* removed WeTransfer integration package (not supported by vendor
any longer)
MFSA 2021-35 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138)
Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29988 (bmo#1717922)
Memory corruption as a result of incorrect style treatment
* CVE-2021-29984 (bmo#1720031)
Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204)
Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29985 (bmo#1722083)
Use-after-free media channels
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
bmo#1719998, bmo#1720568)
Memory safety bugs fixed in Thunderbird 78.13
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=598
MFSA 2021-30 (bsc#1188275)
* CVE-2021-29969 (bmo#1682370)
IMAP server responses sent by a MITM prior to STARTTLS could be
processed
* CVE-2021-29970 (bmo#1709976)
Use-after-free in accessibility features of a document
* CVE-2021-30547 (bmo#1715766)
Out of bounds write in ANGLE
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
bmo#1711576, bmo#1714391)
Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=597
* OpenPGP could not be disabled for an account if a key was
previously configured
* Recipients were unable to decrypt some messages when the sender
had changed the message encryption from OpenPGP to S/MIME
* Contacts moved between CardDAV address books were not synced to
the new server
* CardDAV compatibility fixes for Google Contacts
MFSA 2021-
- renewed expired mozilla.keyring
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=594
MFSA 2021-14 (bsc#1184960)
* CVE-2021-23994 (bmo#1699077)
Out of bound write due to lazy initialization
* CVE-2021-23995 (bmo#1699835)
Use-after-free in Responsive Design Mode
* CVE-2021-23998 (bmo#1667456)
Secure Lock icon could have been spoofed
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23999 (bmo#1691153)
Blob URLs may have been granted additional privileges
* CVE-2021-24002 (bmo#1702374)
Arbitrary FTP command execution on FTP servers using an
encoded URL
* CVE-2021-29945 (bmo#1700690)
Incorrect size computation in WebAssembly JIT could lead to
null-reads
* CVE-2021-29946 (bmo#1698503)
Port blocking could be bypassed
* CVE-2021-29948 (bmo#1692899)
Race condition when reading from disk while verifying
signatures
- recommend libotr5
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=586
* Support recipient aliases for OpenPGP encryption
* The key and signature parts of the message security popup on a
received message could not be selected for copy/paste
* Various UX and theme improvements
MFSA 2021-13
* CVE-2021-23991 (bmo#1673240)
An attacker may use Thunderbird's OpenPGP key refresh mechanism
to poison an existing key
* MOZ-2021-23992 (bmo#1666236)
A crafted OpenPGP key with an invalid user ID could be used to
confuse the user
* CVE-2021-23993 (bmo#1666360)
Inability to send encrypted OpenPGP email after importing a
crafted OpenPGP key
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=584
* bugfixes:
https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes
MFSA 2021-12 (boo#1183942)
* CVE-2021-23981 (bmo#1692832)
Texture upload into an unbound backing buffer resulted in an
out-of-bound read
* MOZ-2021-0002 (bmo#1691547)
Angle graphics library out of date
* CVE-2021-23982 (bmo#1677046)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2021-23984 (bmo#1693664)
Malicious extensions could have spoofed popup information
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718)
Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=582
* various bugfixes
MFSA 2021-09 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23968 (bmo#1687342)
Content Security Policy violation report could have contained
the destination of a redirect
* CVE-2021-23973 (bmo#1690976)
MediaError message property could have leaked information
about cross-origin resources
* CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391,
bmo#1687597)
Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=578
MFSA 2021-05 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2020-15685 (bmo#1622640)
IMAP Response Injection when using STARTTLS
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
bmo#1685260, bmo#1685925)
Memory safety bugs fixed in Thunderbird 78.7
- MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer
rpm versions in TW remove everything there as the first action
of %install
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=574
* changes and additions in MailExtensions
* several bugfixes
* https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
MFSA 2020-56 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Thunderbird 78.6
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=568
MFSA 2020-52 (bsc#1178894)
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security
UI
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
* CVE-2020-26959 (bmo#1669466)
Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358)
Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223)
Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528)
DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617)
Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571)
Single-word search queries were also broadcast to local
network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=564
* MailExtensions: browser.tabs.sendMessage API added
* MailExtensions: messageDisplayScripts API added
* Yahoo and AOL mail users using password authentication will be
migrated to OAuth2
* MailExtensions: messageDisplay APIs extended to support multiple
selected messages
* MailExtensions: compose.begin functions now support creating a
message with attachments
* multiple bugfixes
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=557
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* OpenPGP Key Manager was missing from Tools menu on macOS
* Creating a new calendar event did not require an event title
- remove python2 dependencies for TW
- support wayland mode/autodetection in startup wrapper
- replace some Requires to use requires_ge macro where appropriate
- improve langpack build (as already used for Firefox)
- add ccache statistics output to build
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=555
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were
sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse
button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=552
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch
- Mozilla Thunderbird 78.2.2
https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
(boo#1176384)
- Mozilla Thunderbird 78.2.1
* based on Mozilla's 78 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
* built-in OpenPGP support (enigmail neither required nor supported)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=549
MFSA 2020-40 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could have
resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15669 (bmo#1656957)
Use-After-Free when aborting an operation
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=547
MFSA 2020-10 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections against
state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636,
bmo#1614339)
Memory safety bugs fixed in Thunderbird 68.6
- requires NSS >= 3.44.3
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=522
New
* Support for Client Identity IMAP/SMTP Service Extension
* Support for OAuth 2.0 authentication for POP3 accounts
Fixes
* Status area goes blank during account setup
* Calendar: Could not remove color for default categories
* Calendar: Prevent calendar component loading multiple times
* Calendar: Today pane did not retain width between sessions
MFSA 2020-07 (bsc#1163368)
* CVE-2020-6793 (bmo#1608539)
Out-of-bounds read when processing certain email messages
* CVE-2020-6794 (bmo#1606619)
Setting a master password post-Thunderbird 52 does not delete
unencrypted previously stored passwords
* CVE-2020-6795 (bmo#1611105)
Crash processing S/MIME messages with multiple signatures
* CVE-2020-6797 (bmo#1596668) (Mac OSX only)
Extensions granted downloads.open permission could open arbitrary
applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6792 (bmo#1609607)
Message ID calculcation was based on uninitialized data
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
bmo#1608580,bmo#1608785,bmo#1605777)
Memory safety bugs fixed in Thunderbird 68.5
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=520