- Mozilla Thunderbird 60.7.0
* Attachment pane of Write window no longer focussed when attaching
files using a keyboard shortcut
MFSA 2019-15 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-11691 (bmo#1542465)
Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670)
Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829)
Use-after-free in png_image_free of libpng library
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2018-18511 (bmo#1526218)
Cross-origin theft of images with ImageBitmapRenderingContext
* CVE-2019-11694 (bmo#1534196) (Windows only)
Uninitialized memory memory leakage in Windows sandbox
OBS-URL: https://build.opensuse.org/request/show/705454
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=211
* Attachment pane of Write window no longer focussed when attaching
files using a keyboard shortcut
MFSA 2019-15 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-11691 (bmo#1542465)
Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670)
Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829)
Use-after-free in png_image_free of libpng library
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2018-18511 (bmo#1526218)
Cross-origin theft of images with ImageBitmapRenderingContext
* CVE-2019-11694 (bmo#1534196) (Windows only)
Uninitialized memory memory leakage in Windows sandbox
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=468
* Calendar: Can't create repeating event with end date when using
certain time zones, for example Europe/Minsk
* some minor bugfixes
* using 60.6.0esr Mozilla platform (bsc#1129821)
- Mozilla Thunderbird 60.5.3
* fixed a regression on the Windows platform:
Problem when using "Send to > Mail recipient" on Windows
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=458
- MozillaThunderbird 60.5.0:
* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines
from a local XML file using a minimal user inferface: [+] button
to select a file an add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default
in some locales
* During account creation, Thunderbird will now detect servers
using the Microsoft Exchange protocol. It will offer the
installation of a 3rd party add-on (Owl) which supports that
protocol.
* Thunderbird now compatible with other WebExtension-based
FileLink add-ons like the Dropbox add-on
MFSA 2019-03 (bsc#1122983)
* CVE-2018-18500 bmo#1510114
Use-after-free parsing HTML5 stream
* CVE-2018-18505 bmo#1497749
Privilege escalation through IPC channel messages
* CVE-2016-5824 bmo#1275400
DoS (use-after-free) via a crafted ics file
* CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
bmo#1502871 bmo#1516738 bmo#1516514
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
- requires NSS 3.36.7
- removed obsolete patch
mozilla-no-stdcxx-check.patch
- rebased patches
MFSA 2018-31
* CVE-2018-17466 bmo#1488295
OBS-URL: https://build.opensuse.org/request/show/669999
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=204
- MozillaThunderbird 60.5.0:
* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines
from a local XML file using a minimal user inferface: [+] button
to select a file an add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default
in some locales
* During account creation, Thunderbird will now detect servers
using the Microsoft Exchange protocol. It will offer the
installation of a 3rd party add-on (Owl) which supports that
protocol.
* Thunderbird now compatible with other WebExtension-based
FileLink add-ons like the Dropbox add-on
- requires NSS 3.36.7
- removed obsolete patch
mozilla-no-stdcxx-check.patch
- rebased patches
MFSA 2018-31
* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11
* CVE-2018-18492 bmo#1499861
Use-after-free with select element
* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs
* CVE-2018-18498 bmo#1500011
Integer overflow when calculating buffer sizes for images
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=451
- Mozilla Thunderbird 60.3.3
* Thunderbird 60 will migrate security databases (key3.db, cert8.db
to key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a
fault that potentially deleted saved passwords and private certificate
keys for users using a master password. Version 60.3.3 will prevent
the loss of data; affected users who have already upgraded to version
60.3.2 or earlier can restore the deleted key3.db file from backup
to complete the migration.
* Address book search and auto-complete slowness introduced in
Thunderbird 60.3.2
* Plain text markup with * for bold, / for italics, _ for underline
and | for code did not work when the enclosed text contained
non-ASCII characters
* While composing a message, a link not removed when link location
was removed in the link properties panel
OBS-URL: https://build.opensuse.org/request/show/655853
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=202
* Thunderbird 60 will migrate security databases (key3.db, cert8.db
to key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a
fault that potentially deleted saved passwords and private certificate
keys for users using a master password. Version 60.3.3 will prevent
the loss of data; affected users who have already upgraded to version
60.3.2 or earlier can restore the deleted key3.db file from backup
to complete the migration.
* Address book search and auto-complete slowness introduced in
Thunderbird 60.3.2
* Plain text markup with * for bold, / for italics, _ for underline
and | for code did not work when the enclosed text contained
non-ASCII characters
* While composing a message, a link not removed when link location
was removed in the link properties panel
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=445
* Encoding problems when exporting address books or messages using
the system charset. Messages are now always exported using the
UTF-8 encoding
* If the "Date" header of a message was invalid, Jan 1970 or Dec 1969
was displayed. Now using date from "Received" header instead.
* Body search/filtering didn't reliably ignore content of tags
* Inappropriate warning "Thunderbird prevented the site
(addons.thunderbird.net) from asking you to install software on
your computer" when installing add-ons
* Incorrect display of correspondents column since own email
address was not always detected
* Spurious 
 (encoded newline) inserted into drafts and sent email
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=442
- Mozilla Thunderbird 60.3.1:
* Double-clicking on a word in the Write window sometimes
launched the Advanced Property Editor or Link Properties dialog
* Fixe Cookie removal
* "Download rest of message" was not working if global inbox was
used
* Fix Encoding problems for users (especially in Poland) when a
file was sent via a folder using "Sent to > Mail recipient"
due to a problem in the Thunderbird MAPI interface
* According to RFC 4616 and RFC 5721, passwords containing
non-ASCII characters are encoded using UTF-8 which can lead to
problems with non-compliant providers, for example
office365.com. The SMTP LOGIN and POP3 USER/PASS
authentication methods are now using a Latin-1 encoding again
to work around this issue
* Fix shutdown crash/hang after entering an empty IMAP password
OBS-URL: https://build.opensuse.org/request/show/649480
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=200
- update to Thunderbird 60.3.0
* various theme fixes
* Shift+PageUp/PageDown in Write window
* Gloda attachment filtering
* Mailing list address auto-complete enter/return handling
* Thunderbird hung if HTML signature references non-existent image
* Filters not working for headers that appear more than once
- Security fixes for the Mozilla platform picked up from 60.3
(Firefox ESR release). In general, these flaws cannot be exploited
through email in Thunderbird because scripting is disabled when
reading mail, but are potentially risks in browser or browser-like
contexts (MFSA 2018-28) (bsc#1112852)
* CVE-2018-12391 (bmo#1478843) (Android only)
HTTP Live Stream audio data is accessible cross-origin
* CVE-2018-12392 (bmo#1492823)
Crash with nested event loops
* CVE-2018-12393 (bmo#1495011)
Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12389 (bmo#1498460, bmo#1499198)
Memory safety bugs fixed in Firefox ESR 60.3
* CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
- Update _constraints for armv6/7
- Add patch to fix build on armv7:
* mozilla-bmo1463035.patch
OBS-URL: https://build.opensuse.org/request/show/645920
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=199
* various theme fixes
* Shift+PageUp/PageDown in Write window
* Gloda attachment filtering
* Mailing list address auto-complete enter/return handling
* Thunderbird hung if HTML signature references non-existent image
* Filters not working for headers that appear more than once
- Security fixes for the Mozilla platform picked up from 60.3
(Firefox ESR release). In general, these flaws cannot be exploited
through email in Thunderbird because scripting is disabled when
reading mail, but are potentially risks in browser or browser-like
contexts (MFSA 2018-28) (bsc#1112852)
* CVE-2018-12391 (bmo#1478843) (Android only)
HTTP Live Stream audio data is accessible cross-origin
* CVE-2018-12392 (bmo#1492823)
Crash with nested event loops
* CVE-2018-12393 (bmo#1495011)
Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12389 (bmo#1498460, bmo#1499198)
Memory safety bugs fixed in Firefox ESR 60.3
* CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
* Fix security info dialog in compose window not showing
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=437