Commit Graph

459 Commits

Author SHA256 Message Date
Wolfgang Rosenauer
70aadd9160 MFSA 2022-42 (bsc#1203477)
* CVE-2022-40959 (bmo#1782211)
    Bypassing FeaturePolicy restrictions on transient pages
  * CVE-2022-40960 (bmo#1787633)
    Data-race when parsing non-UTF-8 URLs in threads
  * CVE-2022-40958 (bmo#1779993)
    Bypassing Secure Context restriction for cookies with __Host
    and __Secure prefix
  * CVE-2022-40956 (bmo#1770094)
    Content-Security-Policy base-uri bypass
  * CVE-2022-40957 (bmo#1777604)
    Incoherent instruction cache when building WASM on ARM64
  * CVE-2022-3155 (bmo#1789061)
    Attachment files saved to disk on macOS could be executed
    without warning
  * CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835,
    bmo#1785109, bmo#1786502, bmo#1789440)
    Memory safety bugs fixed in Thunderbird 102.3

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=658
2022-09-21 21:04:50 +00:00
Wolfgang Rosenauer
b9d27af2da - Mozilla Thunderbird 102.3.0
https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
  * Thunderbird will no longer attempt to import account passwords
    when importing from another Thunderbird profile in order to
    prevent profile corruption and permanent data loss. (bmo#1790605)
  * Devtools performance profile will use Thunderbird presets
    instead of Web Developer presets (bmo#1785954)
  * Thunderbird startup performance improvements (bmo#1785967)
  * Saving email source and images failed (bmo#1777323, bmo#1778804)
  * Error message was shown repeatedly when temporary disk
    space was full (bmo#1788580)
  * Attaching OpenPGP keys without a set size to non-encrypted
    messages briefly displayed a size of zero bytes (bmo#1788952)
  * Global Search entry box initially contained "undefined" (bmo#1780963)
  * Delete from POP Server mail filter rule intermittently
    failed to trigger (bmo#1789418)
  * Connections to POP3 servers without UIDL support failed (bmo#1789314)
  * Pop accounts with "Fetch headers only" set downloaded complete
    messages if server did not advertise TOP capability (bmo#1789356)
  * "File -> New -> Address Book Contact" from Compose window did
    not work (bmo#1782418)
  * Attach "My vCard" option in compose window was not available
    (bmo#1787614)
  * Improved performance of matching a contact to an email address
    (bmo#1782725)
  * Address book only recognized a contact's first two email
    addresses (bmo#1777156)
  * Address book search and autocomplete failed if a contact vCard
    could not be parsed (bmo#1789793)
  * Downloading NNTP messages for offline use failed (bmo#1785773)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=657
2022-09-20 21:03:11 +00:00
Wolfgang Rosenauer
247125c160 - Mozilla Thunderbird 102.2.2
https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
  * Setting added to change Calendar event double-click action to
    open Edit Event dialog rather than view only;
    Set calendar.events.defaultActionEdit to true
  * Running Compact Folders on maildir folders caused a redownload
    of all messages in the folder
  * Accessing mail folders in profiles with many folders was slow
  * SMTP servers were not always properly initialized, and were not
    listed in Account Settings
  * APOP authentication unsupported when connecting to POP3 server
  * OpenPGP key discovery failed
  * POP accounts hosted by AOL were not able to authenticate using OAuth2
  * Unable to open context menu in newsgroups header for groups
    that are not subscribed

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=655
2022-09-08 09:47:43 +00:00
Wolfgang Rosenauer
bff7539280 - Mozilla Thunderbird 102.2.1
MFSA 2022-38 (bsc#1203007)
  * CVE-2022-3033 (bmo#1784838)
    Leaking of sensitive information when composing a response to
    an HTML email with a META refresh tag
  * CVE-2022-3032 (bmo#1783831)
    Remote content specified in an HTML document that was nested
    inside an iframe's srcdoc attribute was not blocked
  * CVE-2022-3034 (bmo#1745751)
    An iframe element in an HTML email could trigger a network
    request
  * CVE-2022-36059 (bmo#1787741)
    Matrix SDK bundled with Thunderbird vulnerable to denial-of-
    service attack

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=653
2022-09-01 07:38:48 +00:00
Wolfgang Rosenauer
eba6cdf4f5 - Mozilla Thunderbird 102.2.0
* https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/
  MFSA 2022-36 (bsc#1202645)
  * CVE-2022-38472 (bmo#1769155)
    Address bar spoofing via XSLT error handling
  * CVE-2022-38473 (bmo#1771685)
    Cross-origin XSLT Documents would have inherited the parent's
    permissions
  * CVE-2022-38476 (bmo#1760998)
    Data race and potential use-after-free in PK11_ChangePW
  * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
    Memory safety bugs fixed in Thunderbird 102.2
  * CVE-2022-38478 (bmo#1770630, bmo#1776658)
    Memory safety bugs fixed in Thunderbird 102.2, and
    Thunderbird 91.13
- disabled automatic usage of wayland because of known issues
  using MOZ_ENABLE_WAYLAND=1 in environment would still enable it
  (boo#1202606)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=651
2022-08-26 06:39:36 +00:00
Wolfgang Rosenauer
e0d42a0cfd - added mozilla-glibc236.patch (bmo#1782988, boo#1202323)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=649
2022-08-14 08:03:54 +00:00
Wolfgang Rosenauer
134f09dee2 - Mozilla Thunderbird 102.1.2
* fix for bmo#1777765 (no POP download progress bar) was backed
    out from this release to address broken POP message download
    with Fetch headers only selected in Account Settings (bmo#1783552)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=647
2022-08-09 06:35:46 +00:00
Wolfgang Rosenauer
ae8a4c4f39 - Mozilla Thunderbird 102.1.1
Bugfixes:
  * https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=646
2022-08-08 13:10:06 +00:00
Wolfgang Rosenauer
32ed6a10bb - added mozilla-pgo.patch to fix LTO builds with gcc
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=644
2022-08-01 14:43:32 +00:00
Wolfgang Rosenauer
982c2db4ff - Mozilla Thunderbird 102.1.0
* https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes
  MFSA 2022-32 (bsc#1201758)
  * CVE-2022-36319 (bmo#1737722)
    Mouse Position spoofing with CSS transforms
  * CVE-2022-36318 (bmo#1771774)
    Directory indexes for bundled resources reflected URL parameters
  * CVE-2022-36314 (bmo#1773894)
    Opening local <code>.lnk</code> files could cause unexpected
    network loads
  * CVE-2022-2505 (bmo#1769739, bmo#1772824)
    Memory safety bugs fixed in Thunderbird 102.1
- added mozilla-newer-cbindgen.patch to fix build with
  rust-cbindgen >= 0.24 (and also require that for build)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=643
2022-07-29 12:07:40 +00:00
Wolfgang Rosenauer
ebc8727216 - Mozilla Thunderbird 102.0.3
Bugfixes as in
  * https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/

- Mozilla Thunderbird 102.0.2
  * https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/
- removed obsolete patches
  mozilla-bmo1504834-part2.patch
  mozilla-bmo1504834-part4.patch
  mozilla-bmo1602730.patch
  mozilla-bmo1626236.patch
  mozilla-bmo1724679.patch
  mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
  mozilla-sandbox-fips.patch
- added patches inherited from FF 102
  one_swizzle_to_rule_them_all.patch
  svg-rendering.patch
- fix KDE detection (boo#1200987) in mozilla-kde.patch
- requires
  rust = 1.60
  NSPR >= 4.34
  NSS >= 3.79
  rust-cbindgen >= 0.23.0
- remove special breakpad debug symbol creation

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=642
2022-07-21 12:15:56 +00:00
Wolfgang Rosenauer
08ffa63092 - Mozilla Thunderbird 91.11.0
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
    additional fix applied
  * "Save-As" attachment dialog did not have filename pre-populated
  MFSA 2022-26 (bsc#1200793)
  * CVE-2022-34479 (bmo#1745595)
    A popup window could be resized in a way to overlay the
    address bar with web content
  * CVE-2022-34470 (bmo#1765951)
    Use-after-free in nsSHistory
  * CVE-2022-34468 (bmo#1768537)
    CSP sandbox header without `allow-scripts` can be bypassed
    via retargeted javascript: URI
  * CVE-2022-2226 (bmo#1775441)
    An email with a mismatching OpenPGP signature date was
    accepted as valid
  * CVE-2022-34481 (bmo#1497246)
    Potential integer overflow in ReplaceElementsAt
  * CVE-2022-31744 (bmo#1757604)
    CSP bypass enabling stylesheet injection
  * CVE-2022-34472 (bmo#1770123)
    Unavailable PAC file resulted in OCSP requests being blocked
  * CVE-2022-34478 (bmo#1773717)
    Microsoft protocols can be attacked if a user accepts a prompt
  * CVE-2022-2200 (bmo#1771381)
    Undesired attributes could be set as part of prototype pollution
  * CVE-2022-34484 (bmo#1763634, bmo#1772651)
    Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=640
2022-06-29 08:52:40 +00:00
Wolfgang Rosenauer
5b920d1fa1 - Mozilla Thunderbird 91.10.0
* Various UX and theme improvements
  MFSA 2022-22 (bsc#1200027)
  * CVE-2022-31736 (bmo#1735923)
    Cross-Origin resource's length leaked
  * CVE-2022-31737 (bmo#1743767)
    Heap buffer overflow in WebGL
  * CVE-2022-31738 (bmo#1756388)
    Browser window spoof using fullscreen mode
  * CVE-2022-31739 (bmo#1765049)
    Attacker-influenced path traversal when saving downloaded
    files
  * CVE-2022-31740 (bmo#1766806)
    Register allocation problem in WASM on arm64
  * CVE-2022-31741 (bmo#1767590)
    Uninitialized variable leads to invalid memory read
  * CVE-2022-1834 (bmo#1767816)
    Braille space character caused incorrect sender email to be
    shown for a digitally signed email
  * CVE-2022-31742 (bmo#1730434)
    Querying a WebAuthn token with a large number of
    allowCredential entries may have leaked cross-origin
    information
  * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
    bmo#1767365, bmo#1768559, bmo#1768734)
    Memory safety bugs fixed in Thunderbird 91.10

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=638
2022-05-31 19:36:16 +00:00
Wolfgang Rosenauer
71256c3fd4 - Mozilla Thunderbird 91.9.1
MFSA 2022-19 (bsc#1199768)
  * CVE-2022-1802 (bmo#1770137)
    Prototype pollution in Top-Level Await implementation
  * CVE-2022-1529 (bmo#1770048)
    Untrusted input used in JavaScript object indexing, leading
    to prototype pollution

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=636
2022-05-21 12:43:04 +00:00
Wolfgang Rosenauer
e48927244d - Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe
    attributes that are ignored
  * OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
    allow SHA-1 key signatures
  * CalDAV calendars were marked read-only on startup
  MFSA 2022-18 (bsc#1198970)
  * CVE-2022-1520 (bmo#1745019)
    Incorrect security status shown after viewing an attached
    email
  * CVE-2022-29914 (bmo#1746448)
    Fullscreen notification bypass using popups
  * CVE-2022-29909 (bmo#1755081)
    Bypassing permission prompt in nested browsing contexts
  * CVE-2022-29916 (bmo#1760674)
    Leaking browser history with CSS variables
  * CVE-2022-29911 (bmo#1761981)
    iframe sandbox bypass
  * CVE-2022-29912 (bmo#1692655)
    Reader mode bypassed SameSite cookies
  * CVE-2022-29913 (bmo#1764778)
    Speech Synthesis feature not properly disabled
  * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
    bmo#1762614, bmo#1762620)
    Memory safety bugs fixed in Thunderbird 91.9

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=634
2022-05-05 13:20:25 +00:00
Wolfgang Rosenauer
485ca3d99f - Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js#
  * Additional SMTP errors now propagated to user
  * OpenPGP was not able to use some previously supported key types
  * OpenPGP Key Manager did not always display correct information
    after importing additional IDs
  * Duplicate new mail notifications could be displayed when
    server-side filters were in use
  * Cancelling an SMTP password entry resulted in multiple failure
    dialogs being displayed
- Mozilla Thunderbird 91.8.0
  * Google accounts using password authentication will be migrated
    to OAuth2.
  * bugfixes
    https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
  MFSA 2022- (bsc#1197903)
- update create-tar.sh

- skip slow workers, this is a tough build job

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=632
2022-04-19 15:06:55 +00:00
Wolfgang Rosenauer
f67dab94c7 Accepting request 969338 from home:marxin:branches:mozilla:Factory
- Set memory limits for DWZ to 4x.

OBS-URL: https://build.opensuse.org/request/show/969338
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=630
2022-04-12 08:22:14 +00:00
Wolfgang Rosenauer
dddae6adff Accepting request 962487 from home:dirkmueller:Factory
- skip slow workers, this is a tough build job

OBS-URL: https://build.opensuse.org/request/show/962487
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=628
2022-03-18 19:19:54 +00:00
Wolfgang Rosenauer
bcdb022bb0 - Mozilla Thunderbird 91.7.0
* Thunderbird will use the first occurrence of headers that should
    only appear once
  * Auto-complete incorrectly changed a pasted email address to the
    primary address of a contact
  * Attachments with filename extensions that were not registered in
    MIME types could not be opened
  * Copy/Cut/Paste actions not working in Thunderbird Preferences
  * Improved screen reader support of displayed message headers
  MFSA 2022-12 (bsc#1196900)
  * CVE-2022-26383 (bmo#1742421)
    Browser window spoof using fullscreen mode
  * CVE-2022-26384 (bmo#1744352)
    iframe allow-scripts sandbox bypass
  * CVE-2022-26387 (bmo#1752979)
    Time-of-check time-of-use bug when verifying add-on signatures
  * CVE-2022-26381 (bmo#1736243)
    Use-after-free in text reflows
  * CVE-2022-26386 (bmo#1752396)
    Temporary files downloaded to /tmp and accessible by other
    local users

- Mozilla Thunderbird 91.6.2
  MFSA 2022-09
  * CVE-2022-26485 (bmo#1758062)
    Use-after-free in XSLT parameter processing
  * CVE-2022-26486 (bmo#1758070)
    Use-after-free in WebGPU IPC Framework

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=626
2022-03-09 10:34:57 +00:00
Wolfgang Rosenauer
260a0409e1 MFSA 2022-07 (bsc#1196072)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=625
2022-02-17 09:38:37 +00:00
Wolfgang Rosenauer
82981dade8 - Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
  * Emails were not downloading at startup under some conditions
  * Port numbers were not shown in "Confirm Security Exception"
    dialog for CalDAV connections
  MFSA 2022-07
  * CVE-2022-0566 (bmo#1753094)
    Crafted email could trigger an out-of-bounds write

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=624
2022-02-16 07:53:13 +00:00
Wolfgang Rosenauer
5e8c474a19 - Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
  * Partially signed unencrypted messages displayed an incorrect
    "parrtially encrypted" notification
  * Attachments filenames were not sanitized before saving to disk
  * In the attachment bar, the "Import OpenPGP Key" item displayed
    for public keys displayed an error and did not import the key
  * "Open with" attachment dialog did not have a selected radio
    button option
  MFSA 2022-06 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435)
    Privilege Escalation to SYSTEM on Windows via Maintenance
    Service
  * CVE-2022-22754 (bmo#1750565)
    Extensions could have bypassed permission confirmation during
    update
  * CVE-2022-22756 (bmo#1317873)
    Drag and dropping an image could have resulted in the dropped
    object being an executable
  * CVE-2022-22759 (bmo#1739957)
    Sandboxed iframes could have executed script if the parent
    appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
    Cross-Origin responses could be distinguished between script
    and non-script content-types
  * CVE-2022-22761 (bmo#1745566)
    frame-ancestors Content Security Policy directive was not
    enforced for framed extension pages
  * CVE-2022-22763 (bmo#1740534)
    Script Execution during invalid object state

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=623
2022-02-11 22:30:53 +00:00
Wolfgang Rosenauer
c34bf76e06 - Mozilla Thunderbird 91.5.1
* JS LDAP implementation did not support self-signed SSL certificates
  * After saving a draft and subsequently sending a FileLink email,
    the original file was removed from disk
  * Chat OTR encryption did not work
  * OTR verification bar was not removed after completing verification
  * Various theme improvements

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=622
2022-01-26 22:00:35 +00:00
Wolfgang Rosenauer
2b26512461 Accepting request 947696 from home:marxin:branches:mozilla:Factory
- Enable -fimplicit-constexpr for GCC 12+.

OBS-URL: https://build.opensuse.org/request/show/947696
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=621
2022-01-21 22:40:32 +00:00
Wolfgang Rosenauer
ed5ea29202 - Mozilla Thunderbird 91.5.0
https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
  MFSA 2022-03 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071)
    Calling into reportValidity could have lead to fullscreen
    window spoof
  * CVE-2022-22743 (bmo#1739220)
    Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923)
    Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389)
    Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334)
    Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382)
    Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874)
    Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720)
    Iframe sandbox bypass with XSLT
  * CVE-2022-22748 (bmo#1705211)
    Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856)
    Leaking cross-origin URLs through securitypolicyviolation event
  * CVE-2022-22744 (bmo#1737252)
    The 'Copy as curl' feature in DevTools did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2022-22747 (bmo#1735028)
    Crash when handling empty pkcs7 sequence
  * CVE-2022-22739 (bmo#1744158)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=620
2022-01-11 22:11:21 +00:00
Wolfgang Rosenauer
794263a781 Accepting request 943031 from home:iznogood:branches:mozilla:Factory
- Add mozilla-bmo1745560.patch: Fix build against wayland 1.20.

OBS-URL: https://build.opensuse.org/request/show/943031
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=619
2021-12-29 09:35:12 +00:00
Wolfgang Rosenauer
0dadd2459b - Mozilla Thunderbird 91.4.1
* several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
  MFSA 2021-55 (bsc#1193845)
  * CVE-2021-4126 (bmo#1732310)
    OpenPGP signature status doesn't consider additional message
    content
  * CVE-2021-44538 (bmo#1744056)
    Matrix chat library libolm bundled with Thunderbird
    vulnerable to a buffer overflow
- updated _constraints

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=618
2021-12-20 21:55:16 +00:00
Wolfgang Rosenauer
a14190f4f1 - Mozilla Thunderbird 91.4.0
* several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
  MFSA 2021-54 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * CVE-2021-43528 (bmo#1742579)
    JavaScript unexpectedly enabled for the composition area
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=617
2021-12-07 21:16:26 +00:00
Wolfgang Rosenauer
2586d6fed9 Accepting request 935066 from home:AndreasStieger:branches:mozilla:Factory
* OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529
    boo#1189244

OBS-URL: https://build.opensuse.org/request/show/935066
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=616
2021-12-02 08:34:58 +00:00
Wolfgang Rosenauer
38d59e02c4 Accepting request 934032 from home:iznogood:branches:mozilla:Factory
- Drop unused libidl-devel BuildRequires.

OBS-URL: https://build.opensuse.org/request/show/934032
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=615
2021-11-30 07:53:39 +00:00
Wolfgang Rosenauer
e5380b41d0 - Mozilla Thunderbird 91.3.2
* Date selection in Calendar print settings widget changed to use
    mini calendar widget
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/

- Mozilla Thunderbird 91.3.1
  * OpenPGP public keys will no longer count as an attachment in
    the message list
  * Adding a search engine via URL now supported
  * FileLink messages' template updated; Thunderbird advertisement
    removed
  * After an update, Thunderbird will now check installed addons
    for updates
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=614
2021-11-20 22:24:01 +00:00
Wolfgang Rosenauer
9908ef8381 * several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
  MFSA 2021-50  (bsc#1192250)
  * CVE-2021-38503 (bmo#1729517)
    iframe sandbox rules did not apply to XSLT stylesheets
  * CVE-2021-38504 (bmo#1730156)
    Use-after-free in file picker dialog
  * CVE-2021-38505 (bmo#1730194)
    Windows 10 Cloud Clipboard may have recorded sensitive user data
  * CVE-2021-38506 (bmo#1730750)
    Thunderbird could be coaxed into going into fullscreen mode
    without notification or warning
  * CVE-2021-38507 (bmo#1730935)
    Opportunistic Encryption in HTTP2 could be used to bypass the
    Same-Origin-Policy on services hosted on other ports
  * MOZ-2021-0008 (bmo#1667102)
    Use-after-free in HTTP2 Session object
  * CVE-2021-38508 (bmo#1366818)
    Permission Prompt could be overlaid, resulting in user
    confusion and potential spoofing
  * CVE-2021-38509 (bmo#1718571)
    Javascript alert box could have been spoofed onto an
    arbitrary domain
  * CVE-2021-38510 (bmo#1731779)
    Download Protections were bypassed by .inetloc files on Mac OS
  * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
    bmo#1735152)
    Memory safety bugs fixed in Thunderbird ESR 91.3

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=613
2021-11-03 16:44:34 +00:00
Wolfgang Rosenauer
7db3c542e4 - Mozilla Thunderbird 91.3.0
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=612
2021-11-02 20:49:23 +00:00
Wolfgang Rosenauer
54d0229e37 Accepting request 927260 from home:Guillaume_G:branches:mozilla:Factory
- Increase memory required per threads for aarch64 to avoid OOM

OBS-URL: https://build.opensuse.org/request/show/927260
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=611
2021-10-25 12:09:26 +00:00
Wolfgang Rosenauer
d9c01b1222 - Mozilla Thunderbird 91.2.1
* Preference added to disable automatic pausing RSS feed updates
    after a fetch failure
  * several bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/

- add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863)
  fix some env variables which are enabled for any value

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=610
2021-10-23 12:56:24 +00:00
Wolfgang Rosenauer
e41c1dbb9c Accepting request 926797 from home:marxin:branches:mozilla:Factory
- Enable LTO on Tumbleweed.

OBS-URL: https://build.opensuse.org/request/show/926797
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=609
2021-10-22 21:24:06 +00:00
Wolfgang Rosenauer
7ec63b2a47 - Mozilla Thunderbird 91.2.0
* Saving a single message as .eml now uses a unique filename
  * New mail notifications did not properly take subfolders into account
  * Decrypting binary attachments when using an external GnuPG
    configuration failed
  * Account name fields in the account manager were not big enough
    for long names
  * LDAP searches using an extensibleMatch filter returned no results
  * Read-only CalDAV calendars and CardDAV address books were not detected
  * Multipart messages containing a calendar invite did not display
    any of the human-readable alternatives
  * Some calendar days were displayed incorrectly or duplicated
    (eg. two "29th" days of a particular month)
  * Phantom event was shown at the end of each day in Calendar week view
  MFSA 2021-46 (bsc#1191332)
  * CVE-2021-38496 (bmo#1725335)
    Use-after-free in MessageTask
  * CVE-2021-38497 (bmo#1726621)
    Validation message could have been overlaid on another origin
  * CVE-2021-38498 (bmo#1729642)
    Use-after-free of nsLanguageAtomService object
  * CVE-2021-32810 (bmo#1729813,
    https://github.com/crossbeam-
    rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
    Data race in crossbeam-deque
  * CVE-2021-38500 (bmo#1725854, bmo#1728321)
    Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
    and Firefox ESR 91.2
  * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
    Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=608
2021-10-10 19:56:50 +00:00
Wolfgang Rosenauer
6c2a252b2e - Mozilla Thunderbird 91.1.2
* Thunderbird will now warn if an S/MIME encrypted message includes
    BCC recipients
  * several bugfixes listed on
    https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=607
2021-09-29 08:09:48 +00:00
Wolfgang Rosenauer
109cc974e1 - Mozilla Thunderbird 91.1.1
* Menu item for disabling subject encryption for a single message added
  * Printing messages that are not currently displayed is no longer
    supported, including printing multiple messages at once
  * for bugfixes see
    https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes
- MOZ_ENABLE_WAYLAND env variable now overrides automatic detection
  if already set before startup

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=606
2021-09-17 08:26:48 +00:00
Wolfgang Rosenauer
c5e3285967 MFSA 2021-41 (bsc#1190269)
* CVE-2021-38492 (bmo#1721107)
    Navigating to `mk:` URL scheme could load Internet Explorer
  * CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101,
    bmo#1724107)
    Memory safety bugs fixed in Thunderbird 91.1

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=605
2021-09-09 10:23:08 +00:00
Wolfgang Rosenauer
d8aa64313d - Mozilla Thunderbird 91.1.0
* Thunderbird registered Accessibility Handlers using same GUIDs
    as Firefox, causing performance issues for NVDA users
  * Focus lost when reordering accounts by keyboard in the Account Manager
  * Account setup did not use provider display name for setting up
    calendars
  * Various theme and UX fixes
  MFSA 2021-XX (bsc#1190269)
- (re-)added mozilla-silence-no-return-type.patch
- add mozilla-bmo531915.patch to fix build for i586

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=604
2021-09-07 19:34:18 +00:00
Wolfgang Rosenauer
588265dc9f Accepting request 914700 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 91.0.3

OBS-URL: https://build.opensuse.org/request/show/914700
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=603
2021-08-28 14:15:56 +00:00
Wolfgang Rosenauer
4416d70412 MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
    Header Splitting possible with HTTP/3 Responses

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=601
2021-08-19 07:29:26 +00:00
Wolfgang Rosenauer
6c01889e00 - Mozilla Thunderbird 91.0.1
- appdate screenshot URL updated (by mailaender@opensuse.org)

- Mozilla Thunderbird 91.0
  * based on Mozilla's 91 ESR codebase
  * many new and changed features
    https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew
  * Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences"
  * Thunderbird now operates in multi-process (e10s) mode by default
  * New user interface for adding attachments
  * Enable redirect of messages
  * CardDAV address book support
- Removed obsolete patches:
  * mozilla-bmo1463035.patch
  * mozilla-ppc-altivec_static_inline.patch
  * mozilla-pipewire-0-3.patch
  * mozilla-bmo1554971.patch
- add mozilla-libavcodec58_91.patch
- removed obsolete BigEndian ICU build workaround
- updated build requirements
- build using clang

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=600
2021-08-19 07:16:16 +00:00
Wolfgang Rosenauer
3e12a2f698 Accepting request 912581 from home:Mailaender:branches:mozilla:Factory
https://software.opensuse.org/package/MozillaThunderbird has a broken image link

OBS-URL: https://build.opensuse.org/request/show/912581
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=599
2021-08-19 07:13:22 +00:00
Wolfgang Rosenauer
aff12d5e4e - Mozilla Thunderbird 78.13.0
* removed WeTransfer integration package (not supported by vendor
    any longer)
  MFSA 2021-35 (bsc#1188891)
  * CVE-2021-29986 (bmo#1696138)
    Race condition when resolving DNS names could have led to
    memory corruption
  * CVE-2021-29988 (bmo#1717922)
    Memory corruption as a result of incorrect style treatment
  * CVE-2021-29984 (bmo#1720031)
    Incorrect instruction reordering during JIT optimization
  * CVE-2021-29980 (bmo#1722204)
    Uninitialized memory in a canvas object could have led to
    memory corruption
  * CVE-2021-29985 (bmo#1722083)
    Use-after-free media channels
  * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
    bmo#1719998, bmo#1720568)
    Memory safety bugs fixed in Thunderbird 78.13

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=598
2021-08-11 20:23:07 +00:00
Wolfgang Rosenauer
423bce9730 - Mozilla Thunderbird 78.12.0
MFSA 2021-30 (bsc#1188275)
  * CVE-2021-29969 (bmo#1682370)
    IMAP server responses sent by a MITM prior to STARTTLS could be
    processed
  * CVE-2021-29970 (bmo#1709976)
    Use-after-free in accessibility features of a document
  * CVE-2021-30547 (bmo#1715766)
    Out of bounds write in ANGLE
  * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
    bmo#1711576, bmo#1714391)
    Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=597
2021-07-14 16:25:33 +00:00
Wolfgang Rosenauer
8929208551 MFSA 2021-26 (bsc#1186696)
* CVE-2021-29964 (bmo#1706501)
    Out of bounds-read when parsing a `WM_COPYDATA` message
  * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
    bmo#1704722, bmo#1706041)
    Memory safety bugs fixed in Thunderbird 78.11

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=595
2021-06-03 21:22:55 +00:00
Wolfgang Rosenauer
7c722ac821 - Mozilla Thunderbird 78.11.0
* OpenPGP could not be disabled for an account if a key was
    previously configured
  * Recipients were unable to decrypt some messages when the sender
    had changed the message encryption from OpenPGP to S/MIME
  * Contacts moved between CardDAV address books were not synced to
    the new server
  * CardDAV compatibility fixes for Google Contacts
  MFSA 2021-
- renewed expired mozilla.keyring

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=594
2021-06-02 20:13:57 +00:00
Wolfgang Rosenauer
c697113980 Accepting request 895572 from home:AndreasStieger:branches:mozilla:Factory
add bugzilla IDs for 78.10.2 MFSA 2021-22
  * CVE-2021-29956 (boo#1186199, bmo#1710290)
  * CVE-2021-29957 (boo#1186198, bmo#1673241)

OBS-URL: https://build.opensuse.org/request/show/895572
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=593
2021-05-26 15:53:34 +00:00
Wolfgang Rosenauer
fee04cb440 - do not rely on nodejs10 anymore
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=591
2021-05-19 06:20:51 +00:00
Wolfgang Rosenauer
7175336fc8 Accepting request 891138 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 78.10.1

OBS-URL: https://build.opensuse.org/request/show/891138
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=589
2021-05-06 21:30:17 +00:00
Wolfgang Rosenauer
9e204516c2 - Mozilla Thunderbird 78.10.0
MFSA 2021-14 (bsc#1184960)
  * CVE-2021-23994 (bmo#1699077)
    Out of bound write due to lazy initialization
  * CVE-2021-23995 (bmo#1699835)
    Use-after-free in Responsive Design Mode
  * CVE-2021-23998 (bmo#1667456)
    Secure Lock icon could have been spoofed
  * CVE-2021-23961 (bmo#1677940)
    More internal network hosts could have been probed by a
    malicious webpage
  * CVE-2021-23999 (bmo#1691153)
    Blob URLs may have been granted additional privileges
  * CVE-2021-24002 (bmo#1702374)
    Arbitrary FTP command execution on FTP servers using an
    encoded URL
  * CVE-2021-29945 (bmo#1700690)
    Incorrect size computation in WebAssembly JIT could lead to
    null-reads
  * CVE-2021-29946 (bmo#1698503)
    Port blocking could be bypassed
  * CVE-2021-29948 (bmo#1692899)
    Race condition when reading from disk while verifying
    signatures
- recommend libotr5

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=586
2021-04-20 07:54:22 +00:00
Wolfgang Rosenauer
74378bcda4 - Mozilla Thunderbird 78.9.1
* Support recipient aliases for OpenPGP encryption
  * The key and signature parts of the message security popup on a
    received message could not be selected for copy/paste
  * Various UX and theme improvements
  MFSA 2021-13
  * CVE-2021-23991 (bmo#1673240)
    An attacker may use Thunderbird's OpenPGP key refresh mechanism
    to poison an existing key
  * MOZ-2021-23992 (bmo#1666236)
    A crafted OpenPGP key with an invalid user ID could be used to
    confuse the user
  * CVE-2021-23993 (bmo#1666360)
    Inability to send encrypted OpenPGP email after importing a
    crafted OpenPGP key

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=584
2021-04-10 16:21:27 +00:00
Wolfgang Rosenauer
9e317f3906 - Mozilla Thunderbird 78.9.0
* bugfixes:
    https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes
  MFSA 2021-12 (boo#1183942)
  * CVE-2021-23981 (bmo#1692832)
    Texture upload into an unbound backing buffer resulted in an
    out-of-bound read
  * MOZ-2021-0002 (bmo#1691547)
    Angle graphics library out of date
  * CVE-2021-23982 (bmo#1677046)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2021-23984 (bmo#1693664)
    Malicious extensions could have spoofed popup information
  * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718)
    Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=582
2021-03-24 21:31:27 +00:00
Wolfgang Rosenauer
6c5e0317ac - Mozilla Thunderbird 78.8.1
* several bugfixes and improvements
  * https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/
- updated create-tar.sh (bsc#1182357)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=580
2021-03-10 12:07:26 +00:00
Wolfgang Rosenauer
e40e7bf353 - Mozilla Thunderbird 78.8.0
* various bugfixes
  MFSA 2021-09 (bsc#1182614)
  * CVE-2021-23969 (bmo#1542194)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23968 (bmo#1687342)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23973 (bmo#1690976)
    MediaError message property could have leaked information
    about cross-origin resources
  * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391,
    bmo#1687597)
    Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=578
2021-02-24 08:08:21 +00:00
Wolfgang Rosenauer
b79bfbd3a5 - Mozilla Thunderbird 78.7.1
* CardDAV address books now support OAuth2 and Google Contacts
  * Thunderbird will no longer allow installation of addons that
    use legacy APIs

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=576
2021-02-05 22:43:35 +00:00
Wolfgang Rosenauer
fa9e13d8e7 - Mozilla Thunderbird 78.7.0
MFSA 2021-05 (bsc#1181414)
  * CVE-2021-23953 (bmo#1683940)
    Cross-origin information leakage via redirected PDF requests
  * CVE-2021-23954 (bmo#1684020)
    Type confusion when using logical assignment operators in
    JavaScript switch statements
  * CVE-2020-15685 (bmo#1622640)
    IMAP Response Injection when using STARTTLS
  * CVE-2020-26976 (bmo#1674343)
    HTTPS pages could have been intercepted by a registered
    service worker when they should not have been
  * CVE-2021-23960 (bmo#1675755)
    Use-after-poison for incorrectly redeclared JavaScript
    variables during GC
  * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
    bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
    bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
    bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
    bmo#1685260, bmo#1685925)
    Memory safety bugs fixed in Thunderbird 78.7

- MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer
  rpm versions in TW remove everything there as the first action
  of %install

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=574
2021-01-26 21:46:33 +00:00
Wolfgang Rosenauer
ff0ed7bc92 - Mozilla Thunderbird 78.6.1
MFSA 2021-02 (bsc#1180623)
  * CVE-2020-16044 (bmo#1683964)
    Use-after-free write when handling a malicious COOKIE-ECHO SCTP
    chunk

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=571
2021-01-11 22:06:38 +00:00
Wolfgang Rosenauer
d604cb9fa9 - Mozilla Thunderbird 78.6.0
* changes and additions in MailExtensions
  * several bugfixes
  * https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
  MFSA 2020-56 (bsc#1180039))
  * CVE-2020-16042 (bmo#1679003)
    Operations on a BigInt could have caused uninitialized memory
    to be exposed
  * CVE-2020-26971 (bmo#1663466)
    Heap buffer overflow in WebGL
  * CVE-2020-26973 (bmo#1680084)
    CSS Sanitizer performed incorrect sanitization
  * CVE-2020-26974 (bmo#1681022)
    Incorrect cast of StyleGenericFlexBasis resulted in a heap
    use-after-free
  * CVE-2020-26978 (bmo#1677047)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2020-35111 (bmo#1657916)
    The proxy.onRequest API did not catch view-source URLs
  * CVE-2020-35112 (bmo#1661365)
    Opening an extension-less download may have inadvertently
    launched an executable instead
  * CVE-2020-35113 (bmo#1664831, bmo#1673589)
    Memory safety bugs fixed in Thunderbird 78.6

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=568
2020-12-15 22:24:07 +00:00
Wolfgang Rosenauer
b0432050ce - Mozilla Thunderbird 78.5.1
MFSA 2020-53 (bsc#1179530)
  * CVE-2020-26970 (bmo#1677338)
    Stack overflow due to incorrect parsing of SMTP server response codes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=566
2020-12-02 16:28:42 +00:00
Wolfgang Rosenauer
4a95a320a3 - Mozilla Thunderbird 78.5.0
MFSA 2020-52 (bsc#1178894)
  * CVE-2020-26951 (bmo#1667113)
    Parsing mismatches could confuse and bypass security
    sanitizer for chrome privileged code
  * CVE-2020-16012 (bmo#1642028)
    Variable time processing of cross-origin images during
    drawImage calls
  * CVE-2020-26953 (bmo#1656741)
    Fullscreen could be enabled without displaying the security
    UI
  * CVE-2020-26956 (bmo#1666300)
    XSS through paste (manual and clipboard API)
  * CVE-2020-26958 (bmo#1669355)
    Requests intercepted through ServiceWorkers lacked MIME type
    restrictions
  * CVE-2020-26959 (bmo#1669466)
    Use-after-free in WebRequestService
  * CVE-2020-26960 (bmo#1670358)
    Potential use-after-free in uses of nsTArray
  * CVE-2020-15999 (bmo#1672223)
    Heap buffer overflow in freetype
  * CVE-2020-26961 (bmo#1672528)
    DoH did not filter IPv4 mapped IP Addresses
  * CVE-2020-26965 (bmo#1661617)
    Software keyboards may have remembered typed passwords
  * CVE-2020-26966 (bmo#1663571)
    Single-word search queries were also broadcast to local
    network
  * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=564
2020-11-17 14:20:30 +00:00
Wolfgang Rosenauer
808637d07c https://www.thunderbird.net/en-US/thunderbird/78.4.3/releasenotes/
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=562
2020-11-11 09:22:58 +00:00
Wolfgang Rosenauer
007409f510 - Mozilla Thunderbird 78.4.3
- added mozilla-rust-1.47.patch to fix build with rust 1.47

- Mozilla Thunderbird 78.4.2
  MFSA 2020-49
  * CVE-2020-26950 (bmo#1675905)
    Write side effects in MCallGetProperty opcode not accounted for

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=561
2020-11-11 09:21:39 +00:00
Wolfgang Rosenauer
db081d1533 - Mozilla Thunderbird 78.4.1
* Bugfixes and minor features
    https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=560
2020-11-08 18:36:03 +00:00
Wolfgang Rosenauer
63df217471 MFSA 2020-47 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570)
    Use-after-free in usersctp
  * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760,
    bmo#1663439, bmo#1666140)
    Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=558
2020-10-21 20:18:32 +00:00
Wolfgang Rosenauer
69e75a6f77 - Mozilla Thunderbird 78.4.0
* MailExtensions: browser.tabs.sendMessage API added
  * MailExtensions: messageDisplayScripts API added
  * Yahoo and AOL mail users using password authentication will be
    migrated to OAuth2
  * MailExtensions: messageDisplay APIs extended to support multiple
    selected messages
  * MailExtensions: compose.begin functions now support creating a
    message with attachments
  * multiple bugfixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=557
2020-10-21 09:31:04 +00:00
Wolfgang Rosenauer
8d908f5892 - Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP message status icons were not visible in message header pane
  * OpenPGP Key Manager was missing from Tools menu on macOS
  * Creating a new calendar event did not require an event title
- remove python2 dependencies for TW
- support wayland mode/autodetection in startup wrapper
- replace some Requires to use requires_ge macro where appropriate
- improve langpack build (as already used for Firefox)
- add ccache statistics output to build

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=555
2020-10-16 13:01:17 +00:00
Wolfgang Rosenauer
3bdd2525c1 - remove python2 dependencies for Leap 15 and TW
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=554
2020-10-08 14:14:28 +00:00
Wolfgang Rosenauer
4a103ac86f - Mozilla Thunderbird 78.3.2
* OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP: Encrypted messages with international characters were
    sometimes displayed incorrectly
  * Single-click deletion of recipient pills with middle mouse
    button restored
  * Searching an address book list did not display results
  * Dark mode, high contrast, and Windows theming fixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=552
2020-10-07 09:44:38 +00:00
Wolfgang Rosenauer
04ffbb1d9e - added platform patches:
* mozilla-s390x-skia-gradient.patch
  * mozilla-pipewire-0-3.patch
  * mozilla-bmo1512162.patch
  * mozilla-bmo1626236.patch
  * mozilla-bmo998749.patch
  * mozilla-sandbox-fips.patch
- removed obsolete platform patches
  * mozilla-s390-bigendian.patch
  * mozilla-nestegg-big-endian.patch
  * mozilla-openaes-decl.patch
  * mozilla-cubeb-noreturn.patch

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=550
2020-09-25 09:39:00 +00:00
Wolfgang Rosenauer
c90bbb3be9 - Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)

- Mozilla Thunderbird 78.3.0
  MFSA 2020-44 (bsc#1176756)
  * CVE-2020-15677 (bmo#1641487)
    Download origin spoofing via redirect
  * CVE-2020-15676 (bmo#1646140)
    XSS when pasting attacker-controlled data into a
    contenteditable element
  * CVE-2020-15678 (bmo#1660211)
    When recursing through layers while scrolling, an iterator
    may have become invalid, resulting in a potential use-after-
    free scenario
  * CVE-2020-15673 (bmo#1648493, bmo#1660800)
    Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch

- Mozilla Thunderbird 78.2.2
  https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
  (boo#1176384)

- Mozilla Thunderbird 78.2.1
  * based on Mozilla's 78 ESR codebase
  * many new and changed features
    https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
  * built-in OpenPGP support (enigmail neither required nor supported)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=549
2020-09-25 06:32:50 +00:00
Wolfgang Rosenauer
85d782a0f4 - Mozilla Thunderbird 68.12.0
MFSA 2020-40 (bsc#1175686)
  * CVE-2020-15663 (bmo#1643199)
    Downgrade attack on the Mozilla Maintenance Service could have
    resulted in escalation of privilege
  * CVE-2020-15664 (bmo#1658214)
    Attacker-induced prompt for extension installation
  * CVE-2020-15669 (bmo#1656957)
    Use-After-Free when aborting an operation

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=547
2020-08-30 11:12:59 +00:00
Wolfgang Rosenauer
b774973e49 Accepting request 830280 from home:michel_mno:branches:mozilla:Factory
- Put back %limit_build macro usage to avoid build error PowerPC
  (remove memoryperjob constraint)

OBS-URL: https://build.opensuse.org/request/show/830280
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=546
2020-08-30 11:02:29 +00:00
Wolfgang Rosenauer
cfff8c3277 Accepting request 828067 from home:marxin:memory-constraint
Use memoryperjob constraint instead of %limit_build macro.

OBS-URL: https://build.opensuse.org/request/show/828067
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=544
2020-08-20 10:39:48 +00:00
Wolfgang Rosenauer
17467a5a91 Accepting request 823877 from home:AndreasStieger:branches:mozilla:Factory
some past changelog

OBS-URL: https://build.opensuse.org/request/show/823877
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=542
2020-08-01 11:37:02 +00:00
Wolfgang Rosenauer
11aeb7fac9 Accepting request 823875 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 68.11.0 - MFSA 2020-35 (bsc#1174538)

OBS-URL: https://build.opensuse.org/request/show/823875
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=541
2020-08-01 11:17:36 +00:00
Wolfgang Rosenauer
8146a35a9e Accepting request 818183 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 68.10.0

OBS-URL: https://build.opensuse.org/request/show/818183
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=539
2020-07-02 06:27:27 +00:00
Wolfgang Rosenauer
e65691f980 - updated create-tar.sh
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=537
2020-06-11 15:01:14 +00:00
Wolfgang Rosenauer
623455131b - build with nodejs10 to be able to drop nodejs8 from TW
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=536
2020-06-11 14:54:15 +00:00
Wolfgang Rosenauer
cde3667d7c Accepting request 812111 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 68.9.0
MFSA 2020-22 (bsc#1172402)

OBS-URL: https://build.opensuse.org/request/show/812111
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=534
2020-06-06 22:07:29 +00:00
Wolfgang Rosenauer
52917cea5c Accepting request 808559 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 68.8.1

OBS-URL: https://build.opensuse.org/request/show/808559
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=532
2020-05-25 06:47:34 +00:00
Wolfgang Rosenauer
472726a884 * Account Manager fixes and improvements
* https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes
  MFSA 2020-18 (bsc#1171186)
  * CVE-2020-12397 (bmo#1617370)
    Sender Email Address Spoofing using encoded Unicode characters
  * CVE-2020-12387 (bmo#1545345)
    Use-after-free during worker shutdown
  * CVE-2020-6831 (bmo#1632241)
    Buffer overflow in SCTP chunk input validation
  * CVE-2020-12392 (bmo#1614468)
    Arbitrary local file access with 'Copy as cURL'
  * CVE-2020-12393 (bmo#1615471)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098,
    bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508)
    Memory safety bugs fixed in Thunderbird 68.8.0
- removed obsolete patch mozilla-bmo1580963.patch
  (bmo#1580963)
  In general, these flaws cannot be exploited through email in

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=529
2020-05-06 07:22:35 +00:00
Wolfgang Rosenauer
f31294e41a - Mozilla Thunderbird 68.8.0
- Add mozilla-bmo1580963.patch to fix build with rust 1.43

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=528
2020-05-05 07:51:42 +00:00
Wolfgang Rosenauer
34187271c9 Accepting request 800249 from home:namtrac:branches:mozilla:Factory
- Add mozilla-bmo1580963.patch to fix build with rust 1.43

OBS-URL: https://build.opensuse.org/request/show/800249
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=527
2020-05-05 07:28:14 +00:00
Wolfgang Rosenauer
12132f7191 Accepting request 793228 from home:AndreasStieger:branches:mozilla:Factory
MFSA 2020-14 data

OBS-URL: https://build.opensuse.org/request/show/793228
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=525
2020-04-11 21:13:39 +00:00
Wolfgang Rosenauer
8f09505c5b Accepting request 792897 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 68.7.0

OBS-URL: https://build.opensuse.org/request/show/792897
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=524
2020-04-10 08:30:57 +00:00
Wolfgang Rosenauer
56310e4a94 - Mozilla Thunderbird 68.6.0
MFSA 2020-10 (bsc#1166238)
  * CVE-2020-6805 (bmo#1610880)
    Use-after-free when removing data about origins
  * CVE-2020-6806 (bmo#1612308)
    BodyStream::OnInputStreamReady was missing protections against
    state confusion
  * CVE-2020-6807 (bmo#1614971)
    Use-after-free in cubeb during stream destruction
  * CVE-2020-6811 (bmo#1607742)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2019-20503 (bmo#1613765)
    Out of bounds reads in sctp_load_addresses_from_init
  * CVE-2020-6812 (bmo#1616661)
    The names of AirPods with personally identifiable information
    were exposed to websites with camera or microphone permission
  * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636,
    bmo#1614339)
    Memory safety bugs fixed in Thunderbird 68.6
- requires NSS >= 3.44.3

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=522
2020-03-14 13:26:42 +00:00
Wolfgang Rosenauer
b44fdf6e1e - Mozilla Thunderbird 68.5.0
New
  * Support for Client Identity IMAP/SMTP Service Extension
  * Support for OAuth 2.0 authentication for POP3 accounts
  Fixes
  * Status area goes blank during account setup
  * Calendar: Could not remove color for default categories
  * Calendar: Prevent calendar component loading multiple times
  * Calendar: Today pane did not retain width between sessions
  MFSA 2020-07 (bsc#1163368)
  * CVE-2020-6793 (bmo#1608539)
    Out-of-bounds read when processing certain email messages
  * CVE-2020-6794 (bmo#1606619)
    Setting a master password post-Thunderbird 52 does not delete
    unencrypted previously stored passwords
  * CVE-2020-6795 (bmo#1611105)
    Crash processing S/MIME messages with multiple signatures
  * CVE-2020-6797 (bmo#1596668) (Mac OSX only)
    Extensions granted downloads.open permission could open arbitrary
    applications on Mac OSX
  * CVE-2020-6798 (bmo#1602944)
    Incorrect parsing of template tag could result in JavaScript injection
  * CVE-2020-6792 (bmo#1609607)
    Message ID calculcation was based on uninitialized data
  * CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
    bmo#1608580,bmo#1608785,bmo#1605777)
    Memory safety bugs fixed in Thunderbird 68.5

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=520
2020-02-11 20:44:27 +00:00
Wolfgang Rosenauer
4f424022cb Accepting request 769375 from home:hellcp:branches:mozilla:Factory
- Use a symbolic icon from branding internals

OBS-URL: https://build.opensuse.org/request/show/769375
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=518
2020-02-02 19:22:31 +00:00
Wolfgang Rosenauer
88ea2f535a - Mozilla Thunderbird 68.4.2
* Calendar: Task and Event tree colours adjusted for the dark theme
  * Retrieval of S/MIME certificates from LDAP failed
  * Address-parsing crash on some IMAP servers when
    mail.imap.use_envelope_cmd is set
  * Incorrect forwarding of HTML messages caused SMTP servers to
    respond with a timeout
  * Calendar: Various parts of the calendar UI stopped working when
    a second Thunderbird window opened

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=516
2020-01-27 10:15:48 +00:00
Wolfgang Rosenauer
c3ae989234 - removed obsolete patch mozilla-bmo1511604.patch
- added mozilla-bmo1602730.patch to fix LE<->BE issues in the
  platform (bmo#1602730)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=514
2020-01-11 08:43:34 +00:00
Wolfgang Rosenauer
424175f38c MFSA 2020-04 (bsc#1160498, bsc#1160305)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=513
2020-01-11 08:36:41 +00:00
Wolfgang Rosenauer
5d0ef2ba91 - Mozilla Thunderbird 68.4.1
* Various improvements when setting up an account for a Microsoft
    Exchange server: Now offers IMAP/SMTP if available, better
    detection for Office 365 accounts; re-run configuration after
    password change
  Fixes:
  * After changing view layout, the message display pane showed
    garbled content under some circumstances
  * Various theme changes to achieve "pixel perfection": Unread icon,
    "no results" icon, paragraph format and font selector, background
    of folder summary tooltip
  * Tags were lost on messages in shared IMAP folders under some
    circumstances
  * Calendar: Event attendee dialog was not displayed correctly
  MFSA 2020-04  (bsc#1160498)
  * CVE-2019-17026 (bmo#1607443)
    IonMonkey type confusion with StoreElementHole and FallibleStoreElement
  * CVE-2019-17015 (bmo#1599005)
    Memory corruption in parent process during new content process
    initialization on Windows
  * CVE-2019-17016 (bmo#1599181)
    Bypass of @namespace CSS sanitization during pasting
  * CVE-2019-17017 (bmo#1603055)
    Type Confusion in XPCVariant.cpp
  * CVE-2019-17021 (bmo#1599008)
    Heap address disclosure in parent process during content process
    initialization on Windows
  * CVE-2019-17022 (bmo#1602843)
    CSS sanitization does not escape HTML tags
  * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=512
2020-01-10 15:53:07 +00:00
Wolfgang Rosenauer
1c4a233447 - add mozilla-bmo1583471.patch to allow building with rust 1.39
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=510
2019-12-27 17:27:22 +00:00
Wolfgang Rosenauer
8e55c5b577 - Mozilla Thunderbird 68.3.1
* In dark theme unread messages no longer shown in blue to
  Bugfixes
  * Message navigation with backward and forward buttons did not work
    in some circumstances

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=509
2019-12-20 22:23:27 +00:00
Wolfgang Rosenauer
82acc8435a Accepting request 758641 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 68.3.1

OBS-URL: https://build.opensuse.org/request/show/758641
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=508
2019-12-20 22:19:58 +00:00
Wolfgang Rosenauer
7a99e99658 - Mozilla Thunderbird 68.3.0:
* Message display toolbar action WebExtension API
  * Navigation buttons are now available in content tabs, for example
    those opened via an add-on search
  * other bugfixes
  MFSA 2019-38
  * CVE-2019-17008 (bmo#1546331)
    Use-after-free in worker destruction
  * CVE-2019-13722 (bmo#1580156)
    Stack corruption due to incorrect number of arguments in WebRTC code
  * CVE-2019-17010 (bmo#1581084)
    Use-after-free when performing device orientation checks
  * CVE-2019-17005 (bmo#1584170)
    Buffer overflow in plain text serializer
  * CVE-2019-17011 (bmo#1591334)
    Use-after-free when retrieving a document in antitracking
  * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209,
    bmo#1580288, bmo#1585760, bmo#1592502)
    Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
  * Various updates to improve performance and stability
- updated create-tar.sh to cover buildid and origin repo information
- changed locale building procedure
  * removed obsolete compare-locales.tar.xz and
    thunderbird-broken-locales-build.patch
- add mozilla-bmo849632.patch to fix color issues on big endian

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=505
2019-12-05 22:21:05 +00:00
Wolfgang Rosenauer
a87ea0756c Accepting request 747028 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 68.2.2

OBS-URL: https://build.opensuse.org/request/show/747028
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=503
2019-11-09 21:30:38 +00:00