5835378f85- Mozilla Thunderbird 115.5.1 Bugfix release https://www.thunderbird.net/en-US/thunderbird/115.5.1/releasenotes * Advanced GnuPG keys may be protected with an unexpected passphrase * OpenPGP signatures rejected due to mismatched signature timestamp now display signature timestamp and clarifying message * Advanced address book search did not return results if display name was left blank * Clicking on attendee when inviting attendees added the attendee twice
Wolfgang Rosenauer
2023-11-29 07:32:44 +00:00
9e1f2838a9Accepting request 1128271 from mozilla:FactoryAna Guerrero2023-11-23 20:41:38 +00:00
480e0302f0MFSA 2023-52 (bsc#1217230)
Wolfgang Rosenauer
2023-11-23 08:16:17 +00:00
55bb2ec82a- Mozilla Thunderbird 115.5.0 https://www.thunderbird.net/en-US/thunderbird/115.5.0/releasenotes MFSA 2023-52 (bsc#) * CVE-2023-6204 (bmo#1841050) Out-of-bound memory access in WebGL2 blitFramebuffer * CVE-2023-6205 (bmo#1854076) Use-after-free in MessagePort::Entangled * CVE-2023-6206 (bmo#1857430) Clickjacking permission prompts using the fullscreen transition * CVE-2023-6207 (bmo#1861344) Use-after-free in ReadableByteStreamQueueEntry::Buffer * CVE-2023-6208 (bmo#1855345) Using Selection API would copy contents into X11 primary selection. * CVE-2023-6209 (bmo#1858570) Incorrect parsing of relative URLs starting with "///" * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943, bmo#1862782) Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5
Wolfgang Rosenauer
2023-11-23 08:14:02 +00:00
bd0ee26f99Accepting request 1126791 from mozilla:FactoryAna Guerrero2023-11-16 19:28:43 +00:00
759308472eAccepting request 1120173 from mozilla:FactoryAna Guerrero2023-10-25 16:03:34 +00:00
62f65fe0ea- Mozilla Thunderbird 115.4.1 https://www.thunderbird.net/en-US/thunderbird/115.4.1/releasenoteshttps://www.thunderbird.net/en-US/thunderbird/115.4.0/releasenotes MFSA 2023-47 (bsc#1216338) * CVE-2023-5721 (bmo#1830820) Queued up rendering could have allowed websites to clickjack * CVE-2023-5732 (bmo#1690979, bmo#1836962) Address bar spoofing via bidirectional characters * CVE-2023-5724 (bmo#1836705) Large WebGL draw could have led to a crash * CVE-2023-5725 (bmo#1845739) WebExtensions could open arbitrary URLs * CVE-2023-5726 (bmo#1846205) Full screen notification obscured by file open dialog on macOS * CVE-2023-5727 (bmo#1847180) Download Protections were bypassed by .msix, .msixbundle, .appx, and .appxbundle files on Windows * CVE-2023-5728 (bmo#1852729) Improper object tracking during GC in the JavaScript engine could have led to a crash. * CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833, bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002, bmo#1855306, bmo#1855640, bmo#1856695) Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1 - removed obsolete mozilla-bmo1846703.patch
Wolfgang Rosenauer
2023-10-25 06:36:45 +00:00
f4ecfaed93Accepting request 1120115 from home:AndreasStieger:branches:mozilla:Factory
Wolfgang Rosenauer
2023-10-24 21:00:55 +00:00
5356bd4c50Accepting request 1116802 from mozilla:FactoryAna Guerrero2023-10-11 21:54:45 +00:00
da50d4ab72- Mozilla Thunderbird 102.14.0 MFSA 2023-32 (bsc#1213746) * CVE-2023-4045 (bmo#1833876) Offscreen Canvas could have bypassed cross-origin restrictions * CVE-2023-4046 (bmo#1837686) Incorrect value used during WASM compilation * CVE-2023-4047 (bmo#1839073) Potential permissions request bypass via clickjacking * CVE-2023-4048 (bmo#1841368) Crash in DOMParser due to out-of-memory conditions * CVE-2023-4049 (bmo#1842658) Fix potential race conditions when releasing platform objects * CVE-2023-4050 (bmo#1843038) Stack buffer overflow in StorageManager * CVE-2023-4054 (bmo#1840777) Lack of warning when opening appref-ms files * CVE-2023-4055 (bmo#1782561) Cookie jar overflow caused unexpected cookie jar state * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325, bmo#1843847) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
Wolfgang Rosenauer
2023-08-03 04:29:56 +00:00
a858e257a4Accepting request 1101575 from home:AndreasStieger:branches:mozilla:Factory
Wolfgang Rosenauer
2023-07-31 18:28:50 +00:00
08933f69a0Accepting request 1100766 from mozilla:FactoryAna Guerrero2023-07-26 11:24:38 +00:00
c92ecfd31b- Mozilla Thunderbird 102.13.1 MFSA 2023-28 * CVE-2023-3417 (bmo#1835582) File Extension Spoofing using the Text Direction Override Character
Wolfgang Rosenauer
2023-07-26 07:30:19 +00:00
a450a78f9c- Mozilla Thunderbird 102.13.0 * Upstream RNP version numbers now recognized as official in about:support MFSA 2023-24 (bsc#1212438) * CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation * CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment mismatch in SpiderMonkey * CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured * CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13 - mozilla-llvm16.patch has been applied upstream, remove it here
Wolfgang Rosenauer
2023-07-08 18:44:08 +00:00
376ac03b18* New messages will automatically select S/MIME if configured and OpenPGP is not * Calendar events with timezone America/Mexico_City incorrectly applied Daylight Savings Time MFSA 2023-15 (bsc#1210212) * CVE-2023-29531 (bmo#1794292) Out-of-bound memory access in WebGL on macOS * CVE-2023-29532 (bmo#1806394) Mozilla Maintenance Service Write-lock bypass * CVE-2023-29533 (bmo#1798219, bmo#1814597) Fullscreen notification obscured * MFSA-TMP-2023-0001 (bmo#1819244) Double-free in libwebp * CVE-2023-29535 (bmo#1820543) Potential Memory Corruption following Garbage Collector compaction * CVE-2023-29536 (bmo#1821959) Invalid free from JavaScript code * CVE-2023-0547 (bmo#1811298) Revocation status of S/Mime recipient certificates was not checked * CVE-2023-29479 (bmo#1824978) Hang when processing certain OpenPGP messages * CVE-2023-29539 (bmo#1784348) Content-Disposition filename truncation leads to Reflected File Download * CVE-2023-29541 (bmo#1810191) Files with malicious extensions could have been downloaded unsafely on Linux * CVE-2023-29542 (bmo#1810793, bmo#1815062) Bypass of file download extension restrictions * CVE-2023-29545 (bmo#1823077)
Wolfgang Rosenauer
2023-04-11 20:58:19 +00:00
7a75a56779- Mozilla Thunderbird 102.10.0 - add mozilla-llvm16.patch trying to fix build with LLVM16
Wolfgang Rosenauer
2023-04-06 13:55:17 +00:00
b695ba5251- Mozilla Thunderbird 102.9.1 MFSA 2023-12 * CVE-2023-28427 (bmo#1822595) Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
Wolfgang Rosenauer
2023-03-29 12:48:43 +00:00
7e7b48d551- Mozilla Thunderbird 102.8.0 * https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes MFSA 2023-07 (bsc#1208144) * CVE-2023-0616 (bmo#1806507) User Interface lockup with messages combining S/MIME and OpenPGP * CVE-2023-25728 (bmo#1790345) Content security policy leak in violation reports using iframes * CVE-2023-25730 (bmo#1794622) Screen hijack via browser fullscreen mode * CVE-2023-0767 (bmo#1804640) Arbitrary memory write via PKCS 12 in NSS * CVE-2023-25735 (bmo#1810711) Potential use-after-free from compartment mismatch in SpiderMonkey * CVE-2023-25737 (bmo#1811464) Invalid downcast in SVGUtils::SetupStrokeGeometry * CVE-2023-25738 (bmo#1811852) Printing on Windows could potentially crash Thunderbird with some device drivers * CVE-2023-25739 (bmo#1811939) Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext * CVE-2023-25729 (bmo#1792138) Extensions could have opened external schemes without user knowledge * CVE-2023-25732 (bmo#1804564) Out of bounds memory write from EncodeInputStream * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338) Opening local .url files could cause unexpected network loads * CVE-2023-25742 (bmo#1813424) Web Crypto ImportKey crashes tab * CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628, bmo#1810536)
Wolfgang Rosenauer
2023-02-19 09:41:40 +00:00
2f400cc863- Mozilla Thunderbird 102.7.1 * Microsoft Office 365 accounts were unable to authenticate * https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/ MFSA 2023-04 * CVE-2023-0430 (bmo#1769000) Revocation status of S/Mime signature certificates was not checked - update create-tar.sh
Wolfgang Rosenauer
2023-02-01 07:54:38 +00:00
6d02f7716c- Mozilla Thunderbird 102.6.1 * Remote content did not load in user-defined signatures * Addons that added new action buttons were not shown for addon upgrades, requiring removal and reinstall * Various stability improvements MFSA 2022-54 * CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions
Wolfgang Rosenauer
2022-12-22 07:44:57 +00:00
16ebad9cce- Mozilla Thunderbird 102.6.0 https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/ MFSA 2022-53 (bsc#1206242) * CVE-2022-46880 (bmo#1749292) Use-after-free in WebGL * CVE-2022-46872 (bmo#1799156) Arbitrary file read from a compromised content process * CVE-2022-46881 (bmo#1770930) Memory corruption in WebGL * CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions * CVE-2022-46875 (bmo#1786188) Download Protections were bypassed by .atloc and .ftploc files on Mac OS * CVE-2022-46882 (bmo#1789371) Use-after-free in WebGL * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, bmo#1801102, bmo#1801315, bmo#1802395) Memory safety bugs fixed in Thunderbird 102.6 - removed obsolete patches mozilla-newer-cbindgen.patch mozilla-glibc236.patch
Wolfgang Rosenauer
2022-12-13 21:35:47 +00:00
8e5a394a01- Mozilla Thunderbird 102.5.1 MFSA 2022-50 * CVE-2022-45414 (bmo#1788096) Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content
Wolfgang Rosenauer
2022-12-01 21:40:36 +00:00
9e67c8336c- Mozilla Thunderbird 102.4.1 * Thunderbird will now catch and report errors parsing vCards that contain incorrectly formatted dates * Dynamic language switching did not update interface when switched to right-to-left languages * Custom header data was discarded after messages were saved as draft and reopened * -remote command line argument did not work, affecting integration with various applications such as LibreOffice * Messages received via some SMS-to-email services could not display images * VCards with nickname field set could not be edited * Some recurring events were missing from Agenda on first load * Download requests for remote ICS calendars incorrectly set "Accept" header to text/xml * Monthly events created on the 31st of a month with <30 days placed first occurrence 1-2 days after the beginning of the following month * Various visual and UX improvements
Wolfgang Rosenauer
2022-10-26 20:45:06 +00:00
2d8a6701f6- Mozilla Thunderbird 102.3.3 * Option added to show containing address book for a contact when using All Address Books in vertical mode * Thunderbird will try to use POP NTLM authentication even if not advertised by server * Task List and Today Pane sidebars will no longer load when not visible * bugfixes as documented here https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes
Wolfgang Rosenauer
2022-10-12 12:12:47 +00:00
86b78c782bAccepting request 1009070 from mozilla:FactoryFabian Vogt2022-10-10 16:46:30 +00:00
87caf19955- Mozilla Thunderbird 102.3.1 * Compose window encryption options now only appear for encryption technologies that have already been configured * Number of contacts in currently selected address book now displayed at bottom of Address Book list column Fixes * Password prompt did not include server hostname for POP servers * Edit Contact was missing from Contacts sidebar context menus * Address Book contact lists cut off display of some characters, the result being unreadable MFSA 2022-43 * CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators * CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a device verification attack * CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack * CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue
Wolfgang Rosenauer
2022-10-02 16:53:19 +00:00
70aadd9160MFSA 2022-42 (bsc#1203477) * CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on transient pages * CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in threads * CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix * CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass * CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when building WASM on ARM64 * CVE-2022-3155 (bmo#1789061) Attachment files saved to disk on macOS could be executed without warning * CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109, bmo#1786502, bmo#1789440) Memory safety bugs fixed in Thunderbird 102.3
Wolfgang Rosenauer
2022-09-21 21:04:50 +00:00
b9d27af2da- Mozilla Thunderbird 102.3.0 https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/ * Thunderbird will no longer attempt to import account passwords when importing from another Thunderbird profile in order to prevent profile corruption and permanent data loss. (bmo#1790605) * Devtools performance profile will use Thunderbird presets instead of Web Developer presets (bmo#1785954) * Thunderbird startup performance improvements (bmo#1785967) * Saving email source and images failed (bmo#1777323, bmo#1778804) * Error message was shown repeatedly when temporary disk space was full (bmo#1788580) * Attaching OpenPGP keys without a set size to non-encrypted messages briefly displayed a size of zero bytes (bmo#1788952) * Global Search entry box initially contained "undefined" (bmo#1780963) * Delete from POP Server mail filter rule intermittently failed to trigger (bmo#1789418) * Connections to POP3 servers without UIDL support failed (bmo#1789314) * Pop accounts with "Fetch headers only" set downloaded complete messages if server did not advertise TOP capability (bmo#1789356) * "File -> New -> Address Book Contact" from Compose window did not work (bmo#1782418) * Attach "My vCard" option in compose window was not available (bmo#1787614) * Improved performance of matching a contact to an email address (bmo#1782725) * Address book only recognized a contact's first two email addresses (bmo#1777156) * Address book search and autocomplete failed if a contact vCard could not be parsed (bmo#1789793) * Downloading NNTP messages for offline use failed (bmo#1785773)
Wolfgang Rosenauer
2022-09-20 21:03:11 +00:00
247125c160- Mozilla Thunderbird 102.2.2 https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/ * Setting added to change Calendar event double-click action to open Edit Event dialog rather than view only; Set calendar.events.defaultActionEdit to true * Running Compact Folders on maildir folders caused a redownload of all messages in the folder * Accessing mail folders in profiles with many folders was slow * SMTP servers were not always properly initialized, and were not listed in Account Settings * APOP authentication unsupported when connecting to POP3 server * OpenPGP key discovery failed * POP accounts hosted by AOL were not able to authenticate using OAuth2 * Unable to open context menu in newsgroups header for groups that are not subscribed
Wolfgang Rosenauer
2022-09-08 09:47:43 +00:00
bff7539280- Mozilla Thunderbird 102.2.1 MFSA 2022-38 (bsc#1203007) * CVE-2022-3033 (bmo#1784838) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag * CVE-2022-3032 (bmo#1783831) Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked * CVE-2022-3034 (bmo#1745751) An iframe element in an HTML email could trigger a network request * CVE-2022-36059 (bmo#1787741) Matrix SDK bundled with Thunderbird vulnerable to denial-of- service attack
Wolfgang Rosenauer
2022-09-01 07:38:48 +00:00
eba6cdf4f5- Mozilla Thunderbird 102.2.0 * https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/ MFSA 2022-36 (bsc#1202645) * CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error handling * CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have inherited the parent's permissions * CVE-2022-38476 (bmo#1760998) Data race and potential use-after-free in PK11_ChangePW * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) Memory safety bugs fixed in Thunderbird 102.2 * CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13 - disabled automatic usage of wayland because of known issues using MOZ_ENABLE_WAYLAND=1 in environment would still enable it (boo#1202606)
Wolfgang Rosenauer
2022-08-26 06:39:36 +00:00
134f09dee2- Mozilla Thunderbird 102.1.2 * fix for bmo#1777765 (no POP download progress bar) was backed out from this release to address broken POP message download with Fetch headers only selected in Account Settings (bmo#1783552)
Wolfgang Rosenauer
2022-08-09 06:35:46 +00:00
08ffa63092- Mozilla Thunderbird 91.11.0 * CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work additional fix applied * "Save-As" attachment dialog did not have filename pre-populated MFSA 2022-26 (bsc#1200793) * CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way to overlay the address bar with web content * CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory * CVE-2022-34468 (bmo#1768537) CSP sandbox header without allow-scripts can be bypassed via retargeted javascript: URI * CVE-2022-2226 (bmo#1775441) An email with a mismatching OpenPGP signature date was accepted as valid * CVE-2022-34481 (bmo#1497246) Potential integer overflow in ReplaceElementsAt * CVE-2022-31744 (bmo#1757604) CSP bypass enabling stylesheet injection * CVE-2022-34472 (bmo#1770123) Unavailable PAC file resulted in OCSP requests being blocked * CVE-2022-34478 (bmo#1773717) Microsoft protocols can be attacked if a user accepts a prompt * CVE-2022-2200 (bmo#1771381) Undesired attributes could be set as part of prototype pollution * CVE-2022-34484 (bmo#1763634, bmo#1772651) Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
Wolfgang Rosenauer
2022-06-29 08:52:40 +00:00
5b920d1fa1- Mozilla Thunderbird 91.10.0 * Various UX and theme improvements MFSA 2022-22 (bsc#1200027) * CVE-2022-31736 (bmo#1735923) Cross-Origin resource's length leaked * CVE-2022-31737 (bmo#1743767) Heap buffer overflow in WebGL * CVE-2022-31738 (bmo#1756388) Browser window spoof using fullscreen mode * CVE-2022-31739 (bmo#1765049) Attacker-influenced path traversal when saving downloaded files * CVE-2022-31740 (bmo#1766806) Register allocation problem in WASM on arm64 * CVE-2022-31741 (bmo#1767590) Uninitialized variable leads to invalid memory read * CVE-2022-1834 (bmo#1767816) Braille space character caused incorrect sender email to be shown for a digitally signed email * CVE-2022-31742 (bmo#1730434) Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283, bmo#1767365, bmo#1768559, bmo#1768734) Memory safety bugs fixed in Thunderbird 91.10
Wolfgang Rosenauer
2022-05-31 19:36:16 +00:00
Wolfgang Rosenauer
Ana Guerrero
Dominique Leuenberger
Fabian Vogt
Richard Brown