Commit Graph

430 Commits

Author SHA256 Message Date
Wolfgang Rosenauer
376ac03b18 * New messages will automatically select S/MIME if configured and
OpenPGP is not
  * Calendar events with timezone America/Mexico_City incorrectly
    applied Daylight Savings Time
  MFSA 2023-15 (bsc#1210212)
  * CVE-2023-29531 (bmo#1794292)
    Out-of-bound memory access in WebGL on macOS
  * CVE-2023-29532 (bmo#1806394)
    Mozilla Maintenance Service Write-lock bypass
  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
    Fullscreen notification obscured
  * MFSA-TMP-2023-0001 (bmo#1819244)
    Double-free in libwebp
  * CVE-2023-29535 (bmo#1820543)
    Potential Memory Corruption following Garbage Collector compaction
  * CVE-2023-29536 (bmo#1821959)
    Invalid free from JavaScript code
  * CVE-2023-0547 (bmo#1811298)
    Revocation status of S/Mime recipient certificates was not checked
  * CVE-2023-29479 (bmo#1824978)
    Hang when processing certain OpenPGP messages
  * CVE-2023-29539 (bmo#1784348)
    Content-Disposition filename truncation leads to Reflected
    File Download
  * CVE-2023-29541 (bmo#1810191)
    Files with malicious extensions could have been downloaded
    unsafely on Linux
  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
    Bypass of file download extension restrictions
  * CVE-2023-29545 (bmo#1823077)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=697
2023-04-11 20:58:19 +00:00
Wolfgang Rosenauer
7a75a56779 - Mozilla Thunderbird 102.10.0
- add mozilla-llvm16.patch trying to fix build with LLVM16

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=696
2023-04-06 13:55:17 +00:00
Wolfgang Rosenauer
b695ba5251 - Mozilla Thunderbird 102.9.1
MFSA 2023-12
  * CVE-2023-28427 (bmo#1822595)
    Matrix SDK bundled with Thunderbird vulnerable to
    denial-of-service attack

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=695
2023-03-29 12:48:43 +00:00
Wolfgang Rosenauer
3d74973d59 - add gcc13-fix.patch to support current Tumbleweed
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=693
2023-03-26 16:31:37 +00:00
Wolfgang Rosenauer
b8ddf94b52 - build using rust 1.67
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=691
2023-03-16 13:11:48 +00:00
Wolfgang Rosenauer
34b61a3e8e - Mozilla Thunderbird 102.9.0
* https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes
  MFSA 2023-11 (bsc#1209173))
  * CVE-2023-25751 (bmo#1814899)
    Incorrect code generation during JIT compilation
  * CVE-2023-28164 (bmo#1809122)
    URL being dragged from a removed cross-origin iframe into the
    same tab triggered navigation
  * CVE-2023-28162 (bmo#1811327)
    Invalid downcast in Worklets
  * CVE-2023-25752 (bmo#1811627)
    Potential out-of-bounds when accessing throttled streams
  * CVE-2023-28163 (bmo#1817768)
    Windows Save As dialog resolved environment variables
  * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904,
    bmo#1817442, bmo#1818674)
    Memory safety bugs fixed in Thunderbird 102.9
- update create-tar.sh

- Ensure gcc11-c++ gets used on Leap 15.5, too.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=690
2023-03-16 10:35:50 +00:00
Wolfgang Rosenauer
7e7b48d551 - Mozilla Thunderbird 102.8.0
* https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes
  MFSA 2023-07 (bsc#1208144)
  * CVE-2023-0616 (bmo#1806507)
    User Interface lockup with messages combining S/MIME and OpenPGP
  * CVE-2023-25728 (bmo#1790345)
    Content security policy leak in violation reports using iframes
  * CVE-2023-25730 (bmo#1794622)
    Screen hijack via browser fullscreen mode
  * CVE-2023-0767 (bmo#1804640)
    Arbitrary memory write via PKCS 12 in NSS
  * CVE-2023-25735 (bmo#1810711)
    Potential use-after-free from compartment mismatch in SpiderMonkey
  * CVE-2023-25737 (bmo#1811464)
    Invalid downcast in SVGUtils::SetupStrokeGeometry
  * CVE-2023-25738 (bmo#1811852)
    Printing on Windows could potentially crash Thunderbird with
    some device drivers
  * CVE-2023-25739 (bmo#1811939)
    Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
  * CVE-2023-25729 (bmo#1792138)
    Extensions could have opened external schemes without user knowledge
  * CVE-2023-25732 (bmo#1804564)
    Out of bounds memory write from EncodeInputStream
  * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
    Opening local .url files could cause unexpected network loads
  * CVE-2023-25742 (bmo#1813424)
    Web Crypto ImportKey crashes tab
  * CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628,
    bmo#1810536)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=688
2023-02-19 09:41:40 +00:00
Wolfgang Rosenauer
c38dd3ccb4 - Mozilla Thunderbird 102.7.2
* Various crash fixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=686
2023-02-08 08:58:24 +00:00
Wolfgang Rosenauer
2f400cc863 - Mozilla Thunderbird 102.7.1
* Microsoft Office 365 accounts were unable to authenticate
  * https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/
  MFSA 2023-04
  * CVE-2023-0430 (bmo#1769000)
    Revocation status of S/Mime signature certificates was not checked
- update create-tar.sh

- Mozilla Thunderbird 102.7.0
  https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/
  MFSA 2023-03 (bsc#1207119)
  * CVE-2022-46871 (bmo#1795697)
    libusrsctp library out of date
  * CVE-2023-23598 (bmo#1800425)
    Arbitrary file read from GTK drag and drop on Linux
  * CVE-2023-23599 (bmo#1777800)
    Malicious command could be hidden in devtools output on
    Windows
  * CVE-2023-23601 (bmo#1794268)
    URL being dragged from cross-origin iframe into same tab
    triggers navigation
  * CVE-2023-23602 (bmo#1800890)
    Content Security Policy wasn't being correctly applied to
    WebSockets in WebWorkers
  * CVE-2022-46877 (bmo#1795139)
    Fullscreen notification bypass
  * CVE-2023-23603 (bmo#1800832)
    Calls to <code>console.log</code> allowed bypasing Content
    Security Policy via format directive
  * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=684
2023-02-01 07:54:38 +00:00
Wolfgang Rosenauer
6d02f7716c - Mozilla Thunderbird 102.6.1
* Remote content did not load in user-defined signatures
  * Addons that added new action buttons were not shown for addon
    upgrades, requiring removal and reinstall
  * Various stability improvements
  MFSA 2022-54
  * CVE-2022-46874 (bmo#1746139)
    Drag and Dropped Filenames could have been truncated to
    malicious extensions

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=682
2022-12-22 07:44:57 +00:00
Wolfgang Rosenauer
16ebad9cce - Mozilla Thunderbird 102.6.0
https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
  MFSA 2022-53 (bsc#1206242)
  * CVE-2022-46880 (bmo#1749292)
    Use-after-free in WebGL
  * CVE-2022-46872 (bmo#1799156)
    Arbitrary file read from a compromised content process
  * CVE-2022-46881 (bmo#1770930)
    Memory corruption in WebGL
  * CVE-2022-46874 (bmo#1746139)
    Drag and Dropped Filenames could have been truncated to
    malicious extensions
  * CVE-2022-46875 (bmo#1786188)
    Download Protections were bypassed by .atloc and .ftploc
    files on Mac OS
  * CVE-2022-46882 (bmo#1789371)
    Use-after-free in WebGL
  * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
    bmo#1801102, bmo#1801315, bmo#1802395)
    Memory safety bugs fixed in Thunderbird 102.6
- removed obsolete patches
  mozilla-newer-cbindgen.patch
  mozilla-glibc236.patch

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=680
2022-12-13 21:35:47 +00:00
Wolfgang Rosenauer
8e5a394a01 - Mozilla Thunderbird 102.5.1
MFSA 2022-50
  * CVE-2022-45414 (bmo#1788096)
    Quoting from an HTML email with certain tags will trigger network
    requests and load remote content, regardless of a configuration
    to block remote content

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=678
2022-12-01 21:40:36 +00:00
Wolfgang Rosenauer
d0799f3ab3 - Mozilla Thunderbird 102.5.0
* changes and fixes as described here
    https://www.thunderbird.net/en-US/thunderbird/102.5.0/releasenotes
  MFSA 2022-49 (bsc#1205270)
  * CVE-2022-45403 (bmo#1762078)
    Service Workers might have learned size of cross-origin media files
  * CVE-2022-45404 (bmo#1790815)
    Fullscreen notification bypass
  * CVE-2022-45405 (bmo#1791314)
    Use-after-free in InputStream implementation
  * CVE-2022-45406 (bmo#1791975)
    Use-after-free of a JavaScript Realm
  * CVE-2022-45408 (bmo#1793829)
    Fullscreen notification bypass via windowName
  * CVE-2022-45409 (bmo#1796901)
    Use-after-free in Garbage Collection
  * CVE-2022-45410 (bmo#1658869)
    ServiceWorker-intercepted requests bypassed SameSite cookie policy
  * CVE-2022-45411 (bmo#1790311)
    Cross-Site Tracing was possible via non-standard override headers
  * CVE-2022-45412 (bmo#1791029)
    Symlinks may resolve to partially uninitialized buffers
  * CVE-2022-45416 (bmo#1793676)
    Keystroke Side-Channel Leakage
  * CVE-2022-45418 (bmo#1795815)
    Custom mouse cursor could have been drawn over browser UI
  * CVE-2022-45420 (bmo#1792643)
    Iframe contents could be rendered outside the iframe
  * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
    Memory safety bugs fixed in Thunderbird 102.5

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=676
2022-11-16 13:42:05 +00:00
Wolfgang Rosenauer
ed89d64079 - Mozilla Thunderbird 102.4.2
* "Address Book" button in Account Central will now create a
    CardDAV address book instead of a local address book
  * Bugfixes as described here
    https://www.thunderbird.net/en-US/thunderbird/102.4.2/releasenotes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=674
2022-11-05 16:23:19 +00:00
Wolfgang Rosenauer
9e67c8336c - Mozilla Thunderbird 102.4.1
* Thunderbird will now catch and report errors parsing vCards
    that contain incorrectly formatted dates
  * Dynamic language switching did not update interface when switched
    to right-to-left languages
  * Custom header data was discarded after messages were saved as
    draft and reopened
  * -remote command line argument did not work, affecting integration
    with various applications such as LibreOffice
  * Messages received via some SMS-to-email services could not
    display images
  * VCards with nickname field set could not be edited
  * Some recurring events were missing from Agenda on first load
  * Download requests for remote ICS calendars incorrectly set
    "Accept" header to text/xml
  * Monthly events created on the 31st of a month with <30 days placed
    first occurrence 1-2 days after the beginning of the following month
  * Various visual and UX improvements

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=672
2022-10-26 20:45:06 +00:00
Wolfgang Rosenauer
0268b45410 MFSA 2022-46 (bsc#1203477)
* CVE-2022-42927 (bmo#1789128)
    Same-origin policy violation could have leaked cross-origin URLs
  * CVE-2022-42928 (bmo#1791520)
    Memory Corruption in JS Engine
  * CVE-2022-42929 (bmo#1789439)
    Denial of Service via window.print
  * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)
    Memory safety bugs fixed in Firefox 106, Firefox ESR 102.4 and
    Thunderbird 102.4.0

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=670
2022-10-23 08:54:57 +00:00
Wolfgang Rosenauer
3e0fc541fd - Mozilla Thunderbird 102.4.0
https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=668
2022-10-20 06:20:46 +00:00
Wolfgang Rosenauer
2d8a6701f6 - Mozilla Thunderbird 102.3.3
* Option added to show containing address book for a contact when
    using All Address Books in vertical mode
  * Thunderbird will try to use POP NTLM authentication even if
    not advertised by server
  * Task List and Today Pane sidebars will no longer load when not visible
  * bugfixes as documented here
    https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=666
2022-10-12 12:12:47 +00:00
Wolfgang Rosenauer
2465bafb74 - Mozilla Thunderbird 102.3.2
* Thunderbird will try to use POP CRAM-MD5 authentication even if
    not advertised by server
  * more bugfixes as in
    https://www.thunderbird.net/en-US/thunderbird/102.3.2/releasenotes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=664
2022-10-09 07:59:44 +00:00
Wolfgang Rosenauer
a9ff5c5ba4 - build using rust 1.63
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=662
2022-10-03 14:41:37 +00:00
Wolfgang Rosenauer
87caf19955 - Mozilla Thunderbird 102.3.1
* Compose window encryption options now only appear for encryption
    technologies that have already been configured
  * Number of contacts in currently selected address book now
    displayed at bottom of Address Book list column
  Fixes
  * Password prompt did not include server hostname for POP servers
  * Edit Contact was missing from Contacts sidebar context menus
  * Address Book contact lists cut off display of some characters,
    the result being unreadable
  MFSA 2022-43
  * CVE-2022-39249 (bmo#1791765)
    Matrix SDK bundled with Thunderbird vulnerable to an
    impersonation attack by malicious server administrators
  * CVE-2022-39250 (bmo#1791765)
    Matrix SDK bundled with Thunderbird vulnerable to a device
    verification attack
  * CVE-2022-39251 (bmo#1791765)
    Matrix SDK bundled with Thunderbird vulnerable to an
    impersonation attack
  * CVE-2022-39236 (bmo#1791765)
    Matrix SDK bundled with Thunderbird vulnerable to a data
    corruption issue

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=660
2022-10-02 16:53:19 +00:00
Wolfgang Rosenauer
70aadd9160 MFSA 2022-42 (bsc#1203477)
* CVE-2022-40959 (bmo#1782211)
    Bypassing FeaturePolicy restrictions on transient pages
  * CVE-2022-40960 (bmo#1787633)
    Data-race when parsing non-UTF-8 URLs in threads
  * CVE-2022-40958 (bmo#1779993)
    Bypassing Secure Context restriction for cookies with __Host
    and __Secure prefix
  * CVE-2022-40956 (bmo#1770094)
    Content-Security-Policy base-uri bypass
  * CVE-2022-40957 (bmo#1777604)
    Incoherent instruction cache when building WASM on ARM64
  * CVE-2022-3155 (bmo#1789061)
    Attachment files saved to disk on macOS could be executed
    without warning
  * CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835,
    bmo#1785109, bmo#1786502, bmo#1789440)
    Memory safety bugs fixed in Thunderbird 102.3

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=658
2022-09-21 21:04:50 +00:00
Wolfgang Rosenauer
b9d27af2da - Mozilla Thunderbird 102.3.0
https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
  * Thunderbird will no longer attempt to import account passwords
    when importing from another Thunderbird profile in order to
    prevent profile corruption and permanent data loss. (bmo#1790605)
  * Devtools performance profile will use Thunderbird presets
    instead of Web Developer presets (bmo#1785954)
  * Thunderbird startup performance improvements (bmo#1785967)
  * Saving email source and images failed (bmo#1777323, bmo#1778804)
  * Error message was shown repeatedly when temporary disk
    space was full (bmo#1788580)
  * Attaching OpenPGP keys without a set size to non-encrypted
    messages briefly displayed a size of zero bytes (bmo#1788952)
  * Global Search entry box initially contained "undefined" (bmo#1780963)
  * Delete from POP Server mail filter rule intermittently
    failed to trigger (bmo#1789418)
  * Connections to POP3 servers without UIDL support failed (bmo#1789314)
  * Pop accounts with "Fetch headers only" set downloaded complete
    messages if server did not advertise TOP capability (bmo#1789356)
  * "File -> New -> Address Book Contact" from Compose window did
    not work (bmo#1782418)
  * Attach "My vCard" option in compose window was not available
    (bmo#1787614)
  * Improved performance of matching a contact to an email address
    (bmo#1782725)
  * Address book only recognized a contact's first two email
    addresses (bmo#1777156)
  * Address book search and autocomplete failed if a contact vCard
    could not be parsed (bmo#1789793)
  * Downloading NNTP messages for offline use failed (bmo#1785773)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=657
2022-09-20 21:03:11 +00:00
Wolfgang Rosenauer
247125c160 - Mozilla Thunderbird 102.2.2
https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
  * Setting added to change Calendar event double-click action to
    open Edit Event dialog rather than view only;
    Set calendar.events.defaultActionEdit to true
  * Running Compact Folders on maildir folders caused a redownload
    of all messages in the folder
  * Accessing mail folders in profiles with many folders was slow
  * SMTP servers were not always properly initialized, and were not
    listed in Account Settings
  * APOP authentication unsupported when connecting to POP3 server
  * OpenPGP key discovery failed
  * POP accounts hosted by AOL were not able to authenticate using OAuth2
  * Unable to open context menu in newsgroups header for groups
    that are not subscribed

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=655
2022-09-08 09:47:43 +00:00
Wolfgang Rosenauer
bff7539280 - Mozilla Thunderbird 102.2.1
MFSA 2022-38 (bsc#1203007)
  * CVE-2022-3033 (bmo#1784838)
    Leaking of sensitive information when composing a response to
    an HTML email with a META refresh tag
  * CVE-2022-3032 (bmo#1783831)
    Remote content specified in an HTML document that was nested
    inside an iframe's srcdoc attribute was not blocked
  * CVE-2022-3034 (bmo#1745751)
    An iframe element in an HTML email could trigger a network
    request
  * CVE-2022-36059 (bmo#1787741)
    Matrix SDK bundled with Thunderbird vulnerable to denial-of-
    service attack

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=653
2022-09-01 07:38:48 +00:00
Wolfgang Rosenauer
eba6cdf4f5 - Mozilla Thunderbird 102.2.0
* https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/
  MFSA 2022-36 (bsc#1202645)
  * CVE-2022-38472 (bmo#1769155)
    Address bar spoofing via XSLT error handling
  * CVE-2022-38473 (bmo#1771685)
    Cross-origin XSLT Documents would have inherited the parent's
    permissions
  * CVE-2022-38476 (bmo#1760998)
    Data race and potential use-after-free in PK11_ChangePW
  * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
    Memory safety bugs fixed in Thunderbird 102.2
  * CVE-2022-38478 (bmo#1770630, bmo#1776658)
    Memory safety bugs fixed in Thunderbird 102.2, and
    Thunderbird 91.13
- disabled automatic usage of wayland because of known issues
  using MOZ_ENABLE_WAYLAND=1 in environment would still enable it
  (boo#1202606)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=651
2022-08-26 06:39:36 +00:00
Wolfgang Rosenauer
e0d42a0cfd - added mozilla-glibc236.patch (bmo#1782988, boo#1202323)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=649
2022-08-14 08:03:54 +00:00
Wolfgang Rosenauer
134f09dee2 - Mozilla Thunderbird 102.1.2
* fix for bmo#1777765 (no POP download progress bar) was backed
    out from this release to address broken POP message download
    with Fetch headers only selected in Account Settings (bmo#1783552)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=647
2022-08-09 06:35:46 +00:00
Wolfgang Rosenauer
ae8a4c4f39 - Mozilla Thunderbird 102.1.1
Bugfixes:
  * https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=646
2022-08-08 13:10:06 +00:00
Wolfgang Rosenauer
32ed6a10bb - added mozilla-pgo.patch to fix LTO builds with gcc
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=644
2022-08-01 14:43:32 +00:00
Wolfgang Rosenauer
982c2db4ff - Mozilla Thunderbird 102.1.0
* https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes
  MFSA 2022-32 (bsc#1201758)
  * CVE-2022-36319 (bmo#1737722)
    Mouse Position spoofing with CSS transforms
  * CVE-2022-36318 (bmo#1771774)
    Directory indexes for bundled resources reflected URL parameters
  * CVE-2022-36314 (bmo#1773894)
    Opening local <code>.lnk</code> files could cause unexpected
    network loads
  * CVE-2022-2505 (bmo#1769739, bmo#1772824)
    Memory safety bugs fixed in Thunderbird 102.1
- added mozilla-newer-cbindgen.patch to fix build with
  rust-cbindgen >= 0.24 (and also require that for build)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=643
2022-07-29 12:07:40 +00:00
Wolfgang Rosenauer
ebc8727216 - Mozilla Thunderbird 102.0.3
Bugfixes as in
  * https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/

- Mozilla Thunderbird 102.0.2
  * https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/
- removed obsolete patches
  mozilla-bmo1504834-part2.patch
  mozilla-bmo1504834-part4.patch
  mozilla-bmo1602730.patch
  mozilla-bmo1626236.patch
  mozilla-bmo1724679.patch
  mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
  mozilla-sandbox-fips.patch
- added patches inherited from FF 102
  one_swizzle_to_rule_them_all.patch
  svg-rendering.patch
- fix KDE detection (boo#1200987) in mozilla-kde.patch
- requires
  rust = 1.60
  NSPR >= 4.34
  NSS >= 3.79
  rust-cbindgen >= 0.23.0
- remove special breakpad debug symbol creation

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=642
2022-07-21 12:15:56 +00:00
Wolfgang Rosenauer
08ffa63092 - Mozilla Thunderbird 91.11.0
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
    additional fix applied
  * "Save-As" attachment dialog did not have filename pre-populated
  MFSA 2022-26 (bsc#1200793)
  * CVE-2022-34479 (bmo#1745595)
    A popup window could be resized in a way to overlay the
    address bar with web content
  * CVE-2022-34470 (bmo#1765951)
    Use-after-free in nsSHistory
  * CVE-2022-34468 (bmo#1768537)
    CSP sandbox header without `allow-scripts` can be bypassed
    via retargeted javascript: URI
  * CVE-2022-2226 (bmo#1775441)
    An email with a mismatching OpenPGP signature date was
    accepted as valid
  * CVE-2022-34481 (bmo#1497246)
    Potential integer overflow in ReplaceElementsAt
  * CVE-2022-31744 (bmo#1757604)
    CSP bypass enabling stylesheet injection
  * CVE-2022-34472 (bmo#1770123)
    Unavailable PAC file resulted in OCSP requests being blocked
  * CVE-2022-34478 (bmo#1773717)
    Microsoft protocols can be attacked if a user accepts a prompt
  * CVE-2022-2200 (bmo#1771381)
    Undesired attributes could be set as part of prototype pollution
  * CVE-2022-34484 (bmo#1763634, bmo#1772651)
    Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=640
2022-06-29 08:52:40 +00:00
Wolfgang Rosenauer
5b920d1fa1 - Mozilla Thunderbird 91.10.0
* Various UX and theme improvements
  MFSA 2022-22 (bsc#1200027)
  * CVE-2022-31736 (bmo#1735923)
    Cross-Origin resource's length leaked
  * CVE-2022-31737 (bmo#1743767)
    Heap buffer overflow in WebGL
  * CVE-2022-31738 (bmo#1756388)
    Browser window spoof using fullscreen mode
  * CVE-2022-31739 (bmo#1765049)
    Attacker-influenced path traversal when saving downloaded
    files
  * CVE-2022-31740 (bmo#1766806)
    Register allocation problem in WASM on arm64
  * CVE-2022-31741 (bmo#1767590)
    Uninitialized variable leads to invalid memory read
  * CVE-2022-1834 (bmo#1767816)
    Braille space character caused incorrect sender email to be
    shown for a digitally signed email
  * CVE-2022-31742 (bmo#1730434)
    Querying a WebAuthn token with a large number of
    allowCredential entries may have leaked cross-origin
    information
  * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
    bmo#1767365, bmo#1768559, bmo#1768734)
    Memory safety bugs fixed in Thunderbird 91.10

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=638
2022-05-31 19:36:16 +00:00
Wolfgang Rosenauer
71256c3fd4 - Mozilla Thunderbird 91.9.1
MFSA 2022-19 (bsc#1199768)
  * CVE-2022-1802 (bmo#1770137)
    Prototype pollution in Top-Level Await implementation
  * CVE-2022-1529 (bmo#1770048)
    Untrusted input used in JavaScript object indexing, leading
    to prototype pollution

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=636
2022-05-21 12:43:04 +00:00
Wolfgang Rosenauer
e48927244d - Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe
    attributes that are ignored
  * OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
    allow SHA-1 key signatures
  * CalDAV calendars were marked read-only on startup
  MFSA 2022-18 (bsc#1198970)
  * CVE-2022-1520 (bmo#1745019)
    Incorrect security status shown after viewing an attached
    email
  * CVE-2022-29914 (bmo#1746448)
    Fullscreen notification bypass using popups
  * CVE-2022-29909 (bmo#1755081)
    Bypassing permission prompt in nested browsing contexts
  * CVE-2022-29916 (bmo#1760674)
    Leaking browser history with CSS variables
  * CVE-2022-29911 (bmo#1761981)
    iframe sandbox bypass
  * CVE-2022-29912 (bmo#1692655)
    Reader mode bypassed SameSite cookies
  * CVE-2022-29913 (bmo#1764778)
    Speech Synthesis feature not properly disabled
  * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
    bmo#1762614, bmo#1762620)
    Memory safety bugs fixed in Thunderbird 91.9

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=634
2022-05-05 13:20:25 +00:00
Wolfgang Rosenauer
485ca3d99f - Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js#
  * Additional SMTP errors now propagated to user
  * OpenPGP was not able to use some previously supported key types
  * OpenPGP Key Manager did not always display correct information
    after importing additional IDs
  * Duplicate new mail notifications could be displayed when
    server-side filters were in use
  * Cancelling an SMTP password entry resulted in multiple failure
    dialogs being displayed
- Mozilla Thunderbird 91.8.0
  * Google accounts using password authentication will be migrated
    to OAuth2.
  * bugfixes
    https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
  MFSA 2022- (bsc#1197903)
- update create-tar.sh

- skip slow workers, this is a tough build job

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=632
2022-04-19 15:06:55 +00:00
Wolfgang Rosenauer
f67dab94c7 Accepting request 969338 from home:marxin:branches:mozilla:Factory
- Set memory limits for DWZ to 4x.

OBS-URL: https://build.opensuse.org/request/show/969338
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=630
2022-04-12 08:22:14 +00:00
Wolfgang Rosenauer
dddae6adff Accepting request 962487 from home:dirkmueller:Factory
- skip slow workers, this is a tough build job

OBS-URL: https://build.opensuse.org/request/show/962487
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=628
2022-03-18 19:19:54 +00:00
Wolfgang Rosenauer
bcdb022bb0 - Mozilla Thunderbird 91.7.0
* Thunderbird will use the first occurrence of headers that should
    only appear once
  * Auto-complete incorrectly changed a pasted email address to the
    primary address of a contact
  * Attachments with filename extensions that were not registered in
    MIME types could not be opened
  * Copy/Cut/Paste actions not working in Thunderbird Preferences
  * Improved screen reader support of displayed message headers
  MFSA 2022-12 (bsc#1196900)
  * CVE-2022-26383 (bmo#1742421)
    Browser window spoof using fullscreen mode
  * CVE-2022-26384 (bmo#1744352)
    iframe allow-scripts sandbox bypass
  * CVE-2022-26387 (bmo#1752979)
    Time-of-check time-of-use bug when verifying add-on signatures
  * CVE-2022-26381 (bmo#1736243)
    Use-after-free in text reflows
  * CVE-2022-26386 (bmo#1752396)
    Temporary files downloaded to /tmp and accessible by other
    local users

- Mozilla Thunderbird 91.6.2
  MFSA 2022-09
  * CVE-2022-26485 (bmo#1758062)
    Use-after-free in XSLT parameter processing
  * CVE-2022-26486 (bmo#1758070)
    Use-after-free in WebGPU IPC Framework

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=626
2022-03-09 10:34:57 +00:00
Wolfgang Rosenauer
260a0409e1 MFSA 2022-07 (bsc#1196072)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=625
2022-02-17 09:38:37 +00:00
Wolfgang Rosenauer
82981dade8 - Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
  * Emails were not downloading at startup under some conditions
  * Port numbers were not shown in "Confirm Security Exception"
    dialog for CalDAV connections
  MFSA 2022-07
  * CVE-2022-0566 (bmo#1753094)
    Crafted email could trigger an out-of-bounds write

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=624
2022-02-16 07:53:13 +00:00
Wolfgang Rosenauer
5e8c474a19 - Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
  * Partially signed unencrypted messages displayed an incorrect
    "parrtially encrypted" notification
  * Attachments filenames were not sanitized before saving to disk
  * In the attachment bar, the "Import OpenPGP Key" item displayed
    for public keys displayed an error and did not import the key
  * "Open with" attachment dialog did not have a selected radio
    button option
  MFSA 2022-06 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435)
    Privilege Escalation to SYSTEM on Windows via Maintenance
    Service
  * CVE-2022-22754 (bmo#1750565)
    Extensions could have bypassed permission confirmation during
    update
  * CVE-2022-22756 (bmo#1317873)
    Drag and dropping an image could have resulted in the dropped
    object being an executable
  * CVE-2022-22759 (bmo#1739957)
    Sandboxed iframes could have executed script if the parent
    appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
    Cross-Origin responses could be distinguished between script
    and non-script content-types
  * CVE-2022-22761 (bmo#1745566)
    frame-ancestors Content Security Policy directive was not
    enforced for framed extension pages
  * CVE-2022-22763 (bmo#1740534)
    Script Execution during invalid object state

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=623
2022-02-11 22:30:53 +00:00
Wolfgang Rosenauer
c34bf76e06 - Mozilla Thunderbird 91.5.1
* JS LDAP implementation did not support self-signed SSL certificates
  * After saving a draft and subsequently sending a FileLink email,
    the original file was removed from disk
  * Chat OTR encryption did not work
  * OTR verification bar was not removed after completing verification
  * Various theme improvements

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=622
2022-01-26 22:00:35 +00:00
Wolfgang Rosenauer
2b26512461 Accepting request 947696 from home:marxin:branches:mozilla:Factory
- Enable -fimplicit-constexpr for GCC 12+.

OBS-URL: https://build.opensuse.org/request/show/947696
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=621
2022-01-21 22:40:32 +00:00
Wolfgang Rosenauer
ed5ea29202 - Mozilla Thunderbird 91.5.0
https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
  MFSA 2022-03 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071)
    Calling into reportValidity could have lead to fullscreen
    window spoof
  * CVE-2022-22743 (bmo#1739220)
    Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923)
    Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389)
    Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334)
    Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382)
    Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874)
    Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720)
    Iframe sandbox bypass with XSLT
  * CVE-2022-22748 (bmo#1705211)
    Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856)
    Leaking cross-origin URLs through securitypolicyviolation event
  * CVE-2022-22744 (bmo#1737252)
    The 'Copy as curl' feature in DevTools did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2022-22747 (bmo#1735028)
    Crash when handling empty pkcs7 sequence
  * CVE-2022-22739 (bmo#1744158)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=620
2022-01-11 22:11:21 +00:00
Wolfgang Rosenauer
794263a781 Accepting request 943031 from home:iznogood:branches:mozilla:Factory
- Add mozilla-bmo1745560.patch: Fix build against wayland 1.20.

OBS-URL: https://build.opensuse.org/request/show/943031
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=619
2021-12-29 09:35:12 +00:00
Wolfgang Rosenauer
0dadd2459b - Mozilla Thunderbird 91.4.1
* several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
  MFSA 2021-55 (bsc#1193845)
  * CVE-2021-4126 (bmo#1732310)
    OpenPGP signature status doesn't consider additional message
    content
  * CVE-2021-44538 (bmo#1744056)
    Matrix chat library libolm bundled with Thunderbird
    vulnerable to a buffer overflow
- updated _constraints

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=618
2021-12-20 21:55:16 +00:00
Wolfgang Rosenauer
a14190f4f1 - Mozilla Thunderbird 91.4.0
* several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
  MFSA 2021-54 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * CVE-2021-43528 (bmo#1742579)
    JavaScript unexpectedly enabled for the composition area
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=617
2021-12-07 21:16:26 +00:00
Wolfgang Rosenauer
2586d6fed9 Accepting request 935066 from home:AndreasStieger:branches:mozilla:Factory
* OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529
    boo#1189244

OBS-URL: https://build.opensuse.org/request/show/935066
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=616
2021-12-02 08:34:58 +00:00