17022 (bmo#1602843) + CSS sanitization does not escape HTML tags + * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826) + Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 +- removed obsolete patch mozilla-bmo1511604.patch +- added mozilla-bmo1602730.patch to fix LE<->BE issues in the + platform (bmo#1602730) + +------------------------------------------------------------------- +Fri Dec 27 17:23:35 UTC 2019 - Wolfgang Rosenauer + +- add mozilla-bmo1583471.patch to allow building with rust 1.39 + +------------------------------------------------------------------- +Fri Dec 20 16:02:55 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.3.1 + * In dark theme unread messages no longer shown in blue to + distinguish from tagged messages + * Account setup is now using client side DNS MX lookup instead of + relying on a server + Bugfixes + * Searching LDAP address book crashed in some circumstances + * Message navigation with backward and forward buttons did not work + in some circumstances + * WebExtension toolbar icons were displayed too small + * Calendar: Tasks due today were not listed in bold + * Calendar: Last day of long-running events was not shown + +------------------------------------------------------------------- +Thu Dec 5 10:29:18 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.3.0: + * Message display toolbar action WebExtension API + * Navigation buttons are now available in content tabs, for example + those opened via an add-on search + * other bugfixes + MFSA 2019-38 + * CVE-2019-17008 (bmo#1546331) + Use-after-free in worker destruction + * CVE-2019-13722 (bmo#1580156) + Stack corruption due to incorrect number of arguments in WebRTC code + * CVE-2019-17010 (bmo#1581084) + Use-after-free when performing device orientation checks + * CVE-2019-17005 (bmo#1584170) + Buffer overflow in plain text serializer + * CVE-2019-17011 (bmo#1591334) + Use-after-free when retrieving a document in antitracking + * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209, + bmo#1580288, bmo#1585760, bmo#1592502) + Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 + * Various updates to improve performance and stability +- updated create-tar.sh to cover buildid and origin repo information +- changed locale building procedure + * removed obsolete compare-locales.tar.xz and + thunderbird-broken-locales-build.patch +- add mozilla-bmo849632.patch to fix color issues on big endian + +------------------------------------------------------------------- +Sat Nov 9 20:13:17 UTC 2019 - Andreas Stieger + +- Mozilla Thunderbird 68.2.2: + * fix age calculation in address book (bmo#1592536) + * fix column menu behavior in address book (bmo#1592393) + +------------------------------------------------------------------- +Fri Nov 1 11:16:39 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.2.1 + * A language for the user interface can now be chosen in the + advanced settings (multilingual UI) + * Fixed problem with Google authentication (OAuth2) + * Selected or unread messages were not shown in the correct color + in the thread pane (message list) under some circumstances + * When using a language pack, names of standard folders weren't + localized (boo#1149126) + * Address book default startup directory in preferences panel was + not persisted + * Chat: Extended context menu on Instant messaging status dialog + (Show Accounts) +- added mozilla-bmo1504834-part4.patch to fix some visual issues on + big endian platforms + +------------------------------------------------------------------- +Tue Oct 22 06:43:32 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.2.0 + * Message Display WebExtension API + * Message Search WebExtension API + * Better visual feedback for unread messages when using the dark theme + * Fixed various issues when editing mailing list + * Fixed application windows not maintaining their size after restart + MFSA 2019-33 (bsc#1154738) + * CVE-2019-15903 (bmo#1584907) + Heap overflow in expat library in XML_GetCurrentLineNumber + * CVE-2019-11757 (bmo#1577107) + Use-after-free when creating index updates in IndexedDB + * CVE-2019-11758 (bmo#1536227) + Potentially exploitable crash due to 360 Total Security + * CVE-2019-11759 (bmo#1577953) + Stack buffer overflow in HKDF output + * CVE-2019-11760 (bmo#1577719) + Stack buffer overflow in WebRTC networking + * CVE-2019-11761 (bmo#1561502) + Unintended access to a privileged JSONView object + * CVE-2019-11762 (bmo#1582857) + document.domain-based origin isolation has same-origin-property violation + * CVE-2019-11763 (bmo#1584216) + Incorrect HTML parsing results in XSS bypass technique + * CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223, + bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845, + bmo#1581950, bmo#1583463, bmo#1586599) + Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2 +- removed obsolete patches + mozilla-bmo1573381.patch + mozilla-bmo1512162.patch + mozilla-bmo1585099.patch + +------------------------------------------------------------------- +Thu Oct 10 14:30:09 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.1.2 + Bugfixes + * Some attachments couldn't be opened in messages originating from + MS Outlook 2016 + * Address book import from CSV + * Performance problem in message body search + * Ctrl+Enter to send a message would open an attachment if the + attachment pane had focus + * Calendar: Issues with "Today Pane" start-up + * Calendar: Glitches with custom repeat and reminder number input + * Calendar: Problems with WCAP provider +- add mozilla-bmo1585099.patch to fix build with rust >= 1.38 + +------------------------------------------------------------------- +Wed Sep 25 11:46:51 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.1.1 + Bugfixes + * Issues with attachments in IMAP messages + * Gmail accounts ignored a non-standard trash folder selection + * Entering/pasting lists of recipients into the addressing widget or + mailing list not working reliably, especially when lists contained + multiple commas or semicolons + * Edit mailing list not working + * Various theme fixes, especially dark theme improvements for Calendar + * Contrast between tag label and background not optimal + * Account Central pane always loaded at start-up + * "Config Editor" button not removed if blocked by policy + * Calendar: Free/busy information in attendees dialog not scrolled + correctly. Note: Scroll arrows still not behaving correctly + MFSA 2019-32 + * CVE-2019-11755 (bmo#1240290, boo#1152375) + Spoofing a message author via a crafted S/MIME message +- require nodejs8 instead of generic nodejs for better cross-distribution + support +- call desktop database update on install +- updated translations-other locale list +- build correct ICU for Big Endian +- remove kde.js since disabling instantApply breaks extensions and + is obsolete with the move to HTML views for preferences (boo#1151186) +- update create-tar.sh to latest revision and adjust tar_stamps +- added platform patches from Firefox 68esr + mozilla-bmo1005535.patch + mozilla-bmo1463035.patch + mozilla-bmo1504834-part1.patch + mozilla-bmo1504834-part2.patch + mozilla-bmo1504834-part3.patch + mozilla-bmo1511604.patch + mozilla-bmo1554971.patch + mozilla-bmo1573381.patch + mozilla-cubeb-noreturn.patch + mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch + mozilla-fix-aarch64-libopus.patch + mozilla-fix-top-level-asm.patch + mozilla-nestegg-big-endian.patch + mozilla-ntlm-full-path.patch + mozilla-openaes-decl.patch + mozilla-ppc-altivec_static_inline.patch + mozilla-reduce-rust-debuginfo.patch + mozilla-s390-bigendian.patch + mozilla-s390-context.patch + mozilla-bmo1512162.patch + thunderbird-broken-locales-build.patch +- removed renamed patches + fix-missing-return-warning.patch + fix-top-level-asm-issue.patch + thunderbird-locale-build.patch + +------------------------------------------------------------------- +Fri Sep 20 15:59:25 UTC 2019 - munix9@googlemail.com + +- repack the lightning xpi with all available locales (boo#939153) (lp#545778) + +------------------------------------------------------------------- +Fri Sep 20 09:49:41 UTC 2019 - Martin Liška + +- Add fix-top-level-asm-issue.patch in order to fix LTO build. +- Enable LTO on TW on x86_64. +- Use GCC. + +------------------------------------------------------------------- +Fri Sep 20 08:24:23 UTC 2019 - Bernhard Wiedemann + +- added mozilla-bmo1568145.patch to make builds reproducible (boo#1047218) + +------------------------------------------------------------------- +Tue Sep 10 07:33:52 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.1.0 + * Offer to configure Exchange accounts for Office365. A third-party + add-on is required for this account type. IMAP still exists as + alternative. + * several bugfixes + MFSA 2019-30 + * CVE-2019-11739 (bmo#1571481, boo#1150939) + Covert Content Attack on S/MIME encryption using a crafted + multipart/alternative message + * CVE-2019-11746 (bmo#1564449, boo#1149297) + Use-after-free while manipulating video + * CVE-2019-11744 (bmo#1562033, boo#1149304) + XSS by breaking out of title and textarea elements using innerHTML + * CVE-2019-11742 (bmo#1559715, boo#1149303) + Same-origin policy violation with SVG filters and canvas to steal + cross-origin images + * CVE-2019-11752 (bmo#1501152, boo#1149296) + Use-after-free while extracting a key value in IndexedDB + * CVE-2019-11743 (bmo#1560495, boo#1149298) + Cross-origin access to unload event attributes + * CVE-2019-11740 (bmo#1563133,bmo#1573160, boo#1149299) + Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox + ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9 +- removed upstreamed fix-build-after-y2038-changes-in-glibc.patch +- added thunderbird-locale-build.patch to fix locale build + +------------------------------------------------------------------- +Fri Aug 30 07:25:15 UTC 2019 - Manfred Hollstein + +- Add -L flag to the stat call for checking file size of %{SOURCE4}. +- Add fix-missing-return-warning.patch to silence a compiler warning. + +------------------------------------------------------------------- +Wed Aug 28 12:27:34 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 68.0 + * based on Firefox ESR 68 + * File link attachments can now be linked to again instead of + uploading them again + * Mark all folders of an account as read + * Run filters periodically. Improved filter logging + * OAuth2 authentication for Yandex + * Language packs can now be selected in the Advanced Options. + Preference intl.multilingual.enabled needs to be set (and possily + also extensions.langpacks.signatures.required needs to be set to false) + * Added a policy engine that allows customized Thunderbird deployments + in enterprise environments, using Windows Group Policy or a + cross-platform JSON file + * TCP keepalive for IMAP protocol + * Full Unicode support for MAPI interfaces: New support for MAPISendMailW + * Calendar: Time zone data can now include past and future changes. + All known time zone changes from 2018 to 2022 are included. + * Chat: In each conversation an individual spellcheck language can + be selected now +- removed obsolete patches + * mozilla-bmo1463035.patch + * mozilla-i586-domPrefs.patch + * mozilla-bmo1464766.patch + * mozilla-bmo1519629.patch + * mozilla-i586-DecoderDoctorLogger.patch + * mozilla-bmo1375074.patch +- added fix-build-after-y2038-changes-in-glibc.patch to fix build + in Tumbleweed (patch already upstream for next release) + +------------------------------------------------------------------- +Thu Aug 1 11:12:05 UTC 2019 - Tristan Miller + +- Update package summary, description, and AppData using more informative + and up-to-date text from the official Thunderbird FAQ, replacing obsolete + references to the Mozilla Application Suite and Thunderbird's relation to + the Mozilla organization + +------------------------------------------------------------------- +Wed Jul 10 13:47:41 UTC 2019 - Bernhard Wiedemann + +- Generate langpacks sequentially to avoid file corruption + from racy file writes (boo#1137970) + +------------------------------------------------------------------- +Mon Jul 8 10:25:24 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.8.0 + * Calendar: Problems when editing event times, some related to + AM/PM setting in non-English locales + MFSA 2019-23 (boo#1140868) + * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327) + Sandbox escape via installation of malicious languagepack + * CVE-2019-11711 (bmo#1552541) + Script injection within domain through inner window reuse + * CVE-2019-11712 (bmo#1543804) + Cross-origin POST requests can be made with NPAPI plugins by + following 308 redirects + * CVE-2019-11713 (bmo#1528481) + Use-after-free with HTTP/2 cached stream + * CVE-2019-11729 (bmo#1515342) + Empty or malformed p256-ECDH public keys may trigger a segmentation fault + * CVE-2019-11715 (bmo#1555523) + HTML parsing error can contribute to content XSS + * CVE-2019-11717 (bmo#1548306) + Caret character improperly escaped in origins + * CVE-2019-11719 (bmo#1540541) + Out-of-bounds read when importing curve25519 private key + * CVE-2019-11730 (bmo#1558299) + Same-origin policy treats all files in a directory as having the + same-origin + * CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498 + bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522) + Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 and + Thunderbird 60.8 + +------------------------------------------------------------------- +Thu Jun 20 22:15:46 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.7.2 + MFSA 2019-20 (boo#1138872) + * CVE-2019-11707 (bmo#1544386) + Type confusion in Array.pop + * CVE-2019-11708 (bmo#1559858) + sandbox escape using Prompt:Open + +------------------------------------------------------------------- +Wed Jun 12 06:23:28 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.7.1 + * fixed: No prompt for smartcard PIN when S/MIME signing is used + MFSA 2019-17 (boo#1137595) + * CVE-2019-11703 (bmo#1553820) + Heap buffer overflow in icalparser.c + * CVE-2019-11704 (bmo#1553814) + Heap buffer overflow in icalvalue.c + * CVE-2019-11705 (bmo#1553808) + Stack buffer overflow in icalrecur.c + * CVE-2019-11706 (bmo#1555646) + Type confusion in icalproperty.c + +------------------------------------------------------------------- +Sat Jun 8 16:35:04 UTC 2019 - Aaron Puchert + +- Increase disk space requirements in _constraints. + +------------------------------------------------------------------- +Fri May 24 08:53:57 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.7.0 + * Attachment pane of Write window no longer focussed when attaching + files using a keyboard shortcut + MFSA 2019-15 (boo#1135824) + * CVE-2019-9815 (bmo#1546544) + Disable hyperthreading on content JavaScript threads on macOS + * CVE-2019-9816 (bmo#1536768) + Type confusion with object groups and UnboxedObjects + * CVE-2019-9817 (bmo#1540221) + Stealing of cross-domain images using canvas + * CVE-2019-9818 (bmo#1542581) (Windows only) + Use-after-free in crash generation server + * CVE-2019-9819 (bmo#1532553) + Compartment mismatch with fetch API + * CVE-2019-9820 (bmo#1536405) + Use-after-free of ChromeEventHandler by DocShell + * CVE-2019-11691 (bmo#1542465) + Use-after-free in XMLHttpRequest + * CVE-2019-11692 (bmo#1544670) + Use-after-free removing listeners in the event listener manager + * CVE-2019-11693 (bmo#1532525) + Buffer overflow in WebGL bufferdata on Linux + * CVE-2019-7317 (bmo#1542829) + Use-after-free in png_image_free of libpng library + * CVE-2019-9797 (bmo#1528909) + Cross-origin theft of images with createImageBitmap + * CVE-2018-18511 (bmo#1526218) + Cross-origin theft of images with ImageBitmapRenderingContext + * CVE-2019-11694 (bmo#1534196) (Windows only) + Uninitialized memory memory leakage in Windows sandbox + * CVE-2019-11698 (bmo#1543191) + Theft of user history data through drag and drop of hyperlinks + to and from bookmarks + * CVE-2019-5798 (bmo#1535518) + Out-of-bounds read in Skia + * CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136, + bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108, + bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097, + bmo#1532465, bmo#1533554, bmo#1541580) + Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 + +------------------------------------------------------------------- +Wed Apr 24 17:26:44 UTC 2019 - Martin Liška + +- Disable LTO (boo#1133267). + +------------------------------------------------------------------- +Sat Mar 30 11:36:41 UTC 2019 - Manfred Hollstein + +- Add patch to fix build using rust-1.33: (boo#1130694) + * mozilla-bmo1519629.patch (bmo#1519629) + +------------------------------------------------------------------- +Mon Mar 25 12:08:23 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.6.1 + MFSA 2019-12 (bsc#1130262) + * CVE-2019-9810 (bmo#1537924) + IonMonkey MArraySlice has incorrect alias information + * CVE-2019-9813 (bmo#1538006) + Ionmonkey type confusion with __proto__ mutations + +------------------------------------------------------------------- +Wed Mar 20 15:33:14 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.6.0 + * Calendar: Can't create repeating event with end date when using + certain time zones, for example Europe/Minsk + * some minor bugfixes + * using 60.6.0esr Mozilla platform (bsc#1129821) + +------------------------------------------------------------------- +Thu Mar 7 08:28:56 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.5.3 + * fixed a regression on the Windows platform: + Problem when using "Send to > Mail recipient" on Windows + +------------------------------------------------------------------- +Sun Feb 24 19:15:06 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.5.2 + * UTF-8 support for MAPISendMail + * Problem with S/MIME certificate verification when receiving email + from Outlook (issue introduced in version 60.5.1) + +------------------------------------------------------------------- +Thu Feb 14 21:46:45 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.5.1 + * CalDav access to some servers not working + MFSA 2019-06 (bsc#1125330) + * CVE-2018-18356 bmo#1525817 + Use-after-free in Skia + * CVE-2019-5785 bmo#1525433 + Integer overflow in Skia + * CVE-2018-18335 bmo#1525815 + Buffer overflow in Skia with accelerated Canvas 2D + * CVE-2018-18509 bmo#1507218 + S/MIME signature spoofing + +------------------------------------------------------------------- +Fri Jan 25 14:40:21 UTC 2019 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.5.0: + * FileLink provider WeTransfer to upload large attachments + * Thunderbird now allows the addition of OpenSearch search engines + from a local XML file using a minimal user inferface: [+] button + to select a file an add, [-] to remove. + * More search engines: Google and DuckDuckGo available by default + in some locales + * During account creation, Thunderbird will now detect servers + using the Microsoft Exchange protocol. It will offer the + installation of a 3rd party add-on (Owl) which supports that + protocol. + * Thunderbird now compatible with other WebExtension-based + FileLink add-ons like the Dropbox add-on + MFSA 2019-03 (bsc#1122983) + * CVE-2018-18500 bmo#1510114 + Use-after-free parsing HTML5 stream + * CVE-2018-18505 bmo#1497749 + Privilege escalation through IPC channel messages + * CVE-2016-5824 bmo#1275400 + DoS (use-after-free) via a crafted ics file + * CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619 + bmo#1502871 bmo#1516738 bmo#1516514 + Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 +- requires NSS 3.36.7 +- removed obsolete patch + mozilla-no-stdcxx-check.patch +- rebased patches + +------------------------------------------------------------------- +Fri Dec 21 19:50:56 UTC 2018 - astieger@suse.com + +- Mozilla Thunderbird 60.4.0: + * New WebExtensions FileLink API to facilitate add-ons + * Fix decoding problems for messages with less common charsets + (cp932, cp936) + * New messages in the drafts folder (and other special or virtual + folders) will no longer be included in the new messages + notification + MFSA 2018-31 + * CVE-2018-17466 bmo#1488295 + Buffer overflow and out-of-bounds read in ANGLE library with + TextureStorage11 + * CVE-2018-18492 bmo#1499861 + Use-after-free with select element + * CVE-2018-18493 bmo#1504452 + Buffer overflow in accelerated 2D canvas with Skia + * CVE-2018-18494 bmo#1487964 + Same-origin policy violation using location attribute and + performance.getEntries to steal cross-origin URLs + * CVE-2018-18498 bmo#1500011 + Integer overflow when calculating buffer sizes for images + * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759 + bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471 + Memory safety bugs fixed in Firefox 64, 60.4, and Thunderbird 60.4 +- requires NSS 3.36.6 + + +------------------------------------------------------------------- +Tue Dec 4 21:04:50 UTC 2018 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.3.3 + * Thunderbird 60 will migrate security databases (key3.db, cert8.db + to key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a + fault that potentially deleted saved passwords and private certificate + keys for users using a master password. Version 60.3.3 will prevent + the loss of data; affected users who have already upgraded to version + 60.3.2 or earlier can restore the deleted key3.db file from backup + to complete the migration. + * Address book search and auto-complete slowness introduced in + Thunderbird 60.3.2 + * Plain text markup with * for bold, / for italics, _ for underline + and | for code did not work when the enclosed text contained + non-ASCII characters + * While composing a message, a link not removed when link location + was removed in the link properties panel + +------------------------------------------------------------------- +Mon Dec 3 12:57:01 UTC 2018 - astieger@suse.com + +- Fix build on openSUSE Leap 15.x w.r.t. rust-std requirement + +------------------------------------------------------------------- +Thu Nov 29 08:47:10 UTC 2018 - Wolfgang Rosenauer + +- Mozilla Thunderbird 60.3.2 + * Encoding problems when exporting address books or messages using + the system charset. Messages are now always exported using the + UTF-8 encoding + * If the "Date" header of a message was invalid, Jan 1970 or Dec 1969 + was displayed. Now using date from "Received" header instead. + * Body search/filtering didn't reliably ignore content of tags + * Inappropriate warning "Thunderbird prevented the site + (addons.thunderbird.net) from asking you to install software on + your computer" when installing add-ons + * Incorrect display of correspondents column since own email + address was not always detected + * Spurious (encoded newline) inserted into drafts and sent email + +------------------------------------------------------------------- +Thu Nov 15 16:33:49 UTC 2018 - astieger@suse.com + +- Mozilla Thunderbird 60.3.1: + * Double-clicking on a word in the Write window sometimes + launched the Advanced Property Editor or Link Properties dialog + * Fixe Cookie removal + * "Download rest of message" was not working if global inbox was + used + * Fix Encoding problems for users (especially in Poland) when a + file was sent via a folder using "Sent to > Mail recipient" + due to a problem in the Thunderbird MAPI interface + * According to RFC 4616 and RFC 5721, passwords containing + non-ASCII characters are encoded using UTF-8 which can lead to + problems with non-compliant providers, for example + office365.com. The SMTP LOGIN and POP3 USER/PASS + authentication methods are now using a Latin-1 encoding again + to work around this issue + * Fix shutdown crash/hang after entering an empty IMAP password + +------------------------------------------------------------------- +Tue Oct 30 08:18:23 UTC 2018 - wr@rosenauer.org + +- update to Thunderbird 60.3.0 + * various theme fixes + * Shift+PageUp/PageDown in Write window + * Gloda attachment filtering + * Mailing list address auto-complete enter/return handling + * Thunderbird hung if HTML signature references non-existent image + * Filters not working for headers that appear more than once +- Security fixes for the Mozilla platform picked up from 60.3 + (Firefox ESR release). In general, these flaws cannot be exploited + through email in Thunderbird because scripting is disabled when + reading mail, but are potentially risks in browser or browser-like + contexts (MFSA 2018-28) (bsc#1112852) + * CVE-2018-12391 (bmo#1478843) (Android only) + HTTP Live Stream audio data is accessible cross-origin + * CVE-2018-12392 (bmo#1492823) + Crash with nested event loops + * CVE-2018-12393 (bmo#1495011) + Integer overflow during Unicode conversion while loading JavaScript + * CVE-2018-12389 (bmo#1498460, bmo#1499198) + Memory safety bugs fixed in Firefox ESR 60.3 + * CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159, + bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803, + bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699, + bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844) + Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 + +------------------------------------------------------------------- +Thu Oct 25 14:40:14 UTC 2018 - guillaume.gardet@opensuse.org + +- Update _constraints for armv6/7 + +------------------------------------------------------------------- +Thu Oct 25 08:26:12 UTC 2018 - guillaume.gardet@opensuse.org + +- Add patch to fix build on armv7: + * mozilla-bmo1463035.patch + +------------------------------------------------------------------- +Thu Oct 25 08:25:52 UTC 2018 - guillaume.gardet@opensuse.org + +- Add memory-constraints to avoid OOM errors + +------------------------------------------------------------------- +Fri Oct 12 14:26:17 UTC 2018 - meissner@suse.com + +- provide / obsolete MozillaThunderbird-devel as this is no longer + shipped to allow migration scenarios + +------------------------------------------------------------------- +Tue Oct 2 10:08:00 UTC 2018 - wr@rosenauer.org + +- update to Thunderbird 60.2.1: + * Calendar: Default values for the first day of the week and + working days are now derived from the selected datetime + formatting locale + * Calendar: Switch to a Photon-style icon set for all platforms + * Fix multiple requests for master password when Google Mail or + Calendar OAuth2 is enabled + * Fix scrollbar of the address entry auto-complete popup + * Fix security info dialog in compose window not showing + certificate status + * Fix links in the Add-on Manager's search results and theme + browsing tabs that opened in external browser + * Fix localization not showing the localized name for the + "Drafts" and "Sent" folders for certain IMAP providers + * Fix replying to a message with an empty subject which + inserted Re: twice + * Fix spellcheck marks disappeaing erroneously for words with + an apostrophe + * Calendar: First day of the week can now be set + * Calendar: Several fixes related to cutting/deleting of events + and email schedulin + * Fix date display issues (bsc#1109379) + * Fix start-up crash due to folder name with special characters + (bsc#1107772) +- Security fixes for the Mozilla platform picked up from 60.1 and + 60.2 (Firefox ESR releases). In general, these flaws + cannot be exploited through email in Thunderbird because + scripting is disabled when reading mail, but are potentially + risks in browser or browser-like contexts (MFSA 2018-25): + * CVE-2018-12377 (bsc#1107343, bmo#1470260) + Use-after-free in refresh driver timers + * CVE-2018-12378 (bsc#1107343, bmo#1459383) + Use-after-free in IndexedDB + * CVE-2017-16541 (bsc#1066489, bmo#1412081) + Proxy bypass using automount and autofs + * CVE-2018-12376 (bmo#69309,bmo#69914,bmo#50989,bmo#80092, + bmo#80517,bmo#81093,bmo#78575,bmo#71953,bmo#73161,bmo#66991, + bmo#68738,bmo#83120,bmo#67363,bmo#72925,bmo#66577,bmo#67889, + bmo#80521,bsc#1107343) + Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 + * CVE-2018-12385 (bsc#1109363, bmo#1490585) + Crash in TransportSecurityInfo due to cached data + * CVE-2018-12383 (bsc#1107343, bmo#1475775) + Setting a master password did not delete unencrypted + previously stored passwords + +------------------------------------------------------------------- +Tue Sep 11 09:59:08 UTC 2018 - Guillaume GARDET + +- Update file list since minidump-analyzer is only available when + crashreporter is enabled + +------------------------------------------------------------------- +Sat Aug 25 18:59:41 UTC 2018 - astieger@suse.com + +- remove non-free untar licenced code from distributed tarball + +------------------------------------------------------------------- +Wed Aug 15 09:09:03 UTC 2018 - bjorn.lie@gmail.com + +- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass + conditional --disable-gconf to configure: no longer pull in + obsolete gconf2 for Tumbleweed. + +------------------------------------------------------------------- +Fri Aug 3 06:02:53 UTC 2018 - wr@rosenauer.org + +- update to Thunderbird 60.0: + https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/ + * Improved message handling and composing + * Improved handling of message templates + * Support for OAuth2 and FIDO U2F + * Various Calendar improvements + * Various fixes and changes to e-mail workflow + * Various IMAP fixes + * Native desktop notifications +- Security fixes which can not, in general, be exploited through + email, but are potential risks in browser or browser-like contexts: + MFSA 2018-19 (bsc#1098998) + * CVE-2018-12359 (bmo#1459162) + Buffer overflow using computed size of canvas element + * CVE-2018-12360 (bmo#1459693) + Use-after-free when using focus() + * CVE-2018-12361 (bmo#1463244) + Integer overflow in SwizzleData + * CVE-2018-12362 (bmo#1452375) + Integer overflow in SSSE3 scaler + * CVE-2018-5156 (bmo#1453127) + Media recorder segmentation fault when track type is changed + during capture + * CVE-2018-12363 (bmo#1464784) + Use-after-free when appending DOM nodes + * CVE-2018-12364 (bmo#1436241) + CSRF attacks through 307 redirects and NPAPI plugins + * CVE-2018-12365 (bmo#1459206) + Compromised IPC child process can list local filenames + * CVE-2018-12371 (bmo#1465686) + Integer overflow in Skia library during edge builder allocation + * CVE-2018-12366 (bmo#1464039) + Invalid data handling during QCMS transformations + * CVE-2018-12367 (bmo#1462891) + Timing attack mitigation of PerformanceNavigationTiming + * CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938, + bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568, + bmo#1463884) + Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and + Thunderbird 60 + * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739, + bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576, + bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829, + bmo#1464079,bmo#1463494,bmo#1458048) + Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox + ESR 52.9, and Thunderbird 60 +- requires NSPR 4.19 and NSS 3.36.4 +- source archives are now signed directly + (removed checksum signature check) +- imported patches from Firefox 60 + * mozilla-bmo1375074.patch + * mozilla-bmo1464766.patch + * mozilla-i586-DecoderDoctorLogger.patch + * mozilla-i586-domPrefs.patch +- removed obsolete patches + * mozilla-language.patch + * tb-ssldap.patch + * mozilla-develdirs.patch +- removed -devel subpackage as old-style extensions are mainly gone +- storing of remote content settings fixed (boo#1084603) + +------------------------------------------------------------------- +Tue Jul 10 06:29:59 UTC 2018 - wr@rosenauer.org + +- update to Thunderbird 52.9.1 + * Deleting or detaching attachments corrupted messages under certain + circumstances (bmo#1473893, bsc#1100780) + +------------------------------------------------------------------- +Mon Jul 2 12:36:32 UTC 2018 - wr@rosenauer.org + +- update to Thunderbird 52.9.0: + MFSA 2018-16 (bsc#1098998) + * CVE-2018-12359 (bmo#1459162) + Buffer overflow using computed size of canvas element + * CVE-2018-12360 (bmo#1459693) + Use-after-free when using focus() + * CVE-2018-12372 (bmo#1419417, bsc#1100082) + S/MIME and PGP decryption oracles can be built with HTML emails + * CVE-2018-12373 (bmo#1464667, bmo#1464056, bsc#1100079) + S/MIME plaintext can be leaked through HTML reply/forward + * CVE-2018-12362 (bmo#1452375) + Integer overflow in SSSE3 scaler + * CVE-2018-12363 (bmo#1464784) + Use-after-free when appending DOM nodes + * CVE-2018-12364 (bmo#1436241) + CSRF attacks through 307 redirects and NPAPI plugins + * CVE-2018-12365 (bmo#1459206) + Compromised IPC child process can list local filenames + * CVE-2018-12366 (bmo#1464039) + Invalid data handling during QCMS transformations + * CVE-2018-12374 (bmo#1462910, bsc#1100081) + Using form to exfiltrate encrypted mail part by pressing enter in form field + * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739, + bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576, + bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829, + bmo#1464079,bmo#1463494,bmo#1458048) + Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9 + * Thunderbird will now prompt to compact IMAP folders even if the + account is online + * Option for not decrypting subordinate message parts that + otherwise might reveal decryted content to the attacker. + Preference mailnews.p7m_subparts_external needs to be set to + true for added security. + * Fix various problems when forwarding messages inline when using + "simple" HTML view +- correct requires and provides handling (boo#1076907) +- reduce memory footprint with %ix86 at linking time via additional + compiler flags (boo#1091376) + +------------------------------------------------------------------- +Sun Jul 1 12:23:45 UTC 2018 - astieger@suse.com + +- Build from upstream source archive and verify source signature + (boo#1085780) + +------------------------------------------------------------------- +Sat May 19 06:16:58 UTC 2018 - wr@rosenauer.org + +- update to Thunderbird 52.8 (bsc#1092548) + MFSA 2018-13 + * CVE-2018-5183 (bmo#1454692) + Backport critical security fixes in Skia + * CVE-2018-5184 (bmo#1411592, bsc#1093152) + Full plaintext recovery in S/MIME via chosen-ciphertext attack + * CVE-2018-5154 (bmo#1443092) + Use-after-free with SVG animations and clip paths + * CVE-2018-5155 (bmo#1448774) + Use-after-free with SVG animations and text paths + * CVE-2018-5159 (bmo#1441941) + Integer overflow and out-of-bounds write in Skia + * CVE-2018-5161 (bmo#1411720) + Hang via malformed headers + * CVE-2018-5162 (bmo#1457721, bsc#1093152) + Encrypted mail leaks plaintext through src attribute + * CVE-2018-5170 (bmo#1411732) + Filename spoofing for external attachments + * CVE-2018-5168 (bmo#1449548) + Lightweight themes can be installed without user interaction + * CVE-2018-5174 (bmo#1447080) (Windows only) + Windows Defender SmartScreen UI runs with less secure behavior + for downloaded files in Windows 10 April 2018 Update + * CVE-2018-5178 (bmo#1443891) + Buffer overflow during UTF-8 to Unicode string conversion + through legacy extension + * CVE-2018-5185 (bmo#1450345) + Leaking plaintext through HTML forms + * CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705, + bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415, + bmo#1426129) + Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8 and + Thunderbird 52.8 + +------------------------------------------------------------------- +Wed Mar 28 01:31:17 CEST 2018 - ro@suse.de + +- Exclude bigendian archs for now, have not built + since version 45.8.0 + ExcludeArch: ppc ppc64 s390 s390x + +------------------------------------------------------------------- +Fri Mar 23 09:39:40 UTC 2018 - wr@rosenauer.org + +- update to Thunderbird 52.7 + * Searching message bodies of messages in local folders, including + filter and quick filter operations, did not find content in + message attachments + * Better error handling for Yahoo accounts +- The following security fixes are included as part of the mozilla + platform. In general, these flaws cannot be exploited through + email in the Thunderbird product because scripting is disabled + when reading mail, but are potentially risks in browser or + browser-like contexts (MFSA 2018-09, bsc#1085130, bsc#1085671): + * CVE-2018-5127 (bmo#1430557) + Buffer overflow manipulating SVG animatedPathSegList + * CVE-2018-5129 (bmo#1428947) + Out-of-bounds write with malformed IPC messages + * CVE-2018-5144 (bmo#1440926) + Integer overflow during Unicode conversion + * CVE-2018-5146 (bmo#1446062) + Out of bounds memory write in libvorbis + * CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450, + bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087, + bmo#1443865,bmo#1425520) + Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7, and + Thunderbird 52.7 + * CVE-2018-5145 (bmo#1261175,bmo#1348955) + Memory safety bugs fixed in Firefox ESR 52.7 and Thunderbird + 52.7 + +------------------------------------------------------------------- +Wed Jan 24 11:40:38 UTC 2018 - wr@rosenauer.org + +- update to Thunderbird 52.6 (bsc#1077291) + * Searching message bodies of messages in local folders, including + filter and quick filter operations, not working reliably: Content + not found in base64-encode message parts, non-ASCII text not found + and false positives found. + * Defective messages (without at least one expected header) not shown + in IMAP folders but shown on mobile devices + * Calendar: Unintended task deletion if numlock is enabled + * Mozilla platform security fixes + MFSA 2018-04 + * CVE-2018-5095 (bmo#1418447) + Integer overflow in Skia library during edge builder allocation + * CVE-2018-5096 (bmo#1418922) + Use-after-free while editing form elements + * CVE-2018-5097 (bmo#1387427) + Use-after-free when source document is manipulated during XSLT + * CVE-2018-5098 (bmo#1399400) + Use-after-free while manipulating form input elements + * CVE-2018-5099 (bmo#1416878) + Use-after-free with widget listener + * CVE-2018-5102 (bmo#1419363) + Use-after-free in HTML media elements + * CVE-2018-5103 (bmo#1423159) + Use-after-free during mouse event handling + * CVE-2018-5104 (bmo#1425000) + Use-after-free during font face manipulation + * CVE-2018-5117 (bmo#1395508) + URL spoofing with right-to-left text aligned left-to-right + * CVE-2018-5089 + Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6 +- dropped obsolete mozilla-ucontext.patch + +------------------------------------------------------------------- +Sat Dec 23 18:36:42 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 52.5.2 + * This releases fixes the "Mailsploit" vulnerability and other + vulnerabilities detected by the "Cure53" audit + MFSA 2017-30 + * CVE-2017-7845 (bmo#1402372) + Buffer overflow when drawing and validating elements with ANGLE + library using Direct 3D 9 + * CVE-2017-7846 (bmo#1411716, bsc#1074043) + JavaScript Execution via RSS in mailbox:// origin + * CVE-2017-7847 (bmo#1411708, bsc#1074044) + Local path string can be leaked from RSS feed + * CVE-2017-7848 (bmo#1411699, bsc#1074045) + RSS Feed vulnerable to new line Injection + * CVE-2017-7829 (bmo#1423432, bsc#1074046) + Mailsploit part 1: From address with encoded null character is + cut off in message header display + +------------------------------------------------------------------- +Fri Dec 8 15:53:30 UTC 2017 - dimstar@opensuse.org + +- Explicitly buildrequires python2-xml: The build system relies on + it. We wrongly relied on other packages pulling it in for us. + +------------------------------------------------------------------- +Thu Dec 7 11:13:41 UTC 2017 - dimstar@opensuse.org + +- Escape the usage of %{VERSION} when calling out to rpm. + RPM 4.14 has %{VERSION} defined as 'the main packages version'. + +------------------------------------------------------------------- +Wed Nov 22 10:02:35 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 52.5.0 (bsc#1068101) + * Better support for Charter/Spectrum IMAP: Thunderbird will now + detect Charter's IMAP service and send an additional IMAP select + command to the server. Check the various preferences ending in + "force_select" to see whether auto-detection has discovered this case. + * In search folders spanning multiple base folders clicking on a + message sometimes marked another message as read + * IMAP alerts have been corrected and now show the correct server + name in case of connection problems + * POP alerts have been corrected and now indicate connection problems + in case the configured POP server cannot be found + MFSA 2017-26 + * CVE-2017-7828 (bmo#1406750. bmo#1412252) + Use-after-free of PressShell while restyling layout + * CVE-2017-7830 (bmo#1408990) + Cross-origin URL information leak through Resource Timing API + * CVE-2017-7826 + Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5 + +------------------------------------------------------------------- +Fri Nov 10 22:12:18 UTC 2017 - zaitor@opensuse.org + +- Drop obsolete libgnomeui-devel BuildRequires: No longer needed. +- Add explicit pkgconfig(gconf-2.0), pkgconfig(gobject-2.0), + pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0), + pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and + pkgconfig(gdk-x11-2.0) BuildRequires: Previously pulled in by + libgnomeui-devel, and is what configure really checks for. + +------------------------------------------------------------------- +Wed Oct 4 09:18:39 UTC 2017 - astieger@suse.com + +- Mozilla Thunderbird 52.4.0 (bsc#1060445) + * new behavior was introduced for replies to mailing list posts: + "When replying to a mailing list, reply will be sent to address + in From header ignoring Reply-to header". A new preference + mail.override_list_reply_to allows to restore the previous behavior. + * Under certain circumstances (image attachment and non-image + attachment), attached images were shown truncated in messages + stored in IMAP folders not synchronised for offline use. + * IMAP UIDs > 0x7FFFFFFF now handled properly + Security fixes from Gecko 52.4esr + * CVE-2017-7793 (bmo#1371889) + Use-after-free with Fetch API + * CVE-2017-7818 (bmo#1363723) + Use-after-free during ARIA array manipulation + * CVE-2017-7819 (bmo#1380292) + Use-after-free while resizing images in design mode + * CVE-2017-7824 (bmo#1398381) + Buffer overflow when drawing and validating elements with ANGLE + * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement) + Use-after-free in TLS 1.2 generating handshake hashes + * CVE-2017-7814 (bmo#1376036) + Blob and data URLs bypass phishing and malware protection warnings + * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) + OS X fonts render some Tibetan and Arabic unicode characters as spaces + * CVE-2017-7823 (bmo#1396320) + CSP sandbox directive did not create a unique origin + * CVE-2017-7810 + Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4 + +------------------------------------------------------------------- +Thu Sep 28 07:56:22 UTC 2017 - dimstar@opensuse.org + +- Add alsa-devel BuildRequires: we care for ALSA support to be + built and thus need to ensure we get the dependencies in place. + In the past, alsa-devel was pulled in by accident: we + buildrequire libgnome-devel. This required esound-devel and that + in turn pulled in alsa-devel for us. libgnome is being fixed to + no longer require esound-devel. + +------------------------------------------------------------------- +Tue Aug 15 12:48:43 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 52.3 (boo#1052829) + Fixed issues: + * Unwanted inline images shown in rogue SPAM messages + * Deleting message from the POP3 server not working when maildir + storage was used + * Message disposition flag (replied / forwarded) lost when reply or + forwarded message was stored as draft and draft was sent later + * Inline images not scaled to fit when printing + * Selected text from another message sometimes included in a reply + * No authorisation prompt displayed when inserting image into email + body although image URL requires authentication + * Large attachments taking a long time to open under some circumstances + security + Security fixes from Gecko 52.3esr + * CVE-2017-7798 (bmo#1371586, bmo#1372112) + XUL injection in the style editor in devtools + * CVE-2017-7800 (bmo#1374047) + Use-after-free in WebSockets during disconnection + * CVE-2017-7801 (bmo#1371259) + Use-after-free with marquee during window resizing + * CVE-2017-7784 (bmo#1376087) + Use-after-free with image observers + * CVE-2017-7802 (bmo#1378147) + Use-after-free resizing image elements + * CVE-2017-7785 (bmo#1356985) + Buffer overflow manipulating ARIA attributes in DOM + * CVE-2017-7786 (bmo#1365189) + Buffer overflow while painting non-displayable SVG + * CVE-2017-7753 (bmo#1353312) + Out-of-bounds read with cached style data and pseudo-elements# + * CVE-2017-7787 (bmo#1322896) + Same-origin policy bypass with iframes through page reloads + * CVE-2017-7807 (bmo#1376459) + Domain hijacking through AppCache fallback + * CVE-2017-7792 (bmo#1368652) + Buffer overflow viewing certificates with an extremely long OID + * CVE-2017-7804 (bmo#1372849) + Memory protection bypass through WindowsDllDetourPatcher + * CVE-2017-7791 (bmo#1365875) + Spoofing following page navigation with data: protocol and modal alerts + * CVE-2017-7782 (bmo#1344034) + WindowsDllDetourPatcher allocates memory without DEP protections + * CVE-2017-7803 (bmo#1377426) + CSP containing 'sandbox' improperly applied + * CVE-2017-7779 + Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 + +------------------------------------------------------------------- +Wed Aug 9 09:47:39 UTC 2017 - schwab@suse.de + +- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext + +------------------------------------------------------------------- +Wed Jun 28 13:57:13 UTC 2017 - guillaume@opensuse.org + +- mozilla-disable-neon-option.patch has been dropped silently, so + remove the --disable-neon option as it is not available anymore. + +------------------------------------------------------------------- +Sun Jun 25 06:55:13 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 52.2.1 + * Problems with Gmail fixed (folders not showing, repeated email + download, etc.) introduced in version 52.2.0. (boo#1045895) + +------------------------------------------------------------------- +Wed Jun 14 11:34:58 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 52.2 (boo#1043960) + * Embedded images not shown in email received from Hotmail/Outlook + webmailer + * Detection of non-ASCII font names in font selector + * Attachment not forwarded correctly under certain circumstances + * Multiple requests for master password when GMail OAuth2 is enabled + * Large number of blank pages being printed under certain + circumstances when invalid preferences were present + * Messages sent via the Simple MAPI interface are forced to HTML + * Calendar: Invitations can't be printed + * Mailing list (group) not accessible from macOS or Outlook address book + * Clicking on links with references/anchors where target doesn't + exist in the message not opening in external browser + MFSA 2017-17 + * CVE-2017-5472 (bmo#1365602) + Use-after-free using destroyed node when regenerating trees + * CVE-2017-7749 (bmo#1355039) + Use-after-free during docshell reloading + * CVE-2017-7750 (bmo#1356558) + Use-after-free with track elements + * CVE-2017-7751 (bmo#1363396) + Use-after-free with content viewer listeners + * CVE-2017-7752 (bmo#1359547) + Use-after-free with IME input + * CVE-2017-7754 (bmo#1357090) + Out-of-bounds read in WebGL with ImageInfo object + * CVE-2017-7756 (bmo#1366595) + Use-after-free and use-after-scope logging XHR header errors + * CVE-2017-7757 (bmo#1356824) + Use-after-free in IndexedDB + * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, + CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, + CVE-2017-7777 + Vulnerabilities in the Graphite 2 library + * CVE-2017-7758 (bmo#1368490) + Out-of-bounds read in Opus encoder + * CVE-2017-7763 (bmo#1360309) + Mac fonts render some unicode characters as spaces (MacOS only) + * CVE-2017-7764 (bmo#1364283) + Domain spoofing with combination of Canadian Syllabics and other + unicode blocks + * CVE-2017-7765 (bmo#1273265) + Mark of the Web bypass when saving executable files (Windows only) + * CVE-2017-5470 + Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2 +- requires NSS 3.28.5 + +------------------------------------------------------------------- +Sun Jun 4 07:31:01 UTC 2017 - wr@rosenauer.org + +- remove legacy -Os optimization breaking gcc7/i586 (boo#1042090) + +------------------------------------------------------------------- +Thu Jun 1 06:09:23 UTC 2017 - wr@rosenauer.org + +- explicitely optimize with -O2 for openSUSE > 13.2/Leap 42 to work + with gcc7 (boo#1040105, boo#1042090) + +------------------------------------------------------------------- +Thu May 11 21:16:41 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 52.1.1 + * fixed crash when compacting IMAP folder (boo#1038753) + * Some attachments could not be opened or saved if the message + body is empty + * Unable to load full message via POP if message was downloaded + partially (or only headers) before + * Large attachments may not be shown or saved correctly if the + message is stored in an IMAP folder which is not synchronized + for offline use + +------------------------------------------------------------------- +Mon May 1 08:52:52 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 52.1.0 + * Background images not working and other issues related to + embedded images when composing email have been fixed + * Google Oauth setup can sometimes not progress to the next step + * requires NSS >= 3.28.4 +- security fixes (boo#1035082), MFSA 2017-13 + * CVE-2017-5443 (bmo#1342661) + Out-of-bounds write during BinHex decoding + * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, + bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) + Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and + Firefox ESR 52.1 + * CVE-2017-5464 (bmo#1347075) + Memory corruption with accessibility and DOM manipulation + * CVE-2017-5465 (bmo#1347617) + Out-of-bounds read in ConvolvePixel + * CVE-2017-5466 (bmo#1353975) + Origin confusion when reloading isolated data:text/html URL + * CVE-2017-5467 (bmo#1347262) + Memory corruption when drawing Skia content + * CVE-2017-5460 (bmo#1343642) + Use-after-free in frame selection + * CVE-2017-5461 (bmo#1344380) + Out-of-bounds write in Base64 encoding in NSS + * CVE-2017-5449 (bmo#1340127) + Crash during bidirectional unicode manipulation with animation + * CVE-2017-5446 (bmo#1343505) + Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data + * CVE-2017-5447 (bmo#1343552) + Out-of-bounds read during glyph processing + * CVE-2017-5444 (bmo#1344461) + Buffer overflow while parsing application/http-index-format content + * CVE-2017-5445 (bmo#1344467) + Uninitialized values used while parsing application/http-index-format + content + * CVE-2017-5442 (bmo#1347979) + Use-after-free during style changes + * CVE-2017-5469 (bmo#1292534) + Potential Buffer overflow in flex-generated code + * CVE-2017-5440 (bmo#1336832) + Use-after-free in txExecutionState destructor during XSLT processing + * CVE-2017-5441 (bmo#1343795) + Use-after-free with selection during scroll events + * CVE-2017-5439 (bmo#1336830) + Use-after-free in nsTArray Length() during XSLT processing + * CVE-2017-5438 (bmo#1336828) + Use-after-free in nsAutoPtr during XSLT processing + * CVE-2017-5437 (bmo#1343453) + Vulnerabilities in Libevent library + * CVE-2017-5436 (bmo#1345461) + Out-of-bounds write with malicious font in Graphite 2 + * CVE-2017-5435 (bmo#1350683) + Use-after-free during transaction processing in the editor + * CVE-2017-5434 (bmo#1349946) + Use-after-free during focus handling + * CVE-2017-5433 (bmo#1347168) + Use-after-free in SMIL animation functions + * CVE-2017-5432 (bmo#1346654) + Use-after-free in text input selection + * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, + bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140, + bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476) + Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 + * CVE-2017-5459 (bmo#1333858) + Buffer overflow in WebGL + * CVE-2017-5462 (bmo#1345089) + DRBG flaw in NSS + * CVE-2017-5454 (bmo#1349276) + Sandbox escape allowing file system read access through file + picker + * CVE-2017-5451 (bmo#1273537) + Addressbar spoofing with onblur event + +------------------------------------------------------------------- +Mon Apr 17 12:43:48 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 52.0.1 + * Clicking on a link in an email may not open this link in the + external browser + * addon blocklist updates +- enable ALSA for systems w/o PA +- require libffi explicitely to fix PPC64LE build where a system + library is required + +------------------------------------------------------------------- +Sat Mar 18 21:06:01 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 52.0 + * Optionally remove corresponding data files when removing an account + * Possibility to copy message filter + * Calendar: Event can now be created and edited in a tab + * Calendar: Processing of received invitation counter proposals + * Chat: Support Twitter Direct Messages + * Chat: Liking and favoriting in Twitter + * Chat: Removed Yahoo! Messenger support + * serveral bugfixes +- security fixes (bsc#1028391, MFSA 2017-09): + In general, these flaws cannot be exploited through email because + scripting is disabled when reading mail, but are potentially + risks in browser or browser-like contexts. + * CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) + * CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) + * CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) + * CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) + * CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) + * CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) + * CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622) + * CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687) + * CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711) + * CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) + * CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504) + * CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370) + * CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) + * CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361) + * CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876) + * CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243) + * CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) + * CVE-2017-5421: Print preview spoofing (bmo#1301876) + * CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) + * CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52 + * CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8 +- removed obsolete patches + * mozilla-aarch64-48bit-va.patch + * mozilla-binutils-visibility.patch + * mozilla-flex_buffer_overrun.patch + * mozilla-gcc6.patch +- added generic mozilla patches + * mozilla-aarch64-startup-crash.patch +- require newer versions of NSPR and NSS +- use Gtk3 for Tumbleweed + +------------------------------------------------------------------- +Tue Mar 7 15:08:23 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 45.8.0 (boo#1028391) + * MFSA 2017-07 + CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP + (bmo#1334933) + CVE-2017-5401: Memory Corruption when handling ErrorResult + (bmo#1328861) + CVE-2017-5402: Use-after-free working with events in FontFace + objects (bmo#1334876) + CVE-2017-5404: Use-after-free working with ranges in selections + (bmo#1340138) + CVE-2017-5407: Pixel and history stealing via floating-point + timing side channel with SVG filters (bmo#1336622) + CVE-2017-5410: Memory corruption during JavaScript garbage + collection incremental sweeping (bmo#1330687) + CVE-2017-5408: Cross-origin reading of video captions in violation + of CORS (bmo#1313711) + CVE-2017-5405: FTP response codes can cause use of + uninitialized values for ports (bmo#1336699) + CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and + Firefox ESR 45.8 + +------------------------------------------------------------------- +Thu Feb 9 07:49:54 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 45.7.1 + * fixed Crash when viewing certain IMAP messages (introduced in 45.7.0) + +------------------------------------------------------------------- +Tue Jan 24 20:43:57 UTC 2017 - wr@rosenauer.org + +- update to Thunderbird 45.7.0 + * Message preview pane non-functional after IMAP folder was renamed + or moved + * "Move To" button on "Search Messages" panel not working + * Message sent to "undisclosed recipients" shows no recipient + (non-functional since Thunderbird version 38) + * Security updates from MFSA 2017-03 (Gecko 45.7.0) boo#1021991. + In general, these flaws cannot be exploited through email in + Thunderbird because scripting is disabled when reading mail, + but are potentially risks in browser or browser-like contexts: + CVE-2017-5375: Excessive JIT code allocation allows bypass of + ASLR and DEP (bmo#1325200, boo#1021814) + CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) + CVE-2017-5378: Pointer and frame data leakage of Javascript objects + (bmo#1312001, bmo#1330769, boo#1021818) + CVE-2017-5380: Potential use-after-free during DOM manipulations + (bmo#1322107, boo#1021819) + CVE-2017-5390: Insecure communication methods in Developer Tools + JSON viewer (bmo#1297361, boo#1021820) + CVE-2017-5396: Use-after-free with Media Decoder + (bmo#1329403, boo#1021821) + CVE-2017-5383: Location bar spoofing with unicode characters + (bmo#1323338, bmo#1324716, boo#1021822) + CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7 + (boo#1021824) + +------------------------------------------------------------------- +Thu Dec 29 08:33:21 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 45.6.0 (boo#1015422) + * The system integration dialog was shown every time when starting + Thunderbird + * MFSA 2016-96 + CVE-2016-9899: Use-after-free while manipulating DOM events and + audio elements (bmo#1317409) + CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272) + CVE-2016-9897: Memory corruption in libGLES (bmo#1301381) + CVE-2016-9898: Use-after-free in Editor while manipulating DOM + subtrees (bmo#1314442) + CVE-2016-9900: Restricted external resources can be loaded by + SVG images through data URLs (bmo#1319122) + CVE-2016-9904: Cross-origin information leak in shared atoms + (bmo#1317936) + CVE-2016-9905: Crash in EnumerateSubDocuments (bmo#1293985) + CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6 + +------------------------------------------------------------------- +Thu Dec 1 09:58:57 UTC 2016 - astieger@suse.com + +- Mozilla Thunderbird 45.5.1: + * CVE-2016-9079: SVG Animation Remote Code Execution + (MFSA 2016-92, bsc#1012964, bmo#1321066) + +------------------------------------------------------------------- +Sat Nov 19 14:20:05 UTC 2016 - astieger@suse.com + +- Mozilla Thunderbird 45.5.0 (boo#1009026) + * Fixes for security flaws that cannot be exploited through email + because scripting is disabled when reading mail, but are + potentially risks in browser or browser-like contexts: + CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 + (bsc#1010411) + CVE-2016-5297: Incorrect argument length checking in Javascript + (bsc#1010401) + CVE-2016-9066: Integer overflow leading to a buffer overflow in + nsScriptLoadHandler (bsc#1010404) + CVE-2016-5291: Same-origin policy violation using local HTML file + and saved shortcut file (bsc#1010410) + CVE-2016-5290: Memory safety bugs fixed in Thunderbird ESR 45.5 + (bsc#1010427) +- Changed behavior: + * Changed recipient address entry: Arrow-keys now copy the pop-up + value to the input field. Mouse-hovered pop-up value can no + longer be confirmed with tab or enter key. This restores the + behavior of Thunderbird 24. + * Support changes to character limit in Twitter +- Bugs fixed: + * Reply with selected text containing quote resulted in wrong + quoting level indication + * Email invitation might not be displayed when description + contains non-ASCII characters + * Attempting to sort messages on the Date field whilst a quick + filter is applied got stuck on sort descending + * Mail address display at header pane displayed incorrectly if + the address contains UTF-8 according to RFC 6532 + +------------------------------------------------------------------- +Sat Oct 1 07:12:08 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 45.4.0 (boo#999701) + * Display name was truncated if no separating space before email + address. + * Recipient addresses were shown in wrong color in some circumstances. + * Additional spaces were inserted when drafts were edited. + * Mail saved as template copied In-Reply-To and References from + original email. + * Threading broken when editing message draft, due to loss of Message-ID + * "Apply columns to..." did not honor special folders + +------------------------------------------------------------------- +Tue Aug 30 06:55:14 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 45.3.0 (boo#991809) + * Disposition-Notification-To could not be used in + mail.compose.other.header + * "edit as new message" on a received message pre-filled the sender + as the composing identity. + * Certain messages caused corruption of the drafts summary database. + security fixes: + * MFSA 2016-62/CVE-2016-2836 + Miscellaneous memory safety hazards + * MFSA 2016-63/CVE-2016-2830 (bmo#1255270) + Favicon network connection can persist when page is closed + * MFSA 2016-64/CVE-2016-2838 (bmo#1279814) + Buffer overflow rendering SVG with bidirectional content + * MFSA 2016-65/CVE-2016-2839 (bmo#1275339) + Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 + * MFSA 2016-67/CVE-2016-5252 (bmo#1268854) + Stack underflow during 2D graphics rendering + * MFSA 2016-70/CVE-2016-5254 (bmo#1266963) + Use-after-free when using alt key and toplevel menus + * MFSA 2016-72/CVE-2016-5258 (bmo#1279146) + Use-after-free in DTLS during WebRTC session shutdown + * MFSA 2016-73/CVE-2016-5259 (bmo#1282992) + Use-after-free in service workers with nested sync events + * MFSA 2016-76/CVE-2016-5262 (bmo#1277475) + Scripts on marquee tag can execute in sandboxed iframes + * MFSA 2016-77/CVE-2016-2837 (bmo#1274637) + Buffer overflow in ClearKey Content Decryption Module (CDM) + during video playback + * MFSA 2016-78/CVE-2016-5263 (bmo#1276897) + Type confusion in display transformation + * MFSA 2016-79/CVE-2016-5264 (bmo#1286183) + Use-after-free when applying SVG effects + * MFSA 2016-80/CVE-2016-5265 (bmo#1278013) + Same-origin policy violation using local HTML file and saved shortcut file + +------------------------------------------------------------------- +Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com + +- Fix for possible buffer overrun (bsc#990856) + CVE-2016-6354 (bmo#1292534) + [mozilla-flex_buffer_overrun.patch] + +------------------------------------------------------------------- +Thu Jul 21 11:50:27 UTC 2016 - mailaender@opensuse.org + +- add a screenshot to appdata.xml + +------------------------------------------------------------------- +Thu Jun 30 09:18:14 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 45.2 (boo#983549) + Security fixes: + * CVE-2016-2818, CVE-2016-2815: Memory safety bugs (MFSA2016-49) +- drop mozilla-flexible-array-member-in-union.patch, upstream + +------------------------------------------------------------------- +Fri Jun 24 14:10:58 UTC 2016 - wr@rosenauer.org + +- mozilla-binutils-visibility.patch to fix build issues with + gcc/binutils combination used in Leap 42.2 (boo#984637) + +------------------------------------------------------------------- +Thu Jun 23 10:15:51 UTC 2016 - wr@rosenauer.org + +- build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6 + as long as underlying issues have been addressed upstream + (boo#986162) + +------------------------------------------------------------------- +Mon Jun 13 20:28:01 UTC 2016 - agraf@suse.com + +- Fix running on 48bit va aarch64 (bsc#984126) + - Add patch mozilla-aarch64-48bit-va.patch + +------------------------------------------------------------------- +Fri May 27 12:51:23 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 45.1.1 + * When entering members into a mailing list, the enter key + dismissed the panel instead of just moving onto the next line + * Email without HTML elements was sent as HTML, despite + "Delivery Format: Auto-detect" option + * Options applied to a template were lost when the template was used + * Contacts could not be deleted when they were found through a search + * Views from global searches did not respect + "mail.threadpane.use_correspondents" + +------------------------------------------------------------------- +Wed May 25 18:20:24 UTC 2016 - badshah400@gmail.com + +- The conditional testing for gcc was failing for different + openSUSE versions, drop it and apply patches unconditionally. + +------------------------------------------------------------------- +Tue May 24 18:28:31 UTC 2016 - badshah400@gmail.com + +- Add patches to fix building with gcc >= 6: + + mozilla-gcc6.patch: patch taken from fedora's git and is + essentially identical to upstream firefox patch: + https://hg.mozilla.org/mozilla-central/rev/55212130f19d. + + mozilla-flexible-array-member-in-union.patch: patch taken + from upstream bmo#1272649. + +------------------------------------------------------------------- +Thu May 12 15:21:45 UTC 2016 - dimstar@opensuse.org + +- Copy the icons to /usr/share/icons instead of symlinking them: + in preparation for containerized apps (e.g. xdg-app) as well as + AppStream metadata extraction, there are a couple locations that + need to be real files for system integration (.desktop files, + icons, mime-type info). + +------------------------------------------------------------------- +Sat May 7 22:19:09 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 45.1.0 (boo#977333) + * MFSA 2016-39/CVE-2016-2806/CVE-2016-2807 (boo#977375, boo#977376) + Miscellaneous memory safety hazards + +------------------------------------------------------------------- +Wed Apr 27 04:26:56 UTC 2016 - badshah400@gmail.com + +- For openSUSE > 13.2, the build fails for i586 as it goes out of + memory. Prevent this from happening by disabing parallel build + in this particular case (i.e. do not pass + mk_add_options MOZ_MAKE_FLAGS%{?jobs:-j%jobs}). + +------------------------------------------------------------------- +Sat Apr 16 08:11:14 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 45.0 (boo#969894) + * Add a Correspondents column combining Sender and Recipient + * Much better support for XMPP chatrooms and commands + * Remote content exceptions: Improved options to add exceptions + * Implement option to always use HTML formatting to prevent + unexpected format loss when converting messages to plain text + * Use OpenStreetmap for maps (even allow the user to choose from + list of map services) + * Allow spell checking and dictionary selection in the subject line + * Allow editing of From when composing a message + * Add dropdown in compose to allow specific setting of font size + * Return/Enter in composer will now insert a new paragraph by + default (shift-Enter will insert a line break) + * Allow copying of name and email address from the message header + of an email + * Mail.ru supports OAuth authentication + * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 + Miscellaneous memory safety hazards + * MFSA 2016-17/CVE-2016-1954 (bmo#1243178) + Local file overwriting and potential privilege escalation through + CSP reports + * MFSA 2016-18/CVE-2016-1955 (bmo#1208946) + CSP reports fail to strip location information for embedded iframe pages + * MFSA 2016-19/CVE-2016-1956 (bmo#1199923) + Linux video memory DOS with Intel drivers + * MFSA 2016-20/CVE-2016-1957 (bmo#1227052) + Memory leak in libstagefright when deleting an array during MP4 + processing + * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) + Use-after-free in HTML5 string parser + * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) + Use-after-free in SetBody + * MFSA 2016-27/CVE-2016-1964 (bmo#1243335) + Use-after-free during XML transformations + * MFSA 2016-34/CVE-2016-1974 (bmo#1228103) + Out-of-bounds read in HTML parser following a failed allocation + * MFSA 2016-35/CVE-2016-1950 (bmo#1245528) + Buffer overflow during ASN.1 decoding in NSS + (fixed by requiring 3.21.1) + * MFSA 2016-36/CVE-2016-1979 (bmo#1185033) + Use-after-free during processing of DER encoded keys in NSS + (fixed by requiring 3.21.1) + * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/ + CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/ + CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/ + CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 + Font vulnerabilities in the Graphite 2 library +- remove obsolete patches: + * mozilla-arm-disable-edsp.patch + * mozilla-icu-strncat.patch + * mozilla-arm64-libjpeg-turbo.patch +- added required mozilla platform patches: + * mozilla-no-stdcxx-check.patch + +------------------------------------------------------------------- +Wed Apr 6 21:54:09 UTC 2016 - astieger@suse.com + +- update to Thunderbird 38.7.2 + * disable Graphite font shaping library (same upstream changelog + as 38.7.1) + +------------------------------------------------------------------- +Fri Mar 25 09:40:09 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 38.7.1 + * disabled Graphite font shaping library + +------------------------------------------------------------------- +Fri Mar 11 12:57:25 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 38.7.0 (boo#969894) + * MFSA 2015-81/CVE-2015-4477 (bmo#1179484) + Use-after-free in MediaStream playback + * MFSA 2015-136/CVE-2015-7207 (bmo#1185256) + Same-origin policy violation using performance.getEntries and + history navigation + * MFSA 2016-16/CVE-2016-1952 + Miscellaneous memory safety hazards + * MFSA 2016-17/CVE-2016-1954 (bmo#1243178) + Local file overwriting and potential privilege escalation through + CSP reports + * MFSA 2016-20/CVE-2016-1957 (bmo#1227052) + Memory leak in libstagefright when deleting an array during MP4 + processing + * MFSA 2016-21/CVE-2016-1958 (bmo#1228754) + Displayed page address can be overridden + * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) + Use-after-free in HTML5 string parser + * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) + Use-after-free in SetBody + * MFSA 2016-25/CVE-2016-1962 (bmo#1240760) + Use-after-free when using multiple WebRTC data channels + * MFSA 2016-27/CVE-2016-1964 (bmo#1243335) + Use-after-free during XML transformations + * MFSA 2016-28/CVE-2016-1965 (bmo#1245264) + Addressbar spoofing though history navigation and Location protocol + property + * MFSA 2016-31/CVE-2016-1966 (bmo#1246054) + Memory corruption with malicious NPAPI plugin + * MFSA 2016-34/CVE-2016-1974 (bmo#1228103) + Out-of-bounds read in HTML parser following a failed allocation + * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/ + CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/ + CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/ + CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 + Font vulnerabilities in the Graphite 2 library + +------------------------------------------------------------------- +Fri Feb 26 15:45:19 UTC 2016 - astieger@suse.com + +- adjust _constraints to current peak build memory and disk usage + +------------------------------------------------------------------- +Sat Feb 13 08:32:09 UTC 2016 - wr@rosenauer.org + +- update to Thunderbird 38.6.0 (boo#963520) + * Filters ran on a different folder than selected + * MFSA 2016-01/CVE-2016-1930 + Miscellaneous memory safety hazards + * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) + Buffer overflow in WebGL after out of memory allocation + +------------------------------------------------------------------- +Mon Jan 25 10:39:23 UTC 2016 - olaf@aepfle.de + +- Using -g for CFLAGS is controlled via project settings, it should + not be enforced by the mozilla buildsystem. + +------------------------------------------------------------------- +Mon Jan 18 07:32:51 UTC 2016 - olaf@aepfle.de + +- Add build conditionals for valgrind and -Os +- Convert existing conditions for kde to bcond + +------------------------------------------------------------------- +Tue Dec 29 20:30:59 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 38.5.1 + * requires NSS 3.20.2 to fix + MFSA 2015-150/CVE-2015-7575 (bmo#1158489) + MD5 signatures accepted within TLS 1.2 ServerKeyExchange in + server signature +- explicitely require libXcomposite-devel + +------------------------------------------------------------------- +Wed Dec 23 10:13:38 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 38.5.0 (bnc#959277) + * MFSA 2015-134/CVE-2015-7201 + Miscellaneous memory safety hazards + * MFSA 2015-138/CVE-2015-7210 (bmo#1218326) + Use-after-free in WebRTC when datachannel is used after being + destroyed + * MFSA 2015-139/CVE-2015-7212 (bmo#1222809) + Integer overflow allocating extremely large textures + * MFSA 2015-145/CVE-2015-7205 (bmo#1220493) + Underflow through code inspection + * MFSA 2015-146/CVE-2015-7213 (bmo#1206211) + Integer overflow in MP4 playback in 64-bit versions + * MFSA 2015-147/CVE-2015-7222 (bmo#1216748) + Integer underflow and buffer overflow processing MP4 metadata in + libstagefright + * MFSA 2015-149/CVE-2015-7214 (bmo#1228950) + Cross-site reading attack through data and view-source URIs + +------------------------------------------------------------------- +Tue Nov 17 07:58:43 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 38.4.0 (bnc#952810) + * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514 + Miscellaneous memory safety hazards + * MFSA 2015-122/CVE-2015-7188 (bmo#1199430) + Trailing whitespace in IP address hostnames can bypass same-origin policy + * MFSA 2015-123/CVE-2015-7189 (bmo#1205900) + Buffer overflow during image interactions in canvas + * MFSA 2015-127/CVE-2015-7193 (bmo#1210302) + CORS preflight is bypassed when non-standard Content-Type headers + are received + * MFSA 2015-128/CVE-2015-7194 (bmo#1211262) + Memory corruption in libjar through zip files + * MFSA 2015-130/CVE-2015-7196 (bmo#1140616) + JavaScript garbage collection crash with Java applet + * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 + (bmo#1188010, bmo#1204061, bmo#1204155) + Vulnerabilities found through code inspection + * MFSA 2015-132/CVE-2015-7197 (bmo#1204269) + Mixed content WebSocket policy bypass through workers + * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 + (bmo#1202868, bmo#1205157) + NSS and NSPR memory corruption issues + (fixed in mozilla-nspr and mozilla-nss packages) +- requires NSPR 4.10.10 and NSS 3.19.2.1 +- added explicit appdata provides (bnc#952325) + +------------------------------------------------------------------- +Mon Oct 5 12:44:39 UTC 2015 - dmueller@suse.com + +- fix build on aarch64 by reusing the crashreporter conditional + from MozillaFirefox + +------------------------------------------------------------------- +Mon Sep 28 18:00:50 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 38.3.0 (bnc#947003) + * MFSA 2015-96/CVE-2015-4500 + Miscellaneous memory safety hazards + * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only) + Arbitrary file manipulation by local user through Mozilla updater + * MFSA 2015-101/CVE-2015-4506 (bmo#1192226) + Buffer overflow in libvpx while parsing vp9 format video + * MFSA 2015-105/CVE-2015-4511 (bmo#1200148) + Buffer overflow while decoding WebM video + * MFSA 2015-106/CVE-2015-4509 (bmo#1198435) + Use-after-free while manipulating HTML media content + * MFSA 2015-110/CVE-2015-4519 (bmo#1189814) + Dragging and dropping images exposes final URL after redirects + * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869) + Errors in the handling of CORS preflight request headers + * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/ + CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/ + CVE-2015-7180 + Vulnerabilities found through code inspection + * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860, + bmo#1190526) (Windows only) + Memory safety errors in libGLES in the ANGLE graphics library +- rebased patches + +------------------------------------------------------------------- +Sat Aug 15 11:41:30 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 38.2.0 (bnc#940806) + * MFSA 2015-79/CVE-2015-4473 + Miscellaneous memory safety hazards + * MFSA 2015-80/CVE-2015-4475 (bmo#1175396) + Out-of-bounds read with malformed MP3 file + * MFSA 2015-82/CVE-2015-4478 (bmo#1105914) + Redefinition of non-configurable JavaScript object properties + * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 + Overflow issues in libstagefright + * MFSA 2015-84/CVE-2015-4481 (bmo1171518) + Arbitrary file overwriting through Mozilla Maintenance Service + with hard links (only affected Windows) + * MFSA 2015-85/CVE-2015-4482 (bmo#1184500) + Out-of-bounds write with Updater and malicious MAR file + (does not affect openSUSE RPM packages which do not ship the + updater) + * MFSA 2015-87/CVE-2015-4484 (bmo#1171540) + Crash when using shared memory in JavaScript + * MFSA 2015-88/CVE-2015-4491 (bmo#1184009) + Heap overflow in gdk-pixbuf when scaling bitmap images + * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) + Buffer overflows on Libvpx when decoding WebM video + * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 + Vulnerabilities found through code inspection + * MFSA 2015-92/CVE-2015-4492 (bmo#1185820) + Use-after-free in XMLHttpRequest with shared workers + +------------------------------------------------------------------- +Wed Jul 8 07:10:59 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 38.1.0 (bnc#935979) + * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725 + Miscellaneous memory safety hazards + * MFSA 2015-60/CVE-2015-2727 (bmo#1163422) + Local files or privileged URLs in pages can be opened into new tabs + * MFSA 2015-61/CVE-2015-2728 (bmo#1142210) + Type confusion in Indexed Database Manager + * MFSA 2015-62/CVE-2015-2729 (bmo#1122218) + Out-of-bound read while computing an oscillator rendering range in Web Audio + * MFSA 2015-63/CVE-2015-2731 (bmo#1149891) + Use-after-free in Content Policy due to microtask execution error + * MFSA 2015-64/CVE-2015-2730 (bmo#1125025) + ECDSA signature validation fails to handle some signatures correctly + (this fix is shipped by NSS 3.19.1 externally) + * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867) + Use-after-free in workers while using XMLHttpRequest + * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737 + CVE-2015-2738/CVE-2015-2739/CVE-2015-2740 + Vulnerabilities found through code inspection + * MFSA 2015-67/CVE-2015-2741 (bmo#1147497) + Key pinning is ignored when overridable errors are encountered + * MFSA 2015-69/CVE-2015-2743 (bmo#1163109) + Privilege escalation in PDF.js + * MFSA 2015-70/CVE-2015-4000 (bmo#1138554) + NSS accepts export-length DHE keys with regular DHE cipher suites + (this fix is shipped by NSS 3.19.1 externally) + * MFSA 2015-71/CVE-2015-2721 (bmo#1086145) + NSS incorrectly permits skipping of ServerKeyExchange + (this fix is shipped by NSS 3.19.1 externally) +- requires NSS 3.19.2 + +------------------------------------------------------------------- +Fri Jun 19 17:00:11 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 38.0.1 + * includes Lightning as default extension +- rebased patches +- removed obsolete patches: + * mozilla-ppc.patch + * mozilla-nullptr-gcc45.patch + * mozilla-bug1024492.patch +- dropped openSUSE specific patches + * thunderbird-shared-nss-db.patch + * mozilla-shared-nss-db.patch + the provided feature seems not to be used and its maintenance + is not worth the ongoing efforts +- tb-develdirs.patch is now mozilla-develdirs.patch as it is a + platform configuration now + +-------------------------------------------------------------------- +Thu Jun 18 10:30:18 UTC 2015 - schwab@suse.de + +- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration + +------------------------------------------------------------------- +Thu May 28 10:28:13 UTC 2015 - dmueller@suse.com + +- add mozilla-bug1024492.patch: + * Fixes build against GCC 5.x + +------------------------------------------------------------------- +Sat May 9 07:22:49 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 31.7.0 (bnc#930622) + * MFSA 2015-46/CVE-2015-2708 + Miscellaneous memory safety hazards + * MFSA 2015-47/VE-2015-0797 (bmo#1080995) + Buffer overflow parsing H.264 video with Linux Gstreamer + * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) + Buffer overflow with SVG content and CSS + * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) + Use-after-free during text processing with vertical text enabled + * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) + Buffer overflow when parsing compressed XML + * MFSA 2015-57/CVE-2011-3079 (bmo#1087565) + Privilege escalation through IPC channel messages + +------------------------------------------------------------------- +Tue Mar 31 05:02:16 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 31.6.0 (bnc#925368) + * MFSA 2015-30/CVE-2015-0815 + Miscellaneous memory safety hazards + * MFSA 2015-31/CVE-2015-0813 (bmo#1106596)) + Use-after-free when using the Fluendo MP3 GStreamer plugin + * MFSA 2015-33/CVE-2015-0816 (bmo#1144991) + resource:// documents can load privileged pages + * MFSA-2015-37/CVE-2015-0807 (bmo#1111834) + CORS requests should not follow 30x redirections after preflight + * MFSA-2015-40/CVE-2015-0801 (bmo#1146339) + Same-origin bypass through anchor navigation + +------------------------------------------------------------------- +Mon Feb 23 12:42:57 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 31.5.0 (bnc#917597) + * MFSA 2015-11/CVE-2015-0836 + Miscellaneous memory safety hazards + * MFSA 2015-12/CVE-2015-0833 (bmo#945192) + Invoking Mozilla updater will load locally stored DLL files + (Windows only) + * MFSA 2015-16/CVE-2015-0831 (bmo#1130514) + Use-after-free in IndexedDB + * MFSA 2015-19/CVE-2015-0827 (bmo#1117304) + Out-of-bounds read and write while rendering SVG content + * MFSA 2015-24/CVE-2015-0822 (bmo#1110557) + Reading of local files through manipulation of form autocomplete + +------------------------------------------------------------------- +Sat Jan 10 18:33:52 UTC 2015 - wr@rosenauer.org + +- update to Thunderbird 31.4.0 (bnc#910669) + * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635 + Miscellaneous memory safety hazards + * MFSA 2015-03/CVE-2014-8638 (bmo#1080987) + sendBeacon requests lack an Origin header + * MFSA 2015-04/CVE-2014-8639 (bmo#1095859) + Cookie injection through Proxy Authenticate responses +- added mozilla-icu-strncat.patch to fix post build checks + +------------------------------------------------------------------- +Sun Nov 30 08:37:33 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 31.3.0 (bnc#908009) + * MFSA 2014-83/CVE-2014-1587 + Miscellaneous memory safety hazards + * MFSA 2014-85/CVE-2014-1590 (bmo#1087633) + XMLHttpRequest crashes with some input streams + * MFSA 2014-87/CVE-2014-1592 (bmo#1088635) + Use-after-free during HTML5 parsing + * MFSA 2014-88/CVE-2014-1593 (bmo#1085175) + Buffer overflow while parsing media content + * MFSA 2014-89/CVE-2014-1594 (bmo#1074280) + Bad casting from the BasicThebesLayer to BasicContainerLayer + +------------------------------------------------------------------- +Sun Nov 16 21:22:00 UTC 2014 - Led + +- fix bashism in mozilla.sh script + +------------------------------------------------------------------- +Tue Nov 4 08:16:43 UTC 2014 - guillaume@opensuse.org + +- Limit RAM usage during link for ARM + +------------------------------------------------------------------- +Sat Oct 25 18:41:27 UTC 2014 - wr@rosenauer.org + +- remove add-plugins.sh and use /usr/share/myspell directly + (bnc#900639) + +------------------------------------------------------------------- +Sun Oct 12 22:47:42 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 31.2.0 (bnc#900941) + * MFSA 2014-74/CVE-2014-1574 + Miscellaneous memory safety hazards + * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) + Buffer overflow during CSS manipulation + * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) + Web Audio memory corruption issues with custom waveforms + * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) + Out-of-bounds write with WebM video + * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) + Use-after-free interacting with text directionality + * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) + Inconsistent video sharing within iframe +- added basic appdata definition + +------------------------------------------------------------------- +Wed Sep 24 09:15:02 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 31.1.2 + +------------------------------------------------------------------- +Tue Sep 9 12:53:41 UTC 2014 - wolfgang@rosenauer.org + +- update to Thunderbird 31.1.1 + * Fixed an issue where mailing lists with spaces in their names + couldn't be autocompleted (bmo#1060901) + * Fixed an occasional startup crash (bmo#1005336) + +------------------------------------------------------------------- +Fri Aug 29 13:02:19 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 31.1.0 (bnc#894370) + * MFSA 2014-67/CVE-2014-1553/CVE-2014-1562 + Miscellaneous memory safety hazards + * MFSA 2014-68/CVE-2014-1563 (bmo#1018524) + Use-after-free during DOM interactions with SVG + * MFSA 2014-69/CVE-2014-1564 (bmo#1045977) + Uninitialized memory use during GIF rendering + * MFSA 2014-70/CVE-2014-1565 (bmo#1047831) + Out-of-bounds read in Web Audio audio timeline + * MFSA 2014-72/CVE-2014-1567 (bmo#1037641) + Use-after-free setting text directionality +- added mozilla-nullptr-gcc45.patch to build on gcc 4.5 dists + (e.g. openSUSE 11.4) + +------------------------------------------------------------------- +Sun Jul 27 20:25:46 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 31.0 + * based on Gecko 31 + * Autocompleting email addresses now matches against any part of + the name or email + * Composing a mail to a newsgroup will now autocomplete newsgroup + names + * Insecure NTLM (pre-NTLMv2) authentication disabled +- rebased patches +- removed enigmail entirely from source package +- removed obsolete patches + * libffi-ppc64le.patch + * ppc64le-support.patch + * xpcom-ppc64le.patch +- use GStreamer 1.0 after 13.1 +- switched source archives to use xz instead of bz2 + +------------------------------------------------------------------- +Sun Jul 20 15:59:49 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 24.7.0 (bnc#887746) + * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548 + Miscellaneous memory safety hazards + * MFSA 2014-61/CVE-2014-1555 (bmo#1023121) + Use-after-free with FireOnStateChange event + * MFSA 2014-62/CVE-2014-1556 (bmo#1028891) + Exploitable WebGL crash with Cesium JavaScript library + * MFSA 2014-63/CVE-2014-1544 (bmo#963150) + Use-after-free while when manipulating certificates in the trusted cache + (solved with NSS 3.16.2 requirement) + * MFSA 2014-64/CVE-2014-1557 (bmo#913805) + Crash in Skia library when scaling high quality images +- disabled enigmail build as with version 1.7 it's a standalone + source package + +------------------------------------------------------------------- +Sat Jun 7 09:07:06 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 24.6.0 (bnc#881874) + * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534 + (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874, + bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981, + bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817, + bmo#996536, bmo#996715, bmo#999651, bmo#1000598, + bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223, + bmo#1009952, bmo#1011007) + Miscellaneous memory safety hazards (rv:30.0 / rv:24.6) + * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538 + (bmo#989994, bmo#999274, bmo#1005584) + Use-after-free and out of bounds issues found using Address Sanitizer + * MFSA 2014-52/CVE-2014-1541 (bmo#1000185) + Use-after-free with SMIL Animation Controller + * MFSA 2014-55/CVE-2014-1545 (bmo#1018783) + Out of bounds write in NSPR +- require NSPR 4.10.6 because of MFSA 2014-55/CVE-2014-1545 + +------------------------------------------------------------------- +Fri Apr 25 09:41:14 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 24.5.0 (bnc#875378) + * MFSA 2014-34/CVE-2014-1518 + Miscellaneous memory safety hazards + * MFSA 2014-37/CVE-2014-1523 (bmo#969226) + Out of bounds read while decoding JPG images + * MFSA 2014-38/CVE-2014-1524 (bmo#989183) + Buffer overflow when using non-XBL object as XBL + * MFSA 2014-42/CVE-2014-1529 (bmo#987003) + Privilege escalation through Web Notification API + * MFSA 2014-43/CVE-2014-1530 (bmo#895557) + Cross-site scripting (XSS) using history navigations + * MFSA 2014-44/CVE-2014-1531 (bmo#987140) + Use-after-free in imgLoader while resizing images + * MFSA 2014-46/CVE-2014-1532 (bmo#966006) + Use-after-free in nsHostResolver +- use shipped-locales as the authoritative source for supported + locales (some unsupported locales disappear from -other package) + +------------------------------------------------------------------- +Tue Mar 18 21:45:43 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 24.4.0 (bnc#868603) + * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494 + Miscellaneous memory safety hazards + * MFSA 2014-17/CVE-2014-1497 (bmo#966311) + Out of bounds read during WAV file decoding + * MFSA 2014-26/CVE-2014-1508 (bmo#963198) + Information disclosure through polygon rendering in MathML + * MFSA 2014-27/CVE-2014-1509 (bmo#966021) + Memory corruption in Cairo during PDF font rendering + * MFSA 2014-28/CVE-2014-1505 (bmo#941887) + SVG filters information disclosure through feDisplacementMap + * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909) + Privilege escalation using WebIDL-implemented APIs + * MFSA 2014-30/CVE-2014-1512 (bmo#982957) + Use-after-free in TypeObject + * MFSA 2014-31/CVE-2014-1513 (bmo#982974) + Out-of-bounds read/write through neutering ArrayBuffer objects + * MFSA 2014-32/CVE-2014-1514 (bmo#983344) + Out-of-bounds write through TypedArrayObject after neutering + +------------------------------------------------------------------- +Mon Feb 3 16:07:28 UTC 2014 - wr@rosenauer.org + +- update to Thunderbird 24.3.0 (bnc#861847) + * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478 + Miscellaneous memory safety hazards (rv:27.0 / rv:24.3) + * MFSA 2014-02/CVE-2014-1479 (bmo#911864) + Clone protected content with XBL scopes + * MFSA 2014-04/CVE-2014-1482 (bmo#943803) + Incorrect use of discarded images by RasterImage + * MFSA 2014-08/CVE-2014-1486 (bmo#942164) + Use-after-free with imgRequestProxy and image proccessing + * MFSA 2014-09/CVE-2014-1487 (bmo#947592) + Cross-origin information leak through web workers + * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 + (bmo#934545, bmo#930874, bmo#930857) + NSS ticket handling issues + * MFSA 2014-13/CVE-2014-1481(bmo#936056) + Inconsistent JavaScript handling of access to Window objects +- requires NSS 3.15.4 +- renamed ppc64le patches to streamline with Firefox package + +------------------------------------------------------------------- +Fri Dec 13 21:29:16 UTC 2013 - uweigand@de.ibm.com + +- Add support for powerpc64le-linux. + * ppc64le-support.patch: general support + * libffi-ppc64le.patch: libffi backport + * xpcom-ppc64le.patch: port xpcom + +------------------------------------------------------------------- +Sun Dec 8 10:18:03 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 24.2.0 (bnc#854370) + * requires NSS 3.15.3.1 or higher + * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610 + Miscellaneous memory safety hazards + * MFSA 2013-108/CVE-2013-5616 (bmo#938341) + Use-after-free in event listeners + * MFSA 2013-109/CVE-2013-5618 (bmo#926361) + Use-after-free during Table Editing + * MFSA 2013-111/CVE-2013-6671 (bmo#930281) + Segmentation violation when replacing ordered list elements + * MFSA 2013-113/CVE-2013-6673 (bmo#970380) + Trust settings for built-in roots ignored during EV certificate + validation + * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449) + Use-after-free in synthetic mouse movement + * MFSA 2013-115/CVE-2013-5615 (bmo#929261) + GetElementIC typed array stubs can be generated outside observed + typesets + * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693) + JPEG information leak + * MFSA 2013-117 (bmo#946351) + Mis-issued ANSSI/DCSSI certificate + (fixed via NSS 3.15.3.1) + +------------------------------------------------------------------- +Tue Nov 19 08:08:00 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 24.1.1 + * requires NSPR 4.10.2 and NSS 3.15.3 for security reasons + * fix binary compatibility issues for patch level updates + (bmo#927073) + +------------------------------------------------------------------- +Thu Oct 24 17:18:23 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 24.1.0 (bnc#847708) + * requires NSS 3.15.2 or above + * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592 + Miscellaneous memory safety hazards + * MFSA 2013-94/CVE-2013-5593 (bmo#868327) + Spoofing addressbar through SELECT element + * MFSA 2013-95/CVE-2013-5604 (bmo#914017) + Access violation with XSLT and uninitialized data + * MFSA 2013-96/CVE-2013-5595 (bmo#916580) + Improperly initialized memory and overflows in some JavaScript + functions + * MFSA 2013-97/CVE-2013-5596 (bmo#910881) + Writing to cycle collected object during image decoding + * MFSA 2013-98/CVE-2013-5597 (bmo#918864) + Use-after-free when updating offline cache + * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601 + (bmo#915210, bmo#915576, bmo#916685) + Miscellaneous use-after-free issues found through ASAN fuzzing + * MFSA 2013-101/CVE-2013-5602 (bmo#897678) + Memory corruption in workers + * MFSA 2013-102/CVE-2013-5603 (bmo#916404) + Use-after-free in HTML document templates + +------------------------------------------------------------------- +Thu Oct 10 14:43:22 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 24.0.1 + * fqdn for smtp server name was not accepted (bmo#913785) + * fixed crash in PL_strncasecmp (bmo#917955) +- update Enigmail to 1.6 + * The passphrase timeout configuration in Enigmail is now read and + written from/to gpg-agent. + * New dialog to change the expiry date of keys + * New function to search for the OpenPGP keys of all Address Book + entries on a keyserver + * removed obsolete enigmail-build.patch + +------------------------------------------------------------------- +Sat Sep 14 20:32:28 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 24.0 (bnc#840485) + * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719 + Miscellaneous memory safety hazards + * MFSA 2013-77/CVE-2013-1720 (bmo#888820) + Improper state in HTML5 Tree Builder with templates + * MFSA 2013-79/CVE-2013-1722 (bmo#893308) + Use-after-free in Animation Manager during stylesheet cloning + * MFSA 2013-80/CVE-2013-1723 (bmo#891292) + NativeKey continues handling key messages after widget is destroyed + * MFSA 2013-81/CVE-2013-1724 (bmo#894137) + Use-after-free with select element + * MFSA 2013-82/CVE-2013-1725 (bmo#876762) + Calling scope for new Javascript objects can lead to memory corruption + * MFSA 2013-85/CVE-2013-1728 (bmo#883686) + Uninitialized data in IonMonkey + * MFSA 2013-88/CVE-2013-1730 (bmo#851353) + Compartment mismatch re-attaching XBL-backed nodes + * MFSA 2013-89/CVE-2013-1732 (bmo#883514) + Buffer overflow with multi-column, lists, and floats + * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301) + Memory corruption involving scrolling + * MFSA 2013-91/CVE-2013-1737 (bmo#907727) + User-defined properties on DOM proxies get the wrong "this" object + * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897) + GC hazard with default compartments and frame chain restoration +- moved greek to common translation package +- require NSPR 4.10 and NSS 3.15.1 +- add GStreamer build requirements for Gecko +- added enigmail-build.patch to fix TB packaging (bmo#886095) +- removed obsolete patches: + * enigmail-old-gcc.patch + * mozilla-gcc43-enums.patch + * mozilla-gcc43-template_hacks.patch + * mozilla-gcc43-templates_instantiation.patch + * ppc-xpcshell.patch + +------------------------------------------------------------------- +Fri Aug 2 06:01:03 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 17.0.8 (bnc#833389) + * MFSA 2013-63/CVE-2013-1701 + Miscellaneous memory safety hazards + * MFSA 2013-68/CVE-2013-1709 (bmo#838253) + Document URI misrepresentation and masquerading + * MFSA 2013-69/CVE-2013-1710 (bmo#871368) + CRMF requests allow for code execution and XSS attacks + * MFSA 2013-72/CVE-2013-1713 (bmo#887098) + Wrong principal used for validating URI for some Javascript + components + * MFSA 2013-73/CVE-2013-1714 (bmo#879787) + Same-origin bypass with web workers and XMLHttpRequest + * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) + Local Java applets may read contents of local file system + +------------------------------------------------------------------- +Wed Jul 17 17:28:39 UTC 2013 - wr@rosenauer.org + +- update Enigmail to 1.5.2 + * bugfix release + +------------------------------------------------------------------- +Mon Jun 24 10:17:22 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 17.0.7 (bnc#825935) + * MFSA 2013-49/CVE-2013-1682 + Miscellaneous memory safety hazards + * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686 + Memory corruption found using Address Sanitizer + * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823) + Privileged content access and execution via XBL + * MFSA 2013-53/CVE-2013-1690 (bmo#857883) + Execution of unmapped memory through onreadystatechange event + * MFSA 2013-54/CVE-2013-1692 (bmo#866915) + Data in the body of XHR HEAD requests leads to CSRF attacks + * MFSA 2013-55/CVE-2013-1693 (bmo#711043) + SVG filters can lead to information disclosure + * MFSA 2013-56/CVE-2013-1694 (bmo#848535) + PreserveWrapper has inconsistent behavior + * MFSA 2013-59/CVE-2013-1697 (bmo#858101) + XrayWrappers can be bypassed to run user defined methods in a + privileged context + +------------------------------------------------------------------- +Tue Jun 4 20:41:42 UTC 2013 - dvaleev@suse.com + +- prevent xpc-shell crashing on powerpc + ppc-xpcshell.patch + +------------------------------------------------------------------- +Sat May 11 08:46:37 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 17.0.6 (bnc#819204) + * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669 + Miscellaneous memory safety hazards + * MFSA 2013-42/CVE-2013-1670 (bmo#853709) + Privileged access for content level constructor + * MFSA 2013-46/CVE-2013-1674 (bmo#860971) + Use-after-free with video and onresize event + * MFSA 2013-47/CVE-2013-1675 (bmo#866825) + Uninitialized functions in DOMSVGZoomEvent + * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/ + CVE-2013-1679/CVE-2013-1680/CVE-2013-1681 + Memory corruption found using Address Sanitizer + +------------------------------------------------------------------- +Fri Mar 29 18:25:38 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 17.0.5 (bnc#813026) + * requires NSPR 4.9.5 and NSS 3.14.3 + * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 + Miscellaneous memory safety hazards + * MFSA 2013-31/CVE-2013-0800 (bmo#825721) + Out-of-bounds write in Cairo library + * MFSA 2013-35/CVE-2013-0796 (bmo#827106) + WebGL crash with Mesa graphics driver on Linux + * MFSA 2013-36/CVE-2013-0795 (bmo#825697) + Bypass of SOW protections allows cloning of protected nodes + * MFSA 2013-38/CVE-2013-0793 (bmo#803870) + Cross-site scripting (XSS) using timed history navigations + +------------------------------------------------------------------- +Fri Mar 8 10:35:29 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 17.0.4 (bnc#808243) + * MFSA 2013-29/CVE-2013-0787 (bmo#848644) + Use-after-free in HTML Editor + +------------------------------------------------------------------- +Sun Feb 17 12:09:06 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 17.0.3 (bnc#804248) + * MFSA 2013-21/CVE-2013-0783 + Miscellaneous memory safety hazards + * MFSA 2013-24/CVE-2013-0773 (bmo#809652) + Web content bypass of COW and SOW security wrappers + * MFSA 2013-25/CVE-2013-0774 (bmo#827193) + Privacy leak in JavaScript Workers + * MFSA 2013-26/CVE-2013-0775 (bmo#831095) + Use-after-free in nsImageLoadingContent + * MFSA 2013-27/CVE-2013-0776 (bmo#796475) + Phishing on HTTPS connection through malicious proxy + * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782 + Use-after-free, out of bounds read, and buffer overflow issues + found using Address Sanitizer + +------------------------------------------------------------------- +Mon Feb 11 08:25:24 UTC 2013 - wr@rosenauer.org + +- update Enigmail to 1.5.1 + * The release fixes the regressions found in the past few + weeks + +------------------------------------------------------------------- +Sat Jan 5 12:40:00 UTC 2013 - wr@rosenauer.org + +- update to Thunderbird 17.0.2 (bnc#796895) + * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770 + Miscellaneous memory safety hazards + * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767 + CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829 + Use-after-free and buffer overflow issues found using Address Sanitizer + * MFSA 2013-03/CVE-2013-0768 (bmo#815795) + Buffer Overflow in Canvas + * MFSA 2013-04/CVE-2012-0759 (bmo#802026) + URL spoofing in addressbar during page loads + * MFSA 2013-05/CVE-2013-0744 (bmo#814713) + Use-after-free when displaying table with many columns and column groups + * MFSA 2013-07/CVE-2013-0764 (bmo#804237) + Crash due to handling of SSL on threads + * MFSA 2013-08/CVE-2013-0745 (bmo#794158) + AutoWrapperChanger fails to keep objects alive during garbage collection + * MFSA 2013-09/CVE-2013-0746 (bmo#816842) + Compartment mismatch with quickstubs returned values + * MFSA 2013-10/CVE-2013-0747 (bmo#733305) + Event manipulation in plugin handler to bypass same-origin policy + * MFSA 2013-11/CVE-2013-0748 (bmo#806031) + Address space layout leaked in XBL objects + * MFSA 2013-12/CVE-2013-0750 (bmo#805121) + Buffer overflow in Javascript string concatenation + * MFSA 2013-13/CVE-2013-0752 (bmo#805024) + Memory corruption in XBL with XML bindings containing SVG + * MFSA 2013-14/CVE-2013-0757 (bmo#813901) + Chrome Object Wrapper (COW) bypass through changing prototype + * MFSA 2013-15/CVE-2013-0758 (bmo#813906) + Privilege escalation through plugin objects + * MFSA 2013-16/CVE-2013-0753 (bmo#814001) + Use-after-free in serializeToStream + * MFSA 2013-17/CVE-2013-0754 (bmo#814026) + Use-after-free in ListenerManager + * MFSA 2013-18/CVE-2013-0755 (bmo#814027) + Use-after-free in Vibrate + * MFSA 2013-19/CVE-2013-0756 (bmo#814029) + Use-after-free in Javascript Proxy objects +- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743) +- update Enigmail to 1.5.0 + +------------------------------------------------------------------- +Mon Nov 26 11:10:11 UTC 2012 - wr@rosenauer.org + +- fix KDE integration for file dialogs +- fix some rpmlint warnings (mkdir.done files) +- build on SLE11 + * mozilla-gcc43-enums.patch + * mozilla-gcc43-template_hacks.patch + * mozilla-gcc43-templates_instantiation.patch + +------------------------------------------------------------------- +Tue Nov 20 20:42:04 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 17.0 (bnc#790140) + * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843 + Miscellaneous memory safety hazards + * MFSA 2012-92/CVE-2012-4202 (bmo#758200) + Buffer overflow while rendering GIF images + * MFSA 2012-93/CVE-2012-4201 (bmo#747607) + evalInSanbox location context incorrectly applied + * MFSA 2012-94/CVE-2012-5836 (bmo#792857) + Crash when combining SVG text on path with CSS + * MFSA 2012-96/CVE-2012-4204 (bmo#778603) + Memory corruption in str_unescape + * MFSA 2012-97/CVE-2012-4205 (bmo#779821) + XMLHttpRequest inherits incorrect principal within sandbox + * MFSA 2012-99/CVE-2012-4208 (bmo#798264) + XrayWrappers exposes chrome-only properties when not in chrome + compartment + * MFSA 2012-100/CVE-2012-5841 (bmo#805807) + Improper security filtering for cross-origin wrappers + * MFSA 2012-101/CVE-2012-4207 (bmo#801681) + Improper character decoding in HZ-GB-2312 charset + * MFSA 2012-102/CVE-2012-5837 (bmo#800363) + Script entered into Developer Toolbar runs with chrome privileges + * MFSA 2012-103/CVE-2012-4209 (bmo#792405) + Frames can shadow top.location + * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/ + CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/ + CVE-2012-4213/CVE-2012-4217/CVE-2012-4218 + Use-after-free and buffer overflow issues found using Address + Sanitizer + * MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838 + Use-after-free, buffer overflow, and memory corruption issues + found using Address Sanitizer +- rebased patches +- disabled WebRTC since build is broken (bmo#776877) +- update Enigmail to 1.4.6 + +------------------------------------------------------------------- +Sat Oct 27 08:58:22 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 16.0.2 (bnc#786522) + * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196 + (bmo#800666, bmo#793121, bmo#802557) + Fixes for Location object issues + +------------------------------------------------------------------- +Thu Oct 11 03:16:52 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 16.0.1 (bnc#783533) + * MFSA 2012-88/CVE-2012-4191 (bmo#798045) + Miscellaneous memory safety hazards + * MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619) + defaultValue security checks not applied + +------------------------------------------------------------------- +Mon Oct 8 13:27:10 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 16.0 (bnc#783533) + * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983 + Miscellaneous memory safety hazards + * MFSA 2012-75/CVE-2012-3984 (bmo#575294) + select element persistance allows for attacks + * MFSA 2012-76/CVE-2012-3985 (bmo#655649) + Continued access to initial origin after setting document.domain + * MFSA 2012-77/CVE-2012-3986 (bmo#775868) + Some DOMWindowUtils methods bypass security checks + * MFSA 2012-79/CVE-2012-3988 (bmo#725770) + DOS and crash with full screen and history navigation + * MFSA 2012-80/CVE-2012-3989 (bmo#783867) + Crash with invalid cast when using instanceof operator + * MFSA 2012-81/CVE-2012-3991 (bmo#783260) + GetProperty function can bypass security checks + * MFSA 2012-82/CVE-2012-3994 (bmo#765527) + top object and location property accessible by plugins + * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370) + Chrome Object Wrapper (COW) does not disallow acces to privileged + functions or properties + * MFSA 2012-84/CVE-2012-3992 (bmo#775009) + Spoofing and script injection through location.hash + * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/ + CVE-2012-4181/CVE-2012-4182/CVE-2012-4183 + Use-after-free, buffer overflow, and out of bounds read issues + found using Address Sanitizer + * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/ + CVE-2012-4188 + Heap memory corruption issues found using Address Sanitizer + * MFSA 2012-87/CVE-2012-3990 (bmo#787704) + Use-after-free in the IME State Manager +- update Enigmail to version 1.4.5 + +------------------------------------------------------------------- +Sun Aug 26 14:59:20 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 15.0 (bnc#777588) + * MFSA 2012-57/CVE-2012-1970 + Miscellaneous memory safety hazards + * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975 + CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959 + CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964 + Use-after-free issues found using Address Sanitizer + * MFSA 2012-59/CVE-2012-1956 (bmo#756719) + Location object can be shadowed using Object.defineProperty + * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793) + Memory corruption with bitmap format images with negative height + * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968 + WebGL use-after-free and memory corruption + * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970 + SVG buffer overflow and use-after-free issues + * MFSA 2012-64/CVE-2012-3971 + Graphite 2 memory corruption + * MFSA 2012-65/CVE-2012-3972 (bmo#746855) + Out-of-bounds read in format-number in XSLT + * MFSA 2012-68/CVE-2012-3975 (bmo#770684) + DOMParser loads linked resources in extensions when parsing + text/html + * MFSA 2012-70/CVE-2012-3978 (bmo#770429) + Location object security checks bypassed by chrome code + * MFSA 2012-72/CVE-2012-3980 (bmo#771859) + Web console eval capable of executing chrome-privileged code +- update Enigmail to 1.4.4 + +------------------------------------------------------------------- +Sun Jul 29 07:22:19 UTC 2012 - aj@suse.de + +- Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16) + +------------------------------------------------------------------- +Sun Jul 15 08:06:50 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 14.0 (bnc#771583) + * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948 + Miscellaneous memory safety hazards + * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952 + Gecko memory corruption + * MFSA 2012-45/CVE-2012-1955 (bmo#757376) + Spoofing issue with location + * MFSA 2012-47/CVE-2012-1957 (bmo#750096) + Improper filtering of javascript in HTML feed-view + * MFSA 2012-48/CVE-2012-1958 (bmo#750820) + use-after-free in nsGlobalWindow::PageHidden + * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559) + Same-compartment Security Wrappers can be bypassed + * MFSA 2012-50/CVE-2012-1960 (bmo#761014) + Out of bounds read in QCMS + * MFSA 2012-51/CVE-2012-1961 (bmo#761655) + X-Frame-Options header ignored when duplicated + * MFSA 2012-52/CVE-2012-1962 (bmo#764296) + JSDependentString::undepend string conversion results in memory + corruption + * MFSA 2012-53/CVE-2012-1963 (bmo#767778) + Content Security Policy 1.0 implementation errors cause data + leakage + * MFSA 2012-56/CVE-2012-1967 (bmo#758344) + Code execution through javascript: URLs + * relicensed to MPL-2.0 +- update Enigmail to 1.4.3 + +------------------------------------------------------------------- +Thu Jul 5 09:58:15 UTC 2012 - adrian@suse.de + +- no crashreport on %arm, fixing build + +------------------------------------------------------------------- +Fri Jun 15 07:00:43 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 13.0.1 + * bugfix release + +------------------------------------------------------------------- +Sat Jun 2 12:41:08 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 13.0 (bnc#765204) + * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101 + Miscellaneous memory safety hazards + * MFSA 2012-36/CVE-2012-1944 (bmo#751422) + Content Security Policy inline-script bypass + * MFSA 2012-37/CVE-2012-1945 (bmo#670514) + Information disclosure though Windows file shares and shortcut + files + * MFSA 2012-38/CVE-2012-1946 (bmo#750109) + Use-after-free while replacing/inserting a node in a document + * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941 + Buffer overflow and use-after-free issues found using Address + Sanitizer +- require NSS 3.13.4 + * MFSA 2012-39/CVE-2012-0441 (bmo#715073) +- fix build with system NSPR (mozilla-system-nspr.patch) +- add dependentlibs.list for improved XRE startup +- update enigmail to 1.4.2 + +------------------------------------------------------------------- +Wed May 16 05:38:46 UTC 2012 - wr@rosenauer.org + +- reenabled crashreporter for Factory/12.2 + (fix in mozilla-gcc47.patch) + +------------------------------------------------------------------- +Mon Apr 30 06:43:26 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 12.0.1 + * fix regressions + - POP3 filters (bmo#748090) + - Message Body not loaded when using "Fetch Headers Only" + (bmo#748865) + - Received messages contain parts of other messages with + movemail account (bmo#748726) + - New mail notification issue (bmo#748997) + - crash in nsMsgDatabase::MatchDbName (bmo#748432) + +------------------------------------------------------------------- +Fri Apr 27 10:22:49 UTC 2012 - wr@rosenauer.org + +- fixed build with gcc 4.7 + +------------------------------------------------------------------- +Sat Apr 21 07:39:28 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 12.0 (bnc#758408) + * MFSA 2012-20/CVE-2012-0467/CVE-2012-0468 + Miscellaneous memory safety hazards + * MFSA 2012-22/CVE-2012-0469 (bmo#738985) + use-after-free in IDBKeyRange + * MFSA 2012-23/CVE-2012-0470 (bmo#734288) + Invalid frees causes heap corruption in gfxImageSurface + * MFSA 2012-24/CVE-2012-0471 (bmo#715319) + Potential XSS via multibyte content processing errors + * MFSA 2012-25/CVE-2012-0472 (bmo#744480) + Potential memory corruption during font rendering using cairo-dwrite + * MFSA 2012-26/CVE-2012-0473 (bmo#743475) + WebGL.drawElements may read illegal video memory due to + FindMaxUshortElement error + * MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) + Page load short-circuit can lead to XSS + * MFSA 2012-28/CVE-2012-0475 (bmo#694576) + Ambiguous IPv6 in Origin headers may bypass webserver access + restrictions + * MFSA 2012-29/CVE-2012-0477 (bmo#718573) + Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues + * MFSA 2012-30/CVE-2012-0478 (bmo#727547) + Crash with WebGL content using textImage2D + * MFSA 2012-31/CVE-2011-3062 (bmo#739925) + Off-by-one error in OpenType Sanitizer + * MFSA 2012-32/CVE-2011-1187 (bmo#624621) + HTTP Redirections and remote content can be read by javascript errors + * MFSA 2012-33/CVE-2012-0479 (bmo#714631) + Potential site identity spoofing when loading RSS and Atom feeds +- update Enigmail to 1.4.1 +- added mozilla-revert_621446.patch +- added mozilla-libnotify.patch (bmo#737646) +- added mailnew-showalert.patch (bmo#739146) +- added mozilla-gcc47.patch and mailnews-literals.patch to fix + compilation issues with recent gcc 4.7 +- disabled crashreporter temporarily for Factory (gcc 4.7 issue) + +------------------------------------------------------------------- +Tue Mar 27 22:17:05 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 11.0.1 (bnc#755060) + * Fixing an issue where filters can get messed up (bmo#735940) + * Fixes a hang when switching IMAP folders, or doing other + imap functions (bmo#733731) + +------------------------------------------------------------------- +Fri Mar 9 20:42:21 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 11.0 (bnc#750044) + * MFSA 2012-13/CVE-2012-0455 (bmo#704354) + XSS with Drag and Drop and Javascript: URL + * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) + SVG issues found with Address Sanitizer + * MFSA 2012-15/CVE-2012-0451 (bmo#717511) + XSS with multiple Content Security Policy headers + * MFSA 2012-16/CVE-2012-0458 + Escalation of privilege with Javascript: URL as home page + * MFSA 2012-17/CVE-2012-0459 (bmo#723446) + Crash when accessing keyframe cssText after dynamic modification + * MFSA 2012-18/CVE-2012-0460 (bmo#727303) + window.fullScreen writeable by untrusted content + * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/ + CVE-2012-0463 + Miscellaneous memory safety hazards +- update enigmail to 1.4 +- added KDE integration patches (bnc#749440) + +------------------------------------------------------------------- +Mon Feb 27 17:15:05 CET 2012 - jslaby@suse.de + +- update enigmail to 1.3.99 (1.4a1pre) + +------------------------------------------------------------------- +Thu Feb 16 10:54:42 UTC 2012 - wr@rosenauer.org + +- update to Thunderbird 10.0.2 (bnc#747328) + * CVE-2011-3026 (bmo#727401) + libpng: integer overflow leading to heap-buffer overflow + +------------------------------------------------------------------- +Thu Feb 9 08:10:32 UTC 2012 - wr@rosenauer.org + +- update to version 10.0.1 (bnc#746616) + * MFSA 2012-10/CVE-2012-0452 (bmo#724284) + use after free in nsXBLDocumentInfo::ReadPrototypeBindings +- Use YARR interpreter instead of PCRE on platforms where YARR JIT + is not supported, since PCRE doesnt build (bmo#691898) +- fix ppc64 build (bmo#703534) + +------------------------------------------------------------------- +Sun Jan 29 17:31:32 UTC 2012 - wr@rosenauer.org + +- update to version 10.0 (bnc#744275) + * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443 + Miscellaneous memory safety hazards + * MFSA 2012-03/CVE-2012-0445 (bmo#701071) +