Commit Graph

354 Commits

Author SHA256 Message Date
Wolfgang Rosenauer
82981dade8 - Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
  * Emails were not downloading at startup under some conditions
  * Port numbers were not shown in "Confirm Security Exception"
    dialog for CalDAV connections
  MFSA 2022-07
  * CVE-2022-0566 (bmo#1753094)
    Crafted email could trigger an out-of-bounds write

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=624
2022-02-16 07:53:13 +00:00
Wolfgang Rosenauer
5e8c474a19 - Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
  * Partially signed unencrypted messages displayed an incorrect
    "parrtially encrypted" notification
  * Attachments filenames were not sanitized before saving to disk
  * In the attachment bar, the "Import OpenPGP Key" item displayed
    for public keys displayed an error and did not import the key
  * "Open with" attachment dialog did not have a selected radio
    button option
  MFSA 2022-06 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435)
    Privilege Escalation to SYSTEM on Windows via Maintenance
    Service
  * CVE-2022-22754 (bmo#1750565)
    Extensions could have bypassed permission confirmation during
    update
  * CVE-2022-22756 (bmo#1317873)
    Drag and dropping an image could have resulted in the dropped
    object being an executable
  * CVE-2022-22759 (bmo#1739957)
    Sandboxed iframes could have executed script if the parent
    appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
    Cross-Origin responses could be distinguished between script
    and non-script content-types
  * CVE-2022-22761 (bmo#1745566)
    frame-ancestors Content Security Policy directive was not
    enforced for framed extension pages
  * CVE-2022-22763 (bmo#1740534)
    Script Execution during invalid object state

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=623
2022-02-11 22:30:53 +00:00
Wolfgang Rosenauer
c34bf76e06 - Mozilla Thunderbird 91.5.1
* JS LDAP implementation did not support self-signed SSL certificates
  * After saving a draft and subsequently sending a FileLink email,
    the original file was removed from disk
  * Chat OTR encryption did not work
  * OTR verification bar was not removed after completing verification
  * Various theme improvements

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=622
2022-01-26 22:00:35 +00:00
Wolfgang Rosenauer
2b26512461 Accepting request 947696 from home:marxin:branches:mozilla:Factory
- Enable -fimplicit-constexpr for GCC 12+.

OBS-URL: https://build.opensuse.org/request/show/947696
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=621
2022-01-21 22:40:32 +00:00
Wolfgang Rosenauer
ed5ea29202 - Mozilla Thunderbird 91.5.0
https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
  MFSA 2022-03 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071)
    Calling into reportValidity could have lead to fullscreen
    window spoof
  * CVE-2022-22743 (bmo#1739220)
    Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923)
    Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389)
    Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334)
    Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382)
    Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874)
    Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720)
    Iframe sandbox bypass with XSLT
  * CVE-2022-22748 (bmo#1705211)
    Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856)
    Leaking cross-origin URLs through securitypolicyviolation event
  * CVE-2022-22744 (bmo#1737252)
    The 'Copy as curl' feature in DevTools did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2022-22747 (bmo#1735028)
    Crash when handling empty pkcs7 sequence
  * CVE-2022-22739 (bmo#1744158)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=620
2022-01-11 22:11:21 +00:00
Wolfgang Rosenauer
794263a781 Accepting request 943031 from home:iznogood:branches:mozilla:Factory
- Add mozilla-bmo1745560.patch: Fix build against wayland 1.20.

OBS-URL: https://build.opensuse.org/request/show/943031
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=619
2021-12-29 09:35:12 +00:00
Wolfgang Rosenauer
0dadd2459b - Mozilla Thunderbird 91.4.1
* several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
  MFSA 2021-55 (bsc#1193845)
  * CVE-2021-4126 (bmo#1732310)
    OpenPGP signature status doesn't consider additional message
    content
  * CVE-2021-44538 (bmo#1744056)
    Matrix chat library libolm bundled with Thunderbird
    vulnerable to a buffer overflow
- updated _constraints

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=618
2021-12-20 21:55:16 +00:00
Wolfgang Rosenauer
a14190f4f1 - Mozilla Thunderbird 91.4.0
* several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
  MFSA 2021-54 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * CVE-2021-43528 (bmo#1742579)
    JavaScript unexpectedly enabled for the composition area
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=617
2021-12-07 21:16:26 +00:00
Wolfgang Rosenauer
38d59e02c4 Accepting request 934032 from home:iznogood:branches:mozilla:Factory
- Drop unused libidl-devel BuildRequires.

OBS-URL: https://build.opensuse.org/request/show/934032
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=615
2021-11-30 07:53:39 +00:00
Wolfgang Rosenauer
e5380b41d0 - Mozilla Thunderbird 91.3.2
* Date selection in Calendar print settings widget changed to use
    mini calendar widget
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/

- Mozilla Thunderbird 91.3.1
  * OpenPGP public keys will no longer count as an attachment in
    the message list
  * Adding a search engine via URL now supported
  * FileLink messages' template updated; Thunderbird advertisement
    removed
  * After an update, Thunderbird will now check installed addons
    for updates
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=614
2021-11-20 22:24:01 +00:00
Wolfgang Rosenauer
7db3c542e4 - Mozilla Thunderbird 91.3.0
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=612
2021-11-02 20:49:23 +00:00
Wolfgang Rosenauer
54d0229e37 Accepting request 927260 from home:Guillaume_G:branches:mozilla:Factory
- Increase memory required per threads for aarch64 to avoid OOM

OBS-URL: https://build.opensuse.org/request/show/927260
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=611
2021-10-25 12:09:26 +00:00
Wolfgang Rosenauer
d9c01b1222 - Mozilla Thunderbird 91.2.1
* Preference added to disable automatic pausing RSS feed updates
    after a fetch failure
  * several bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/

- add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863)
  fix some env variables which are enabled for any value

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=610
2021-10-23 12:56:24 +00:00
Wolfgang Rosenauer
e41c1dbb9c Accepting request 926797 from home:marxin:branches:mozilla:Factory
- Enable LTO on Tumbleweed.

OBS-URL: https://build.opensuse.org/request/show/926797
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=609
2021-10-22 21:24:06 +00:00
Wolfgang Rosenauer
7ec63b2a47 - Mozilla Thunderbird 91.2.0
* Saving a single message as .eml now uses a unique filename
  * New mail notifications did not properly take subfolders into account
  * Decrypting binary attachments when using an external GnuPG
    configuration failed
  * Account name fields in the account manager were not big enough
    for long names
  * LDAP searches using an extensibleMatch filter returned no results
  * Read-only CalDAV calendars and CardDAV address books were not detected
  * Multipart messages containing a calendar invite did not display
    any of the human-readable alternatives
  * Some calendar days were displayed incorrectly or duplicated
    (eg. two "29th" days of a particular month)
  * Phantom event was shown at the end of each day in Calendar week view
  MFSA 2021-46 (bsc#1191332)
  * CVE-2021-38496 (bmo#1725335)
    Use-after-free in MessageTask
  * CVE-2021-38497 (bmo#1726621)
    Validation message could have been overlaid on another origin
  * CVE-2021-38498 (bmo#1729642)
    Use-after-free of nsLanguageAtomService object
  * CVE-2021-32810 (bmo#1729813,
    https://github.com/crossbeam-
    rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
    Data race in crossbeam-deque
  * CVE-2021-38500 (bmo#1725854, bmo#1728321)
    Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
    and Firefox ESR 91.2
  * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
    Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=608
2021-10-10 19:56:50 +00:00
Wolfgang Rosenauer
6c2a252b2e - Mozilla Thunderbird 91.1.2
* Thunderbird will now warn if an S/MIME encrypted message includes
    BCC recipients
  * several bugfixes listed on
    https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=607
2021-09-29 08:09:48 +00:00
Wolfgang Rosenauer
109cc974e1 - Mozilla Thunderbird 91.1.1
* Menu item for disabling subject encryption for a single message added
  * Printing messages that are not currently displayed is no longer
    supported, including printing multiple messages at once
  * for bugfixes see
    https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes
- MOZ_ENABLE_WAYLAND env variable now overrides automatic detection
  if already set before startup

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=606
2021-09-17 08:26:48 +00:00
Wolfgang Rosenauer
d8aa64313d - Mozilla Thunderbird 91.1.0
* Thunderbird registered Accessibility Handlers using same GUIDs
    as Firefox, causing performance issues for NVDA users
  * Focus lost when reordering accounts by keyboard in the Account Manager
  * Account setup did not use provider display name for setting up
    calendars
  * Various theme and UX fixes
  MFSA 2021-XX (bsc#1190269)
- (re-)added mozilla-silence-no-return-type.patch
- add mozilla-bmo531915.patch to fix build for i586

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=604
2021-09-07 19:34:18 +00:00
Wolfgang Rosenauer
588265dc9f Accepting request 914700 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 91.0.3

OBS-URL: https://build.opensuse.org/request/show/914700
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=603
2021-08-28 14:15:56 +00:00
Wolfgang Rosenauer
6c01889e00 - Mozilla Thunderbird 91.0.1
- appdate screenshot URL updated (by mailaender@opensuse.org)

- Mozilla Thunderbird 91.0
  * based on Mozilla's 91 ESR codebase
  * many new and changed features
    https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew
  * Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences"
  * Thunderbird now operates in multi-process (e10s) mode by default
  * New user interface for adding attachments
  * Enable redirect of messages
  * CardDAV address book support
- Removed obsolete patches:
  * mozilla-bmo1463035.patch
  * mozilla-ppc-altivec_static_inline.patch
  * mozilla-pipewire-0-3.patch
  * mozilla-bmo1554971.patch
- add mozilla-libavcodec58_91.patch
- removed obsolete BigEndian ICU build workaround
- updated build requirements
- build using clang

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=600
2021-08-19 07:16:16 +00:00
Wolfgang Rosenauer
aff12d5e4e - Mozilla Thunderbird 78.13.0
* removed WeTransfer integration package (not supported by vendor
    any longer)
  MFSA 2021-35 (bsc#1188891)
  * CVE-2021-29986 (bmo#1696138)
    Race condition when resolving DNS names could have led to
    memory corruption
  * CVE-2021-29988 (bmo#1717922)
    Memory corruption as a result of incorrect style treatment
  * CVE-2021-29984 (bmo#1720031)
    Incorrect instruction reordering during JIT optimization
  * CVE-2021-29980 (bmo#1722204)
    Uninitialized memory in a canvas object could have led to
    memory corruption
  * CVE-2021-29985 (bmo#1722083)
    Use-after-free media channels
  * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
    bmo#1719998, bmo#1720568)
    Memory safety bugs fixed in Thunderbird 78.13

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=598
2021-08-11 20:23:07 +00:00
Wolfgang Rosenauer
423bce9730 - Mozilla Thunderbird 78.12.0
MFSA 2021-30 (bsc#1188275)
  * CVE-2021-29969 (bmo#1682370)
    IMAP server responses sent by a MITM prior to STARTTLS could be
    processed
  * CVE-2021-29970 (bmo#1709976)
    Use-after-free in accessibility features of a document
  * CVE-2021-30547 (bmo#1715766)
    Out of bounds write in ANGLE
  * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
    bmo#1711576, bmo#1714391)
    Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=597
2021-07-14 16:25:33 +00:00
Wolfgang Rosenauer
7c722ac821 - Mozilla Thunderbird 78.11.0
* OpenPGP could not be disabled for an account if a key was
    previously configured
  * Recipients were unable to decrypt some messages when the sender
    had changed the message encryption from OpenPGP to S/MIME
  * Contacts moved between CardDAV address books were not synced to
    the new server
  * CardDAV compatibility fixes for Google Contacts
  MFSA 2021-
- renewed expired mozilla.keyring

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=594
2021-06-02 20:13:57 +00:00
Wolfgang Rosenauer
fee04cb440 - do not rely on nodejs10 anymore
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=591
2021-05-19 06:20:51 +00:00
Wolfgang Rosenauer
7175336fc8 Accepting request 891138 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 78.10.1

OBS-URL: https://build.opensuse.org/request/show/891138
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=589
2021-05-06 21:30:17 +00:00
Wolfgang Rosenauer
9e204516c2 - Mozilla Thunderbird 78.10.0
MFSA 2021-14 (bsc#1184960)
  * CVE-2021-23994 (bmo#1699077)
    Out of bound write due to lazy initialization
  * CVE-2021-23995 (bmo#1699835)
    Use-after-free in Responsive Design Mode
  * CVE-2021-23998 (bmo#1667456)
    Secure Lock icon could have been spoofed
  * CVE-2021-23961 (bmo#1677940)
    More internal network hosts could have been probed by a
    malicious webpage
  * CVE-2021-23999 (bmo#1691153)
    Blob URLs may have been granted additional privileges
  * CVE-2021-24002 (bmo#1702374)
    Arbitrary FTP command execution on FTP servers using an
    encoded URL
  * CVE-2021-29945 (bmo#1700690)
    Incorrect size computation in WebAssembly JIT could lead to
    null-reads
  * CVE-2021-29946 (bmo#1698503)
    Port blocking could be bypassed
  * CVE-2021-29948 (bmo#1692899)
    Race condition when reading from disk while verifying
    signatures
- recommend libotr5

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=586
2021-04-20 07:54:22 +00:00
Wolfgang Rosenauer
74378bcda4 - Mozilla Thunderbird 78.9.1
* Support recipient aliases for OpenPGP encryption
  * The key and signature parts of the message security popup on a
    received message could not be selected for copy/paste
  * Various UX and theme improvements
  MFSA 2021-13
  * CVE-2021-23991 (bmo#1673240)
    An attacker may use Thunderbird's OpenPGP key refresh mechanism
    to poison an existing key
  * MOZ-2021-23992 (bmo#1666236)
    A crafted OpenPGP key with an invalid user ID could be used to
    confuse the user
  * CVE-2021-23993 (bmo#1666360)
    Inability to send encrypted OpenPGP email after importing a
    crafted OpenPGP key

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=584
2021-04-10 16:21:27 +00:00
Wolfgang Rosenauer
9e317f3906 - Mozilla Thunderbird 78.9.0
* bugfixes:
    https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes
  MFSA 2021-12 (boo#1183942)
  * CVE-2021-23981 (bmo#1692832)
    Texture upload into an unbound backing buffer resulted in an
    out-of-bound read
  * MOZ-2021-0002 (bmo#1691547)
    Angle graphics library out of date
  * CVE-2021-23982 (bmo#1677046)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2021-23984 (bmo#1693664)
    Malicious extensions could have spoofed popup information
  * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718)
    Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=582
2021-03-24 21:31:27 +00:00
Wolfgang Rosenauer
6c5e0317ac - Mozilla Thunderbird 78.8.1
* several bugfixes and improvements
  * https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/
- updated create-tar.sh (bsc#1182357)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=580
2021-03-10 12:07:26 +00:00
Wolfgang Rosenauer
e40e7bf353 - Mozilla Thunderbird 78.8.0
* various bugfixes
  MFSA 2021-09 (bsc#1182614)
  * CVE-2021-23969 (bmo#1542194)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23968 (bmo#1687342)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23973 (bmo#1690976)
    MediaError message property could have leaked information
    about cross-origin resources
  * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391,
    bmo#1687597)
    Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=578
2021-02-24 08:08:21 +00:00
Wolfgang Rosenauer
b79bfbd3a5 - Mozilla Thunderbird 78.7.1
* CardDAV address books now support OAuth2 and Google Contacts
  * Thunderbird will no longer allow installation of addons that
    use legacy APIs

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=576
2021-02-05 22:43:35 +00:00
Wolfgang Rosenauer
fa9e13d8e7 - Mozilla Thunderbird 78.7.0
MFSA 2021-05 (bsc#1181414)
  * CVE-2021-23953 (bmo#1683940)
    Cross-origin information leakage via redirected PDF requests
  * CVE-2021-23954 (bmo#1684020)
    Type confusion when using logical assignment operators in
    JavaScript switch statements
  * CVE-2020-15685 (bmo#1622640)
    IMAP Response Injection when using STARTTLS
  * CVE-2020-26976 (bmo#1674343)
    HTTPS pages could have been intercepted by a registered
    service worker when they should not have been
  * CVE-2021-23960 (bmo#1675755)
    Use-after-poison for incorrectly redeclared JavaScript
    variables during GC
  * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
    bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
    bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
    bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
    bmo#1685260, bmo#1685925)
    Memory safety bugs fixed in Thunderbird 78.7

- MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer
  rpm versions in TW remove everything there as the first action
  of %install

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=574
2021-01-26 21:46:33 +00:00
Wolfgang Rosenauer
5c0edfa8c6 revert previous change
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=572
2021-01-13 14:46:17 +00:00
Wolfgang Rosenauer
ff0ed7bc92 - Mozilla Thunderbird 78.6.1
MFSA 2021-02 (bsc#1180623)
  * CVE-2020-16044 (bmo#1683964)
    Use-after-free write when handling a malicious COOKIE-ECHO SCTP
    chunk

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=571
2021-01-11 22:06:38 +00:00
Wolfgang Rosenauer
a88987f6eb do not touch buildroot in %build
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=569
2020-12-16 13:32:05 +00:00
Wolfgang Rosenauer
d604cb9fa9 - Mozilla Thunderbird 78.6.0
* changes and additions in MailExtensions
  * several bugfixes
  * https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
  MFSA 2020-56 (bsc#1180039))
  * CVE-2020-16042 (bmo#1679003)
    Operations on a BigInt could have caused uninitialized memory
    to be exposed
  * CVE-2020-26971 (bmo#1663466)
    Heap buffer overflow in WebGL
  * CVE-2020-26973 (bmo#1680084)
    CSS Sanitizer performed incorrect sanitization
  * CVE-2020-26974 (bmo#1681022)
    Incorrect cast of StyleGenericFlexBasis resulted in a heap
    use-after-free
  * CVE-2020-26978 (bmo#1677047)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2020-35111 (bmo#1657916)
    The proxy.onRequest API did not catch view-source URLs
  * CVE-2020-35112 (bmo#1661365)
    Opening an extension-less download may have inadvertently
    launched an executable instead
  * CVE-2020-35113 (bmo#1664831, bmo#1673589)
    Memory safety bugs fixed in Thunderbird 78.6

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=568
2020-12-15 22:24:07 +00:00
Wolfgang Rosenauer
b0432050ce - Mozilla Thunderbird 78.5.1
MFSA 2020-53 (bsc#1179530)
  * CVE-2020-26970 (bmo#1677338)
    Stack overflow due to incorrect parsing of SMTP server response codes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=566
2020-12-02 16:28:42 +00:00
Wolfgang Rosenauer
4a95a320a3 - Mozilla Thunderbird 78.5.0
MFSA 2020-52 (bsc#1178894)
  * CVE-2020-26951 (bmo#1667113)
    Parsing mismatches could confuse and bypass security
    sanitizer for chrome privileged code
  * CVE-2020-16012 (bmo#1642028)
    Variable time processing of cross-origin images during
    drawImage calls
  * CVE-2020-26953 (bmo#1656741)
    Fullscreen could be enabled without displaying the security
    UI
  * CVE-2020-26956 (bmo#1666300)
    XSS through paste (manual and clipboard API)
  * CVE-2020-26958 (bmo#1669355)
    Requests intercepted through ServiceWorkers lacked MIME type
    restrictions
  * CVE-2020-26959 (bmo#1669466)
    Use-after-free in WebRequestService
  * CVE-2020-26960 (bmo#1670358)
    Potential use-after-free in uses of nsTArray
  * CVE-2020-15999 (bmo#1672223)
    Heap buffer overflow in freetype
  * CVE-2020-26961 (bmo#1672528)
    DoH did not filter IPv4 mapped IP Addresses
  * CVE-2020-26965 (bmo#1661617)
    Software keyboards may have remembered typed passwords
  * CVE-2020-26966 (bmo#1663571)
    Single-word search queries were also broadcast to local
    network
  * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=564
2020-11-17 14:20:30 +00:00
Wolfgang Rosenauer
007409f510 - Mozilla Thunderbird 78.4.3
- added mozilla-rust-1.47.patch to fix build with rust 1.47

- Mozilla Thunderbird 78.4.2
  MFSA 2020-49
  * CVE-2020-26950 (bmo#1675905)
    Write side effects in MCallGetProperty opcode not accounted for

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=561
2020-11-11 09:21:39 +00:00
Wolfgang Rosenauer
db081d1533 - Mozilla Thunderbird 78.4.1
* Bugfixes and minor features
    https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=560
2020-11-08 18:36:03 +00:00
Wolfgang Rosenauer
69e75a6f77 - Mozilla Thunderbird 78.4.0
* MailExtensions: browser.tabs.sendMessage API added
  * MailExtensions: messageDisplayScripts API added
  * Yahoo and AOL mail users using password authentication will be
    migrated to OAuth2
  * MailExtensions: messageDisplay APIs extended to support multiple
    selected messages
  * MailExtensions: compose.begin functions now support creating a
    message with attachments
  * multiple bugfixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=557
2020-10-21 09:31:04 +00:00
Wolfgang Rosenauer
8d908f5892 - Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP message status icons were not visible in message header pane
  * OpenPGP Key Manager was missing from Tools menu on macOS
  * Creating a new calendar event did not require an event title
- remove python2 dependencies for TW
- support wayland mode/autodetection in startup wrapper
- replace some Requires to use requires_ge macro where appropriate
- improve langpack build (as already used for Firefox)
- add ccache statistics output to build

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=555
2020-10-16 13:01:17 +00:00
Wolfgang Rosenauer
3bdd2525c1 - remove python2 dependencies for Leap 15 and TW
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=554
2020-10-08 14:14:28 +00:00
Wolfgang Rosenauer
4a103ac86f - Mozilla Thunderbird 78.3.2
* OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP: Encrypted messages with international characters were
    sometimes displayed incorrectly
  * Single-click deletion of recipient pills with middle mouse
    button restored
  * Searching an address book list did not display results
  * Dark mode, high contrast, and Windows theming fixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=552
2020-10-07 09:44:38 +00:00
Wolfgang Rosenauer
c90bbb3be9 - Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)

- Mozilla Thunderbird 78.3.0
  MFSA 2020-44 (bsc#1176756)
  * CVE-2020-15677 (bmo#1641487)
    Download origin spoofing via redirect
  * CVE-2020-15676 (bmo#1646140)
    XSS when pasting attacker-controlled data into a
    contenteditable element
  * CVE-2020-15678 (bmo#1660211)
    When recursing through layers while scrolling, an iterator
    may have become invalid, resulting in a potential use-after-
    free scenario
  * CVE-2020-15673 (bmo#1648493, bmo#1660800)
    Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch

- Mozilla Thunderbird 78.2.2
  https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
  (boo#1176384)

- Mozilla Thunderbird 78.2.1
  * based on Mozilla's 78 ESR codebase
  * many new and changed features
    https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
  * built-in OpenPGP support (enigmail neither required nor supported)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=549
2020-09-25 06:32:50 +00:00
Wolfgang Rosenauer
85d782a0f4 - Mozilla Thunderbird 68.12.0
MFSA 2020-40 (bsc#1175686)
  * CVE-2020-15663 (bmo#1643199)
    Downgrade attack on the Mozilla Maintenance Service could have
    resulted in escalation of privilege
  * CVE-2020-15664 (bmo#1658214)
    Attacker-induced prompt for extension installation
  * CVE-2020-15669 (bmo#1656957)
    Use-After-Free when aborting an operation

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=547
2020-08-30 11:12:59 +00:00
Wolfgang Rosenauer
b774973e49 Accepting request 830280 from home:michel_mno:branches:mozilla:Factory
- Put back %limit_build macro usage to avoid build error PowerPC
  (remove memoryperjob constraint)

OBS-URL: https://build.opensuse.org/request/show/830280
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=546
2020-08-30 11:02:29 +00:00
Wolfgang Rosenauer
cfff8c3277 Accepting request 828067 from home:marxin:memory-constraint
Use memoryperjob constraint instead of %limit_build macro.

OBS-URL: https://build.opensuse.org/request/show/828067
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=544
2020-08-20 10:39:48 +00:00
Wolfgang Rosenauer
11aeb7fac9 Accepting request 823875 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 68.11.0 - MFSA 2020-35 (bsc#1174538)

OBS-URL: https://build.opensuse.org/request/show/823875
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=541
2020-08-01 11:17:36 +00:00
Wolfgang Rosenauer
8146a35a9e Accepting request 818183 from home:AndreasStieger:branches:mozilla:Factory
Mozilla Thunderbird 68.10.0

OBS-URL: https://build.opensuse.org/request/show/818183
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=539
2020-07-02 06:27:27 +00:00