- Mozilla Thunderbird 78.5.0
MFSA 2020-52 (bsc#1178894)
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security
UI
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
* CVE-2020-26959 (bmo#1669466)
Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358)
Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223)
Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528)
DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617)
Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571)
Single-word search queries were also broadcast to local
network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
OBS-URL: https://build.opensuse.org/request/show/849310
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=243
MFSA 2020-52 (bsc#1178894)
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security
UI
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
* CVE-2020-26959 (bmo#1669466)
Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358)
Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223)
Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528)
DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617)
Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571)
Single-word search queries were also broadcast to local
network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=564
- Mozilla Thunderbird 78.4.0
* MailExtensions: browser.tabs.sendMessage API added
* MailExtensions: messageDisplayScripts API added
* Yahoo and AOL mail users using password authentication will be
migrated to OAuth2
* MailExtensions: messageDisplay APIs extended to support multiple
selected messages
* MailExtensions: compose.begin functions now support creating a
message with attachments
* multiple bugfixes
MFSA 2020-47 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570)
Use-after-free in usersctp
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760,
bmo#1663439, bmo#1666140)
Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
OBS-URL: https://build.opensuse.org/request/show/843275
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=241
* MailExtensions: browser.tabs.sendMessage API added
* MailExtensions: messageDisplayScripts API added
* Yahoo and AOL mail users using password authentication will be
migrated to OAuth2
* MailExtensions: messageDisplay APIs extended to support multiple
selected messages
* MailExtensions: compose.begin functions now support creating a
message with attachments
* multiple bugfixes
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=557
- Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* OpenPGP Key Manager was missing from Tools menu on macOS
* Creating a new calendar event did not require an event title
- remove python2 dependencies for TW
- support wayland mode/autodetection in startup wrapper
- replace some Requires to use requires_ge macro where appropriate
- improve langpack build (as already used for Firefox)
- add ccache statistics output to build
OBS-URL: https://build.opensuse.org/request/show/842109
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=240
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* OpenPGP Key Manager was missing from Tools menu on macOS
* Creating a new calendar event did not require an event title
- remove python2 dependencies for TW
- support wayland mode/autodetection in startup wrapper
- replace some Requires to use requires_ge macro where appropriate
- improve langpack build (as already used for Firefox)
- add ccache statistics output to build
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=555
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were
sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse
button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=552
- Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch
- Mozilla Thunderbird 78.2.2
https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
(boo#1176384)
- Mozilla Thunderbird 78.2.1
* based on Mozilla's 78 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
* built-in OpenPGP support (enigmail neither required nor supported)
- added platform patches:
OBS-URL: https://build.opensuse.org/request/show/838449
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=238
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch
- Mozilla Thunderbird 78.2.2
https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
(boo#1176384)
- Mozilla Thunderbird 78.2.1
* based on Mozilla's 78 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
* built-in OpenPGP support (enigmail neither required nor supported)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=549
MFSA 2020-40 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could have
resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15669 (bmo#1656957)
Use-After-Free when aborting an operation
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=547
MFSA 2020-10 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections against
state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636,
bmo#1614339)
Memory safety bugs fixed in Thunderbird 68.6
- requires NSS >= 3.44.3
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=522
- Mozilla Thunderbird 68.5.0
New
* Support for Client Identity IMAP/SMTP Service Extension
* Support for OAuth 2.0 authentication for POP3 accounts
Fixes
* Status area goes blank during account setup
* Calendar: Could not remove color for default categories
* Calendar: Prevent calendar component loading multiple times
* Calendar: Today pane did not retain width between sessions
MFSA 2020-07 (bsc#1163368)
* CVE-2020-6793 (bmo#1608539)
Out-of-bounds read when processing certain email messages
* CVE-2020-6794 (bmo#1606619)
Setting a master password post-Thunderbird 52 does not delete
unencrypted previously stored passwords
* CVE-2020-6795 (bmo#1611105)
Crash processing S/MIME messages with multiple signatures
* CVE-2020-6797 (bmo#1596668) (Mac OSX only)
Extensions granted downloads.open permission could open arbitrary
applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6792 (bmo#1609607)
Message ID calculcation was based on uninitialized data
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
bmo#1608580,bmo#1608785,bmo#1605777)
Memory safety bugs fixed in Thunderbird 68.5
OBS-URL: https://build.opensuse.org/request/show/773527
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=227
New
* Support for Client Identity IMAP/SMTP Service Extension
* Support for OAuth 2.0 authentication for POP3 accounts
Fixes
* Status area goes blank during account setup
* Calendar: Could not remove color for default categories
* Calendar: Prevent calendar component loading multiple times
* Calendar: Today pane did not retain width between sessions
MFSA 2020-07 (bsc#1163368)
* CVE-2020-6793 (bmo#1608539)
Out-of-bounds read when processing certain email messages
* CVE-2020-6794 (bmo#1606619)
Setting a master password post-Thunderbird 52 does not delete
unencrypted previously stored passwords
* CVE-2020-6795 (bmo#1611105)
Crash processing S/MIME messages with multiple signatures
* CVE-2020-6797 (bmo#1596668) (Mac OSX only)
Extensions granted downloads.open permission could open arbitrary
applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6792 (bmo#1609607)
Message ID calculcation was based on uninitialized data
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
bmo#1608580,bmo#1608785,bmo#1605777)
Memory safety bugs fixed in Thunderbird 68.5
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=520
- Mozilla Thunderbird 68.4.2
* Calendar: Task and Event tree colours adjusted for the dark theme
* Retrieval of S/MIME certificates from LDAP failed
* Address-parsing crash on some IMAP servers when
mail.imap.use_envelope_cmd is set
* Incorrect forwarding of HTML messages caused SMTP servers to
respond with a timeout
* Calendar: Various parts of the calendar UI stopped working when
a second Thunderbird window opened
OBS-URL: https://build.opensuse.org/request/show/767881
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=225
