* Offer to configure Exchange accounts for Office365. A third-party
add-on is required for this account type. IMAP still exists as alternative.
MFSA 2019-27
* Use-after-free while manipulating video
CVE-2019-11746 (bmo#1564449)
* XSS by breaking out of title and textarea elements using innerHTML
CVE-2019-11744 (bmo#1562033)
* Same-origin policy violation with SVG filters and canvas to steal
cross-origin images
CVE-2019-11742 (bmo#1559715)
* Use-after-free while extracting a key value in IndexedDB
CVE-2019-11752 (bmo#1501152)
* Sandbox escape through Firefox Sync
CVE-2019-9812 (bmo#1538008, bmo#1538015)
* Cross-origin access to unload event attributes
CVE-2019-11743 (bmo#1560495)
Navigation-Timing Level 2 specification
* Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
CVE-2019-11740 (bmo#1563133, bmo#1573160)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=482
* Calendar: Problems when editing event times, some related to
AM/PM setting in non-English locales
MFSA 2019-23 (boo#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
* CVE-2019-11730 (bmo#1558299)
Same-origin policy treats all files in a directory as having the
same-origin
* CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498
bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 and
Thunderbird 60.8
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=478
* Attachment pane of Write window no longer focussed when attaching
files using a keyboard shortcut
MFSA 2019-15 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-11691 (bmo#1542465)
Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670)
Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829)
Use-after-free in png_image_free of libpng library
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2018-18511 (bmo#1526218)
Cross-origin theft of images with ImageBitmapRenderingContext
* CVE-2019-11694 (bmo#1534196) (Windows only)
Uninitialized memory memory leakage in Windows sandbox
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=468
* Calendar: Can't create repeating event with end date when using
certain time zones, for example Europe/Minsk
* some minor bugfixes
* using 60.6.0esr Mozilla platform (bsc#1129821)
- Mozilla Thunderbird 60.5.3
* fixed a regression on the Windows platform:
Problem when using "Send to > Mail recipient" on Windows
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=458
- MozillaThunderbird 60.5.0:
* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines
from a local XML file using a minimal user inferface: [+] button
to select a file an add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default
in some locales
* During account creation, Thunderbird will now detect servers
using the Microsoft Exchange protocol. It will offer the
installation of a 3rd party add-on (Owl) which supports that
protocol.
* Thunderbird now compatible with other WebExtension-based
FileLink add-ons like the Dropbox add-on
- requires NSS 3.36.7
- removed obsolete patch
mozilla-no-stdcxx-check.patch
- rebased patches
MFSA 2018-31
* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11
* CVE-2018-18492 bmo#1499861
Use-after-free with select element
* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs
* CVE-2018-18498 bmo#1500011
Integer overflow when calculating buffer sizes for images
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=451
* Thunderbird 60 will migrate security databases (key3.db, cert8.db
to key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a
fault that potentially deleted saved passwords and private certificate
keys for users using a master password. Version 60.3.3 will prevent
the loss of data; affected users who have already upgraded to version
60.3.2 or earlier can restore the deleted key3.db file from backup
to complete the migration.
* Address book search and auto-complete slowness introduced in
Thunderbird 60.3.2
* Plain text markup with * for bold, / for italics, _ for underline
and | for code did not work when the enclosed text contained
non-ASCII characters
* While composing a message, a link not removed when link location
was removed in the link properties panel
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=445
* Encoding problems when exporting address books or messages using
the system charset. Messages are now always exported using the
UTF-8 encoding
* If the "Date" header of a message was invalid, Jan 1970 or Dec 1969
was displayed. Now using date from "Received" header instead.
* Body search/filtering didn't reliably ignore content of tags
* Inappropriate warning "Thunderbird prevented the site
(addons.thunderbird.net) from asking you to install software on
your computer" when installing add-ons
* Incorrect display of correspondents column since own email
address was not always detected
* Spurious 
 (encoded newline) inserted into drafts and sent email
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=442
* various theme fixes
* Shift+PageUp/PageDown in Write window
* Gloda attachment filtering
* Mailing list address auto-complete enter/return handling
* Thunderbird hung if HTML signature references non-existent image
* Filters not working for headers that appear more than once
- Security fixes for the Mozilla platform picked up from 60.3
(Firefox ESR release). In general, these flaws cannot be exploited
through email in Thunderbird because scripting is disabled when
reading mail, but are potentially risks in browser or browser-like
contexts (MFSA 2018-28) (bsc#1112852)
* CVE-2018-12391 (bmo#1478843) (Android only)
HTTP Live Stream audio data is accessible cross-origin
* CVE-2018-12392 (bmo#1492823)
Crash with nested event loops
* CVE-2018-12393 (bmo#1495011)
Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12389 (bmo#1498460, bmo#1499198)
Memory safety bugs fixed in Firefox ESR 60.3
* CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
* Fix security info dialog in compose window not showing
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=437
* CVE-2018-12359 (bmo#1459162)
Buffer overflow using computed size of canvas element
* CVE-2018-12360 (bmo#1459693)
Use-after-free when using focus()
* CVE-2018-12372 (bmo#1419417)
S/MIME and PGP decryption oracles can be built with HTML emails
* CVE-2018-12373 (bmo#1464667, bmo#1464056)
S/MIME plaintext can be leaked through HTML reply/forward
* CVE-2018-12362 (bmo#1452375)
Integer overflow in SSSE3 scaler
* CVE-2018-12363 (bmo#1464784)
Use-after-free when appending DOM nodes
* CVE-2018-12364 (bmo#1436241)
CSRF attacks through 307 redirects and NPAPI plugins
* CVE-2018-12365 (bmo#1459206)
Compromised IPC child process can list local filenames
* CVE-2018-12366 (bmo#1464039)
Invalid data handling during QCMS transformations
* CVE-2018-12374 (bmo#1462910)
Using form to exfiltrate encrypted mail part by pressing enter in form field
* CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
bmo#1464079,bmo#1463494,bmo#1458048)
Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=410