https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
MFSA 2022-53 (bsc#1206242)
* CVE-2022-46880 (bmo#1749292)
Use-after-free in WebGL
* CVE-2022-46872 (bmo#1799156)
Arbitrary file read from a compromised content process
* CVE-2022-46881 (bmo#1770930)
Memory corruption in WebGL
* CVE-2022-46874 (bmo#1746139)
Drag and Dropped Filenames could have been truncated to
malicious extensions
* CVE-2022-46875 (bmo#1786188)
Download Protections were bypassed by .atloc and .ftploc
files on Mac OS
* CVE-2022-46882 (bmo#1789371)
Use-after-free in WebGL
* CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
bmo#1801102, bmo#1801315, bmo#1802395)
Memory safety bugs fixed in Thunderbird 102.6
- removed obsolete patches
mozilla-newer-cbindgen.patch
mozilla-glibc236.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=680
- Mozilla Thunderbird 102.4.1
* Thunderbird will now catch and report errors parsing vCards
that contain incorrectly formatted dates
* Dynamic language switching did not update interface when switched
to right-to-left languages
* Custom header data was discarded after messages were saved as
draft and reopened
* -remote command line argument did not work, affecting integration
with various applications such as LibreOffice
* Messages received via some SMS-to-email services could not
display images
* VCards with nickname field set could not be edited
* Some recurring events were missing from Agenda on first load
* Download requests for remote ICS calendars incorrectly set
"Accept" header to text/xml
* Monthly events created on the 31st of a month with <30 days placed
first occurrence 1-2 days after the beginning of the following month
* Various visual and UX improvements
OBS-URL: https://build.opensuse.org/request/show/1031395
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=296
* Thunderbird will now catch and report errors parsing vCards
that contain incorrectly formatted dates
* Dynamic language switching did not update interface when switched
to right-to-left languages
* Custom header data was discarded after messages were saved as
draft and reopened
* -remote command line argument did not work, affecting integration
with various applications such as LibreOffice
* Messages received via some SMS-to-email services could not
display images
* VCards with nickname field set could not be edited
* Some recurring events were missing from Agenda on first load
* Download requests for remote ICS calendars incorrectly set
"Accept" header to text/xml
* Monthly events created on the 31st of a month with <30 days placed
first occurrence 1-2 days after the beginning of the following month
* Various visual and UX improvements
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=672
- Mozilla Thunderbird 102.3.1
* Compose window encryption options now only appear for encryption
technologies that have already been configured
* Number of contacts in currently selected address book now
displayed at bottom of Address Book list column
Fixes
* Password prompt did not include server hostname for POP servers
* Edit Contact was missing from Contacts sidebar context menus
* Address Book contact lists cut off display of some characters,
the result being unreadable
MFSA 2022-43
* CVE-2022-39249 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack by malicious server administrators
* CVE-2022-39250 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a device
verification attack
* CVE-2022-39251 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack
* CVE-2022-39236 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a data
corruption issue
OBS-URL: https://build.opensuse.org/request/show/1007573
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=290
* Compose window encryption options now only appear for encryption
technologies that have already been configured
* Number of contacts in currently selected address book now
displayed at bottom of Address Book list column
Fixes
* Password prompt did not include server hostname for POP servers
* Edit Contact was missing from Contacts sidebar context menus
* Address Book contact lists cut off display of some characters,
the result being unreadable
MFSA 2022-43
* CVE-2022-39249 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack by malicious server administrators
* CVE-2022-39250 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a device
verification attack
* CVE-2022-39251 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack
* CVE-2022-39236 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a data
corruption issue
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=660
- Mozilla Thunderbird 102.3.0
https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
* Thunderbird will no longer attempt to import account passwords
when importing from another Thunderbird profile in order to
prevent profile corruption and permanent data loss. (bmo#1790605)
* Devtools performance profile will use Thunderbird presets
instead of Web Developer presets (bmo#1785954)
* Thunderbird startup performance improvements (bmo#1785967)
* Saving email source and images failed (bmo#1777323, bmo#1778804)
* Error message was shown repeatedly when temporary disk
space was full (bmo#1788580)
* Attaching OpenPGP keys without a set size to non-encrypted
messages briefly displayed a size of zero bytes (bmo#1788952)
* Global Search entry box initially contained "undefined" (bmo#1780963)
* Delete from POP Server mail filter rule intermittently
failed to trigger (bmo#1789418)
* Connections to POP3 servers without UIDL support failed (bmo#1789314)
* POP accounts with "Fetch headers only" set downloaded complete
messages if server did not advertise TOP capability (bmo#1789356)
* "File -> New -> Address Book Contact" from Compose window did
not work (bmo#1782418)
* Attach "My vCard" option in compose window was not available
(bmo#1787614)
* Improved performance of matching a contact to an email address
(bmo#1782725)
* Address book only recognized a contact's first two email
addresses (bmo#1777156)
* Address book search and autocomplete failed if a contact vCard
could not be parsed (bmo#1789793)
* Downloading NNTP messages for offline use failed (bmo#1785773)
OBS-URL: https://build.opensuse.org/request/show/1005289
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=289
* CVE-2022-40959 (bmo#1782211)
Bypassing FeaturePolicy restrictions on transient pages
* CVE-2022-40960 (bmo#1787633)
Data-race when parsing non-UTF-8 URLs in threads
* CVE-2022-40958 (bmo#1779993)
Bypassing Secure Context restriction for cookies with __Host
and __Secure prefix
* CVE-2022-40956 (bmo#1770094)
Content-Security-Policy base-uri bypass
* CVE-2022-40957 (bmo#1777604)
Incoherent instruction cache when building WASM on ARM64
* CVE-2022-3155 (bmo#1789061)
Attachment files saved to disk on macOS could be executed
without warning
* CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835,
bmo#1785109, bmo#1786502, bmo#1789440)
Memory safety bugs fixed in Thunderbird 102.3
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=658
https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
* Thunderbird will no longer attempt to import account passwords
when importing from another Thunderbird profile in order to
prevent profile corruption and permanent data loss. (bmo#1790605)
* Devtools performance profile will use Thunderbird presets
instead of Web Developer presets (bmo#1785954)
* Thunderbird startup performance improvements (bmo#1785967)
* Saving email source and images failed (bmo#1777323, bmo#1778804)
* Error message was shown repeatedly when temporary disk
space was full (bmo#1788580)
* Attaching OpenPGP keys without a set size to non-encrypted
messages briefly displayed a size of zero bytes (bmo#1788952)
* Global Search entry box initially contained "undefined" (bmo#1780963)
* Delete from POP Server mail filter rule intermittently
failed to trigger (bmo#1789418)
* Connections to POP3 servers without UIDL support failed (bmo#1789314)
* POP accounts with "Fetch headers only" set downloaded complete
messages if server did not advertise TOP capability (bmo#1789356)
* "File -> New -> Address Book Contact" from Compose window did
not work (bmo#1782418)
* Attach "My vCard" option in compose window was not available
(bmo#1787614)
* Improved performance of matching a contact to an email address
(bmo#1782725)
* Address book only recognized a contact's first two email
addresses (bmo#1777156)
* Address book search and autocomplete failed if a contact vCard
could not be parsed (bmo#1789793)
* Downloading NNTP messages for offline use failed (bmo#1785773)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=657
- Mozilla Thunderbird 102.2.2
https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
* Setting added to change Calendar event double-click action to
open Edit Event dialog rather than view only;
Set calendar.events.defaultActionEdit to true
* Running Compact Folders on maildir folders caused a redownload
of all messages in the folder
* Accessing mail folders in profiles with many folders was slow
* SMTP servers were not always properly initialized, and were not
listed in Account Settings
* APOP authentication unsupported when connecting to POP3 server
* OpenPGP key discovery failed
* POP accounts hosted by AOL were not able to authenticate using OAuth2
* Unable to open context menu in newsgroups header for groups
that are not subscribed
OBS-URL: https://build.opensuse.org/request/show/1001927
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=288
https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
* Setting added to change Calendar event double-click action to
open Edit Event dialog rather than view only;
Set calendar.events.defaultActionEdit to true
* Running Compact Folders on maildir folders caused a redownload
of all messages in the folder
* Accessing mail folders in profiles with many folders was slow
* SMTP servers were not always properly initialized, and were not
listed in Account Settings
* APOP authentication unsupported when connecting to POP3 server
* OpenPGP key discovery failed
* POP accounts hosted by AOL were not able to authenticate using OAuth2
* Unable to open context menu in newsgroups header for groups
that are not subscribed
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=655
- Mozilla Thunderbird 102.2.1
MFSA 2022-38 (bsc#1203007)
* CVE-2022-3033 (bmo#1784838)
Leaking of sensitive information when composing a response to
an HTML email with a META refresh tag
* CVE-2022-3032 (bmo#1783831)
Remote content specified in an HTML document that was nested
inside an iframe's srcdoc attribute was not blocked
* CVE-2022-3034 (bmo#1745751)
An iframe element in an HTML email could trigger a network
request
* CVE-2022-36059 (bmo#1787741)
Matrix SDK bundled with Thunderbird vulnerable to
denial-of-service attack
OBS-URL: https://build.opensuse.org/request/show/1000596
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=287
MFSA 2022-38 (bsc#1203007)
* CVE-2022-3033 (bmo#1784838)
Leaking of sensitive information when composing a response to
an HTML email with a META refresh tag
* CVE-2022-3032 (bmo#1783831)
Remote content specified in an HTML document that was nested
inside an iframe's srcdoc attribute was not blocked
* CVE-2022-3034 (bmo#1745751)
An iframe element in an HTML email could trigger a network
request
* CVE-2022-36059 (bmo#1787741)
Matrix SDK bundled with Thunderbird vulnerable to
denial-of-service attack
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=653
- Mozilla Thunderbird 102.2.0
* https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/
MFSA 2022-36 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155)
Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685)
Cross-origin XSLT Documents would have inherited the parent's
permissions
* CVE-2022-38476 (bmo#1760998)
Data race and potential use-after-free in PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
Memory safety bugs fixed in Thunderbird 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
Memory safety bugs fixed in Thunderbird 102.2, and
Thunderbird 91.13
- disabled automatic usage of Wayland because of known issues;
using MOZ_ENABLE_WAYLAND=1 in the environment would still enable it
(boo#1202606)
OBS-URL: https://build.opensuse.org/request/show/999347
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=286
* https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/
MFSA 2022-36 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155)
Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685)
Cross-origin XSLT Documents would have inherited the parent's
permissions
* CVE-2022-38476 (bmo#1760998)
Data race and potential use-after-free in PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
Memory safety bugs fixed in Thunderbird 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
Memory safety bugs fixed in Thunderbird 102.2, and
Thunderbird 91.13
- disabled automatic usage of Wayland because of known issues;
using MOZ_ENABLE_WAYLAND=1 in the environment would still enable it
(boo#1202606)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=651
- Mozilla Thunderbird 91.11.0
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work;
additional fix applied
* "Save-As" attachment dialog did not have filename pre-populated
MFSA 2022-26 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-2226 (bmo#1775441)
An email with a mismatching OpenPGP signature date was
accepted as valid
* CVE-2022-34481 (bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-31744 (bmo#1757604)
CSP bypass enabling stylesheet injection
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype pollution
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
OBS-URL: https://build.opensuse.org/request/show/985736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=282
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work;
additional fix applied
* "Save-As" attachment dialog did not have filename pre-populated
MFSA 2022-26 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-2226 (bmo#1775441)
An email with a mismatching OpenPGP signature date was
accepted as valid
* CVE-2022-34481 (bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-31744 (bmo#1757604)
CSP bypass enabling stylesheet injection
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype pollution
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=640
- Mozilla Thunderbird 91.10.0
* Various UX and theme improvements
MFSA 2022-22 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923)
Cross-Origin resource's length leaked
* CVE-2022-31737 (bmo#1743767)
Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388)
Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049)
Attacker-influenced path traversal when saving downloaded
files
* CVE-2022-31740 (bmo#1766806)
Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590)
Uninitialized variable leads to invalid memory read
* CVE-2022-1834 (bmo#1767816)
Braille space character caused incorrect sender email to be
shown for a digitally signed email
* CVE-2022-31742 (bmo#1730434)
Querying a WebAuthn token with a large number of
allowCredential entries may have leaked cross-origin
information
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
bmo#1767365, bmo#1768559, bmo#1768734)
Memory safety bugs fixed in Thunderbird 91.10
OBS-URL: https://build.opensuse.org/request/show/980158
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=281
* Various UX and theme improvements
MFSA 2022-22 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923)
Cross-Origin resource's length leaked
* CVE-2022-31737 (bmo#1743767)
Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388)
Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049)
Attacker-influenced path traversal when saving downloaded
files
* CVE-2022-31740 (bmo#1766806)
Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590)
Uninitialized variable leads to invalid memory read
* CVE-2022-1834 (bmo#1767816)
Braille space character caused incorrect sender email to be
shown for a digitally signed email
* CVE-2022-31742 (bmo#1730434)
Querying a WebAuthn token with a large number of
allowCredential entries may have leaked cross-origin
information
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
bmo#1767365, bmo#1768559, bmo#1768734)
Memory safety bugs fixed in Thunderbird 91.10
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=638
- Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe
attributes that are ignored
* OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
allow SHA-1 key signatures
* CalDAV calendars were marked read-only on startup
MFSA 2022-18 (bsc#1198970)
* CVE-2022-1520 (bmo#1745019)
Incorrect security status shown after viewing an attached
email
* CVE-2022-29914 (bmo#1746448)
Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081)
Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674)
Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981)
iframe sandbox bypass
* CVE-2022-29912 (bmo#1692655)
Reader mode bypassed SameSite cookies
* CVE-2022-29913 (bmo#1764778)
Speech Synthesis feature not properly disabled
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
bmo#1762614, bmo#1762620)
Memory safety bugs fixed in Thunderbird 91.9
OBS-URL: https://build.opensuse.org/request/show/975202
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=279
* A warning is now displayed if an OpenPGP key has unsafe
attributes that are ignored
* OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
allow SHA-1 key signatures
* CalDAV calendars were marked read-only on startup
MFSA 2022-18 (bsc#1198970)
* CVE-2022-1520 (bmo#1745019)
Incorrect security status shown after viewing an attached
email
* CVE-2022-29914 (bmo#1746448)
Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081)
Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674)
Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981)
iframe sandbox bypass
* CVE-2022-29912 (bmo#1692655)
Reader mode bypassed SameSite cookies
* CVE-2022-29913 (bmo#1764778)
Speech Synthesis feature not properly disabled
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
bmo#1762614, bmo#1762620)
Memory safety bugs fixed in Thunderbird 91.9
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=634
- Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js#
* Additional SMTP errors now propagated to user
* OpenPGP was not able to use some previously supported key types
* OpenPGP Key Manager did not always display correct information
after importing additional IDs
* Duplicate new mail notifications could be displayed when
server-side filters were in use
* Cancelling an SMTP password entry resulted in multiple failure
dialogs being displayed
- Mozilla Thunderbird 91.8.0
* Google accounts using password authentication will be migrated
to OAuth2.
* bugfixes
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
MFSA 2022- (bsc#1197903)
- update create-tar.sh
- skip slow workers, this is a tough build job
OBS-URL: https://build.opensuse.org/request/show/970866
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=278
* CLIENTID extension to SMTP was not supported by smtp-js#
* Additional SMTP errors now propagated to user
* OpenPGP was not able to use some previously supported key types
* OpenPGP Key Manager did not always display correct information
after importing additional IDs
* Duplicate new mail notifications could be displayed when
server-side filters were in use
* Cancelling an SMTP password entry resulted in multiple failure
dialogs being displayed
- Mozilla Thunderbird 91.8.0
* Google accounts using password authentication will be migrated
to OAuth2.
* bugfixes
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
MFSA 2022- (bsc#1197903)
- update create-tar.sh
- skip slow workers, this is a tough build job
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=632