Commit Graph

740 Commits

Author SHA256 Message Date
Dominique Leuenberger
712dc6d84c Accepting request 993911 from mozilla:Factory
- Mozilla Thunderbird 102.1.2
  * fix for bmo#1777765 (no POP download progress bar) was backed
    out from this release to address broken POP message download
    with Fetch headers only selected in Account Settings (bmo#1783552)

- Mozilla Thunderbird 102.1.1
  Bugfixes:
  * https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/

OBS-URL: https://build.opensuse.org/request/show/993911
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=284
2022-08-10 15:12:30 +00:00
Wolfgang Rosenauer
134f09dee2 - Mozilla Thunderbird 102.1.2
* fix for bmo#1777765 (no POP download progress bar) was backed
    out from this release to address broken POP message download
    with Fetch headers only selected in Account Settings (bmo#1783552)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=647
2022-08-09 06:35:46 +00:00
Wolfgang Rosenauer
ae8a4c4f39 - Mozilla Thunderbird 102.1.1
Bugfixes:
  * https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=646
2022-08-08 13:10:06 +00:00
Dominique Leuenberger
8400e239db Accepting request 992051 from mozilla:Factory
- Mozilla Thunderbird 102.1.0
  * https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes
  MFSA 2022-32 (bsc#1201758)
  * CVE-2022-36319 (bmo#1737722)
    Mouse Position spoofing with CSS transforms
  * CVE-2022-36318 (bmo#1771774)
    Directory indexes for bundled resources reflected URL parameters
  * CVE-2022-36314 (bmo#1773894)
    Opening local <code>.lnk</code> files could cause unexpected
    network loads
  * CVE-2022-2505 (bmo#1769739, bmo#1772824)
    Memory safety bugs fixed in Thunderbird 102.1
- added mozilla-newer-cbindgen.patch to fix build with
  rust-cbindgen >= 0.24 (and also require that for build)
- added mozilla-pgo.patch to fix LTO builds with gcc

- Mozilla Thunderbird 102.0.3
  Bugfixes as in
  * https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/

- Mozilla Thunderbird 102.0.2
  * https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/
- removed obsolete patches
  mozilla-bmo1504834-part2.patch
  mozilla-bmo1504834-part4.patch
  mozilla-bmo1602730.patch
  mozilla-bmo1626236.patch
  mozilla-bmo1724679.patch
  mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
  mozilla-sandbox-fips.patch

OBS-URL: https://build.opensuse.org/request/show/992051
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=283
2022-08-03 19:16:01 +00:00
Wolfgang Rosenauer
32ed6a10bb - added mozilla-pgo.patch to fix LTO builds with gcc
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=644
2022-08-01 14:43:32 +00:00
Wolfgang Rosenauer
982c2db4ff - Mozilla Thunderbird 102.1.0
* https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes
  MFSA 2022-32 (bsc#1201758)
  * CVE-2022-36319 (bmo#1737722)
    Mouse Position spoofing with CSS transforms
  * CVE-2022-36318 (bmo#1771774)
    Directory indexes for bundled resources reflected URL parameters
  * CVE-2022-36314 (bmo#1773894)
    Opening local <code>.lnk</code> files could cause unexpected
    network loads
  * CVE-2022-2505 (bmo#1769739, bmo#1772824)
    Memory safety bugs fixed in Thunderbird 102.1
- added mozilla-newer-cbindgen.patch to fix build with
  rust-cbindgen >= 0.24 (and also require that for build)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=643
2022-07-29 12:07:40 +00:00
Wolfgang Rosenauer
ebc8727216 - Mozilla Thunderbird 102.0.3
Bugfixes as in
  * https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/

- Mozilla Thunderbird 102.0.2
  * https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/
- removed obsolete patches
  mozilla-bmo1504834-part2.patch
  mozilla-bmo1504834-part4.patch
  mozilla-bmo1602730.patch
  mozilla-bmo1626236.patch
  mozilla-bmo1724679.patch
  mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
  mozilla-sandbox-fips.patch
- added patches inherited from FF 102
  one_swizzle_to_rule_them_all.patch
  svg-rendering.patch
- fix KDE detection (boo#1200987) in mozilla-kde.patch
- requires
  rust = 1.60
  NSPR >= 4.34
  NSS >= 3.79
  rust-cbindgen >= 0.23.0
- remove special breakpad debug symbol creation

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=642
2022-07-21 12:15:56 +00:00
Dominique Leuenberger
bc74d05987 Accepting request 985736 from mozilla:Factory
- Mozilla Thunderbird 91.11.0
  * CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
    additional fix applied
  * "Save-As" attachment dialog did not have filename pre-populated
  MFSA 2022-26 (bsc#1200793)
  * CVE-2022-34479 (bmo#1745595)
    A popup window could be resized in a way to overlay the
    address bar with web content
  * CVE-2022-34470 (bmo#1765951)
    Use-after-free in nsSHistory
  * CVE-2022-34468 (bmo#1768537)
    CSP sandbox header without `allow-scripts` can be bypassed
    via retargeted javascript: URI
  * CVE-2022-2226 (bmo#1775441)
    An email with a mismatching OpenPGP signature date was
    accepted as valid
  * CVE-2022-34481 (bmo#1497246)
    Potential integer overflow in ReplaceElementsAt
  * CVE-2022-31744 (bmo#1757604)
    CSP bypass enabling stylesheet injection
  * CVE-2022-34472 (bmo#1770123)
    Unavailable PAC file resulted in OCSP requests being blocked
  * CVE-2022-34478 (bmo#1773717)
    Microsoft protocols can be attacked if a user accepts a prompt
  * CVE-2022-2200 (bmo#1771381)
    Undesired attributes could be set as part of prototype pollution
  * CVE-2022-34484 (bmo#1763634, bmo#1772651)
    Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102

OBS-URL: https://build.opensuse.org/request/show/985736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=282
2022-06-30 11:17:57 +00:00
Wolfgang Rosenauer
08ffa63092 - Mozilla Thunderbird 91.11.0
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
    additional fix applied
  * "Save-As" attachment dialog did not have filename pre-populated
  MFSA 2022-26 (bsc#1200793)
  * CVE-2022-34479 (bmo#1745595)
    A popup window could be resized in a way to overlay the
    address bar with web content
  * CVE-2022-34470 (bmo#1765951)
    Use-after-free in nsSHistory
  * CVE-2022-34468 (bmo#1768537)
    CSP sandbox header without `allow-scripts` can be bypassed
    via retargeted javascript: URI
  * CVE-2022-2226 (bmo#1775441)
    An email with a mismatching OpenPGP signature date was
    accepted as valid
  * CVE-2022-34481 (bmo#1497246)
    Potential integer overflow in ReplaceElementsAt
  * CVE-2022-31744 (bmo#1757604)
    CSP bypass enabling stylesheet injection
  * CVE-2022-34472 (bmo#1770123)
    Unavailable PAC file resulted in OCSP requests being blocked
  * CVE-2022-34478 (bmo#1773717)
    Microsoft protocols can be attacked if a user accepts a prompt
  * CVE-2022-2200 (bmo#1771381)
    Undesired attributes could be set as part of prototype pollution
  * CVE-2022-34484 (bmo#1763634, bmo#1772651)
    Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=640
2022-06-29 08:52:40 +00:00
Dominique Leuenberger
8e765242f8 Accepting request 980158 from mozilla:Factory
- Mozilla Thunderbird 91.10.0
  * Various UX and theme improvements
  MFSA 2022-22 (bsc#1200027)
  * CVE-2022-31736 (bmo#1735923)
    Cross-Origin resource's length leaked
  * CVE-2022-31737 (bmo#1743767)
    Heap buffer overflow in WebGL
  * CVE-2022-31738 (bmo#1756388)
    Browser window spoof using fullscreen mode
  * CVE-2022-31739 (bmo#1765049)
    Attacker-influenced path traversal when saving downloaded
    files
  * CVE-2022-31740 (bmo#1766806)
    Register allocation problem in WASM on arm64
  * CVE-2022-31741 (bmo#1767590)
    Uninitialized variable leads to invalid memory read
  * CVE-2022-1834 (bmo#1767816)
    Braille space character caused incorrect sender email to be
    shown for a digitally signed email
  * CVE-2022-31742 (bmo#1730434)
    Querying a WebAuthn token with a large number of
    allowCredential entries may have leaked cross-origin
    information
  * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
    bmo#1767365, bmo#1768559, bmo#1768734)
    Memory safety bugs fixed in Thunderbird 91.10

OBS-URL: https://build.opensuse.org/request/show/980158
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=281
2022-06-01 15:34:24 +00:00
Wolfgang Rosenauer
5b920d1fa1 - Mozilla Thunderbird 91.10.0
* Various UX and theme improvements
  MFSA 2022-22 (bsc#1200027)
  * CVE-2022-31736 (bmo#1735923)
    Cross-Origin resource's length leaked
  * CVE-2022-31737 (bmo#1743767)
    Heap buffer overflow in WebGL
  * CVE-2022-31738 (bmo#1756388)
    Browser window spoof using fullscreen mode
  * CVE-2022-31739 (bmo#1765049)
    Attacker-influenced path traversal when saving downloaded
    files
  * CVE-2022-31740 (bmo#1766806)
    Register allocation problem in WASM on arm64
  * CVE-2022-31741 (bmo#1767590)
    Uninitialized variable leads to invalid memory read
  * CVE-2022-1834 (bmo#1767816)
    Braille space character caused incorrect sender email to be
    shown for a digitally signed email
  * CVE-2022-31742 (bmo#1730434)
    Querying a WebAuthn token with a large number of
    allowCredential entries may have leaked cross-origin
    information
  * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
    bmo#1767365, bmo#1768559, bmo#1768734)
    Memory safety bugs fixed in Thunderbird 91.10

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=638
2022-05-31 19:36:16 +00:00
Dominique Leuenberger
f91a02e718 Accepting request 978422 from mozilla:Factory
- Mozilla Thunderbird 91.9.1
  MFSA 2022-19 (bsc#1199768)
  * CVE-2022-1802 (bmo#1770137)
    Prototype pollution in Top-Level Await implementation
  * CVE-2022-1529 (bmo#1770048)
    Untrusted input used in JavaScript object indexing, leading
    to prototype pollution

OBS-URL: https://build.opensuse.org/request/show/978422
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=280
2022-05-23 13:51:30 +00:00
Wolfgang Rosenauer
71256c3fd4 - Mozilla Thunderbird 91.9.1
MFSA 2022-19 (bsc#1199768)
  * CVE-2022-1802 (bmo#1770137)
    Prototype pollution in Top-Level Await implementation
  * CVE-2022-1529 (bmo#1770048)
    Untrusted input used in JavaScript object indexing, leading
    to prototype pollution

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=636
2022-05-21 12:43:04 +00:00
Dominique Leuenberger
619a75083d Accepting request 975202 from mozilla:Factory
- Mozilla Thunderbird 91.9.0
  * A warning is now displayed if an OpenPGP key has unsafe
    attributes that are ignored
  * OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
    allow SHA-1 key signatures
  * CalDAV calendars were marked read-only on startup
  MFSA 2022-18 (bsc#1198970)
  * CVE-2022-1520 (bmo#1745019)
    Incorrect security status shown after viewing an attached
    email
  * CVE-2022-29914 (bmo#1746448)
    Fullscreen notification bypass using popups
  * CVE-2022-29909 (bmo#1755081)
    Bypassing permission prompt in nested browsing contexts
  * CVE-2022-29916 (bmo#1760674)
    Leaking browser history with CSS variables
  * CVE-2022-29911 (bmo#1761981)
    iframe sandbox bypass
  * CVE-2022-29912 (bmo#1692655)
    Reader mode bypassed SameSite cookies
  * CVE-2022-29913 (bmo#1764778)
    Speech Synthesis feature not properly disabled
  * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
    bmo#1762614, bmo#1762620)
    Memory safety bugs fixed in Thunderbird 91.9

OBS-URL: https://build.opensuse.org/request/show/975202
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=279
2022-05-06 16:58:18 +00:00
Wolfgang Rosenauer
e48927244d - Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe
    attributes that are ignored
  * OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
    allow SHA-1 key signatures
  * CalDAV calendars were marked read-only on startup
  MFSA 2022-18 (bsc#1198970)
  * CVE-2022-1520 (bmo#1745019)
    Incorrect security status shown after viewing an attached
    email
  * CVE-2022-29914 (bmo#1746448)
    Fullscreen notification bypass using popups
  * CVE-2022-29909 (bmo#1755081)
    Bypassing permission prompt in nested browsing contexts
  * CVE-2022-29916 (bmo#1760674)
    Leaking browser history with CSS variables
  * CVE-2022-29911 (bmo#1761981)
    iframe sandbox bypass
  * CVE-2022-29912 (bmo#1692655)
    Reader mode bypassed SameSite cookies
  * CVE-2022-29913 (bmo#1764778)
    Speech Synthesis feature not properly disabled
  * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
    bmo#1762614, bmo#1762620)
    Memory safety bugs fixed in Thunderbird 91.9

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=634
2022-05-05 13:20:25 +00:00
Dominique Leuenberger
aa055e1ac5 Accepting request 970866 from mozilla:Factory
- Mozilla Thunderbird 91.8.1
  * CLIENTID extension to SMTP was not supported by smtp-js#
  * Additional SMTP errors now propagated to user
  * OpenPGP was not able to use some previously supported key types
  * OpenPGP Key Manager did not always display correct information
    after importing additional IDs
  * Duplicate new mail notifications could be displayed when
    server-side filters were in use
  * Cancelling an SMTP password entry resulted in multiple failure
    dialogs being displayed

- Mozilla Thunderbird 91.8.0
  * Google accounts using password authentication will be migrated
    to OAuth2.
  * bugfixes
    https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
  MFSA 2022- (bsc#1197903)
- update create-tar.sh

- skip slow workers, this is a tough build job

OBS-URL: https://build.opensuse.org/request/show/970866
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=278
2022-04-22 19:52:46 +00:00
Wolfgang Rosenauer
485ca3d99f - Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js#
  * Additional SMTP errors now propagated to user
  * OpenPGP was not able to use some previously supported key types
  * OpenPGP Key Manager did not always display correct information
    after importing additional IDs
  * Duplicate new mail notifications could be displayed when
    server-side filters were in use
  * Cancelling an SMTP password entry resulted in multiple failure
    dialogs being displayed
- Mozilla Thunderbird 91.8.0
  * Google accounts using password authentication will be migrated
    to OAuth2.
  * bugfixes
    https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
  MFSA 2022- (bsc#1197903)
- update create-tar.sh

- skip slow workers, this is a tough build job

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=632
2022-04-19 15:06:55 +00:00
Dominique Leuenberger
6031a905f5 Accepting request 969350 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/969350
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=277
2022-04-14 15:23:29 +00:00
Wolfgang Rosenauer
f67dab94c7 Accepting request 969338 from home:marxin:branches:mozilla:Factory
- Set memory limits for DWZ to 4x.

OBS-URL: https://build.opensuse.org/request/show/969338
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=630
2022-04-12 08:22:14 +00:00
Dominique Leuenberger
830dc226c0 Accepting request 964779 from mozilla:Factory
- skip slow workers, this is a tough build job

OBS-URL: https://build.opensuse.org/request/show/964779
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=276
2022-03-28 14:59:57 +00:00
Wolfgang Rosenauer
dddae6adff Accepting request 962487 from home:dirkmueller:Factory
- skip slow workers, this is a tough build job

OBS-URL: https://build.opensuse.org/request/show/962487
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=628
2022-03-18 19:19:54 +00:00
Dominique Leuenberger
c47788c2ac Accepting request 960657 from mozilla:Factory
- Mozilla Thunderbird 91.7.0
  * Thunderbird will use the first occurrence of headers that should
    only appear once
  * Auto-complete incorrectly changed a pasted email address to the
    primary address of a contact
  * Attachments with filename extensions that were not registered in
    MIME types could not be opened
  * Copy/Cut/Paste actions not working in Thunderbird Preferences
  * Improved screen reader support of displayed message headers
  MFSA 2022-12 (bsc#1196900)
  * CVE-2022-26383 (bmo#1742421)
    Browser window spoof using fullscreen mode
  * CVE-2022-26384 (bmo#1744352)
    iframe allow-scripts sandbox bypass
  * CVE-2022-26387 (bmo#1752979)
    Time-of-check time-of-use bug when verifying add-on signatures
  * CVE-2022-26381 (bmo#1736243)
    Use-after-free in text reflows
  * CVE-2022-26386 (bmo#1752396)
    Temporary files downloaded to /tmp and accessible by other
    local users

- Mozilla Thunderbird 91.6.2
  MFSA 2022-09
  * CVE-2022-26485 (bmo#1758062)
    Use-after-free in XSLT parameter processing
  * CVE-2022-26486 (bmo#1758070)
    Use-after-free in WebGPU IPC Framework

OBS-URL: https://build.opensuse.org/request/show/960657
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=275
2022-03-13 19:24:29 +00:00
Wolfgang Rosenauer
bcdb022bb0 - Mozilla Thunderbird 91.7.0
* Thunderbird will use the first occurrence of headers that should
    only appear once
  * Auto-complete incorrectly changed a pasted email address to the
    primary address of a contact
  * Attachments with filename extensions that were not registered in
    MIME types could not be opened
  * Copy/Cut/Paste actions not working in Thunderbird Preferences
  * Improved screen reader support of displayed message headers
  MFSA 2022-12 (bsc#1196900)
  * CVE-2022-26383 (bmo#1742421)
    Browser window spoof using fullscreen mode
  * CVE-2022-26384 (bmo#1744352)
    iframe allow-scripts sandbox bypass
  * CVE-2022-26387 (bmo#1752979)
    Time-of-check time-of-use bug when verifying add-on signatures
  * CVE-2022-26381 (bmo#1736243)
    Use-after-free in text reflows
  * CVE-2022-26386 (bmo#1752396)
    Temporary files downloaded to /tmp and accessible by other
    local users

- Mozilla Thunderbird 91.6.2
  MFSA 2022-09
  * CVE-2022-26485 (bmo#1758062)
    Use-after-free in XSLT parameter processing
  * CVE-2022-26486 (bmo#1758070)
    Use-after-free in WebGPU IPC Framework

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=626
2022-03-09 10:34:57 +00:00
Dominique Leuenberger
5c26ec22f2 Accepting request 955596 from mozilla:Factory
just added the bsc bug security bug reference

- Mozilla Thunderbird 91.6.1
  * generated views of meeting invitations are now expanded by default
  * Emails were not downloading at startup under some conditions
  * Port numbers were not shown in "Confirm Security Exception"
    dialog for CalDAV connections
  MFSA 2022-07 (bsc#1196072)
  * CVE-2022-0566 (bmo#1753094)
    Crafted email could trigger an out-of-bounds write

OBS-URL: https://build.opensuse.org/request/show/955596
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=274
2022-02-18 22:02:38 +00:00
Wolfgang Rosenauer
260a0409e1 MFSA 2022-07 (bsc#1196072)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=625
2022-02-17 09:38:37 +00:00
Wolfgang Rosenauer
82981dade8 - Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
  * Emails were not downloading at startup under some conditions
  * Port numbers were not shown in "Confirm Security Exception"
    dialog for CalDAV connections
  MFSA 2022-07
  * CVE-2022-0566 (bmo#1753094)
    Crafted email could trigger an out-of-bounds write

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=624
2022-02-16 07:53:13 +00:00
Dominique Leuenberger
cdf682b923 Accepting request 953831 from mozilla:Factory
- Mozilla Thunderbird 91.6.0
  * TB will now offer to send large forwarded attachments via FileLink
  * Partially signed unencrypted messages displayed an incorrect
    "parrtially encrypted" notification
  * Attachments filenames were not sanitized before saving to disk
  * In the attachment bar, the "Import OpenPGP Key" item displayed
    for public keys displayed an error and did not import the key
  * "Open with" attachment dialog did not have a selected radio
    button option
  MFSA 2022-06 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435)
    Privilege Escalation to SYSTEM on Windows via Maintenance
    Service
  * CVE-2022-22754 (bmo#1750565)
    Extensions could have bypassed permission confirmation during
    update
  * CVE-2022-22756 (bmo#1317873)
    Drag and dropping an image could have resulted in the dropped
    object being an executable
  * CVE-2022-22759 (bmo#1739957)
    Sandboxed iframes could have executed script if the parent
    appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
    Cross-Origin responses could be distinguished between script
    and non-script content-types
  * CVE-2022-22761 (bmo#1745566)
    frame-ancestors Content Security Policy directive was not
    enforced for framed extension pages
  * CVE-2022-22763 (bmo#1740534)
    Script Execution during invalid object state

OBS-URL: https://build.opensuse.org/request/show/953831
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=273
2022-02-13 18:50:37 +00:00
Wolfgang Rosenauer
5e8c474a19 - Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
  * Partially signed unencrypted messages displayed an incorrect
    "parrtially encrypted" notification
  * Attachments filenames were not sanitized before saving to disk
  * In the attachment bar, the "Import OpenPGP Key" item displayed
    for public keys displayed an error and did not import the key
  * "Open with" attachment dialog did not have a selected radio
    button option
  MFSA 2022-06 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435)
    Privilege Escalation to SYSTEM on Windows via Maintenance
    Service
  * CVE-2022-22754 (bmo#1750565)
    Extensions could have bypassed permission confirmation during
    update
  * CVE-2022-22756 (bmo#1317873)
    Drag and dropping an image could have resulted in the dropped
    object being an executable
  * CVE-2022-22759 (bmo#1739957)
    Sandboxed iframes could have executed script if the parent
    appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
    Cross-Origin responses could be distinguished between script
    and non-script content-types
  * CVE-2022-22761 (bmo#1745566)
    frame-ancestors Content Security Policy directive was not
    enforced for framed extension pages
  * CVE-2022-22763 (bmo#1740534)
    Script Execution during invalid object state

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=623
2022-02-11 22:30:53 +00:00
Dominique Leuenberger
581199f38e Accepting request 949349 from mozilla:Factory
- Mozilla Thunderbird 91.5.1
  * JS LDAP implementation did not support self-signed SSL certificates
  * After saving a draft and subsequently sending a FileLink email,
    the original file was removed from disk
  * Chat OTR encryption did not work
  * OTR verification bar was not removed after completing verification
  * Various theme improvements

- Enable -fimplicit-constexpr for GCC 12+.

OBS-URL: https://build.opensuse.org/request/show/949349
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=272
2022-01-29 20:01:01 +00:00
Wolfgang Rosenauer
c34bf76e06 - Mozilla Thunderbird 91.5.1
* JS LDAP implementation did not support self-signed SSL certificates
  * After saving a draft and subsequently sending a FileLink email,
    the original file was removed from disk
  * Chat OTR encryption did not work
  * OTR verification bar was not removed after completing verification
  * Various theme improvements

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=622
2022-01-26 22:00:35 +00:00
Wolfgang Rosenauer
2b26512461 Accepting request 947696 from home:marxin:branches:mozilla:Factory
- Enable -fimplicit-constexpr for GCC 12+.

OBS-URL: https://build.opensuse.org/request/show/947696
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=621
2022-01-21 22:40:32 +00:00
Dominique Leuenberger
84d0abbef4 Accepting request 945701 from mozilla:Factory
- Mozilla Thunderbird 91.5.0
  https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
  MFSA 2022-03 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071)
    Calling into reportValidity could have lead to fullscreen
    window spoof
  * CVE-2022-22743 (bmo#1739220)
    Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923)
    Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389)
    Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334)
    Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382)
    Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874)
    Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720)
    Iframe sandbox bypass with XSLT
  * CVE-2022-22748 (bmo#1705211)
    Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856)
    Leaking cross-origin URLs through securitypolicyviolation event
  * CVE-2022-22744 (bmo#1737252)
    The 'Copy as curl' feature in DevTools did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2022-22747 (bmo#1735028)
    Crash when handling empty pkcs7 sequence
  * CVE-2022-22739 (bmo#1744158)

OBS-URL: https://build.opensuse.org/request/show/945701
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=271
2022-01-12 23:22:14 +00:00
Wolfgang Rosenauer
ed5ea29202 - Mozilla Thunderbird 91.5.0
https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
  MFSA 2022-03 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071)
    Calling into reportValidity could have lead to fullscreen
    window spoof
  * CVE-2022-22743 (bmo#1739220)
    Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923)
    Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389)
    Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334)
    Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382)
    Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874)
    Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720)
    Iframe sandbox bypass with XSLT
  * CVE-2022-22748 (bmo#1705211)
    Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856)
    Leaking cross-origin URLs through securitypolicyviolation event
  * CVE-2022-22744 (bmo#1737252)
    The 'Copy as curl' feature in DevTools did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2022-22747 (bmo#1735028)
    Crash when handling empty pkcs7 sequence
  * CVE-2022-22739 (bmo#1744158)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=620
2022-01-11 22:11:21 +00:00
Dominique Leuenberger
4188f5049a Accepting request 943034 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/943034
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=270
2021-12-30 14:55:28 +00:00
Wolfgang Rosenauer
794263a781 Accepting request 943031 from home:iznogood:branches:mozilla:Factory
- Add mozilla-bmo1745560.patch: Fix build against wayland 1.20.

OBS-URL: https://build.opensuse.org/request/show/943031
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=619
2021-12-29 09:35:12 +00:00
Dominique Leuenberger
dea0b95075 Accepting request 941707 from mozilla:Factory
- Mozilla Thunderbird 91.4.1
  * several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
  MFSA 2021-55 (bsc#1193845)
  * CVE-2021-4126 (bmo#1732310)
    OpenPGP signature status doesn't consider additional message
    content
  * CVE-2021-44538 (bmo#1744056)
    Matrix chat library libolm bundled with Thunderbird
    vulnerable to a buffer overflow
- updated _constraints

OBS-URL: https://build.opensuse.org/request/show/941707
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=269
2021-12-22 19:17:42 +00:00
Wolfgang Rosenauer
0dadd2459b - Mozilla Thunderbird 91.4.1
* several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
  MFSA 2021-55 (bsc#1193845)
  * CVE-2021-4126 (bmo#1732310)
    OpenPGP signature status doesn't consider additional message
    content
  * CVE-2021-44538 (bmo#1744056)
    Matrix chat library libolm bundled with Thunderbird
    vulnerable to a buffer overflow
- updated _constraints

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=618
2021-12-20 21:55:16 +00:00
Dominique Leuenberger
0c16f1e785 Accepting request 936365 from mozilla:Factory
- Mozilla Thunderbird 91.4.0
  * several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
  MFSA 2021-54 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * CVE-2021-43528 (bmo#1742579)
    JavaScript unexpectedly enabled for the composition area
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)

OBS-URL: https://build.opensuse.org/request/show/936365
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=268
2021-12-11 23:56:10 +00:00
Wolfgang Rosenauer
a14190f4f1 - Mozilla Thunderbird 91.4.0
* several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
  MFSA 2021-54 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * CVE-2021-43528 (bmo#1742579)
    JavaScript unexpectedly enabled for the composition area
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=617
2021-12-07 21:16:26 +00:00
Wolfgang Rosenauer
2586d6fed9 Accepting request 935066 from home:AndreasStieger:branches:mozilla:Factory
* OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529
    boo#1189244

OBS-URL: https://build.opensuse.org/request/show/935066
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=616
2021-12-02 08:34:58 +00:00
Wolfgang Rosenauer
38d59e02c4 Accepting request 934032 from home:iznogood:branches:mozilla:Factory
- Drop unused libidl-devel BuildRequires.

OBS-URL: https://build.opensuse.org/request/show/934032
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=615
2021-11-30 07:53:39 +00:00
Dominique Leuenberger
3f64f2e29a Accepting request 932690 from mozilla:Factory
- Mozilla Thunderbird 91.3.2
  * Date selection in Calendar print settings widget changed to use
    mini calendar widget
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/

- Mozilla Thunderbird 91.3.1
  * OpenPGP public keys will no longer count as an attachment in
    the message list
  * Adding a search engine via URL now supported
  * FileLink messages' template updated; Thunderbird advertisement
    removed
  * After an update, Thunderbird will now check installed addons
    for updates
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/

OBS-URL: https://build.opensuse.org/request/show/932690
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=267
2021-11-23 21:09:58 +00:00
Wolfgang Rosenauer
e5380b41d0 - Mozilla Thunderbird 91.3.2
* Date selection in Calendar print settings widget changed to use
    mini calendar widget
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/

- Mozilla Thunderbird 91.3.1
  * OpenPGP public keys will no longer count as an attachment in
    the message list
  * Adding a search engine via URL now supported
  * FileLink messages' template updated; Thunderbird advertisement
    removed
  * After an update, Thunderbird will now check installed addons
    for updates
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=614
2021-11-20 22:24:01 +00:00
Dominique Leuenberger
0925e9ee97 Accepting request 929062 from mozilla:Factory
- Mozilla Thunderbird 91.3.0
  * several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
  MFSA 2021-50  (bsc#1192250)
  * CVE-2021-38503 (bmo#1729517)
    iframe sandbox rules did not apply to XSLT stylesheets
  * CVE-2021-38504 (bmo#1730156)
    Use-after-free in file picker dialog
  * CVE-2021-38505 (bmo#1730194)
    Windows 10 Cloud Clipboard may have recorded sensitive user data
  * CVE-2021-38506 (bmo#1730750)
    Thunderbird could be coaxed into going into fullscreen mode
    without notification or warning
  * CVE-2021-38507 (bmo#1730935)
    Opportunistic Encryption in HTTP2 could be used to bypass the
    Same-Origin-Policy on services hosted on other ports
  * MOZ-2021-0008 (bmo#1667102)
    Use-after-free in HTTP2 Session object
  * CVE-2021-38508 (bmo#1366818)
    Permission Prompt could be overlaid, resulting in user
    confusion and potential spoofing
  * CVE-2021-38509 (bmo#1718571)
    Javascript alert box could have been spoofed onto an
    arbitrary domain
  * CVE-2021-38510 (bmo#1731779)
    Download Protections were bypassed by .inetloc files on Mac OS
  * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
    bmo#1735152)
    Memory safety bugs fixed in Thunderbird ESR 91.3
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires

OBS-URL: https://build.opensuse.org/request/show/929062
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=266
2021-11-06 17:13:26 +00:00
Wolfgang Rosenauer
9908ef8381 * several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
  MFSA 2021-50  (bsc#1192250)
  * CVE-2021-38503 (bmo#1729517)
    iframe sandbox rules did not apply to XSLT stylesheets
  * CVE-2021-38504 (bmo#1730156)
    Use-after-free in file picker dialog
  * CVE-2021-38505 (bmo#1730194)
    Windows 10 Cloud Clipboard may have recorded sensitive user data
  * CVE-2021-38506 (bmo#1730750)
    Thunderbird could be coaxed into going into fullscreen mode
    without notification or warning
  * CVE-2021-38507 (bmo#1730935)
    Opportunistic Encryption in HTTP2 could be used to bypass the
    Same-Origin-Policy on services hosted on other ports
  * MOZ-2021-0008 (bmo#1667102)
    Use-after-free in HTTP2 Session object
  * CVE-2021-38508 (bmo#1366818)
    Permission Prompt could be overlaid, resulting in user
    confusion and potential spoofing
  * CVE-2021-38509 (bmo#1718571)
    Javascript alert box could have been spoofed onto an
    arbitrary domain
  * CVE-2021-38510 (bmo#1731779)
    Download Protections were bypassed by .inetloc files on Mac OS
  * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
    bmo#1735152)
    Memory safety bugs fixed in Thunderbird ESR 91.3

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=613
2021-11-03 16:44:34 +00:00
Wolfgang Rosenauer
7db3c542e4 - Mozilla Thunderbird 91.3.0
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=612
2021-11-02 20:49:23 +00:00
Dominique Leuenberger
62fc14d3bc Accepting request 927299 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/927299
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=265
2021-10-26 18:13:32 +00:00
Wolfgang Rosenauer
54d0229e37 Accepting request 927260 from home:Guillaume_G:branches:mozilla:Factory
- Increase memory required per threads for aarch64 to avoid OOM

OBS-URL: https://build.opensuse.org/request/show/927260
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=611
2021-10-25 12:09:26 +00:00
Wolfgang Rosenauer
d9c01b1222 - Mozilla Thunderbird 91.2.1
* Preference added to disable automatic pausing RSS feed updates
    after a fetch failure
  * several bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/

- add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863)
  fix some env variables which are enabled for any value

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=610
2021-10-23 12:56:24 +00:00
Wolfgang Rosenauer
e41c1dbb9c Accepting request 926797 from home:marxin:branches:mozilla:Factory
- Enable LTO on Tumbleweed.

OBS-URL: https://build.opensuse.org/request/show/926797
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=609
2021-10-22 21:24:06 +00:00