MFSA 2021-05 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940)
Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020)
Type confusion when using logical assignment operators in
JavaScript switch statements
* CVE-2020-15685 (bmo#1622640)
IMAP Response Injection when using STARTTLS
* CVE-2020-26976 (bmo#1674343)
HTTPS pages could have been intercepted by a registered
service worker when they should not have been
* CVE-2021-23960 (bmo#1675755)
Use-after-poison for incorrectly redeclared JavaScript
variables during GC
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
bmo#1685260, bmo#1685925)
Memory safety bugs fixed in Thunderbird 78.7
- MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer
rpm versions in TW remove everything there as the first action
of %install
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=574
* changes and additions in MailExtensions
* several bugfixes
* https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
MFSA 2020-56 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Thunderbird 78.6
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=568
MFSA 2020-52 (bsc#1178894)
* CVE-2020-26951 (bmo#1667113)
Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028)
Variable time processing of cross-origin images during
drawImage calls
* CVE-2020-26953 (bmo#1656741)
Fullscreen could be enabled without displaying the security
UI
* CVE-2020-26956 (bmo#1666300)
XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355)
Requests intercepted through ServiceWorkers lacked MIME type
restrictions
* CVE-2020-26959 (bmo#1669466)
Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358)
Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223)
Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528)
DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617)
Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571)
Single-word search queries were also broadcast to local
network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=564
* MailExtensions: browser.tabs.sendMessage API added
* MailExtensions: messageDisplayScripts API added
* Yahoo and AOL mail users using password authentication will be
migrated to OAuth2
* MailExtensions: messageDisplay APIs extended to support multiple
selected messages
* MailExtensions: compose.begin functions now support creating a
message with attachments
* multiple bugfixes
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=557
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* OpenPGP Key Manager was missing from Tools menu on macOS
* Creating a new calendar event did not require an event title
- remove python2 dependencies for TW
- support wayland mode/autodetection in startup wrapper
- replace some Requires to use requires_ge macro where appropriate
- improve langpack build (as already used for Firefox)
- add ccache statistics output to build
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=555
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were
sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse
button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=552
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487)
Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140)
XSS when pasting attacker-controlled data into a
contenteditable element
* CVE-2020-15678 (bmo#1660211)
When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-
free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800)
Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch
- Mozilla Thunderbird 78.2.2
https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
(boo#1176384)
- Mozilla Thunderbird 78.2.1
* based on Mozilla's 78 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
* built-in OpenPGP support (enigmail neither required nor supported)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=549
MFSA 2020-40 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could have
resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15669 (bmo#1656957)
Use-After-Free when aborting an operation
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=547
MFSA 2020-10 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880)
Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308)
BodyStream::OnInputStreamReady was missing protections against
state confusion
* CVE-2020-6807 (bmo#1614971)
Use-after-free in cubeb during stream destruction
* CVE-2020-6811 (bmo#1607742)
Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765)
Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661)
The names of AirPods with personally identifiable information
were exposed to websites with camera or microphone permission
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636,
bmo#1614339)
Memory safety bugs fixed in Thunderbird 68.6
- requires NSS >= 3.44.3
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=522
New
* Support for Client Identity IMAP/SMTP Service Extension
* Support for OAuth 2.0 authentication for POP3 accounts
Fixes
* Status area goes blank during account setup
* Calendar: Could not remove color for default categories
* Calendar: Prevent calendar component loading multiple times
* Calendar: Today pane did not retain width between sessions
MFSA 2020-07 (bsc#1163368)
* CVE-2020-6793 (bmo#1608539)
Out-of-bounds read when processing certain email messages
* CVE-2020-6794 (bmo#1606619)
Setting a master password post-Thunderbird 52 does not delete
unencrypted previously stored passwords
* CVE-2020-6795 (bmo#1611105)
Crash processing S/MIME messages with multiple signatures
* CVE-2020-6797 (bmo#1596668) (Mac OSX only)
Extensions granted downloads.open permission could open arbitrary
applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6792 (bmo#1609607)
Message ID calculcation was based on uninitialized data
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
bmo#1608580,bmo#1608785,bmo#1605777)
Memory safety bugs fixed in Thunderbird 68.5
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=520
* Calendar: Task and Event tree colours adjusted for the dark theme
* Retrieval of S/MIME certificates from LDAP failed
* Address-parsing crash on some IMAP servers when
mail.imap.use_envelope_cmd is set
* Incorrect forwarding of HTML messages caused SMTP servers to
respond with a timeout
* Calendar: Various parts of the calendar UI stopped working when
a second Thunderbird window opened
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=516
* Various improvements when setting up an account for a Microsoft
Exchange server: Now offers IMAP/SMTP if available, better
detection for Office 365 accounts; re-run configuration after
password change
Fixes:
* After changing view layout, the message display pane showed
garbled content under some circumstances
* Various theme changes to achieve "pixel perfection": Unread icon,
"no results" icon, paragraph format and font selector, background
of folder summary tooltip
* Tags were lost on messages in shared IMAP folders under some
circumstances
* Calendar: Event attendee dialog was not displayed correctly
MFSA 2020-04 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and FallibleStoreElement
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content process
initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content process
initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=512
* Message display toolbar action WebExtension API
* Navigation buttons are now available in content tabs, for example
those opened via an add-on search
* other bugfixes
MFSA 2019-38
* CVE-2019-17008 (bmo#1546331)
Use-after-free in worker destruction
* CVE-2019-13722 (bmo#1580156)
Stack corruption due to incorrect number of arguments in WebRTC code
* CVE-2019-17010 (bmo#1581084)
Use-after-free when performing device orientation checks
* CVE-2019-17005 (bmo#1584170)
Buffer overflow in plain text serializer
* CVE-2019-17011 (bmo#1591334)
Use-after-free when retrieving a document in antitracking
* CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209,
bmo#1580288, bmo#1585760, bmo#1592502)
Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
* Various updates to improve performance and stability
- updated create-tar.sh to cover buildid and origin repo information
- changed locale building procedure
* removed obsolete compare-locales.tar.xz and
thunderbird-broken-locales-build.patch
- add mozilla-bmo849632.patch to fix color issues on big endian
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=505
* A language for the user interface can now be chosen in the
advanced settings (multilingual UI)
* Fixed problem with Google authentication (OAuth2)
* Selected or unread messages were not shown in the correct color
in the thread pane (message list) under some circumstances
* When using a language pack, names of standard folders weren't
localized (boo#1149126)
* Address book default startup directory in preferences panel was
not persisted
* Chat: Extended context menu on Instant messaging status dialog
(Show Accounts)
- added mozilla-bmo1504834-part4.patch to fix some visual issues on
big endian platforms
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=501
* Message Display WebExtension API
* Message Search WebExtension API
* Better visual feedback for unread messages when using the dark theme
* Fixed various issues when editing mailing list
* Fixed application windows not maintaining their size after restart
MFSA 2019-33 (bsc#1154738)
* CVE-2019-15903 (bmo#1584907)
Heap overflow in expat library in XML_GetCurrentLineNumber
* CVE-2019-11757 (bmo#1577107)
Use-after-free when creating index updates in IndexedDB
* CVE-2019-11758 (bmo#1536227)
Potentially exploitable crash due to 360 Total Security
* CVE-2019-11759 (bmo#1577953)
Stack buffer overflow in HKDF output
* CVE-2019-11760 (bmo#1577719)
Stack buffer overflow in WebRTC networking
* CVE-2019-11761 (bmo#1561502)
Unintended access to a privileged JSONView object
* CVE-2019-11762 (bmo#1582857)
document.domain-based origin isolation has same-origin-property violation
* CVE-2019-11763 (bmo#1584216)
Incorrect HTML parsing results in XSS bypass technique
* CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223,
bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845,
bmo#1581950, bmo#1583463, bmo#1586599)
Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
- removed obsolete patches
mozilla-bmo1573381.patch
mozilla-bmo1512162.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=499
Bugfixes
* Some attachments couldn't be opened in messages originating from
MS Outlook 2016
* Address book import from CSV
* Performance problem in message body search
* Ctrl+Enter to send a message would open an attachment if the
attachment pane had focus
* Calendar: Issues with "Today Pane" start-up
* Calendar: Glitches with custom repeat and reminder number input
* Calendar: Problems with WCAP provider
- add mozilla-bmo1585099.patch to fix build with rust >= 1.38
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=496
Bugfixes
* Issues with attachments in IMAP messages
* Gmail accounts ignored a non-standard trash folder selection
* Entering/pasting lists of recipients into the addressing widget or
mailing list not working reliably, especially when lists contained
multiple commas or semicolons
* Edit mailing list not working
* Various theme fixes, especially dark theme improvements for Calendar
* Contrast between tag label and background not optimal
* Account Central pane always loaded at start-up
* "Config Editor" button not removed if blocked by policy
* Calendar: Free/busy information in attendees dialog not scrolled
correctly. Note: Scroll arrows still not behaving correctly
- require nodejs8 instead of generic nodejs for better cross-distribution
support
- call desktop database update on install
- updated translations-other locale list
- build correct ICU for Big Endian
- remove kde.js since disabling instantApply breaks extensions and
is obsolete with the move to HTML views for preferences (boo#1151186)
- update create-tar.sh to latest revision and adjust tar_stamps
- added platform patches from Firefox 68esr
mozilla-bmo1005535.patch
mozilla-bmo1463035.patch
mozilla-bmo1504834-part1.patch
mozilla-bmo1504834-part2.patch
mozilla-bmo1504834-part3.patch
mozilla-bmo1511604.patch
mozilla-bmo1554971.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=490
add-on is required for this account type. IMAP still exists as
alternative.
* several bugfixes
MFSA 2019-30
* CVE-2019-11739 (bmo#1571481)
Covert Content Attack on S/MIME encryption using a crafted
multipart/alternative message
* CVE-2019-11746 (bmo#1564449)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033)
XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715)
Same-origin policy violation with SVG filters and canvas to steal
* CVE-2019-11752 (bmo#1501152)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-11743 (bmo#1560495)
Cross-origin access to unload event attributes
* CVE-2019-11740 (bmo#1563133,bmo#1573160)
Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox
ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
- removed upstreamed fix-build-after-y2038-changes-in-glibc.patch
- added thunderbird-locale-build.patch to fix locale build
- Add -L flag to the stat call for checking file size of %{SOURCE4}.
- Add fix-missing-return-warning.patch to silence a compiler warning.
- Mozilla Thunderbird 68.0
* based on Firefox ESR 68
* File link attachments can now be linked to again instead of
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=483