- Mozilla Thunderbird 91.11.0
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
additional fix applied
* "Save-As" attachment dialog did not have filename pre-populated
MFSA 2022-26 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-2226 (bmo#1775441)
An email with a mismatching OpenPGP signature date was
accepted as valid
* CVE-2022-34481 (bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-31744 (bmo#1757604)
CSP bypass enabling stylesheet injection
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype pollution
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
OBS-URL: https://build.opensuse.org/request/show/985736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=282
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
additional fix applied
* "Save-As" attachment dialog did not have filename pre-populated
MFSA 2022-26 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-2226 (bmo#1775441)
An email with a mismatching OpenPGP signature date was
accepted as valid
* CVE-2022-34481 (bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-31744 (bmo#1757604)
CSP bypass enabling stylesheet injection
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype pollution
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=640
- Mozilla Thunderbird 91.10.0
* Various UX and theme improvements
MFSA 2022-22 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923)
Cross-Origin resource's length leaked
* CVE-2022-31737 (bmo#1743767)
Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388)
Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049)
Attacker-influenced path traversal when saving downloaded
files
* CVE-2022-31740 (bmo#1766806)
Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590)
Uninitialized variable leads to invalid memory read
* CVE-2022-1834 (bmo#1767816)
Braille space character caused incorrect sender email to be
shown for a digitally signed email
* CVE-2022-31742 (bmo#1730434)
Querying a WebAuthn token with a large number of
allowCredential entries may have leaked cross-origin
information
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
bmo#1767365, bmo#1768559, bmo#1768734)
Memory safety bugs fixed in Thunderbird 91.10
OBS-URL: https://build.opensuse.org/request/show/980158
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=281
* Various UX and theme improvements
MFSA 2022-22 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923)
Cross-Origin resource's length leaked
* CVE-2022-31737 (bmo#1743767)
Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388)
Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049)
Attacker-influenced path traversal when saving downloaded
files
* CVE-2022-31740 (bmo#1766806)
Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590)
Uninitialized variable leads to invalid memory read
* CVE-2022-1834 (bmo#1767816)
Braille space character caused incorrect sender email to be
shown for a digitally signed email
* CVE-2022-31742 (bmo#1730434)
Querying a WebAuthn token with a large number of
allowCredential entries may have leaked cross-origin
information
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
bmo#1767365, bmo#1768559, bmo#1768734)
Memory safety bugs fixed in Thunderbird 91.10
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=638
- Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe
attributes that are ignored
* OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
allow SHA-1 key signatures
* CalDAV calendars were marked read-only on startup
MFSA 2022-18 (bsc#1198970)
* CVE-2022-1520 (bmo#1745019)
Incorrect security status shown after viewing an attached
email
* CVE-2022-29914 (bmo#1746448)
Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081)
Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674)
Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981)
iframe sandbox bypass
* CVE-2022-29912 (bmo#1692655)
Reader mode bypassed SameSite cookies
* CVE-2022-29913 (bmo#1764778)
Speech Synthesis feature not properly disabled
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
bmo#1762614, bmo#1762620)
Memory safety bugs fixed in Thunderbird 91.9
OBS-URL: https://build.opensuse.org/request/show/975202
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=279
* A warning is now displayed if an OpenPGP key has unsafe
attributes that are ignored
* OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
allow SHA-1 key signatures
* CalDAV calendars were marked read-only on startup
MFSA 2022-18 (bsc#1198970)
* CVE-2022-1520 (bmo#1745019)
Incorrect security status shown after viewing an attached
email
* CVE-2022-29914 (bmo#1746448)
Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081)
Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674)
Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981)
iframe sandbox bypass
* CVE-2022-29912 (bmo#1692655)
Reader mode bypassed SameSite cookies
* CVE-2022-29913 (bmo#1764778)
Speech Synthesis feature not properly disabled
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
bmo#1762614, bmo#1762620)
Memory safety bugs fixed in Thunderbird 91.9
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=634
- Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js#
* Additional SMTP errors now propagated to user
* OpenPGP was not able to use some previously supported key types
* OpenPGP Key Manager did not always display correct information
after importing additional IDs
* Duplicate new mail notifications could be displayed when
server-side filters were in use
* Cancelling an SMTP password entry resulted in multiple failure
dialogs being displayed
- Mozilla Thunderbird 91.8.0
* Google accounts using password authentication will be migrated
to OAuth2.
* bugfixes
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
MFSA 2022- (bsc#1197903)
- update create-tar.sh
- skip slow workers, this is a tough build job
OBS-URL: https://build.opensuse.org/request/show/970866
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=278
* CLIENTID extension to SMTP was not supported by smtp-js#
* Additional SMTP errors now propagated to user
* OpenPGP was not able to use some previously supported key types
* OpenPGP Key Manager did not always display correct information
after importing additional IDs
* Duplicate new mail notifications could be displayed when
server-side filters were in use
* Cancelling an SMTP password entry resulted in multiple failure
dialogs being displayed
- Mozilla Thunderbird 91.8.0
* Google accounts using password authentication will be migrated
to OAuth2.
* bugfixes
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
MFSA 2022- (bsc#1197903)
- update create-tar.sh
- skip slow workers, this is a tough build job
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=632
- Mozilla Thunderbird 91.7.0
* Thunderbird will use the first occurrence of headers that should
only appear once
* Auto-complete incorrectly changed a pasted email address to the
primary address of a contact
* Attachments with filename extensions that were not registered in
MIME types could not be opened
* Copy/Cut/Paste actions not working in Thunderbird Preferences
* Improved screen reader support of displayed message headers
MFSA 2022-12 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421)
Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352)
iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979)
Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243)
Use-after-free in text reflows
* CVE-2022-26386 (bmo#1752396)
Temporary files downloaded to /tmp and accessible by other
local users
- Mozilla Thunderbird 91.6.2
MFSA 2022-09
* CVE-2022-26485 (bmo#1758062)
Use-after-free in XSLT parameter processing
* CVE-2022-26486 (bmo#1758070)
Use-after-free in WebGPU IPC Framework
OBS-URL: https://build.opensuse.org/request/show/960657
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=275
* Thunderbird will use the first occurrence of headers that should
only appear once
* Auto-complete incorrectly changed a pasted email address to the
primary address of a contact
* Attachments with filename extensions that were not registered in
MIME types could not be opened
* Copy/Cut/Paste actions not working in Thunderbird Preferences
* Improved screen reader support of displayed message headers
MFSA 2022-12 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421)
Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352)
iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979)
Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243)
Use-after-free in text reflows
* CVE-2022-26386 (bmo#1752396)
Temporary files downloaded to /tmp and accessible by other
local users
- Mozilla Thunderbird 91.6.2
MFSA 2022-09
* CVE-2022-26485 (bmo#1758062)
Use-after-free in XSLT parameter processing
* CVE-2022-26486 (bmo#1758070)
Use-after-free in WebGPU IPC Framework
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=626
just added the bsc bug security bug reference
- Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
* Emails were not downloading at startup under some conditions
* Port numbers were not shown in "Confirm Security Exception"
dialog for CalDAV connections
MFSA 2022-07 (bsc#1196072)
* CVE-2022-0566 (bmo#1753094)
Crafted email could trigger an out-of-bounds write
OBS-URL: https://build.opensuse.org/request/show/955596
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=274
* generated views of meeting invitations are now expanded by default
* Emails were not downloading at startup under some conditions
* Port numbers were not shown in "Confirm Security Exception"
dialog for CalDAV connections
MFSA 2022-07
* CVE-2022-0566 (bmo#1753094)
Crafted email could trigger an out-of-bounds write
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=624
- Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
* Partially signed unencrypted messages displayed an incorrect
"parrtially encrypted" notification
* Attachments filenames were not sanitized before saving to disk
* In the attachment bar, the "Import OpenPGP Key" item displayed
for public keys displayed an error and did not import the key
* "Open with" attachment dialog did not have a selected radio
button option
MFSA 2022-06 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance
Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during
update
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22763 (bmo#1740534)
Script Execution during invalid object state
OBS-URL: https://build.opensuse.org/request/show/953831
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=273
* TB will now offer to send large forwarded attachments via FileLink
* Partially signed unencrypted messages displayed an incorrect
"parrtially encrypted" notification
* Attachments filenames were not sanitized before saving to disk
* In the attachment bar, the "Import OpenPGP Key" item displayed
for public keys displayed an error and did not import the key
* "Open with" attachment dialog did not have a selected radio
button option
MFSA 2022-06 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance
Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during
update
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22763 (bmo#1740534)
Script Execution during invalid object state
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=623
* JS LDAP implementation did not support self-signed SSL certificates
* After saving a draft and subsequently sending a FileLink email,
the original file was removed from disk
* Chat OTR encryption did not work
* OTR verification bar was not removed after completing verification
* Various theme improvements
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=622
- Mozilla Thunderbird 91.4.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
MFSA 2021-54 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43545 (bmo#1720926)
Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751)
Cursor spoofing could overlay user interface when native
cursor is zoomed
* CVE-2021-43528 (bmo#1742579)
JavaScript unexpectedly enabled for the composition area
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
bmo#1737009, bmo#1739372, bmo#1739421)
OBS-URL: https://build.opensuse.org/request/show/936365
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=268
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
MFSA 2021-54 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43545 (bmo#1720926)
Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751)
Cursor spoofing could overlay user interface when native
cursor is zoomed
* CVE-2021-43528 (bmo#1742579)
JavaScript unexpectedly enabled for the composition area
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
bmo#1737009, bmo#1739372, bmo#1739421)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=617
- Mozilla Thunderbird 91.3.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
MFSA 2021-50 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517)
iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156)
Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194)
Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750)
Thunderbird could be coaxed into going into fullscreen mode
without notification or warning
* CVE-2021-38507 (bmo#1730935)
Opportunistic Encryption in HTTP2 could be used to bypass the
Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0008 (bmo#1667102)
Use-after-free in HTTP2 Session object
* CVE-2021-38508 (bmo#1366818)
Permission Prompt could be overlaid, resulting in user
confusion and potential spoofing
* CVE-2021-38509 (bmo#1718571)
Javascript alert box could have been spoofed onto an
arbitrary domain
* CVE-2021-38510 (bmo#1731779)
Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
bmo#1735152)
Memory safety bugs fixed in Thunderbird ESR 91.3
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
OBS-URL: https://build.opensuse.org/request/show/929062
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=266
https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
MFSA 2021-50 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517)
iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156)
Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194)
Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750)
Thunderbird could be coaxed into going into fullscreen mode
without notification or warning
* CVE-2021-38507 (bmo#1730935)
Opportunistic Encryption in HTTP2 could be used to bypass the
Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0008 (bmo#1667102)
Use-after-free in HTTP2 Session object
* CVE-2021-38508 (bmo#1366818)
Permission Prompt could be overlaid, resulting in user
confusion and potential spoofing
* CVE-2021-38509 (bmo#1718571)
Javascript alert box could have been spoofed onto an
arbitrary domain
* CVE-2021-38510 (bmo#1731779)
Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
bmo#1735152)
Memory safety bugs fixed in Thunderbird ESR 91.3
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=613