Bugfixes
* Issues with attachments in IMAP messages
* Gmail accounts ignored a non-standard trash folder selection
* Entering/pasting lists of recipients into the addressing widget or
mailing list not working reliably, especially when lists contained
multiple commas or semicolons
* Edit mailing list not working
* Various theme fixes, especially dark theme improvements for Calendar
* Contrast between tag label and background not optimal
* Account Central pane always loaded at start-up
* "Config Editor" button not removed if blocked by policy
* Calendar: Free/busy information in attendees dialog not scrolled
correctly. Note: Scroll arrows still not behaving correctly
- require nodejs8 instead of generic nodejs for better cross-distribution
support
- call desktop database update on install
- updated translations-other locale list
- build correct ICU for Big Endian
- remove kde.js since disabling instantApply breaks extensions and
is obsolete with the move to HTML views for preferences (boo#1151186)
- update create-tar.sh to latest revision and adjust tar_stamps
- added platform patches from Firefox 68esr
mozilla-bmo1005535.patch
mozilla-bmo1463035.patch
mozilla-bmo1504834-part1.patch
mozilla-bmo1504834-part2.patch
mozilla-bmo1504834-part3.patch
mozilla-bmo1511604.patch
mozilla-bmo1554971.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=490
- Mozilla Thunderbird 68.1.0
* Offer to configure Exchange accounts for Office365. A third-party
add-on is required for this account type. IMAP still exists as
alternative.
* several bugfixes
MFSA 2019-30
* CVE-2019-11739 (bmo#1571481)
Covert Content Attack on S/MIME encryption using a crafted
multipart/alternative message
* CVE-2019-11746 (bmo#1564449)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033)
XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715)
Same-origin policy violation with SVG filters and canvas to steal
cross-origin images
* CVE-2019-11752 (bmo#1501152)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-11743 (bmo#1560495)
Cross-origin access to unload event attributes
* CVE-2019-11740 (bmo#1563133,bmo#1573160)
Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox
ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
- removed upstreamed fix-build-after-y2038-changes-in-glibc.patch
- added thunderbird-locale-build.patch to fix locale build
- Add -L flag to the stat call for checking file size of %{SOURCE4}.
- Add fix-missing-return-warning.patch to silence a compiler warning.
- Mozilla Thunderbird 68.0
OBS-URL: https://build.opensuse.org/request/show/730872
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=216
add-on is required for this account type. IMAP still exists as
alternative.
* several bugfixes
MFSA 2019-30
* CVE-2019-11739 (bmo#1571481)
Covert Content Attack on S/MIME encryption using a crafted
multipart/alternative message
* CVE-2019-11746 (bmo#1564449)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033)
XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715)
Same-origin policy violation with SVG filters and canvas to steal
* CVE-2019-11752 (bmo#1501152)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-11743 (bmo#1560495)
Cross-origin access to unload event attributes
* CVE-2019-11740 (bmo#1563133,bmo#1573160)
Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox
ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
- removed upstreamed fix-build-after-y2038-changes-in-glibc.patch
- added thunderbird-locale-build.patch to fix locale build
- Add -L flag to the stat call for checking file size of %{SOURCE4}.
- Add fix-missing-return-warning.patch to silence a compiler warning.
- Mozilla Thunderbird 68.0
* based on Firefox ESR 68
* File link attachments can now be linked to again instead of
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=483
* Offer to configure Exchange accounts for Office365. A third-party
add-on is required for this account type. IMAP still exists as alternative.
MFSA 2019-27
* Use-after-free while manipulating video
CVE-2019-11746 (bmo#1564449)
* XSS by breaking out of title and textarea elements using innerHTML
CVE-2019-11744 (bmo#1562033)
* Same-origin policy violation with SVG filters and canvas to steal
cross-origin images
CVE-2019-11742 (bmo#1559715)
* Use-after-free while extracting a key value in IndexedDB
CVE-2019-11752 (bmo#1501152)
* Sandbox escape through Firefox Sync
CVE-2019-9812 (bmo#1538008, bmo#1538015)
* Cross-origin access to unload event attributes
CVE-2019-11743 (bmo#1560495)
Navigation-Timing Level 2 specification
* Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
CVE-2019-11740 (bmo#1563133, bmo#1573160)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=482
- Generate langpacks sequentially to avoid file corruption
from racy file writes (boo#1137970)
- Mozilla Thunderbird 60.8.0
* Calendar: Problems when editing event times, some related to
AM/PM setting in non-English locales
MFSA 2019-23 (boo#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
* CVE-2019-11730 (bmo#1558299)
Same-origin policy treats all files in a directory as having the
same-origin
* CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498
bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 and
OBS-URL: https://build.opensuse.org/request/show/714774
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=214
* Calendar: Problems when editing event times, some related to
AM/PM setting in non-English locales
MFSA 2019-23 (boo#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
* CVE-2019-11730 (bmo#1558299)
Same-origin policy treats all files in a directory as having the
same-origin
* CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498
bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 and
Thunderbird 60.8
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=478
(also updated keyring)
- Mozilla Thunderbird 60.7.1
* fixed: No prompt for smartcard PIN when S/MIME signing is used
MFSA 2019-17 (boo#1137595)
* CVE-2019-11703 (bmo#1553820)
Heap buffer overflow in icalparser.c
* CVE-2019-11704 (bmo#1553814)
Heap buffer overflow in icalvalue.c
* CVE-2019-11705 (bmo#1553808)
Stack buffer overflow in icalrecur.c
* CVE-2019-11706 (bmo#1555646)
Type confusion in icalproperty.c
- Increase disk space requirements in _constraints.
OBS-URL: https://build.opensuse.org/request/show/709837
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=212
- Mozilla Thunderbird 60.7.0
* Attachment pane of Write window no longer focussed when attaching
files using a keyboard shortcut
MFSA 2019-15 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-11691 (bmo#1542465)
Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670)
Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829)
Use-after-free in png_image_free of libpng library
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2018-18511 (bmo#1526218)
Cross-origin theft of images with ImageBitmapRenderingContext
* CVE-2019-11694 (bmo#1534196) (Windows only)
Uninitialized memory memory leakage in Windows sandbox
OBS-URL: https://build.opensuse.org/request/show/705454
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=211
* Attachment pane of Write window no longer focussed when attaching
files using a keyboard shortcut
MFSA 2019-15 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-11691 (bmo#1542465)
Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670)
Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829)
Use-after-free in png_image_free of libpng library
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2018-18511 (bmo#1526218)
Cross-origin theft of images with ImageBitmapRenderingContext
* CVE-2019-11694 (bmo#1534196) (Windows only)
Uninitialized memory memory leakage in Windows sandbox
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=468
* Calendar: Can't create repeating event with end date when using
certain time zones, for example Europe/Minsk
* some minor bugfixes
* using 60.6.0esr Mozilla platform (bsc#1129821)
- Mozilla Thunderbird 60.5.3
* fixed a regression on the Windows platform:
Problem when using "Send to > Mail recipient" on Windows
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=458
- MozillaThunderbird 60.5.0:
* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines
from a local XML file using a minimal user inferface: [+] button
to select a file an add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default
in some locales
* During account creation, Thunderbird will now detect servers
using the Microsoft Exchange protocol. It will offer the
installation of a 3rd party add-on (Owl) which supports that
protocol.
* Thunderbird now compatible with other WebExtension-based
FileLink add-ons like the Dropbox add-on
MFSA 2019-03 (bsc#1122983)
* CVE-2018-18500 bmo#1510114
Use-after-free parsing HTML5 stream
* CVE-2018-18505 bmo#1497749
Privilege escalation through IPC channel messages
* CVE-2016-5824 bmo#1275400
DoS (use-after-free) via a crafted ics file
* CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
bmo#1502871 bmo#1516738 bmo#1516514
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
- requires NSS 3.36.7
- removed obsolete patch
mozilla-no-stdcxx-check.patch
- rebased patches
MFSA 2018-31
* CVE-2018-17466 bmo#1488295
OBS-URL: https://build.opensuse.org/request/show/669999
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=204
- MozillaThunderbird 60.5.0:
* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines
from a local XML file using a minimal user inferface: [+] button
to select a file an add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default
in some locales
* During account creation, Thunderbird will now detect servers
using the Microsoft Exchange protocol. It will offer the
installation of a 3rd party add-on (Owl) which supports that
protocol.
* Thunderbird now compatible with other WebExtension-based
FileLink add-ons like the Dropbox add-on
- requires NSS 3.36.7
- removed obsolete patch
mozilla-no-stdcxx-check.patch
- rebased patches
MFSA 2018-31
* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11
* CVE-2018-18492 bmo#1499861
Use-after-free with select element
* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs
* CVE-2018-18498 bmo#1500011
Integer overflow when calculating buffer sizes for images
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=451
- Mozilla Thunderbird 60.3.3
* Thunderbird 60 will migrate security databases (key3.db, cert8.db
to key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a
fault that potentially deleted saved passwords and private certificate
keys for users using a master password. Version 60.3.3 will prevent
the loss of data; affected users who have already upgraded to version
60.3.2 or earlier can restore the deleted key3.db file from backup
to complete the migration.
* Address book search and auto-complete slowness introduced in
Thunderbird 60.3.2
* Plain text markup with * for bold, / for italics, _ for underline
and | for code did not work when the enclosed text contained
non-ASCII characters
* While composing a message, a link not removed when link location
was removed in the link properties panel
OBS-URL: https://build.opensuse.org/request/show/655853
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=202
* Thunderbird 60 will migrate security databases (key3.db, cert8.db
to key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a
fault that potentially deleted saved passwords and private certificate
keys for users using a master password. Version 60.3.3 will prevent
the loss of data; affected users who have already upgraded to version
60.3.2 or earlier can restore the deleted key3.db file from backup
to complete the migration.
* Address book search and auto-complete slowness introduced in
Thunderbird 60.3.2
* Plain text markup with * for bold, / for italics, _ for underline
and | for code did not work when the enclosed text contained
non-ASCII characters
* While composing a message, a link not removed when link location
was removed in the link properties panel
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=445