- update to Thunderbird 52.8 (bsc#1092548)
MFSA 2018-13
* CVE-2018-5183 (bmo#1454692)
Backport critical security fixes in Skia
* CVE-2018-5184 (bmo#1411592, bsc#1093152)
Full plaintext recovery in S/MIME via chosen-ciphertext attack
* CVE-2018-5154 (bmo#1443092)
Use-after-free with SVG animations and clip paths
* CVE-2018-5155 (bmo#1448774)
Use-after-free with SVG animations and text paths
* CVE-2018-5159 (bmo#1441941)
Integer overflow and out-of-bounds write in Skia
* CVE-2018-5161 (bmo#1411720)
Hang via malformed headers
* CVE-2018-5162 (bmo#1457721, bsc#1093152)
Encrypted mail leaks plaintext through src attribute
* CVE-2018-5170 (bmo#1411732)
Filename spoofing for external attachments
* CVE-2018-5168 (bmo#1449548)
Lightweight themes can be installed without user interaction
* CVE-2018-5174 (bmo#1447080) (Windows only)
Windows Defender SmartScreen UI runs with less secure behavior
for downloaded files in Windows 10 April 2018 Update
* CVE-2018-5178 (bmo#1443891)
Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
* CVE-2018-5185 (bmo#1450345)
Leaking plaintext through HTML forms
* CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705,
bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415,
OBS-URL: https://build.opensuse.org/request/show/610619
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=192
MFSA 2018-13
* CVE-2018-5183 (bmo#1454692)
Backport critical security fixes in Skia
* CVE-2018-5184 (bmo#1411592, bsc#1093152)
Full plaintext recovery in S/MIME via chosen-ciphertext attack
* CVE-2018-5154 (bmo#1443092)
Use-after-free with SVG animations and clip paths
* CVE-2018-5155 (bmo#1448774)
Use-after-free with SVG animations and text paths
* CVE-2018-5159 (bmo#1441941)
Integer overflow and out-of-bounds write in Skia
* CVE-2018-5161 (bmo#1411720)
Hang via malformed headers
* CVE-2018-5162 (bmo#1457721, bsc#1093152)
Encrypted mail leaks plaintext through src attribute
* CVE-2018-5170 (bmo#1411732)
Filename spoofing for external attachments
* CVE-2018-5168 (bmo#1449548)
Lightweight themes can be installed without user interaction
* CVE-2018-5174 (bmo#1447080) (Windows only)
Windows Defender SmartScreen UI runs with less secure behavior
for downloaded files in Windows 10 April 2018 Update
* CVE-2018-5178 (bmo#1443891)
Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
* CVE-2018-5185 (bmo#1450345)
Leaking plaintext through HTML forms
* CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705,
bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415,
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=406
- update to Thunderbird 52.7
* Searching message bodies of messages in local folders, including
filter and quick filter operations, did not find content in
message attachments
* Better error handling for Yahoo accounts
- The following security fixes are included as part of the mozilla
platform. In general, these flaws cannot be exploited through
email in the Thunderbird product because scripting is disabled
when reading mail, but are potentially risks in browser or
browser-like contexts (MFSA 2018-09, bsc#1085130, bsc#1085671):
* CVE-2018-5127 (bmo#1430557)
Buffer overflow manipulating SVG animatedPathSegList
* CVE-2018-5129 (bmo#1428947)
Out-of-bounds write with malformed IPC messages
* CVE-2018-5144 (bmo#1440926)
Integer overflow during Unicode conversion
* CVE-2018-5146 (bmo#1446062)
Out of bounds memory write in libvorbis
* CVE-2018-5125 (bmo1416529,bmo#1434580,bmo#1434384,bmo#1437450,
bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087,
bmo#1443865,bmo#1425520)
Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7, and
Thunderbird 52.7
* CVE-2018-5145 (bmo#1261175,bmo#1348955)
Memory safety bugs fixed in Firefox ESR 52.7 and Thunderbird
52.7
OBS-URL: https://build.opensuse.org/request/show/591025
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=190
* Searching message bodies of messages in local folders, including
filter and quick filter operations, did not find content in
message attachments
* Better error handling for Yahoo accounts
MFSA 2018-08
* CVE-2018-5146 (bmo#1446062)
Out of bounds memory write in libvorbis
* CVE-2018-5147 (bmo#1446365)
Out of bounds memory write in libtremor
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=401
- update to Thunderbird 52.6 (bsc#1077291)
* Searching message bodies of messages in local folders, including
filter and quick filter operations, not working reliably: Content
not found in base64-encode message parts, non-ASCII text not found
and false positives found.
* Defective messages (without at least one expected header) not shown
in IMAP folders but shown on mobile devices
* Calendar: Unintended task deletion if numlock is enabled
* Mozilla platform security fixes
MFSA 2018-04
* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-5096 (bmo#1418922)
Use-after-free while editing form elements
* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener
* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation
* CVE-2018-5117 (bmo#1395508)
URL spoofing with right-to-left text aligned left-to-right
* CVE-2018-5089
Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
OBS-URL: https://build.opensuse.org/request/show/569795
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=188
* Searching message bodies of messages in local folders, including
filter and quick filter operations, not working reliably: Content
not found in base64-encode message parts, non-ASCII text not found
and false positives found.
* Defective messages (without at least one expected header) not shown
in IMAP folders but shown on mobile devices
* Calendar: Unintended task deletion if numlock is enabled
* Mozilla platform security fixes
MFSA 2018-04
* CVE-2018-5095 (bmo#1418447)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-5096 (bmo#1418922)
Use-after-free while editing form elements
* CVE-2018-5097 (bmo#1387427)
Use-after-free when source document is manipulated during XSLT
* CVE-2018-5098 (bmo#1399400)
Use-after-free while manipulating form input elements
* CVE-2018-5099 (bmo#1416878)
Use-after-free with widget listener
* CVE-2018-5102 (bmo#1419363)
Use-after-free in HTML media elements
* CVE-2018-5103 (bmo#1423159)
Use-after-free during mouse event handling
* CVE-2018-5104 (bmo#1425000)
Use-after-free during font face manipulation
* CVE-2018-5117 (bmo#1395508)
URL spoofing with right-to-left text aligned left-to-right
* CVE-2018-5089
Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=397
* This releases fixes the "Mailsploit" vulnerability and other
vulnerabilities detected by the "Cure53" audit
MFSA 2017-30
* CVE-2017-7845 (bmo#1402372)
Buffer overflow when drawing and validating elements with ANGLE
library using Direct 3D 9
* CVE-2017-7846 (bmo#1411716)
JavaScript Execution via RSS in mailbox:// origin
* CVE-2017-7847 (bmo#1411708)
Local path string can be leaked from RSS feed
* CVE-2017-7848 (bmo#1411699)
RSS Feed vulnerable to new line Injection
* CVE-2017-7829 (bmo#1423432)
Mailsploit part 1: From address with encoded null character is
cut off in message header display
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=394
- update to Thunderbird 52.5.0 (bsc#1068101)
* Better support for Charter/Spectrum IMAP: Thunderbird will now
detect Charter's IMAP service and send an additional IMAP select
command to the server. Check the various preferences ending in
"force_select" to see whether auto-detection has discovered this case.
* In search folders spanning multiple base folders clicking on a
message sometimes marked another message as read
* IMAP alerts have been corrected and now show the correct server
name in case of connection problems
* POP alerts have been corrected and now indicate connection problems
in case the configured POP server cannot be found
MFSA 2017-26
* CVE-2017-7828 (bmo#1406750. bmo#1412252)
Use-after-free of PressShell while restyling layout
* CVE-2017-7830 (bmo#1408990)
Cross-origin URL information leak through Resource Timing API
* CVE-2017-7826
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
- Drop obsolete libgnomeui-devel BuildRequires: No longer needed.
- Add explicit pkgconfig(gconf-2.0), pkgconfig(gobject-2.0),
pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
pkgconfig(gdk-x11-2.0) BuildRequires: Previously pulled in by
libgnomeui-devel, and is what configure really checks for.
OBS-URL: https://build.opensuse.org/request/show/545445
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=185
detect Charter's IMAP service and send an additional IMAP select
command to the server. Check the various preferences ending in
"force_select" to see whether auto-detection has discovered this case.
* In search folders spanning multiple base folders clicking on a
message sometimes marked another message as read
* IMAP alerts have been corrected and now show the correct server
name in case of connection problems
* POP alerts have been corrected and now indicate connection problems
in case the configured POP server cannot be found
MFSA 2017-26
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=390
- Mozilla Thunderbird 52.4.0 (bsc#1060445)
* new behavior was introduced for replies to mailing list posts:
"When replying to a mailing list, reply will be sent to address
in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
* Under certain circumstances (image attachment and non-image
attachment), attached images were shown truncated in messages
stored in IMAP folders not synchronised for offline use.
* IMAP UIDs > 0x7FFFFFFF now handled properly
Security fixes from Gecko 52.4esr
* CVE-2017-7793 (bmo#1371889)
Use-after-free with Fetch API
* CVE-2017-7818 (bmo#1363723)
Use-after-free during ARIA array manipulation
* CVE-2017-7819 (bmo#1380292)
Use-after-free while resizing images in design mode
* CVE-2017-7824 (bmo#1398381)
Buffer overflow when drawing and validating elements with ANGLE
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
Use-after-free in TLS 1.2 generating handshake hashes
* CVE-2017-7814 (bmo#1376036)
Blob and data URLs bypass phishing and malware protection warnings
* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
OS X fonts render some Tibetan and Arabic unicode characters as spaces
* CVE-2017-7823 (bmo#1396320)
CSP sandbox directive did not create a unique origin
* CVE-2017-7810
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
- Add alsa-devel BuildRequires: we care for ALSA support to be
OBS-URL: https://build.opensuse.org/request/show/532694
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=184
"When replying to a mailing list, reply will be sent to address
in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
* Under certain circumstances (image attachment and non-image
attachment), attached images were shown truncated in messages
stored in IMAP folders not synchronised for offline use.
* IMAP UIDs > 0x7FFFFFFF now handled properly
Security fixes from Gecko 52.4esr
* CVE-2017-7793 (bmo#1371889)
Use-after-free with Fetch API
* CVE-2017-7818 (bmo#1363723)
Use-after-free during ARIA array manipulation
* CVE-2017-7819 (bmo#1380292)
Use-after-free while resizing images in design mode
* CVE-2017-7824 (bmo#1398381)
Buffer overflow when drawing and validating elements with ANGLE
* CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
Use-after-free in TLS 1.2 generating handshake hashes
* CVE-2017-7814 (bmo#1376036)
Blob and data URLs bypass phishing and malware protection warnings
* CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
OS X fonts render some Tibetan and Arabic unicode characters as spaces
* CVE-2017-7823 (bmo#1396320)
CSP sandbox directive did not create a unique origin
* CVE-2017-7810
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=386
- update to Thunderbird 52.3 (boo#1052829)
Fixed issues:
* Unwanted inline images shown in rogue SPAM messages
* Deleting message from the POP3 server not working when maildir
storage was used
* Message disposition flag (replied / forwarded) lost when reply or
forwarded message was stored as draft and draft was sent later
* Inline images not scaled to fit when printing
* Selected text from another message sometimes included in a reply
* No authorisation prompt displayed when inserting image into email
body although image URL requires authentication
* Large attachments taking a long time to open under some circumstances
security
Security fixes from Gecko 52.3esr
* CVE-2017-7798 (bmo#1371586, bmo#1372112)
XUL injection in the style editor in devtools
* CVE-2017-7800 (bmo#1374047)
Use-after-free in WebSockets during disconnection
* CVE-2017-7801 (bmo#1371259)
Use-after-free with marquee during window resizing
* CVE-2017-7784 (bmo#1376087)
Use-after-free with image observers
* CVE-2017-7802 (bmo#1378147)
Use-after-free resizing image elements
* CVE-2017-7785 (bmo#1356985)
Buffer overflow manipulating ARIA attributes in DOM
* CVE-2017-7786 (bmo#1365189)
Buffer overflow while painting non-displayable SVG
* CVE-2017-7753 (bmo#1353312)
Out-of-bounds read with cached style data and pseudo-elements#
OBS-URL: https://build.opensuse.org/request/show/517268
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=183
Fixed issues:
* Unwanted inline images shown in rogue SPAM messages
* Deleting message from the POP3 server not working when maildir
storage was used
* Message disposition flag (replied / forwarded) lost when reply or
forwarded message was stored as draft and draft was sent later
* Inline images not scaled to fit when printing
* Selected text from another message sometimes included in a reply
* No authorisation prompt displayed when inserting image into email
body although image URL requires authentication
* Large attachments taking a long time to open under some circumstances
security
Security fixes from Gecko 52.3esr
* CVE-2017-7798 (bmo#1371586, bmo#1372112)
XUL injection in the style editor in devtools
* CVE-2017-7800 (bmo#1374047)
Use-after-free in WebSockets during disconnection
* CVE-2017-7801 (bmo#1371259)
Use-after-free with marquee during window resizing
* CVE-2017-7784 (bmo#1376087)
Use-after-free with image observers
* CVE-2017-7802 (bmo#1378147)
Use-after-free resizing image elements
* CVE-2017-7785 (bmo#1356985)
Buffer overflow manipulating ARIA attributes in DOM
* CVE-2017-7786 (bmo#1365189)
Buffer overflow while painting non-displayable SVG
* CVE-2017-7753 (bmo#1353312)
Out-of-bounds read with cached style data and pseudo-elements#
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=382
- update to Thunderbird 52.2 (boo#1043960)
* Embedded images not shown in email received from Hotmail/Outlook
webmailer
* Detection of non-ASCII font names in font selector
* Attachment not forwarded correctly under certain circumstances
* Multiple requests for master password when GMail OAuth2 is enabled
* Large number of blank pages being printed under certain
circumstances when invalid preferences were present
* Messages sent via the Simple MAPI interface are forced to HTML
* Calendar: Invitations can't be printed
* Mailing list (group) not accessible from macOS or Outlook address book
* Clicking on links with references/anchors where target doesn't
exist in the message not opening in external browser
MFSA 2017-17
* CVE-2017-5472 (bmo#1365602)
Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039)
Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558)
Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396)
Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547)
Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090)
Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7756 (bmo#1366595)
Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824)
Use-after-free in IndexedDB
OBS-URL: https://build.opensuse.org/request/show/503951
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=181
* Embedded images not shown in email received from Hotmail/Outlook
webmailer
* Detection of non-ASCII font names in font selector
* Attachment not forwarded correctly under certain circumstances
* Multiple requests for master password when GMail OAuth2 is enabled
* Large number of blank pages being printed under certain
circumstances when invalid preferences were present
* Messages sent via the Simple MAPI interface are forced to HTML
* Calendar: Invitations can't be printed
* Mailing list (group) not accessible from macOS or Outlook address book
* Clicking on links with references/anchors where target doesn't
exist in the message not opening in external browser
MFSA 2017-17
* CVE-2017-5472 (bmo#1365602)
Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039)
Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558)
Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396)
Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547)
Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090)
Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7756 (bmo#1366595)
Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824)
Use-after-free in IndexedDB
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=376
- update to Thunderbird 52.1.1
* fixed crash when compacting IMAP folder (boo#1038753)
* Some attachments could not be opened or saved if the message
body is empty
* Unable to load full message via POP if message was downloaded
partially (or only headers) before
* Large attachments may not be shown or saved correctly if the
message is stored in an IMAP folder which is not synchronized
for offline use
OBS-URL: https://build.opensuse.org/request/show/495327
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=178
* fixed crash when compacting IMAP folder (boo#1038753)
* Some attachments could not be opened or saved if the message
body is empty
* Unable to load full message via POP if message was downloaded
partially (or only headers) before
* Large attachments may not be shown or saved correctly if the
message is stored in an IMAP folder which is not synchronized
for offline use
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=367
- update to Thunderbird 52.1.0
* Background images not working and other issues related to
embedded images when composing email have been fixed
* Google Oauth setup can sometimes not progress to the next step
* requires NSS >= 3.28.4
- security fixes (boo#1035082), MFSA 2017-13
* CVE-2017-5443 (bmo#1342661)
Out-of-bounds write during BinHex decoding
* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1
* CVE-2017-5464 (bmo#1347075)
Memory corruption with accessibility and DOM manipulation
* CVE-2017-5465 (bmo#1347617)
Out-of-bounds read in ConvolvePixel
* CVE-2017-5466 (bmo#1353975)
Origin confusion when reloading isolated data:text/html URL
* CVE-2017-5467 (bmo#1347262)
Memory corruption when drawing Skia content
* CVE-2017-5460 (bmo#1343642)
Use-after-free in frame selection
* CVE-2017-5461 (bmo#1344380)
Out-of-bounds write in Base64 encoding in NSS
* CVE-2017-5449 (bmo#1340127)
Crash during bidirectional unicode manipulation with animation
* CVE-2017-5446 (bmo#1343505)
Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
* CVE-2017-5447 (bmo#1343552)
Out-of-bounds read during glyph processing
OBS-URL: https://build.opensuse.org/request/show/492468
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=177
* Background images not working and other issues related to
embedded images when composing email have been fixed
* Google Oauth setup can sometimes not progress to the next step
* requires NSS >= 3.28.4
- security fixes (boo#1035082), MFSA 2017-13
* CVE-2017-5443 (bmo#1342661)
Out-of-bounds write during BinHex decoding
* CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1
* CVE-2017-5464 (bmo#1347075)
Memory corruption with accessibility and DOM manipulation
* CVE-2017-5465 (bmo#1347617)
Out-of-bounds read in ConvolvePixel
* CVE-2017-5466 (bmo#1353975)
Origin confusion when reloading isolated data:text/html URL
* CVE-2017-5467 (bmo#1347262)
Memory corruption when drawing Skia content
* CVE-2017-5460 (bmo#1343642)
Use-after-free in frame selection
* CVE-2017-5461 (bmo#1344380)
Out-of-bounds write in Base64 encoding in NSS
* CVE-2017-5449 (bmo#1340127)
Crash during bidirectional unicode manipulation with animation
* CVE-2017-5446 (bmo#1343505)
Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
* CVE-2017-5447 (bmo#1343552)
Out-of-bounds read during glyph processing
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=365
Adding changelog entries for 52:
- security fixes (bsc#1028391, MFSA 2017-09):
In general, these flaws cannot be exploited through email because
scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.
* CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933)
* CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861)
* CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876)
* CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186)
* CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138)
* CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890)
* CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622)
* CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687)
* CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711)
* CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
* CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504)
* CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370)
* CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
* CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361)
* CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876)
* CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243)
* CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699)
* CVE-2017-5421: Print preview spoofing (bmo#1301876)
* CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002)
* CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
* CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
OBS-URL: https://build.opensuse.org/request/show/489077
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=363
* Optionally remove corresponding data files when removing an account
* Possibility to copy message filter
* Calendar: Event can now be created and edited in a tab
* Calendar: Processing of received invitation counter proposals
* Chat: Support Twitter Direct Messages
* Chat: Liking and favoriting in Twitter
* Chat: Removed Yahoo! Messenger support
* serveral bugfixes
- removed obsolete patches
* mozilla-aarch64-48bit-va.patch
* mozilla-binutils-visibility.patch
* mozilla-flex_buffer_overrun.patch
* mozilla-gcc6.patch
- added generic mozilla patches
* mozilla-aarch64-startup-crash.patch
- require newer versions of NSPR and NSS
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=358
