c1979ea7d9
MFSA 2023-45 (bsc#1215814) * CVE-2023-5217 (bmo#1855550) Heap buffer overflow in libvpx - Add mozilla-bmo1846703.patch OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=723
-------------------------------------------------------------------
Fri Sep 29 06:44:26 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 115.3.1
  MFSA 2023-45 (bsc#1215814)
  * CVE-2023-5217 (bmo#1855550)
    Heap buffer overflow in libvpx
- Add mozilla-bmo1846703.patch

-------------------------------------------------------------------
Tue Sep 26 07:15:31 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 115.3.0
  https://www.thunderbird.net/en-US/thunderbird/115.3.0/releasenotes
  MFSA 2023-43 (bsc#1215575)
  * CVE-2023-5168 (bmo#1846683)
    Out-of-bounds write in FilterNodeD2D1
  * CVE-2023-5169 (bmo#1846685)
    Out-of-bounds write in PathOps
  * CVE-2023-5171 (bmo#1851599)
    Use-after-free in Ion Compiler
  * CVE-2023-5174 (bmo#1848454)
    Double-free in process spawning on Windows
  * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824,
    bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983,
    bmo#1851195)
    Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3,
    and Thunderbird 115.3

-------------------------------------------------------------------
Wed Sep 20 06:27:29 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 115.2.3
  Bugfix release:
  https://www.thunderbird.net/en-US/thunderbird/115.2.3/releasenotes

-------------------------------------------------------------------
Tue Sep 12 21:08:50 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 115.2.2
  https://www.thunderbird.net/en-US/thunderbird/115.2.2/releasenotes
  MFSA 2023-40 (bsc#1215231)
  * CVE-2023-4863 (bmo#1852649)
    Heap buffer overflow in libwebp

-------------------------------------------------------------------
Tue Sep 12 21:00:52 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 115.2.1
  https://www.thunderbird.net/en-US/thunderbird/115.2.1/releasenotes
  * new: Column separators are now shown between all columns in
    tree view (bmo#1847441)
  * fixed: New mail notification always opened message in message
    pane, even if pane was disabled (bmo#1840092)
  * fixed: After moving an IMAP message to another folder, the
    incorrect message was selected in the message list
    (bmo#1845376)
  * fixed: Adding a tag to an IMAP message opened in a tab failed
    (bmo#1844452)
  * fixed: Junk/Spam folders were not always shown in Unified
    Folders mode (bmo#1838672)
  * fixed: Middle-clicking a folder or message did not open it in
    a background tab, as in previous versions (bmo#1842482)
  * fixed: Settings tab visual improvements: Advanced Fonts
    dialog, Section headers hidden behind search box
    (bmo#1717382,bmo#1846751)
  * fixed: Various visual and style fixes
    (bmo#1843707,bmo#1849823)

-------------------------------------------------------------------
Sun Aug 27 08:17:34 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 115.2.0
  https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes
  MFSA 2023-38 (bsc#1214606)
  * CVE-2023-4573 (bmo#1846687)
    Memory corruption in IPC CanvasTranslator
  * CVE-2023-4574 (bmo#1846688)
    Memory corruption in IPC ColorPickerShownCallback
  * CVE-2023-4575 (bmo#1846689)
    Memory corruption in IPC FilePickerShownCallback
  * CVE-2023-4576 (bmo#1846694)
    Integer Overflow in RecordedSourceSurfaceCreation
  * CVE-2023-4577 (bmo#1847397)
    Memory corruption in JIT UpdateRegExpStatics
  * CVE-2023-4051 (bmo#1821884)
    Full screen notification obscured by file open dialog
  * CVE-2023-4578 (bmo#1839007)
    Error reporting methods in SpiderMonkey could have triggered
    an Out of Memory Exception
  * CVE-2023-4053 (bmo#1839079)
    Full screen notification obscured by external program
  * CVE-2023-4580 (bmo#1843046)
    Push notifications saved to disk unencrypted
  * CVE-2023-4581 (bmo#1843758)
    XLL file extensions were downloadable without warnings
  * CVE-2023-4582 (bmo#1773874)
    Buffer Overflow in WebGL glGetProgramiv
  * CVE-2023-4583 (bmo#1842030)
    Browsing Context potentially not cleared when closing Private
    Window
  * CVE-2023-4584 (bmo#1843968, bmo#1845205, bmo#1846080,
    bmo#1846526, bmo#1847529)
    Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15,
    Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
  * CVE-2023-4585 (bmo#1751583, bmo#1833504, bmo#1841082,
    bmo#1847904, bmo#1848999)
    Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2,
    and Thunderbird 115.2

-------------------------------------------------------------------
Tue Aug 15 07:53:02 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 115.1.1
  bugfixes as documented here
  https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes

-------------------------------------------------------------------
Tue Aug 1 07:51:37 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 115.1.0
  New major release with Supernova UI
  Releasenotes for 115.0:
  https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes
  MFSA 2023-33 (bsc#1213746)
  * CVE-2023-4045 (bmo#1833876)
    Offscreen Canvas could have bypassed cross-origin restrictions
  * CVE-2023-4046 (bmo#1837686)
    Incorrect value used during WASM compilation
  * CVE-2023-4047 (bmo#1839073)
    Potential permissions request bypass via clickjacking
  * CVE-2023-4048 (bmo#1841368)
    Crash in DOMParser due to out-of-memory conditions
  * CVE-2023-4049 (bmo#1842658)
    Fix potential race conditions when releasing platform objects
  * CVE-2023-4050 (bmo#1843038)
    Stack buffer overflow in StorageManager
  * CVE-2023-4052 (bmo#1824420)
    File deletion and privilege escalation through Firefox uninstaller
  * CVE-2023-4054 (bmo#1840777)
    Lack of warning when opening appref-ms files
  * CVE-2023-4055 (bmo#1782561)
    Cookie jar overflow caused unexpected cookie jar state
  * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325,
    bmo#1843847)
    Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
    Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
  * CVE-2023-4057 (bmo#1841682)
    Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
    and Thunderbird 115.1
- requires NSS 3.90
- add patches:
  mozilla-rust-disable-future-incompat.patch
  mozilla-partial-revert-1768632.patch
  mozilla-bmo1775202.patch
- removed obsolete patches:
  gcc13-fix.patch
  mozilla-bmo1568145.patch
  mozilla-bmo1005535.patch
  mozilla-s390x-skia-gradient.patch
- update create-tar.sh

-------------------------------------------------------------------
Tue Jul 25 06:56:46 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.13.1
  MFSA 2023-28
  * CVE-2023-3417 (bmo#1835582, boo#1213658)
    File Extension Spoofing using the Text Direction Override Character

-------------------------------------------------------------------
Fri Jul 7 12:47:11 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.13.0
  * Upstream RNP version numbers now recognized as official in about:support
  MFSA 2023-24 (bsc#1212438)
  * CVE-2023-37201 (bmo#1826002)
    Use-after-free in WebRTC certificate generation
  * CVE-2023-37202 (bmo#1834711)
    Potential use-after-free from compartment mismatch in
    SpiderMonkey
  * CVE-2023-37207 (bmo#1816287)
    Fullscreen notification obscured
  * CVE-2023-37208 (bmo#1837675)
    Lack of warning when opening Diagcab files
  * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886,
    bmo#1836550, bmo#1837450)
    Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
    and Thunderbird 102.13
- mozilla-llvm16.patch has been applied upstream, remove it here

-------------------------------------------------------------------
Sun Jun 4 08:22:58 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.12.0:
  MFSA 2023-21 (bsc#1211922)
  * CVE-2023-34414 (bmo#1695986)
    Click-jacking certificate exceptions through rendering lag
  * CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875,
    bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190,
    bmo#1830206, bmo#1830795, bmo#1833339)
    Memory safety bugs fixed in Thunderbird 102.12
  * fixed: "Searching the directory for recipients certificates"
    popup could block compose window when "S/MIME reminder" was
    enabled and using an LDAP address book (bmo#1833651)
  * fixed: Some elements still used animations with
    "prefers-reduced-motion" set (bmo#1833353)
  * fixed: Visual and theme improvements
    (bmo#1832943,bmo#1832990)

-------------------------------------------------------------------
Sat May 27 07:46:10 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.11.2
  * fixed: Thunderbird 102.11.1 contained POP3 client regressions
    with offline mode and TLS certificate overrides
    (bmo#1801286,bmo#1816596,bmo#1798785)
- Includes changes from Thunderbird 102.11.1
  * fixed: POP message retrieval stopped after a network error
    occurred and connectivity was restored (bmo#1798785)
  * fixed: Reused SMTP connections sometimes silently
    disconnected, causing timeouts (bmo#1766382)
  * fixed: Thunderbird could freeze if saving a sent message to
    IMAP failed (bmo#1745130)
  * fixed: Creating OpenPGP keys with no expiration was not
    possible (bmo#1830094)
  * fixed: News reader did not always issue GROUP command after
    authentication with remote server, preventing Thunderbird from
    displaying or refreshing news from the server (bmo#1824377)
- updated mozilla.keyring

-------------------------------------------------------------------
Thu May 11 06:45:57 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.11.0
  * https://www.thunderbird.net/en-US/thunderbird/102.11.0/releasenotes
  MFSA 2023-18 (bsc#1211175)
  * CVE-2023-32205 (bmo#1753339, bmo#1753341)
    Browser prompts could have been obscured by popups
  * CVE-2023-32206 (bmo#1824892)
    Crash in RLBox Expat driver
  * CVE-2023-32207 (bmo#1826116)
    Potential permissions request bypass via clickjacking
  * CVE-2023-32211 (bmo#1823379)
    Content process crash due to invalid wasm code
  * CVE-2023-32212 (bmo#1826622)
    Potential spoof due to obscured address bar
  * CVE-2023-32213 (bmo#1826666)
    Potential memory corruption in FileReader::DoReadData()
  * CVE-2023-32214 (bmo#1828716)
    Potential DoS via exposed protocol handlers
  * CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856,
    bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144,
    bmo#1827359, bmo#1830186)
    Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

-------------------------------------------------------------------
Sun Apr 23 07:54:15 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.10.1
  * https://www.thunderbird.net/en-US/thunderbird/102.10.1/releasenotes

-------------------------------------------------------------------
Wed Apr 5 21:10:11 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.10.0
  * New messages will automatically select S/MIME if configured and
    OpenPGP is not
  * Calendar events with timezone America/Mexico_City incorrectly
    applied Daylight Savings Time
  MFSA 2023-15 (bsc#1210212)
  * CVE-2023-29531 (bmo#1794292)
    Out-of-bound memory access in WebGL on macOS
  * CVE-2023-29532 (bmo#1806394)
    Mozilla Maintenance Service Write-lock bypass
  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
    Fullscreen notification obscured
  * MFSA-TMP-2023-0001 (bmo#1819244)
    Double-free in libwebp
  * CVE-2023-29535 (bmo#1820543)
    Potential Memory Corruption following Garbage Collector compaction
  * CVE-2023-29536 (bmo#1821959)
    Invalid free from JavaScript code
  * CVE-2023-0547 (bmo#1811298)
    Revocation status of S/Mime recipient certificates was not checked
  * CVE-2023-29479 (bmo#1824978)
    Hang when processing certain OpenPGP messages
  * CVE-2023-29539 (bmo#1784348)
    Content-Disposition filename truncation leads to Reflected
    File Download
  * CVE-2023-29541 (bmo#1810191)
    Files with malicious extensions could have been downloaded
    unsafely on Linux
  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
    Bypass of file download extension restrictions
  * CVE-2023-29545 (bmo#1823077)
    Windows Save As dialog resolved environment variables
  * CVE-2023-1945 (bmo#1777588)
    Memory Corruption in Safe Browsing Code
  * CVE-2023-29548 (bmo#1822754)
    Incorrect optimization result on ARM64
  * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217,
    bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602,
    bmo#1821448, bmo#1822413, bmo#1824828)
    Memory safety bugs fixed in Thunderbird 102.10
- add mozilla-llvm16.patch to fix build with LLVM16

-------------------------------------------------------------------
Wed Mar 29 10:50:35 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.9.1
  MFSA 2023-12
  * CVE-2023-28427 (bmo#1822595)
    Matrix SDK bundled with Thunderbird vulnerable to
    denial-of-service attack

-------------------------------------------------------------------
Sun Mar 26 10:57:52 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- add gcc13-fix.patch to support current Tumbleweed

-------------------------------------------------------------------
Sun Mar 12 09:52:40 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.9.0
  * https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes
  MFSA 2023-11 (bsc#1209173)
  * CVE-2023-25751 (bmo#1814899)
    Incorrect code generation during JIT compilation
  * CVE-2023-28164 (bmo#1809122)
    URL being dragged from a removed cross-origin iframe into the
    same tab triggered navigation
  * CVE-2023-28162 (bmo#1811327)
    Invalid downcast in Worklets
  * CVE-2023-25752 (bmo#1811627)
    Potential out-of-bounds when accessing throttled streams
  * CVE-2023-28163 (bmo#1817768)
    Windows Save As dialog resolved environment variables
  * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904,
    bmo#1817442, bmo#1818674)
    Memory safety bugs fixed in Thunderbird 102.9
- update create-tar.sh
- build using rust 1.67

-------------------------------------------------------------------
Tue Mar 7 18:30:09 UTC 2023 - Manfred Hollstein <manfred.h@gmx.net>

- Ensure gcc11-c++ gets used on Leap 15.5, too.

-------------------------------------------------------------------
Wed Feb 15 07:46:58 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.8.0
  * https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes
  MFSA 2023-07 (bsc#1208144)
  * CVE-2023-0616 (bmo#1806507)
    User Interface lockup with messages combining S/MIME and OpenPGP
  * CVE-2023-25728 (bmo#1790345)
    Content security policy leak in violation reports using iframes
  * CVE-2023-25730 (bmo#1794622)
    Screen hijack via browser fullscreen mode
  * CVE-2023-0767 (bmo#1804640)
    Arbitrary memory write via PKCS 12 in NSS
  * CVE-2023-25735 (bmo#1810711)
    Potential use-after-free from compartment mismatch in SpiderMonkey
  * CVE-2023-25737 (bmo#1811464)
    Invalid downcast in SVGUtils::SetupStrokeGeometry
  * CVE-2023-25738 (bmo#1811852)
    Printing on Windows could potentially crash Thunderbird with
    some device drivers
  * CVE-2023-25739 (bmo#1811939)
    Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
  * CVE-2023-25729 (bmo#1792138)
    Extensions could have opened external schemes without user knowledge
  * CVE-2023-25732 (bmo#1804564)
    Out of bounds memory write from EncodeInputStream
  * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
    Opening local .url files could cause unexpected network loads
  * CVE-2023-25742 (bmo#1813424)
    Web Crypto ImportKey crashes tab
  * CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628,
    bmo#1810536)
    Memory safety bugs fixed in Thunderbird 102.8
- requires
  NSPR >= 4.34.1
  NSS >= 3.79.4

-------------------------------------------------------------------
Wed Feb 8 07:59:46 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.7.2
  * Various crash fixes

-------------------------------------------------------------------
Tue Jan 31 21:48:13 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.7.1
  * Microsoft Office 365 accounts were unable to authenticate
  * https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/
  MFSA 2023-04
  * CVE-2023-0430 (bmo#1769000)
    Revocation status of S/Mime signature certificates was not checked
- update create-tar.sh

-------------------------------------------------------------------
Tue Jan 17 13:27:01 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.7.0
  https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/
  MFSA 2023-03 (bsc#1207119)
  * CVE-2022-46871 (bmo#1795697)
    libusrsctp library out of date
  * CVE-2023-23598 (bmo#1800425)
    Arbitrary file read from GTK drag and drop on Linux
  * CVE-2023-23599 (bmo#1777800)
    Malicious command could be hidden in devtools output on
    Windows
  * CVE-2023-23601 (bmo#1794268)
    URL being dragged from cross-origin iframe into same tab
    triggers navigation
  * CVE-2023-23602 (bmo#1800890)
    Content Security Policy wasn't being correctly applied to
    WebSockets in WebWorkers
  * CVE-2022-46877 (bmo#1795139)
    Fullscreen notification bypass
  * CVE-2023-23603 (bmo#1800832)
    Calls to console.log allowed bypassing Content
    Security Policy via format directive
  * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
    Memory safety bugs fixed in Thunderbird 102.7

-------------------------------------------------------------------
Tue Dec 20 08:06:29 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.6.1
  * Remote content did not load in user-defined signatures
  * Addons that added new action buttons were not shown for addon
    upgrades, requiring removal and reinstall
  * Various stability improvements
  MFSA 2022-54
  * CVE-2022-46874 (bmo#1746139)
    Drag and Dropped Filenames could have been truncated to
    malicious extensions

-------------------------------------------------------------------
Tue Dec 13 13:49:09 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.6.0
  https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
  MFSA 2022-53 (bsc#1206242)
  * CVE-2022-46880 (bmo#1749292)
    Use-after-free in WebGL
  * CVE-2022-46872 (bmo#1799156)
    Arbitrary file read from a compromised content process
  * CVE-2022-46881 (bmo#1770930)
    Memory corruption in WebGL
  * CVE-2022-46874 (bmo#1746139)
    Drag and Dropped Filenames could have been truncated to
    malicious extensions
  * CVE-2022-46875 (bmo#1786188)
    Download Protections were bypassed by .atloc and .ftploc
    files on Mac OS
  * CVE-2022-46882 (bmo#1789371)
    Use-after-free in WebGL
  * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
    bmo#1801102, bmo#1801315, bmo#1802395)
    Memory safety bugs fixed in Thunderbird 102.6
- removed obsolete patches
  mozilla-newer-cbindgen.patch
  mozilla-glibc236.patch

-------------------------------------------------------------------
Wed Nov 30 20:49:28 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.5.1
  MFSA 2022-50
  * CVE-2022-45414 (bmo#1788096)
    Quoting from an HTML email with certain tags will trigger network
    requests and load remote content, regardless of a configuration
    to block remote content

-------------------------------------------------------------------
Sat Nov 12 22:48:04 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.5.0
  * changes and fixes as described here
    https://www.thunderbird.net/en-US/thunderbird/102.5.0/releasenotes
  MFSA 2022-49 (bsc#1205270)
  * CVE-2022-45403 (bmo#1762078)
    Service Workers might have learned size of cross-origin media files
  * CVE-2022-45404 (bmo#1790815)
    Fullscreen notification bypass
  * CVE-2022-45405 (bmo#1791314)
    Use-after-free in InputStream implementation
  * CVE-2022-45406 (bmo#1791975)
    Use-after-free of a JavaScript Realm
  * CVE-2022-45408 (bmo#1793829)
    Fullscreen notification bypass via windowName
  * CVE-2022-45409 (bmo#1796901)
    Use-after-free in Garbage Collection
  * CVE-2022-45410 (bmo#1658869)
    ServiceWorker-intercepted requests bypassed SameSite cookie policy
  * CVE-2022-45411 (bmo#1790311)
    Cross-Site Tracing was possible via non-standard override headers
  * CVE-2022-45412 (bmo#1791029)
    Symlinks may resolve to partially uninitialized buffers
  * CVE-2022-45416 (bmo#1793676)
    Keystroke Side-Channel Leakage
  * CVE-2022-45418 (bmo#1795815)
    Custom mouse cursor could have been drawn over browser UI
  * CVE-2022-45420 (bmo#1792643)
    Iframe contents could be rendered outside the iframe
  * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
    Memory safety bugs fixed in Thunderbird 102.5

-------------------------------------------------------------------
Sat Nov 5 16:19:55 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.4.2
  * "Address Book" button in Account Central will now create a
    CardDAV address book instead of a local address book
  * Bugfixes as described here
    https://www.thunderbird.net/en-US/thunderbird/102.4.2/releasenotes

-------------------------------------------------------------------
Tue Oct 25 20:42:11 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.4.1
  * Thunderbird will now catch and report errors parsing vCards
    that contain incorrectly formatted dates
  * Dynamic language switching did not update interface when switched
    to right-to-left languages
  * Custom header data was discarded after messages were saved as
    draft and reopened
  * -remote command line argument did not work, affecting integration
    with various applications such as LibreOffice
  * Messages received via some SMS-to-email services could not
    display images
  * VCards with nickname field set could not be edited
  * Some recurring events were missing from Agenda on first load
  * Download requests for remote ICS calendars incorrectly set
    "Accept" header to text/xml
  * Monthly events created on the 31st of a month with <30 days placed
    first occurrence 1-2 days after the beginning of the following month
  * Various visual and UX improvements

-------------------------------------------------------------------
Fri Oct 14 19:54:03 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.4.0
  https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes
  MFSA 2022-46 (bsc#1203477)
  * CVE-2022-42927 (bmo#1789128)
    Same-origin policy violation could have leaked cross-origin URLs
  * CVE-2022-42928 (bmo#1791520)
    Memory Corruption in JS Engine
  * CVE-2022-42929 (bmo#1789439)
    Denial of Service via window.print
  * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)
    Memory safety bugs fixed in Firefox 106, Firefox ESR 102.4 and
    Thunderbird 102.4.0

-------------------------------------------------------------------
Tue Oct 11 20:40:12 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.3.3
  * Option added to show containing address book for a contact when
    using All Address Books in vertical mode
  * Thunderbird will try to use POP NTLM authentication even if
    not advertised by server
  * Task List and Today Pane sidebars will no longer load when not visible
  * bugfixes as documented here
    https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes

-------------------------------------------------------------------
Thu Oct 6 07:28:32 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.3.2
  * Thunderbird will try to use POP CRAM-MD5 authentication even if
    not advertised by server
  * more bugfixes as in
    https://www.thunderbird.net/en-US/thunderbird/102.3.2/releasenotes

-------------------------------------------------------------------
Mon Oct 3 10:08:03 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- build using rust 1.63

-------------------------------------------------------------------
Wed Sep 28 08:13:07 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.3.1
  * Compose window encryption options now only appear for encryption
    technologies that have already been configured
  * Number of contacts in currently selected address book now
    displayed at bottom of Address Book list column
  Fixes
  * Password prompt did not include server hostname for POP servers
  * Edit Contact was missing from Contacts sidebar context menus
  * Address Book contact lists cut off display of some characters,
    the result being unreadable
  MFSA 2022-43
  * CVE-2022-39249 (bmo#1791765)
    Matrix SDK bundled with Thunderbird vulnerable to an
    impersonation attack by malicious server administrators
  * CVE-2022-39250 (bmo#1791765)
    Matrix SDK bundled with Thunderbird vulnerable to a device
    verification attack
  * CVE-2022-39251 (bmo#1791765)
    Matrix SDK bundled with Thunderbird vulnerable to an
    impersonation attack
  * CVE-2022-39236 (bmo#1791765)
    Matrix SDK bundled with Thunderbird vulnerable to a data
    corruption issue

-------------------------------------------------------------------
Fri Sep 16 08:17:49 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.3.0
  https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
  * Thunderbird will no longer attempt to import account passwords
    when importing from another Thunderbird profile in order to
    prevent profile corruption and permanent data loss. (bmo#1790605)
  * Devtools performance profile will use Thunderbird presets
    instead of Web Developer presets (bmo#1785954)
  * Thunderbird startup performance improvements (bmo#1785967)
  * Saving email source and images failed (bmo#1777323, bmo#1778804)
  * Error message was shown repeatedly when temporary disk
    space was full (bmo#1788580)
  * Attaching OpenPGP keys without a set size to non-encrypted
    messages briefly displayed a size of zero bytes (bmo#1788952)
  * Global Search entry box initially contained "undefined" (bmo#1780963)
  * Delete from POP Server mail filter rule intermittently
    failed to trigger (bmo#1789418)
  * Connections to POP3 servers without UIDL support failed (bmo#1789314)
  * Pop accounts with "Fetch headers only" set downloaded complete
    messages if server did not advertise TOP capability (bmo#1789356)
  * "File -> New -> Address Book Contact" from Compose window did
    not work (bmo#1782418)
  * Attach "My vCard" option in compose window was not available
    (bmo#1787614)
  * Improved performance of matching a contact to an email address
    (bmo#1782725)
  * Address book only recognized a contact's first two email
    addresses (bmo#1777156)
  * Address book search and autocomplete failed if a contact vCard
    could not be parsed (bmo#1789793)
  * Downloading NNTP messages for offline use failed (bmo#1785773)
  * NNTP client became stuck when connecting to Public-Inbox servers
    (bmo#1786203, boo#1203554)
  * Various visual and UX improvements (bmo#1782235, bmo#1787448,
    bmo#1788725, bmo#1790324)
  * unresolved: No dedicated "Department" field in address book
    (bmo#1777780)
  MFSA 2022-42 (bsc#1203477)
  * CVE-2022-40959 (bmo#1782211)
    Bypassing FeaturePolicy restrictions on transient pages
  * CVE-2022-40960 (bmo#1787633)
    Data-race when parsing non-UTF-8 URLs in threads
  * CVE-2022-40958 (bmo#1779993)
    Bypassing Secure Context restriction for cookies with __Host
    and __Secure prefix
  * CVE-2022-40956 (bmo#1770094)
    Content-Security-Policy base-uri bypass
  * CVE-2022-40957 (bmo#1777604)
    Incoherent instruction cache when building WASM on ARM64
  * CVE-2022-3155 (bmo#1789061)
    Attachment files saved to disk on macOS could be executed
    without warning
  * CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835,
    bmo#1785109, bmo#1786502, bmo#1789440)
    Memory safety bugs fixed in Thunderbird 102.3

-------------------------------------------------------------------
Thu Sep 8 06:31:58 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.2.2
  https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
  * Setting added to change Calendar event double-click action to
    open Edit Event dialog rather than view only;
    Set calendar.events.defaultActionEdit to true
  * Running Compact Folders on maildir folders caused a redownload
    of all messages in the folder
  * Accessing mail folders in profiles with many folders was slow
  * SMTP servers were not always properly initialized, and were not
    listed in Account Settings
  * APOP authentication unsupported when connecting to POP3 server
  * OpenPGP key discovery failed
  * POP accounts hosted by AOL were not able to authenticate using OAuth2
  * Unable to open context menu in newsgroups header for groups
    that are not subscribed

-------------------------------------------------------------------
Thu Sep 1 06:48:28 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.2.1
  MFSA 2022-38 (bsc#1203007)
  * CVE-2022-3033 (bmo#1784838)
    Leaking of sensitive information when composing a response to
    an HTML email with a META refresh tag
  * CVE-2022-3032 (bmo#1783831)
    Remote content specified in an HTML document that was nested
    inside an iframe's srcdoc attribute was not blocked
  * CVE-2022-3034 (bmo#1745751)
    An iframe element in an HTML email could trigger a network
    request
  * CVE-2022-36059 (bmo#1787741)
    Matrix SDK bundled with Thunderbird vulnerable to
    denial-of-service attack

-------------------------------------------------------------------
Fri Aug 19 18:24:06 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.2.0
* https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/
MFSA 2022-36 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155)
Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685)
Cross-origin XSLT Documents would have inherited the parent's
permissions
* CVE-2022-38476 (bmo#1760998)
Data race and potential use-after-free in PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
Memory safety bugs fixed in Thunderbird 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
Memory safety bugs fixed in Thunderbird 102.2, and
Thunderbird 91.13
- disabled automatic usage of wayland because of known issues
using MOZ_ENABLE_WAYLAND=1 in environment would still enable it
(boo#1202606)

-------------------------------------------------------------------
Sun Aug 14 08:03:00 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- added mozilla-glibc236.patch (bmo#1782988, boo#1202323)

-------------------------------------------------------------------
Tue Aug 9 06:24:56 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.1.2
* fix for bmo#1777765 (no POP download progress bar) was backed
out from this release to address broken POP message download
with Fetch headers only selected in Account Settings (bmo#1783552)

-------------------------------------------------------------------
Mon Aug 8 06:46:01 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.1.1
Bugfixes:
* https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/

-------------------------------------------------------------------
Tue Jul 26 09:03:40 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.1.0
* https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes
MFSA 2022-32 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722)
Mouse Position spoofing with CSS transforms
* CVE-2022-36318 (bmo#1771774)
Directory indexes for bundled resources reflected URL parameters
* CVE-2022-36314 (bmo#1773894)
Opening local `.lnk` files could cause unexpected
network loads
* CVE-2022-2505 (bmo#1769739, bmo#1772824)
Memory safety bugs fixed in Thunderbird 102.1
- added mozilla-newer-cbindgen.patch to fix build with
rust-cbindgen >= 0.24 (and also require that for build)
- added mozilla-pgo.patch to fix LTO builds with gcc

-------------------------------------------------------------------
Tue Jul 19 07:31:52 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.0.3
Bugfixes as in
* https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/

-------------------------------------------------------------------
Sat Jul 9 21:53:27 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 102.0.2
* https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/
- removed obsolete patches
mozilla-bmo1504834-part2.patch
mozilla-bmo1504834-part4.patch
mozilla-bmo1602730.patch
mozilla-bmo1626236.patch
mozilla-bmo1724679.patch
mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
mozilla-sandbox-fips.patch
- added patches inherited from FF 102
one_swizzle_to_rule_them_all.patch
svg-rendering.patch
- fix KDE detection (boo#1200987) in mozilla-kde.patch
- requires
rust = 1.60
NSPR >= 4.34
NSS >= 3.79
rust-cbindgen >= 0.23.0
- remove special breakpad debug symbol creation

-------------------------------------------------------------------
Sun Jun 26 08:53:26 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.11.0
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
additional fix applied
* "Save-As" attachment dialog did not have filename pre-populated
MFSA 2022-26 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-2226 (bmo#1775441)
An email with a mismatching OpenPGP signature date was
accepted as valid
* CVE-2022-34481 (bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-31744 (bmo#1757604)
CSP bypass enabling stylesheet injection
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype pollution
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102

-------------------------------------------------------------------
Thu May 26 07:56:09 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.10.0
* Various UX and theme improvements
MFSA 2022-22 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923)
Cross-Origin resource's length leaked
* CVE-2022-31737 (bmo#1743767)
Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388)
Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049)
Attacker-influenced path traversal when saving downloaded
files
* CVE-2022-31740 (bmo#1766806)
Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590)
Uninitialized variable leads to invalid memory read
* CVE-2022-1834 (bmo#1767816)
Braille space character caused incorrect sender email to be
shown for a digitally signed email
* CVE-2022-31742 (bmo#1730434)
Querying a WebAuthn token with a large number of
allowCredential entries may have leaked cross-origin
information
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
bmo#1767365, bmo#1768559, bmo#1768734)
Memory safety bugs fixed in Thunderbird 91.10

-------------------------------------------------------------------
Sat May 21 06:36:17 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.9.1
MFSA 2022-19 (bsc#1199768)
* CVE-2022-1802 (bmo#1770137)
Prototype pollution in Top-Level Await implementation
* CVE-2022-1529 (bmo#1770048)
Untrusted input used in JavaScript object indexing, leading
to prototype pollution

-------------------------------------------------------------------
Mon May 2 06:34:51 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe
attributes that are ignored
* OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
allow SHA-1 key signatures
* CalDAV calendars were marked read-only on startup
MFSA 2022-18 (bsc#1198970)
* CVE-2022-1520 (bmo#1745019)
Incorrect security status shown after viewing an attached
email
* CVE-2022-29914 (bmo#1746448)
Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081)
Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674)
Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981)
iframe sandbox bypass
* CVE-2022-29912 (bmo#1692655)
Reader mode bypassed SameSite cookies
* CVE-2022-29913 (bmo#1764778)
Speech Synthesis feature not properly disabled
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
bmo#1762614, bmo#1762620)
Memory safety bugs fixed in Thunderbird 91.9

-------------------------------------------------------------------
Sat Apr 16 11:36:34 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js#
* Additional SMTP errors now propagated to user
* OpenPGP was not able to use some previously supported key types
* OpenPGP Key Manager did not always display correct information
after importing additional IDs
* Duplicate new mail notifications could be displayed when
server-side filters were in use
* Cancelling an SMTP password entry resulted in multiple failure
dialogs being displayed

-------------------------------------------------------------------
Tue Apr 12 07:30:18 UTC 2022 - Martin Liška <mliska@suse.cz>

- Set memory limits for DWZ to 4x.

-------------------------------------------------------------------
Sat Apr 2 17:39:15 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.8.0
* Google accounts using password authentication will be migrated
to OAuth2.
* bugfixes
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
MFSA 2022- (bsc#1197903)
- update create-tar.sh

-------------------------------------------------------------------
Thu Mar 17 14:39:51 UTC 2022 - Dirk Müller <dmueller@suse.com>

- skip slow workers, this is a tough build job

-------------------------------------------------------------------
Sun Mar 6 13:02:02 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.7.0
* Thunderbird will use the first occurrence of headers that should
only appear once
* Auto-complete incorrectly changed a pasted email address to the
primary address of a contact
* Attachments with filename extensions that were not registered in
MIME types could not be opened
* Copy/Cut/Paste actions not working in Thunderbird Preferences
* Improved screen reader support of displayed message headers
MFSA 2022-12 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421)
Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352)
iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979)
Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243)
Use-after-free in text reflows
* CVE-2022-26386 (bmo#1752396)
Temporary files downloaded to /tmp and accessible by other
local users

-------------------------------------------------------------------
Sun Mar 6 12:49:36 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.6.2
MFSA 2022-09
* CVE-2022-26485 (bmo#1758062)
Use-after-free in XSLT parameter processing
* CVE-2022-26486 (bmo#1758070)
Use-after-free in WebGPU IPC Framework

-------------------------------------------------------------------
Tue Feb 15 09:13:06 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
* Emails were not downloading at startup under some conditions
* Port numbers were not shown in "Confirm Security Exception"
dialog for CalDAV connections
MFSA 2022-07 (bsc#1196072)
* CVE-2022-0566 (bmo#1753094)
Crafted email could trigger an out-of-bounds write

-------------------------------------------------------------------
Sat Feb 5 14:11:31 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
* Partially signed unencrypted messages displayed an incorrect
"partially encrypted" notification
* Attachments filenames were not sanitized before saving to disk
* In the attachment bar, the "Import OpenPGP Key" item displayed
for public keys displayed an error and did not import the key
* "Open with" attachment dialog did not have a selected radio
button option
MFSA 2022-06 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance
Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during
update
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22763 (bmo#1740534)
Script Execution during invalid object state
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
bmo#1748210, bmo#1748279)
Memory safety bugs fixed in Thunderbird 91.6
- do not use ccache by default
- removed obsolete mozilla-bmo1745560.patch

-------------------------------------------------------------------
Sat Jan 22 09:57:59 UTC 2022 - Manfred Hollstein <manfred.h@gmx.net>

- Mozilla Thunderbird 91.5.1
* JS LDAP implementation did not support self-signed SSL certificates
* After saving a draft and subsequently sending a FileLink email,
the original file was removed from disk
* Chat OTR encryption did not work
* OTR verification bar was not removed after completing verification
* Various theme improvements

-------------------------------------------------------------------
Thu Jan 20 13:10:00 UTC 2022 - Martin Liška <mliska@suse.cz>

- Enable -fimplicit-constexpr for GCC 12+.

-------------------------------------------------------------------
Fri Jan 7 16:13:57 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.5.0
https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
MFSA 2022-03 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071)
Calling into reportValidity could have led to fullscreen
window spoof
* CVE-2022-22743 (bmo#1739220)
Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923)
Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389)
Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334)
Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382)
Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874)
Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720)
Iframe sandbox bypass with XSLT
* CVE-2022-22748 (bmo#1705211)
Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856)
Leaking cross-origin URLs through securitypolicyviolation event
* CVE-2022-22744 (bmo#1737252)
The 'Copy as curl' feature in DevTools did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2022-22747 (bmo#1735028)
Crash when handling empty pkcs7 sequence
* CVE-2022-22739 (bmo#1744158)
Missing throttling on external protocol launch dialog
* CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366,
bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221,
bmo#1743515, bmo#1745373, bmo#1746011)
Memory safety bugs fixed in Thunderbird 91.5

-------------------------------------------------------------------
Tue Dec 28 20:20:30 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>

- Add mozilla-bmo1745560.patch: Fix build against wayland 1.20.

-------------------------------------------------------------------
Fri Dec 17 14:19:48 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.4.1
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
MFSA 2021-55 (bsc#1193845)
* CVE-2021-4126 (bmo#1732310)
OpenPGP signature status doesn't consider additional message
content
* CVE-2021-44538 (bmo#1744056)
Matrix chat library libolm bundled with Thunderbird
vulnerable to a buffer overflow
- updated _constraints

-------------------------------------------------------------------
Thu Dec 2 08:55:33 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.4.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
MFSA 2021-54 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43545 (bmo#1720926)
Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751)
Cursor spoofing could overlay user interface when native
cursor is zoomed
* CVE-2021-43528 (bmo#1742579)
JavaScript unexpectedly enabled for the composition area
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
bmo#1737009, bmo#1739372, bmo#1739421)
Memory safety bugs fixed in Thunderbird 91.4.0

-------------------------------------------------------------------
Thu Nov 25 20:25:29 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>

- Drop unused libidl-devel BuildRequires.

-------------------------------------------------------------------
Sat Nov 20 18:57:39 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.3.2
* Date selection in Calendar print settings widget changed to use
mini calendar widget
* OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529
boo#1189244
* Bugfixes as outlined in release notes
https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/

-------------------------------------------------------------------
Sat Nov 13 11:52:30 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.3.1
* OpenPGP public keys will no longer count as an attachment in
the message list
* Adding a search engine via URL now supported
* FileLink messages' template updated; Thunderbird advertisement
removed
* After an update, Thunderbird will now check installed addons
for updates
* Bugfixes as outlined in release notes
https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/

-------------------------------------------------------------------
Sun Oct 31 17:49:23 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.3.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
MFSA 2021-50 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517)
iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156)
Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194)
Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750)
Thunderbird could be coaxed into going into fullscreen mode
without notification or warning
* CVE-2021-38507 (bmo#1730935)
Opportunistic Encryption in HTTP2 could be used to bypass the
Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0008 (bmo#1667102)
Use-after-free in HTTP2 Session object
* CVE-2021-38508 (bmo#1366818)
Permission Prompt could be overlaid, resulting in user
confusion and potential spoofing
* CVE-2021-38509 (bmo#1718571)
Javascript alert box could have been spoofed onto an
arbitrary domain
* CVE-2021-38510 (bmo#1731779)
Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
bmo#1735152)
Memory safety bugs fixed in Thunderbird ESR 91.3
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires

-------------------------------------------------------------------
Fri Oct 22 21:27:02 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.2.1
* Preference added to disable automatic pausing RSS feed updates
after a fetch failure
* several bugfixes as outlined in release notes
https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/

-------------------------------------------------------------------
Fri Oct 22 09:16:01 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Increase memory required per threads for aarch64 to avoid OOM

-------------------------------------------------------------------
Thu Oct 21 13:23:29 UTC 2021 - Martin Liška <mliska@suse.cz>

- Enable LTO on Tumbleweed.

-------------------------------------------------------------------
Fri Oct 15 20:29:41 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863)
fix some env variables which are enabled for any value

-------------------------------------------------------------------
Mon Oct 4 19:55:48 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.2.0
* Saving a single message as .eml now uses a unique filename
* New mail notifications did not properly take subfolders into account
* Decrypting binary attachments when using an external GnuPG
configuration failed
* Account name fields in the account manager were not big enough
for long names
* LDAP searches using an extensibleMatch filter returned no results
* Read-only CalDAV calendars and CardDAV address books were not detected
* Multipart messages containing a calendar invite did not display
any of the human-readable alternatives
* Some calendar days were displayed incorrectly or duplicated
(e.g. two "29th" days of a particular month)
* Phantom event was shown at the end of each day in Calendar week view
MFSA 2021-46 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335)
Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621)
Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642)
Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813,
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321)
Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

-------------------------------------------------------------------
Sun Sep 26 16:01:35 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.1.2
* Thunderbird will now warn if an S/MIME encrypted message includes
BCC recipients
* several bugfixes listed on
https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/

-------------------------------------------------------------------
Wed Sep 15 15:37:55 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.1.1
* Menu item for disabling subject encryption for a single message added
* Printing messages that are not currently displayed is no longer
supported, including printing multiple messages at once
* for bugfixes see
https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes
- MOZ_ENABLE_WAYLAND env variable now overrides automatic detection
if already set before startup

-------------------------------------------------------------------
Thu Sep 2 07:03:59 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.1.0
* Thunderbird registered Accessibility Handlers using same GUIDs
as Firefox, causing performance issues for NVDA users
* Focus lost when reordering accounts by keyboard in the Account Manager
* Account setup did not use provider display name for setting up
calendars
* Various theme and UX fixes
MFSA 2021-41 (bsc#1190269)
* CVE-2021-38492 (bmo#1721107)
Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101,
bmo#1724107)
Memory safety bugs fixed in Thunderbird 91.1
- (re-)added mozilla-silence-no-return-type.patch
- add mozilla-bmo531915.patch to fix build for i586

-------------------------------------------------------------------
Fri Aug 27 21:01:34 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 91.0.3:
* fixed: Folder icons could be overridden by linked favicons in
HTML messages
* fixed: Unified folders showed no messages when underlying
folders were removed
* fixed: Folder pane toolbar did not always persist after
restarting Thunderbird
* fixed: Compose window attachment pane did not close when
disabling signing of an OpenPGP message
* fixed: Using "Reply to List" with some list emails
incorrectly opened a "no-reply" warning
* fixed: Account setup UX issues with Exchange autodiscover
* fixed: Account settings did not display non-UTF-8 server
descriptions correctly
* fixed: Thunderbird sometimes sent an unnecessary "SMTPUTF8",
causing some servers to reject mail
* fixed: No mouseover pop was displayed with event details for
non-all-day events in the Today Pane
* fixed: Filtering tasks in the Today Pane did not work
* fixed: Email based event scheduling displayed the date and
time in a format unreadable by humans

-------------------------------------------------------------------
Fri Aug 27 20:07:49 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 91.0.2:
* new: Tags are now colored in mail filter editor
* changed: Context menu items related to OpenPGP and
attachments are now hidden when not applicable
* fixed: Creating a new account with manual setup failed
* fixed: Recipient autocomplete always preferred the primary
email address for a contact
* fixed: LDAP performance improvements
* fixed: Extensions listed on the Recommended Addons did not
have a clear way to view details in a browser
* fixed: Status checkmark on View > Calendar > Calendar Pane >
Show Calendar Pane was reversed
* fixed: mid: URLs in calendar invites did not open the linked
mail message
* fixed: Various theme and UX fixes

-------------------------------------------------------------------
Tue Aug 17 07:19:15 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.0.1
MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
- appdata screenshot URL updated (by mailaender@opensuse.org)

-------------------------------------------------------------------
Sun Aug 15 17:21:46 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 91.0
* based on Mozilla's 91 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew
* Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences"
* Thunderbird now operates in multi-process (e10s) mode by default
* New user interface for adding attachments
* Enable redirect of messages
* CardDAV address book support
- Removed obsolete patches:
* mozilla-bmo1463035.patch
* mozilla-ppc-altivec_static_inline.patch
* mozilla-pipewire-0-3.patch
* mozilla-bmo1554971.patch
- add mozilla-libavcodec58_91.patch
- removed obsolete BigEndian ICU build workaround
- updated build requirements
- build using clang

-------------------------------------------------------------------
Thu Aug 5 15:47:34 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.13.0
* removed WeTransfer integration package (not supported by vendor
any longer)
MFSA 2021-35 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138)
Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29988 (bmo#1717922)
Memory corruption as a result of incorrect style treatment
* CVE-2021-29984 (bmo#1720031)
Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204)
Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29985 (bmo#1722083)
Use-after-free media channels
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
bmo#1719998, bmo#1720568)
Memory safety bugs fixed in Thunderbird 78.13

-------------------------------------------------------------------
Wed Jul 14 06:34:13 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.12.0
MFSA 2021-30 (bsc#1188275)
* CVE-2021-29969 (bmo#1682370)
IMAP server responses sent by a MITM prior to STARTTLS could be
processed
* CVE-2021-29970 (bmo#1709976)
Use-after-free in accessibility features of a document
* CVE-2021-30547 (bmo#1715766)
Out of bounds write in ANGLE
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
bmo#1711576, bmo#1714391)
Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12

-------------------------------------------------------------------
Sat May 29 08:14:38 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.11.0
* OpenPGP could not be disabled for an account if a key was
previously configured
* Recipients were unable to decrypt some messages when the sender
had changed the message encryption from OpenPGP to S/MIME
* Contacts moved between CardDAV address books were not synced to
the new server
* CardDAV compatibility fixes for Google Contacts
MFSA 2021-26 (bsc#1186696)
* CVE-2021-29964 (bmo#1706501)
Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
bmo#1704722, bmo#1706041)
Memory safety bugs fixed in Thunderbird 78.11
- renewed expired mozilla.keyring

-------------------------------------------------------------------
Fri May 14 08:58:19 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.10.2
* Added support for importing OpenPGP keys without a primary
secret key
* Add-ons manager displays a preferences icon for mail extensions
that include an options page
Fixed
* OpenPGP messages with a high compression ratio (over 10x) could
not be decrypted
* Selected OpenPGP key was lost after opening the Key Properties
dialog in Account Settings
* Parsing some OpenPGP user IDs failed
* Various improvements to OpenPGP partial encryption reminders
* Mail toolbar buttons were too big when displaying both icons
and text
MFSA 2021-22
* CVE-2021-29956 (boo#1186199, bmo#1710290)
Thunderbird stored OpenPGP secret keys without master password
protection
* CVE-2021-29957 (boo#1186198, bmo#1673241)
Partial protection of inline OpenPGP message not indicated
- do not rely on nodejs10 explicitly

-------------------------------------------------------------------
Tue May 4 15:39:28 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.10.1
  * Remove the fix for bmo#1689804 introduced in 78.9.0,
    restoring the previous behavior
  * MFSA 2021-19 (bsc#1185633) does not affect this platform

-------------------------------------------------------------------
Sun Apr 18 07:21:01 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.10.0
  MFSA 2021-14 (bsc#1184960)
  * CVE-2021-23994 (bmo#1699077)
    Out of bound write due to lazy initialization
  * CVE-2021-23995 (bmo#1699835)
    Use-after-free in Responsive Design Mode
  * CVE-2021-23998 (bmo#1667456)
    Secure Lock icon could have been spoofed
  * CVE-2021-23961 (bmo#1677940)
    More internal network hosts could have been probed by a
    malicious webpage
  * CVE-2021-23999 (bmo#1691153)
    Blob URLs may have been granted additional privileges
  * CVE-2021-24002 (bmo#1702374)
    Arbitrary FTP command execution on FTP servers using an
    encoded URL
  * CVE-2021-29945 (bmo#1700690)
    Incorrect size computation in WebAssembly JIT could lead to
    null-reads
  * CVE-2021-29946 (bmo#1698503)
    Port blocking could be bypassed
  * CVE-2021-29948 (bmo#1692899)
    Race condition when reading from disk while verifying
    signatures
- recommend libotr5

-------------------------------------------------------------------
Sat Apr 10 11:39:37 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.9.1
  * Support recipient aliases for OpenPGP encryption
  * The key and signature parts of the message security popup on a
    received message could not be selected for copy/paste
  * Various UX and theme improvements
  MFSA 2021-13
  * CVE-2021-23991 (bmo#1673240)
    An attacker may use Thunderbird's OpenPGP key refresh mechanism
    to poison an existing key
  * MOZ-2021-23992 (bmo#1666236)
    A crafted OpenPGP key with an invalid user ID could be used to
    confuse the user
  * CVE-2021-23993 (bmo#1666360)
    Inability to send encrypted OpenPGP email after importing a
    crafted OpenPGP key

-------------------------------------------------------------------
Sat Mar 20 09:20:00 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.9.0
  * bugfixes:
    https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes
  MFSA 2021-12 (boo#1183942)
  * CVE-2021-23981 (bmo#1692832)
    Texture upload into an unbound backing buffer resulted in an
    out-of-bound read
  * MOZ-2021-0002 (bmo#1691547)
    Angle graphics library out of date
  * CVE-2021-23982 (bmo#1677046)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2021-23984 (bmo#1693664)
    Malicious extensions could have spoofed popup information
  * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718)
    Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)

-------------------------------------------------------------------
Sun Mar 7 09:27:49 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.8.1
  * several bugfixes and improvements
  * https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/
- updated create-tar.sh (bsc#1182357)

-------------------------------------------------------------------
Fri Feb 19 21:39:32 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.8.0
  * various bugfixes
  MFSA 2021-09 (bsc#1182614)
  * CVE-2021-23969 (bmo#1542194)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23968 (bmo#1687342)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23973 (bmo#1690976)
    MediaError message property could have leaked information
    about cross-origin resources
  * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391,
    bmo#1687597)
    Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

-------------------------------------------------------------------
Fri Feb 5 22:23:03 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.7.1
  * CardDAV address books now support OAuth2 and Google Contacts
  * Thunderbird will no longer allow installation of addons that
    use legacy APIs

-------------------------------------------------------------------
Tue Jan 26 07:47:13 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.7.0
  MFSA 2021-05 (bsc#1181414)
  * CVE-2021-23953 (bmo#1683940)
    Cross-origin information leakage via redirected PDF requests
  * CVE-2021-23954 (bmo#1684020)
    Type confusion when using logical assignment operators in
    JavaScript switch statements
  * CVE-2020-15685 (bmo#1622640)
    IMAP Response Injection when using STARTTLS
  * CVE-2020-26976 (bmo#1674343)
    HTTPS pages could have been intercepted by a registered
    service worker when they should not have been
  * CVE-2021-23960 (bmo#1675755)
    Use-after-poison for incorrectly redeclared JavaScript
    variables during GC
  * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526,
    bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844,
    bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410,
    bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736,
    bmo#1685260, bmo#1685925)
    Memory safety bugs fixed in Thunderbird 78.7

-------------------------------------------------------------------
Sun Jan 24 09:33:04 UTC 2021 - Manfred Hollstein <manfred.h@gmx.net>

- MozillaThunderbird.spec: Don't abuse BUILDROOT during %build as newer
  rpm versions in TW remove everything there as the first action
  of %install

-------------------------------------------------------------------
Mon Jan 11 16:35:00 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.6.1
  MFSA 2021-02 (bsc#1180623)
  * CVE-2020-16044 (bmo#1683964)
    Use-after-free write when handling a malicious COOKIE-ECHO SCTP
    chunk

-------------------------------------------------------------------
Sat Dec 12 10:25:08 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.6.0
  * changes and additions in MailExtensions
  * several bugfixes
  * https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/
  MFSA 2020-56 (bsc#1180039)
  * CVE-2020-16042 (bmo#1679003)
    Operations on a BigInt could have caused uninitialized memory
    to be exposed
  * CVE-2020-26971 (bmo#1663466)
    Heap buffer overflow in WebGL
  * CVE-2020-26973 (bmo#1680084)
    CSS Sanitizer performed incorrect sanitization
  * CVE-2020-26974 (bmo#1681022)
    Incorrect cast of StyleGenericFlexBasis resulted in a heap
    use-after-free
  * CVE-2020-26978 (bmo#1677047)
    Internal network hosts could have been probed by a malicious
    webpage
  * CVE-2020-35111 (bmo#1657916)
    The proxy.onRequest API did not catch view-source URLs
  * CVE-2020-35112 (bmo#1661365)
    Opening an extension-less download may have inadvertently
    launched an executable instead
  * CVE-2020-35113 (bmo#1664831, bmo#1673589)
    Memory safety bugs fixed in Thunderbird 78.6

-------------------------------------------------------------------
Tue Dec 1 21:34:15 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.5.1
  MFSA 2020-53 (bsc#1179530)
  * CVE-2020-26970 (bmo#1677338)
    Stack overflow due to incorrect parsing of SMTP server response codes

-------------------------------------------------------------------
Mon Nov 16 20:13:34 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.5.0
  MFSA 2020-52 (bsc#1178894)
  * CVE-2020-26951 (bmo#1667113)
    Parsing mismatches could confuse and bypass security
    sanitizer for chrome privileged code
  * CVE-2020-16012 (bmo#1642028)
    Variable time processing of cross-origin images during
    drawImage calls
  * CVE-2020-26953 (bmo#1656741)
    Fullscreen could be enabled without displaying the security
    UI
  * CVE-2020-26956 (bmo#1666300)
    XSS through paste (manual and clipboard API)
  * CVE-2020-26958 (bmo#1669355)
    Requests intercepted through ServiceWorkers lacked MIME type
    restrictions
  * CVE-2020-26959 (bmo#1669466)
    Use-after-free in WebRequestService
  * CVE-2020-26960 (bmo#1670358)
    Potential use-after-free in uses of nsTArray
  * CVE-2020-15999 (bmo#1672223)
    Heap buffer overflow in freetype
  * CVE-2020-26961 (bmo#1672528)
    DoH did not filter IPv4 mapped IP Addresses
  * CVE-2020-26965 (bmo#1661617)
    Software keyboards may have remembered typed passwords
  * CVE-2020-26966 (bmo#1663571)
    Single-word search queries were also broadcast to local
    network
  * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
    bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
    bmo#1671923)
    Memory safety bugs fixed in Thunderbird 78.5
- removed obsolete mozilla-rust-1.47.patch

-------------------------------------------------------------------
Wed Nov 11 09:04:51 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.4.3
  https://www.thunderbird.net/en-US/thunderbird/78.4.3/releasenotes/
- added mozilla-rust-1.47.patch to fix build with rust 1.47

-------------------------------------------------------------------
Mon Nov 9 21:43:37 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.4.2
  MFSA 2020-49
  * CVE-2020-26950 (bmo#1675905)
    Write side effects in MCallGetProperty opcode not accounted for

-------------------------------------------------------------------
Thu Nov 5 08:52:51 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.4.1
  * Bugfixes and minor features
    https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/

-------------------------------------------------------------------
Tue Oct 20 11:54:05 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.4.0
  * MailExtensions: browser.tabs.sendMessage API added
  * MailExtensions: messageDisplayScripts API added
  * Yahoo and AOL mail users using password authentication will be
    migrated to OAuth2
  * MailExtensions: messageDisplay APIs extended to support multiple
    selected messages
  * MailExtensions: compose.begin functions now support creating a
    message with attachments
  * multiple bugfixes
  MFSA 2020-47 (bsc#1177872)
  * CVE-2020-15969 (bmo#1666570)
    Use-after-free in usersctp
  * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760,
    bmo#1663439, bmo#1666140)
    Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4

-------------------------------------------------------------------
Thu Oct 15 14:31:39 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.3.3
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP message status icons were not visible in message header pane
  * OpenPGP Key Manager was missing from Tools menu on macOS
  * Creating a new calendar event did not require an event title
- remove python2 dependencies for TW
- support wayland mode/autodetection in startup wrapper
- replace some Requires to use requires_ge macro where appropriate
- improve langpack build (as already used for Firefox)
- add ccache statistics output to build

-------------------------------------------------------------------
Wed Oct 7 07:02:03 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.3.2
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP: Encrypted messages with international characters were
    sometimes displayed incorrectly
  * Single-click deletion of recipient pills with middle mouse
    button restored
  * Searching an address book list did not display results
  * Dark mode, high contrast, and Windows theming fixes

-------------------------------------------------------------------
Fri Sep 25 06:25:54 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.3.1
  * fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)

-------------------------------------------------------------------
Wed Sep 23 21:04:45 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.3.0
  MFSA 2020-44 (bsc#1176756)
  * CVE-2020-15677 (bmo#1641487)
    Download origin spoofing via redirect
  * CVE-2020-15676 (bmo#1646140)
    XSS when pasting attacker-controlled data into a
    contenteditable element
  * CVE-2020-15678 (bmo#1660211)
    When recursing through layers while scrolling, an iterator
    may have become invalid, resulting in a potential
    use-after-free scenario
  * CVE-2020-15673 (bmo#1648493, bmo#1660800)
    Memory safety bugs fixed in Thunderbird 78.3
- requires NSPR >= 4.25.1
- removed obsolete thunderbird-bmo1664607.patch

-------------------------------------------------------------------
Sun Sep 13 20:10:39 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.2.2
  https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes
- added thunderbird-bmo1664607.patch required for builds w/o updater
  (boo#1176384)

-------------------------------------------------------------------
Mon Aug 31 12:08:25 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 78.2.1
  * based on Mozilla's 78 ESR codebase
  * many new and changed features
    https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
  * built-in OpenPGP support (enigmail neither required nor supported)
- added platform patches:
  * mozilla-s390x-skia-gradient.patch
  * mozilla-pipewire-0-3.patch
  * mozilla-bmo1512162.patch
  * mozilla-bmo1626236.patch
  * mozilla-bmo998749.patch
  * mozilla-sandbox-fips.patch
- removed obsolete platform patches
  * mozilla-s390-bigendian.patch
  * mozilla-nestegg-big-endian.patch
  * mozilla-openaes-decl.patch
  * mozilla-cubeb-noreturn.patch

-------------------------------------------------------------------
Sun Aug 30 11:05:01 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.12.0
  MFSA 2020-40 (bsc#1175686)
  * CVE-2020-15663 (bmo#1643199)
    Downgrade attack on the Mozilla Maintenance Service could have
    resulted in escalation of privilege
  * CVE-2020-15664 (bmo#1658214)
    Attacker-induced prompt for extension installation
  * CVE-2020-15669 (bmo#1656957)
    Use-After-Free when aborting an operation

-------------------------------------------------------------------
Fri Aug 28 09:04:11 UTC 2020 - Michel Normand <normand@linux.vnet.ibm.com>

- Put back %limit_build macro usage to avoid build error PowerPC
  (remove memoryperjob constraint)

-------------------------------------------------------------------
Thu Aug 20 08:57:15 UTC 2020 - Martin Liška <mliska@suse.cz>

- Use memoryperjob constraint instead of %limit_build macro.

-------------------------------------------------------------------
Sat Aug 1 09:54:53 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 68.11.0
  * fixed: FileLink attachments included as a link and file when
    added from a network drive via drag & drop (bmo#793118)
  MFSA 2020-35 (bsc#1174538)
  * CVE-2020-15652 (bmo#1634872)
    Potential leak of redirect targets when loading scripts in a
    worker
  * CVE-2020-6514 (bmo#1642792)
    WebRTC data channel leaks internal address to peer
  * CVE-2020-6463 (bmo#1635293)
    Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
  * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1646787,
    bmo#1650811)
    Memory safety bugs fixed in Thunderbird 68.11

-------------------------------------------------------------------
Wed Jul 1 21:00:23 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 68.10.0
  * fixed: Chat: Topics displayed some characters improperly
    (bmo#1644024)
  * fixed: Calendar: Filtering tasks did not work when
    "Incomplete Tasks" was selected (bmo#1593711)
  MFSA 2020-26 (bsc#1173576)
  * CVE-2020-12417 (bmo#1640737)
    Memory corruption due to missing sign-extension for ValueTags
    on ARM64
  * CVE-2020-12418 (bmo#1641303)
    Information disclosure due to manipulated URL object
  * CVE-2020-12419 (bmo#1643874)
    Use-after-free in nsGlobalWindowInner
  * CVE-2020-12420 (bmo#1643437)
    Use-After-Free when trying to connect to a STUN server
  * MFSA-2020-0001 (bmo#1606610)
    Automatic account setup leaks Microsoft Exchange login
    credentials
  * CVE-2020-12421 (bmo#1308251)
    Add-On updates did not respect the same certificate trust
    rules as software updates

-------------------------------------------------------------------
Thu Jun 11 14:52:51 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- build with nodejs10 to be able to drop nodejs8 from TW
- updated create-tar.sh

-------------------------------------------------------------------
Sat Jun 6 21:05:07 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 68.9.0
  * fixed: Custom headers added for searching or filtering could
    not be removed (bmo#1631577)
  * fixed: Calendar: Today Pane updated prior to loading all data
    (bmo#1635613)
  * fixed: Stability improvements (bmo#1625677)
  MFSA 2020-22 (bsc#1172402)
  * CVE-2020-12405 (bmo#1631618)
    Use-after-free in SharedWorkerService
  * CVE-2020-12406 (bmo#1639590)
    JavaScript Type confusion with NativeTypes
  * CVE-2020-12410 (bmo#1619305, bmo#1632717)
    Memory safety bugs fixed in Thunderbird 68.9.0
  * CVE-2020-12398 (bmo#1613623)
    Security downgrade with IMAP STARTTLS leads to information
    leakage

-------------------------------------------------------------------
Sun May 24 20:46:21 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 68.8.1
  * fixed: IMAP stability improvements (bmo#1586494)
  * fixed: HTML tags in IRC topic changes were rendered
    incorrectly (bmo#1607097)
  * fixed: MailExtensions: Websockets could not be used
    (bmo#1627649)

-------------------------------------------------------------------
Tue May 5 07:49:33 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.8.0
  * Account Manager fixes and improvements
  * https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes
  MFSA 2020-18 (bsc#1171186)
  * CVE-2020-12397 (bmo#1617370)
    Sender Email Address Spoofing using encoded Unicode characters
  * CVE-2020-12387 (bmo#1545345)
    Use-after-free during worker shutdown
  * CVE-2020-6831 (bmo#1632241)
    Buffer overflow in SCTP chunk input validation
  * CVE-2020-12392 (bmo#1614468)
    Arbitrary local file access with 'Copy as cURL'
  * CVE-2020-12393 (bmo#1615471)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098,
    bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508)
    Memory safety bugs fixed in Thunderbird 68.8.0
- removed obsolete patch mozilla-bmo1580963.patch

-------------------------------------------------------------------
Tue May 5 07:00:36 UTC 2020 - Ismail Dönmez <idonmez@suse.com>

- Add mozilla-bmo1580963.patch to fix build with rust 1.43
  (bmo#1580963)

-------------------------------------------------------------------
Thu Apr 9 17:27:50 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 68.7.0
  * Updates to MailExtensions API
  * Various improvements to account setup when connecting to an
    Exchange server
  * Thread collapsed when opening news message in a new window
  * Fix Addons not automatically updated to compatible version after
    upgrade from Thunderbird 60
  * Updating addons did not prompt when requesting new permissions
  * Extra recipients panel not keyboard-accessible
  * Accessibility: Status bar was not detected by screenreaders
  * Calendar: Invitations with embedded null bytes did not always decode correctly
  * Calendar: Cancelled events didn't show with a line-through
  * Various security fixes
  MFSA 2020-14
  In general, these flaws cannot be exploited through email in
  Thunderbird because scripting is disabled when reading mail, but
  are potentially risks in browser or browser-like contexts.
  * CVE-2020-6819 (bmo#1620818, bsc#1168630)
    Use-after-free while running the nsDocShell destructor
  * CVE-2020-6820 (bmo#1626728, bsc#1168630)
    Use-after-free when handling a ReadableStream
  * CVE-2020-6821 (bmo#1625404, bsc#1168874)
    Uninitialized memory could be read when using the WebGL
    copyTexSubImage method
  * CVE-2020-6822 (bmo#1544181, bsc#1168874)
    Out of bounds write in GMPDecodeData when processing large images
  * CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203,bsc#1168874)
    Memory safety bugs fixed in Thunderbird 68.7.0

-------------------------------------------------------------------
Sat Mar 14 13:16:23 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.6.0
  MFSA 2020-10 (bsc#1166238)
  * CVE-2020-6805 (bmo#1610880)
    Use-after-free when removing data about origins
  * CVE-2020-6806 (bmo#1612308)
    BodyStream::OnInputStreamReady was missing protections against
    state confusion
  * CVE-2020-6807 (bmo#1614971)
    Use-after-free in cubeb during stream destruction
  * CVE-2020-6811 (bmo#1607742)
    Devtools' 'Copy as cURL' feature did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2019-20503 (bmo#1613765)
    Out of bounds reads in sctp_load_addresses_from_init
  * CVE-2020-6812 (bmo#1616661)
    The names of AirPods with personally identifiable information
    were exposed to websites with camera or microphone permission
  * CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636,
    bmo#1614339)
    Memory safety bugs fixed in Thunderbird 68.6
- requires NSS >= 3.44.3

-------------------------------------------------------------------
Mon Feb 10 21:55:19 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.5.0
  New
  * Support for Client Identity IMAP/SMTP Service Extension
  * Support for OAuth 2.0 authentication for POP3 accounts
  Fixes
  * Status area goes blank during account setup
  * Calendar: Could not remove color for default categories
  * Calendar: Prevent calendar component loading multiple times
  * Calendar: Today pane did not retain width between sessions
  MFSA 2020-07 (bsc#1163368)
  * CVE-2020-6793 (bmo#1608539)
    Out-of-bounds read when processing certain email messages
  * CVE-2020-6794 (bmo#1606619)
    Setting a master password post-Thunderbird 52 does not delete
    unencrypted previously stored passwords
  * CVE-2020-6795 (bmo#1611105)
    Crash processing S/MIME messages with multiple signatures
  * CVE-2020-6797 (bmo#1596668) (Mac OSX only)
    Extensions granted downloads.open permission could open arbitrary
    applications on Mac OSX
  * CVE-2020-6798 (bmo#1602944)
    Incorrect parsing of template tag could result in JavaScript injection
  * CVE-2020-6792 (bmo#1609607)
    Message ID calculation was based on uninitialized data
  * CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
    bmo#1608580,bmo#1608785,bmo#1605777)
    Memory safety bugs fixed in Thunderbird 68.5

-------------------------------------------------------------------
Tue Jan 28 08:26:02 UTC 2020 - Stasiek Michalski <stasiek@michalski.cc>

- Use a symbolic icon from branding internals

-------------------------------------------------------------------
Fri Jan 24 19:47:53 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.4.2
  * Calendar: Task and Event tree colours adjusted for the dark theme
  * Retrieval of S/MIME certificates from LDAP failed
  * Address-parsing crash on some IMAP servers when
    mail.imap.use_envelope_cmd is set
  * Incorrect forwarding of HTML messages caused SMTP servers to
    respond with a timeout
  * Calendar: Various parts of the calendar UI stopped working when
    a second Thunderbird window opened

-------------------------------------------------------------------
Fri Jan 10 13:08:55 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.4.1
  * Various improvements when setting up an account for a Microsoft
    Exchange server: Now offers IMAP/SMTP if available, better
    detection for Office 365 accounts; re-run configuration after
    password change
  Fixes:
  * After changing view layout, the message display pane showed
    garbled content under some circumstances
  * Various theme changes to achieve "pixel perfection": Unread icon,
    "no results" icon, paragraph format and font selector, background
    of folder summary tooltip
  * Tags were lost on messages in shared IMAP folders under some
    circumstances
  * Calendar: Event attendee dialog was not displayed correctly
  MFSA 2020-04 (bsc#1160498, bsc#1160305)
  * CVE-2019-17026 (bmo#1607443)
    IonMonkey type confusion with StoreElementHole and FallibleStoreElement
  * CVE-2019-17015 (bmo#1599005)
    Memory corruption in parent process during new content process
    initialization on Windows
  * CVE-2019-17016 (bmo#1599181)
    Bypass of @namespace CSS sanitization during pasting
  * CVE-2019-17017 (bmo#1603055)
    Type Confusion in XPCVariant.cpp
  * CVE-2019-17021 (bmo#1599008)
    Heap address disclosure in parent process during content process
    initialization on Windows
  * CVE-2019-17022 (bmo#1602843)
    CSS sanitization does not escape HTML tags
  * CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826)
    Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
- removed obsolete patch mozilla-bmo1511604.patch
- added mozilla-bmo1602730.patch to fix LE<->BE issues in the
  platform (bmo#1602730)

-------------------------------------------------------------------
Fri Dec 27 17:23:35 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- add mozilla-bmo1583471.patch to allow building with rust 1.39

-------------------------------------------------------------------
Fri Dec 20 16:02:55 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.3.1
  * In dark theme unread messages no longer shown in blue to
    distinguish from tagged messages
  * Account setup is now using client side DNS MX lookup instead of
    relying on a server
  Bugfixes
  * Searching LDAP address book crashed in some circumstances
  * Message navigation with backward and forward buttons did not work
    in some circumstances
  * WebExtension toolbar icons were displayed too small
  * Calendar: Tasks due today were not listed in bold
  * Calendar: Last day of long-running events was not shown

-------------------------------------------------------------------
Thu Dec 5 10:29:18 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.3.0:
  * Message display toolbar action WebExtension API
  * Navigation buttons are now available in content tabs, for example
    those opened via an add-on search
  * other bugfixes
  MFSA 2019-38
  * CVE-2019-17008 (bmo#1546331)
    Use-after-free in worker destruction
  * CVE-2019-13722 (bmo#1580156)
    Stack corruption due to incorrect number of arguments in WebRTC code
  * CVE-2019-17010 (bmo#1581084)
    Use-after-free when performing device orientation checks
  * CVE-2019-17005 (bmo#1584170)
    Buffer overflow in plain text serializer
  * CVE-2019-17011 (bmo#1591334)
    Use-after-free when retrieving a document in antitracking
  * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209,
    bmo#1580288, bmo#1585760, bmo#1592502)
    Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
  * Various updates to improve performance and stability
- updated create-tar.sh to cover buildid and origin repo information
- changed locale building procedure
  * removed obsolete compare-locales.tar.xz and
    thunderbird-broken-locales-build.patch
- add mozilla-bmo849632.patch to fix color issues on big endian

-------------------------------------------------------------------
Sat Nov 9 20:13:17 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>

- Mozilla Thunderbird 68.2.2:
  * fix age calculation in address book (bmo#1592536)
  * fix column menu behavior in address book (bmo#1592393)

-------------------------------------------------------------------
Fri Nov 1 11:16:39 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.2.1
  * A language for the user interface can now be chosen in the
    advanced settings (multilingual UI)
  * Fixed problem with Google authentication (OAuth2)
  * Selected or unread messages were not shown in the correct color
    in the thread pane (message list) under some circumstances
  * When using a language pack, names of standard folders weren't
    localized (boo#1149126)
  * Address book default startup directory in preferences panel was
    not persisted
  * Chat: Extended context menu on Instant messaging status dialog
    (Show Accounts)
- added mozilla-bmo1504834-part4.patch to fix some visual issues on
  big endian platforms

-------------------------------------------------------------------
Tue Oct 22 06:43:32 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.2.0
  * Message Display WebExtension API
  * Message Search WebExtension API
  * Better visual feedback for unread messages when using the dark theme
  * Fixed various issues when editing mailing list
  * Fixed application windows not maintaining their size after restart
  MFSA 2019-33 (bsc#1154738)
  * CVE-2019-15903 (bmo#1584907)
    Heap overflow in expat library in XML_GetCurrentLineNumber
  * CVE-2019-11757 (bmo#1577107)
    Use-after-free when creating index updates in IndexedDB
  * CVE-2019-11758 (bmo#1536227)
    Potentially exploitable crash due to 360 Total Security
  * CVE-2019-11759 (bmo#1577953)
    Stack buffer overflow in HKDF output
  * CVE-2019-11760 (bmo#1577719)
    Stack buffer overflow in WebRTC networking
  * CVE-2019-11761 (bmo#1561502)
    Unintended access to a privileged JSONView object
  * CVE-2019-11762 (bmo#1582857)
    document.domain-based origin isolation has same-origin-property violation
  * CVE-2019-11763 (bmo#1584216)
    Incorrect HTML parsing results in XSS bypass technique
  * CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223,
    bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845,
    bmo#1581950, bmo#1583463, bmo#1586599)
    Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
- removed obsolete patches
  mozilla-bmo1573381.patch
  mozilla-bmo1512162.patch
  mozilla-bmo1585099.patch

-------------------------------------------------------------------
Thu Oct 10 14:30:09 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.1.2
Bugfixes
* Some attachments couldn't be opened in messages originating from
MS Outlook 2016
* Address book import from CSV
* Performance problem in message body search
* Ctrl+Enter to send a message would open an attachment if the
attachment pane had focus
* Calendar: Issues with "Today Pane" start-up
* Calendar: Glitches with custom repeat and reminder number input
* Calendar: Problems with WCAP provider
- add mozilla-bmo1585099.patch to fix build with rust >= 1.38

-------------------------------------------------------------------
Wed Sep 25 11:46:51 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.1.1
Bugfixes
* Issues with attachments in IMAP messages
* Gmail accounts ignored a non-standard trash folder selection
* Entering/pasting lists of recipients into the addressing widget or
mailing list not working reliably, especially when lists contained
multiple commas or semicolons
* Edit mailing list not working
* Various theme fixes, especially dark theme improvements for Calendar
* Contrast between tag label and background not optimal
* Account Central pane always loaded at start-up
* "Config Editor" button not removed if blocked by policy
* Calendar: Free/busy information in attendees dialog not scrolled
correctly. Note: Scroll arrows still not behaving correctly
MFSA 2019-32
* CVE-2019-11755 (bmo#1240290, boo#1152375)
Spoofing a message author via a crafted S/MIME message
- require nodejs8 instead of generic nodejs for better cross-distribution
support
- call desktop database update on install
- updated translations-other locale list
- build correct ICU for Big Endian
- remove kde.js since disabling instantApply breaks extensions and
is obsolete with the move to HTML views for preferences (boo#1151186)
- update create-tar.sh to latest revision and adjust tar_stamps
- added platform patches from Firefox 68esr
mozilla-bmo1005535.patch
mozilla-bmo1463035.patch
mozilla-bmo1504834-part1.patch
mozilla-bmo1504834-part2.patch
mozilla-bmo1504834-part3.patch
mozilla-bmo1511604.patch
mozilla-bmo1554971.patch
mozilla-bmo1573381.patch
mozilla-cubeb-noreturn.patch
mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
mozilla-fix-aarch64-libopus.patch
mozilla-fix-top-level-asm.patch
mozilla-nestegg-big-endian.patch
mozilla-ntlm-full-path.patch
mozilla-openaes-decl.patch
mozilla-ppc-altivec_static_inline.patch
mozilla-reduce-rust-debuginfo.patch
mozilla-s390-bigendian.patch
mozilla-s390-context.patch
mozilla-bmo1512162.patch
thunderbird-broken-locales-build.patch
- removed renamed patches
fix-missing-return-warning.patch
fix-top-level-asm-issue.patch
thunderbird-locale-build.patch

-------------------------------------------------------------------
Fri Sep 20 15:59:25 UTC 2019 - munix9@googlemail.com

- repack the lightning xpi with all available locales (boo#939153) (lp#545778)

-------------------------------------------------------------------
Fri Sep 20 09:49:41 UTC 2019 - Martin Liška <mliska@suse.cz>

- Add fix-top-level-asm-issue.patch in order to fix LTO build.
- Enable LTO on TW on x86_64.
- Use GCC.

-------------------------------------------------------------------
Fri Sep 20 08:24:23 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com>

- added mozilla-bmo1568145.patch to make builds reproducible (boo#1047218)

-------------------------------------------------------------------
Tue Sep 10 07:33:52 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.1.0
* Offer to configure Exchange accounts for Office365. A third-party
add-on is required for this account type. IMAP still exists as
alternative.
* several bugfixes
MFSA 2019-30
* CVE-2019-11739 (bmo#1571481, boo#1150939)
Covert Content Attack on S/MIME encryption using a crafted
multipart/alternative message
* CVE-2019-11746 (bmo#1564449, boo#1149297)
Use-after-free while manipulating video
* CVE-2019-11744 (bmo#1562033, boo#1149304)
XSS by breaking out of title and textarea elements using innerHTML
* CVE-2019-11742 (bmo#1559715, boo#1149303)
Same-origin policy violation with SVG filters and canvas to steal
cross-origin images
* CVE-2019-11752 (bmo#1501152, boo#1149296)
Use-after-free while extracting a key value in IndexedDB
* CVE-2019-11743 (bmo#1560495, boo#1149298)
Cross-origin access to unload event attributes
* CVE-2019-11740 (bmo#1563133,bmo#1573160, boo#1149299)
Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox
ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
- removed upstreamed fix-build-after-y2038-changes-in-glibc.patch
- added thunderbird-locale-build.patch to fix locale build

-------------------------------------------------------------------
Fri Aug 30 07:25:15 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>

- Add -L flag to the stat call for checking file size of %{SOURCE4}.
- Add fix-missing-return-warning.patch to silence a compiler warning.

-------------------------------------------------------------------
Wed Aug 28 12:27:34 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 68.0
* based on Firefox ESR 68
* File link attachments can now be linked to again instead of
uploading them again
* Mark all folders of an account as read
* Run filters periodically. Improved filter logging
* OAuth2 authentication for Yandex
* Language packs can now be selected in the Advanced Options.
Preference intl.multilingual.enabled needs to be set (and possibly
also extensions.langpacks.signatures.required needs to be set to false)
* Added a policy engine that allows customized Thunderbird deployments
in enterprise environments, using Windows Group Policy or a
cross-platform JSON file
* TCP keepalive for IMAP protocol
* Full Unicode support for MAPI interfaces: New support for MAPISendMailW
* Calendar: Time zone data can now include past and future changes.
All known time zone changes from 2018 to 2022 are included.
* Chat: In each conversation an individual spellcheck language can
be selected now
- removed obsolete patches
* mozilla-bmo1463035.patch
* mozilla-i586-domPrefs.patch
* mozilla-bmo1464766.patch
* mozilla-bmo1519629.patch
* mozilla-i586-DecoderDoctorLogger.patch
* mozilla-bmo1375074.patch
- added fix-build-after-y2038-changes-in-glibc.patch to fix build
in Tumbleweed (patch already upstream for next release)

-------------------------------------------------------------------
Thu Aug 1 11:12:05 UTC 2019 - Tristan Miller <psychonaut@nothingisreal.com>

- Update package summary, description, and AppData using more informative
and up-to-date text from the official Thunderbird FAQ, replacing obsolete
references to the Mozilla Application Suite and Thunderbird's relation to
the Mozilla organization

-------------------------------------------------------------------
Wed Jul 10 13:47:41 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com>

- Generate langpacks sequentially to avoid file corruption
from racy file writes (boo#1137970)

-------------------------------------------------------------------
Mon Jul 8 10:25:24 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.8.0
* Calendar: Problems when editing event times, some related to
AM/PM setting in non-English locales
MFSA 2019-23 (boo#1140868)
* CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
Sandbox escape via installation of malicious languagepack
* CVE-2019-11711 (bmo#1552541)
Script injection within domain through inner window reuse
* CVE-2019-11712 (bmo#1543804)
Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
* CVE-2019-11713 (bmo#1528481)
Use-after-free with HTTP/2 cached stream
* CVE-2019-11729 (bmo#1515342)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault
* CVE-2019-11715 (bmo#1555523)
HTML parsing error can contribute to content XSS
* CVE-2019-11717 (bmo#1548306)
Caret character improperly escaped in origins
* CVE-2019-11719 (bmo#1540541)
Out-of-bounds read when importing curve25519 private key
* CVE-2019-11730 (bmo#1558299)
Same-origin policy treats all files in a directory as having the
same-origin
* CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498
bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 and
Thunderbird 60.8

-------------------------------------------------------------------
Thu Jun 20 22:15:46 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.7.2
MFSA 2019-20 (boo#1138872)
* CVE-2019-11707 (bmo#1544386)
Type confusion in Array.pop
* CVE-2019-11708 (bmo#1559858)
sandbox escape using Prompt:Open

-------------------------------------------------------------------
Wed Jun 12 06:23:28 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.7.1
* fixed: No prompt for smartcard PIN when S/MIME signing is used
MFSA 2019-17 (boo#1137595)
* CVE-2019-11703 (bmo#1553820)
Heap buffer overflow in icalparser.c
* CVE-2019-11704 (bmo#1553814)
Heap buffer overflow in icalvalue.c
* CVE-2019-11705 (bmo#1553808)
Stack buffer overflow in icalrecur.c
* CVE-2019-11706 (bmo#1555646)
Type confusion in icalproperty.c

-------------------------------------------------------------------
Sat Jun 8 16:35:04 UTC 2019 - Aaron Puchert <aaronpuchert@alice-dsl.net>

- Increase disk space requirements in _constraints.

-------------------------------------------------------------------
Fri May 24 08:53:57 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.7.0
* Attachment pane of Write window no longer focussed when attaching
files using a keyboard shortcut
MFSA 2019-15 (boo#1135824)
* CVE-2019-9815 (bmo#1546544)
Disable hyperthreading on content JavaScript threads on macOS
* CVE-2019-9816 (bmo#1536768)
Type confusion with object groups and UnboxedObjects
* CVE-2019-9817 (bmo#1540221)
Stealing of cross-domain images using canvas
* CVE-2019-9818 (bmo#1542581) (Windows only)
Use-after-free in crash generation server
* CVE-2019-9819 (bmo#1532553)
Compartment mismatch with fetch API
* CVE-2019-9820 (bmo#1536405)
Use-after-free of ChromeEventHandler by DocShell
* CVE-2019-11691 (bmo#1542465)
Use-after-free in XMLHttpRequest
* CVE-2019-11692 (bmo#1544670)
Use-after-free removing listeners in the event listener manager
* CVE-2019-11693 (bmo#1532525)
Buffer overflow in WebGL bufferdata on Linux
* CVE-2019-7317 (bmo#1542829)
Use-after-free in png_image_free of libpng library
* CVE-2019-9797 (bmo#1528909)
Cross-origin theft of images with createImageBitmap
* CVE-2018-18511 (bmo#1526218)
Cross-origin theft of images with ImageBitmapRenderingContext
* CVE-2019-11694 (bmo#1534196) (Windows only)
Uninitialized memory leakage in Windows sandbox
* CVE-2019-11698 (bmo#1543191)
Theft of user history data through drag and drop of hyperlinks
to and from bookmarks
* CVE-2019-5798 (bmo#1535518)
Out-of-bounds read in Skia
* CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136,
bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108,
bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097,
bmo#1532465, bmo#1533554, bmo#1541580)
Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

-------------------------------------------------------------------
Wed Apr 24 17:26:44 UTC 2019 - Martin Liška <mliska@suse.cz>

- Disable LTO (boo#1133267).

-------------------------------------------------------------------
Sat Mar 30 11:36:41 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>

- Add patch to fix build using rust-1.33: (boo#1130694)
* mozilla-bmo1519629.patch (bmo#1519629)

-------------------------------------------------------------------
Mon Mar 25 12:08:23 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.6.1
MFSA 2019-12 (bsc#1130262)
* CVE-2019-9810 (bmo#1537924)
IonMonkey MArraySlice has incorrect alias information
* CVE-2019-9813 (bmo#1538006)
Ionmonkey type confusion with __proto__ mutations

-------------------------------------------------------------------
Wed Mar 20 15:33:14 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.6.0
* Calendar: Can't create repeating event with end date when using
certain time zones, for example Europe/Minsk
* some minor bugfixes
* using 60.6.0esr Mozilla platform (bsc#1129821)

-------------------------------------------------------------------
Thu Mar 7 08:28:56 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.5.3
* fixed a regression on the Windows platform:
Problem when using "Send to > Mail recipient" on Windows

-------------------------------------------------------------------
Sun Feb 24 19:15:06 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.5.2
* UTF-8 support for MAPISendMail
* Problem with S/MIME certificate verification when receiving email
from Outlook (issue introduced in version 60.5.1)

-------------------------------------------------------------------
Thu Feb 14 21:46:45 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.5.1
* CalDav access to some servers not working
MFSA 2019-06 (bsc#1125330)
* CVE-2018-18356 bmo#1525817
Use-after-free in Skia
* CVE-2019-5785 bmo#1525433
Integer overflow in Skia
* CVE-2018-18335 bmo#1525815
Buffer overflow in Skia with accelerated Canvas 2D
* CVE-2018-18509 bmo#1507218
S/MIME signature spoofing

-------------------------------------------------------------------
Fri Jan 25 14:40:21 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.5.0:
* FileLink provider WeTransfer to upload large attachments
* Thunderbird now allows the addition of OpenSearch search engines
from a local XML file using a minimal user interface: [+] button
to select a file and add, [-] to remove.
* More search engines: Google and DuckDuckGo available by default
in some locales
* During account creation, Thunderbird will now detect servers
using the Microsoft Exchange protocol. It will offer the
installation of a 3rd party add-on (Owl) which supports that
protocol.
* Thunderbird now compatible with other WebExtension-based
FileLink add-ons like the Dropbox add-on
MFSA 2019-03 (bsc#1122983)
* CVE-2018-18500 bmo#1510114
Use-after-free parsing HTML5 stream
* CVE-2018-18505 bmo#1497749
Privilege escalation through IPC channel messages
* CVE-2016-5824 bmo#1275400
DoS (use-after-free) via a crafted ics file
* CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
bmo#1502871 bmo#1516738 bmo#1516514
Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
- requires NSS 3.36.7
- removed obsolete patch
mozilla-no-stdcxx-check.patch
- rebased patches

-------------------------------------------------------------------
Fri Dec 21 19:50:56 UTC 2018 - astieger@suse.com

- Mozilla Thunderbird 60.4.0:
* New WebExtensions FileLink API to facilitate add-ons
* Fix decoding problems for messages with less common charsets
(cp932, cp936)
* New messages in the drafts folder (and other special or virtual
folders) will no longer be included in the new messages
notification
MFSA 2018-31
* CVE-2018-17466 bmo#1488295
Buffer overflow and out-of-bounds read in ANGLE library with
TextureStorage11
* CVE-2018-18492 bmo#1499861
Use-after-free with select element
* CVE-2018-18493 bmo#1504452
Buffer overflow in accelerated 2D canvas with Skia
* CVE-2018-18494 bmo#1487964
Same-origin policy violation using location attribute and
performance.getEntries to steal cross-origin URLs
* CVE-2018-18498 bmo#1500011
Integer overflow when calculating buffer sizes for images
* CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
Memory safety bugs fixed in Firefox 64, 60.4, and Thunderbird 60.4
- requires NSS 3.36.6

-------------------------------------------------------------------
Tue Dec 4 21:04:50 UTC 2018 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.3.3
* Thunderbird 60 will migrate security databases (key3.db, cert8.db
to key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a
fault that potentially deleted saved passwords and private certificate
keys for users using a master password. Version 60.3.3 will prevent
the loss of data; affected users who have already upgraded to version
60.3.2 or earlier can restore the deleted key3.db file from backup
to complete the migration.
* Address book search and auto-complete slowness introduced in
Thunderbird 60.3.2
* Plain text markup with * for bold, / for italics, _ for underline
and | for code did not work when the enclosed text contained
non-ASCII characters
* While composing a message, a link not removed when link location
was removed in the link properties panel

-------------------------------------------------------------------
Mon Dec 3 12:57:01 UTC 2018 - astieger@suse.com

- Fix build on openSUSE Leap 15.x w.r.t. rust-std requirement

-------------------------------------------------------------------
Thu Nov 29 08:47:10 UTC 2018 - Wolfgang Rosenauer <wr@rosenauer.org>

- Mozilla Thunderbird 60.3.2
* Encoding problems when exporting address books or messages using
the system charset. Messages are now always exported using the
UTF-8 encoding
* If the "Date" header of a message was invalid, Jan 1970 or Dec 1969
was displayed. Now using date from "Received" header instead.
* Body search/filtering didn't reliably ignore content of tags
* Inappropriate warning "Thunderbird prevented the site
(addons.thunderbird.net) from asking you to install software on
your computer" when installing add-ons
* Incorrect display of correspondents column since own email
address was not always detected
* Spurious &#10; (encoded newline) inserted into drafts and sent email

-------------------------------------------------------------------
Thu Nov 15 16:33:49 UTC 2018 - astieger@suse.com

- Mozilla Thunderbird 60.3.1:
* Double-clicking on a word in the Write window sometimes
launched the Advanced Property Editor or Link Properties dialog
* Fix Cookie removal
* "Download rest of message" was not working if global inbox was
used
* Fix Encoding problems for users (especially in Poland) when a
file was sent via a folder using "Send to > Mail recipient"
due to a problem in the Thunderbird MAPI interface
* According to RFC 4616 and RFC 5721, passwords containing
non-ASCII characters are encoded using UTF-8 which can lead to
problems with non-compliant providers, for example
office365.com. The SMTP LOGIN and POP3 USER/PASS
authentication methods are now using a Latin-1 encoding again
to work around this issue
* Fix shutdown crash/hang after entering an empty IMAP password

-------------------------------------------------------------------
Tue Oct 30 08:18:23 UTC 2018 - wr@rosenauer.org

- update to Thunderbird 60.3.0
* various theme fixes
* Shift+PageUp/PageDown in Write window
* Gloda attachment filtering
* Mailing list address auto-complete enter/return handling
* Thunderbird hung if HTML signature references non-existent image
* Filters not working for headers that appear more than once
- Security fixes for the Mozilla platform picked up from 60.3
(Firefox ESR release). In general, these flaws cannot be exploited
through email in Thunderbird because scripting is disabled when
reading mail, but are potentially risks in browser or browser-like
contexts (MFSA 2018-28) (bsc#1112852)
* CVE-2018-12391 (bmo#1478843) (Android only)
HTTP Live Stream audio data is accessible cross-origin
* CVE-2018-12392 (bmo#1492823)
Crash with nested event loops
* CVE-2018-12393 (bmo#1495011)
Integer overflow during Unicode conversion while loading JavaScript
* CVE-2018-12389 (bmo#1498460, bmo#1499198)
Memory safety bugs fixed in Firefox ESR 60.3
* CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

-------------------------------------------------------------------
Thu Oct 25 14:40:14 UTC 2018 - guillaume.gardet@opensuse.org

- Update _constraints for armv6/7

-------------------------------------------------------------------
Thu Oct 25 08:26:12 UTC 2018 - guillaume.gardet@opensuse.org

- Add patch to fix build on armv7:
* mozilla-bmo1463035.patch

-------------------------------------------------------------------
Thu Oct 25 08:25:52 UTC 2018 - guillaume.gardet@opensuse.org

- Add memory-constraints to avoid OOM errors

-------------------------------------------------------------------
Fri Oct 12 14:26:17 UTC 2018 - meissner@suse.com

- provide / obsolete MozillaThunderbird-devel as this is no longer
shipped to allow migration scenarios

-------------------------------------------------------------------
Tue Oct 2 10:08:00 UTC 2018 - wr@rosenauer.org

- update to Thunderbird 60.2.1:
* Calendar: Default values for the first day of the week and
working days are now derived from the selected datetime
formatting locale
* Calendar: Switch to a Photon-style icon set for all platforms
* Fix multiple requests for master password when Google Mail or
Calendar OAuth2 is enabled
* Fix scrollbar of the address entry auto-complete popup
* Fix security info dialog in compose window not showing
certificate status
* Fix links in the Add-on Manager's search results and theme
browsing tabs that opened in external browser
* Fix localization not showing the localized name for the
"Drafts" and "Sent" folders for certain IMAP providers
* Fix replying to a message with an empty subject which
inserted Re: twice
* Fix spellcheck marks disappearing erroneously for words with
an apostrophe
* Calendar: First day of the week can now be set
* Calendar: Several fixes related to cutting/deleting of events
and email scheduling
* Fix date display issues (bsc#1109379)
* Fix start-up crash due to folder name with special characters
(bsc#1107772)
- Security fixes for the Mozilla platform picked up from 60.1 and
60.2 (Firefox ESR releases). In general, these flaws
cannot be exploited through email in Thunderbird because
scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts (MFSA 2018-25):
* CVE-2018-12377 (bsc#1107343, bmo#1470260)
Use-after-free in refresh driver timers
* CVE-2018-12378 (bsc#1107343, bmo#1459383)
Use-after-free in IndexedDB
* CVE-2017-16541 (bsc#1066489, bmo#1412081)
Proxy bypass using automount and autofs
* CVE-2018-12376 (bmo#69309,bmo#69914,bmo#50989,bmo#80092,
bmo#80517,bmo#81093,bmo#78575,bmo#71953,bmo#73161,bmo#66991,
bmo#68738,bmo#83120,bmo#67363,bmo#72925,bmo#66577,bmo#67889,
bmo#80521,bsc#1107343)
Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
* CVE-2018-12385 (bsc#1109363, bmo#1490585)
Crash in TransportSecurityInfo due to cached data
* CVE-2018-12383 (bsc#1107343, bmo#1475775)
Setting a master password did not delete unencrypted
previously stored passwords

-------------------------------------------------------------------
Tue Sep 11 09:59:08 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Update file list since minidump-analyzer is only available when
crashreporter is enabled

-------------------------------------------------------------------
Sat Aug 25 18:59:41 UTC 2018 - astieger@suse.com

- remove non-free untar licenced code from distributed tarball

-------------------------------------------------------------------
Wed Aug 15 09:09:03 UTC 2018 - bjorn.lie@gmail.com

- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
conditional --disable-gconf to configure: no longer pull in
obsolete gconf2 for Tumbleweed.

-------------------------------------------------------------------
Fri Aug 3 06:02:53 UTC 2018 - wr@rosenauer.org

- update to Thunderbird 60.0:
https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/
* Improved message handling and composing
* Improved handling of message templates
* Support for OAuth2 and FIDO U2F
* Various Calendar improvements
* Various fixes and changes to e-mail workflow
* Various IMAP fixes
* Native desktop notifications
- Security fixes which can not, in general, be exploited through
email, but are potential risks in browser or browser-like contexts:
MFSA 2018-19 (bsc#1098998)
* CVE-2018-12359 (bmo#1459162)
Buffer overflow using computed size of canvas element
* CVE-2018-12360 (bmo#1459693)
Use-after-free when using focus()
* CVE-2018-12361 (bmo#1463244)
Integer overflow in SwizzleData
* CVE-2018-12362 (bmo#1452375)
Integer overflow in SSSE3 scaler
* CVE-2018-5156 (bmo#1453127)
Media recorder segmentation fault when track type is changed
during capture
* CVE-2018-12363 (bmo#1464784)
Use-after-free when appending DOM nodes
* CVE-2018-12364 (bmo#1436241)
CSRF attacks through 307 redirects and NPAPI plugins
* CVE-2018-12365 (bmo#1459206)
Compromised IPC child process can list local filenames
* CVE-2018-12371 (bmo#1465686)
Integer overflow in Skia library during edge builder allocation
* CVE-2018-12366 (bmo#1464039)
Invalid data handling during QCMS transformations
* CVE-2018-12367 (bmo#1462891)
Timing attack mitigation of PerformanceNavigationTiming
* CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938,
bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568,
bmo#1463884)
Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
Thunderbird 60
* CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
bmo#1464079,bmo#1463494,bmo#1458048)
Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox
ESR 52.9, and Thunderbird 60
- requires NSPR 4.19 and NSS 3.36.4
- source archives are now signed directly
(removed checksum signature check)
- imported patches from Firefox 60
* mozilla-bmo1375074.patch
* mozilla-bmo1464766.patch
* mozilla-i586-DecoderDoctorLogger.patch
* mozilla-i586-domPrefs.patch
- removed obsolete patches
* mozilla-language.patch
* tb-ssldap.patch
* mozilla-develdirs.patch
- removed -devel subpackage as old-style extensions are mainly gone
- storing of remote content settings fixed (boo#1084603)

-------------------------------------------------------------------
Tue Jul 10 06:29:59 UTC 2018 - wr@rosenauer.org

- update to Thunderbird 52.9.1
* Deleting or detaching attachments corrupted messages under certain
circumstances (bmo#1473893, bsc#1100780)

-------------------------------------------------------------------
Mon Jul 2 12:36:32 UTC 2018 - wr@rosenauer.org

- update to Thunderbird 52.9.0:
MFSA 2018-16 (bsc#1098998)
* CVE-2018-12359 (bmo#1459162)
Buffer overflow using computed size of canvas element
* CVE-2018-12360 (bmo#1459693)
Use-after-free when using focus()
* CVE-2018-12372 (bmo#1419417, bsc#1100082)
S/MIME and PGP decryption oracles can be built with HTML emails
* CVE-2018-12373 (bmo#1464667, bmo#1464056, bsc#1100079)
S/MIME plaintext can be leaked through HTML reply/forward
* CVE-2018-12362 (bmo#1452375)
Integer overflow in SSSE3 scaler
* CVE-2018-12363 (bmo#1464784)
Use-after-free when appending DOM nodes
* CVE-2018-12364 (bmo#1436241)
CSRF attacks through 307 redirects and NPAPI plugins
* CVE-2018-12365 (bmo#1459206)
Compromised IPC child process can list local filenames
* CVE-2018-12366 (bmo#1464039)
Invalid data handling during QCMS transformations
* CVE-2018-12374 (bmo#1462910, bsc#1100081)
Using form to exfiltrate encrypted mail part by pressing enter in form field
* CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
bmo#1464079,bmo#1463494,bmo#1458048)
Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
* Thunderbird will now prompt to compact IMAP folders even if the
account is online
* Option for not decrypting subordinate message parts that
otherwise might reveal decrypted content to the attacker.
Preference mailnews.p7m_subparts_external needs to be set to
true for added security.
* Fix various problems when forwarding messages inline when using
"simple" HTML view
- correct requires and provides handling (boo#1076907)
- reduce memory footprint with %ix86 at linking time via additional
compiler flags (boo#1091376)

-------------------------------------------------------------------
Sun Jul 1 12:23:45 UTC 2018 - astieger@suse.com

- Build from upstream source archive and verify source signature
  (boo#1085780)

-------------------------------------------------------------------
Sat May 19 06:16:58 UTC 2018 - wr@rosenauer.org

- update to Thunderbird 52.8 (bsc#1092548)
  MFSA 2018-13
  * CVE-2018-5183 (bmo#1454692)
    Backport critical security fixes in Skia
  * CVE-2018-5184 (bmo#1411592, bsc#1093152)
    Full plaintext recovery in S/MIME via chosen-ciphertext attack
  * CVE-2018-5154 (bmo#1443092)
    Use-after-free with SVG animations and clip paths
  * CVE-2018-5155 (bmo#1448774)
    Use-after-free with SVG animations and text paths
  * CVE-2018-5159 (bmo#1441941)
    Integer overflow and out-of-bounds write in Skia
  * CVE-2018-5161 (bmo#1411720)
    Hang via malformed headers
  * CVE-2018-5162 (bmo#1457721, bsc#1093152)
    Encrypted mail leaks plaintext through src attribute
  * CVE-2018-5170 (bmo#1411732)
    Filename spoofing for external attachments
  * CVE-2018-5168 (bmo#1449548)
    Lightweight themes can be installed without user interaction
  * CVE-2018-5174 (bmo#1447080) (Windows only)
    Windows Defender SmartScreen UI runs with less secure behavior
    for downloaded files in Windows 10 April 2018 Update
  * CVE-2018-5178 (bmo#1443891)
    Buffer overflow during UTF-8 to Unicode string conversion
    through legacy extension
  * CVE-2018-5185 (bmo#1450345)
    Leaking plaintext through HTML forms
  * CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705,
    bmo#1451376,bmo#1452202,bmo#1444668,bmo#1393367,bmo#1411415,
    bmo#1426129)
    Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8 and
    Thunderbird 52.8

-------------------------------------------------------------------
Wed Mar 28 01:31:17 CEST 2018 - ro@suse.de

- Exclude bigendian archs for now, have not built
  since version 45.8.0
  ExcludeArch: ppc ppc64 s390 s390x

-------------------------------------------------------------------
Fri Mar 23 09:39:40 UTC 2018 - wr@rosenauer.org

- update to Thunderbird 52.7
  * Searching message bodies of messages in local folders, including
    filter and quick filter operations, did not find content in
    message attachments
  * Better error handling for Yahoo accounts
- The following security fixes are included as part of the mozilla
  platform. In general, these flaws cannot be exploited through
  email in the Thunderbird product because scripting is disabled
  when reading mail, but are potentially risks in browser or
  browser-like contexts (MFSA 2018-09, bsc#1085130, bsc#1085671):
  * CVE-2018-5127 (bmo#1430557)
    Buffer overflow manipulating SVG animatedPathSegList
  * CVE-2018-5129 (bmo#1428947)
    Out-of-bounds write with malformed IPC messages
  * CVE-2018-5144 (bmo#1440926)
    Integer overflow during Unicode conversion
  * CVE-2018-5146 (bmo#1446062)
    Out of bounds memory write in libvorbis
  * CVE-2018-5125 (bmo#1416529,bmo#1434580,bmo#1434384,bmo#1437450,
    bmo#1437507,bmo#1426988,bmo#1438425,bmo#1324042,bmo#1437087,
    bmo#1443865,bmo#1425520)
    Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7, and
    Thunderbird 52.7
  * CVE-2018-5145 (bmo#1261175,bmo#1348955)
    Memory safety bugs fixed in Firefox ESR 52.7 and Thunderbird
    52.7

-------------------------------------------------------------------
Wed Jan 24 11:40:38 UTC 2018 - wr@rosenauer.org

- update to Thunderbird 52.6 (bsc#1077291)
  * Searching message bodies of messages in local folders, including
    filter and quick filter operations, not working reliably: Content
    not found in base64-encode message parts, non-ASCII text not found
    and false positives found.
  * Defective messages (without at least one expected header) not shown
    in IMAP folders but shown on mobile devices
  * Calendar: Unintended task deletion if numlock is enabled
  * Mozilla platform security fixes
  MFSA 2018-04
  * CVE-2018-5095 (bmo#1418447)
    Integer overflow in Skia library during edge builder allocation
  * CVE-2018-5096 (bmo#1418922)
    Use-after-free while editing form elements
  * CVE-2018-5097 (bmo#1387427)
    Use-after-free when source document is manipulated during XSLT
  * CVE-2018-5098 (bmo#1399400)
    Use-after-free while manipulating form input elements
  * CVE-2018-5099 (bmo#1416878)
    Use-after-free with widget listener
  * CVE-2018-5102 (bmo#1419363)
    Use-after-free in HTML media elements
  * CVE-2018-5103 (bmo#1423159)
    Use-after-free during mouse event handling
  * CVE-2018-5104 (bmo#1425000)
    Use-after-free during font face manipulation
  * CVE-2018-5117 (bmo#1395508)
    URL spoofing with right-to-left text aligned left-to-right
  * CVE-2018-5089
    Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
- dropped obsolete mozilla-ucontext.patch

-------------------------------------------------------------------
Sat Dec 23 18:36:42 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 52.5.2
  * This release fixes the "Mailsploit" vulnerability and other
    vulnerabilities detected by the "Cure53" audit
  MFSA 2017-30
  * CVE-2017-7845 (bmo#1402372)
    Buffer overflow when drawing and validating elements with ANGLE
    library using Direct 3D 9
  * CVE-2017-7846 (bmo#1411716, bsc#1074043)
    JavaScript Execution via RSS in mailbox:// origin
  * CVE-2017-7847 (bmo#1411708, bsc#1074044)
    Local path string can be leaked from RSS feed
  * CVE-2017-7848 (bmo#1411699, bsc#1074045)
    RSS Feed vulnerable to new line Injection
  * CVE-2017-7829 (bmo#1423432, bsc#1074046)
    Mailsploit part 1: From address with encoded null character is
    cut off in message header display

-------------------------------------------------------------------
Fri Dec 8 15:53:30 UTC 2017 - dimstar@opensuse.org

- Explicitly buildrequires python2-xml: The build system relies on
  it. We wrongly relied on other packages pulling it in for us.

-------------------------------------------------------------------
Thu Dec 7 11:13:41 UTC 2017 - dimstar@opensuse.org

- Escape the usage of %{VERSION} when calling out to rpm.
  RPM 4.14 has %{VERSION} defined as 'the main packages version'.

-------------------------------------------------------------------
Wed Nov 22 10:02:35 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 52.5.0 (bsc#1068101)
  * Better support for Charter/Spectrum IMAP: Thunderbird will now
    detect Charter's IMAP service and send an additional IMAP select
    command to the server. Check the various preferences ending in
    "force_select" to see whether auto-detection has discovered this case.
  * In search folders spanning multiple base folders clicking on a
    message sometimes marked another message as read
  * IMAP alerts have been corrected and now show the correct server
    name in case of connection problems
  * POP alerts have been corrected and now indicate connection problems
    in case the configured POP server cannot be found
  MFSA 2017-26
  * CVE-2017-7828 (bmo#1406750, bmo#1412252)
    Use-after-free of PresShell while restyling layout
  * CVE-2017-7830 (bmo#1408990)
    Cross-origin URL information leak through Resource Timing API
  * CVE-2017-7826
    Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5

-------------------------------------------------------------------
Fri Nov 10 22:12:18 UTC 2017 - zaitor@opensuse.org

- Drop obsolete libgnomeui-devel BuildRequires: No longer needed.
- Add explicit pkgconfig(gconf-2.0), pkgconfig(gobject-2.0),
  pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
  pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
  pkgconfig(gdk-x11-2.0) BuildRequires: Previously pulled in by
  libgnomeui-devel, and is what configure really checks for.

-------------------------------------------------------------------
Wed Oct 4 09:18:39 UTC 2017 - astieger@suse.com

- Mozilla Thunderbird 52.4.0 (bsc#1060445)
  * new behavior was introduced for replies to mailing list posts:
    "When replying to a mailing list, reply will be sent to address
    in From header ignoring Reply-to header". A new preference
    mail.override_list_reply_to allows to restore the previous behavior.
  * Under certain circumstances (image attachment and non-image
    attachment), attached images were shown truncated in messages
    stored in IMAP folders not synchronised for offline use.
  * IMAP UIDs > 0x7FFFFFFF now handled properly
  Security fixes from Gecko 52.4esr
  * CVE-2017-7793 (bmo#1371889)
    Use-after-free with Fetch API
  * CVE-2017-7818 (bmo#1363723)
    Use-after-free during ARIA array manipulation
  * CVE-2017-7819 (bmo#1380292)
    Use-after-free while resizing images in design mode
  * CVE-2017-7824 (bmo#1398381)
    Buffer overflow when drawing and validating elements with ANGLE
  * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
    Use-after-free in TLS 1.2 generating handshake hashes
  * CVE-2017-7814 (bmo#1376036)
    Blob and data URLs bypass phishing and malware protection warnings
  * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
    OS X fonts render some Tibetan and Arabic unicode characters as spaces
  * CVE-2017-7823 (bmo#1396320)
    CSP sandbox directive did not create a unique origin
  * CVE-2017-7810
    Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4

-------------------------------------------------------------------
Thu Sep 28 07:56:22 UTC 2017 - dimstar@opensuse.org

- Add alsa-devel BuildRequires: we care for ALSA support to be
  built and thus need to ensure we get the dependencies in place.
  In the past, alsa-devel was pulled in by accident: we
  buildrequire libgnome-devel. This required esound-devel and that
  in turn pulled in alsa-devel for us. libgnome is being fixed to
  no longer require esound-devel.

-------------------------------------------------------------------
Tue Aug 15 12:48:43 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 52.3 (boo#1052829)
  Fixed issues:
  * Unwanted inline images shown in rogue SPAM messages
  * Deleting message from the POP3 server not working when maildir
    storage was used
  * Message disposition flag (replied / forwarded) lost when reply or
    forwarded message was stored as draft and draft was sent later
  * Inline images not scaled to fit when printing
  * Selected text from another message sometimes included in a reply
  * No authorisation prompt displayed when inserting image into email
    body although image URL requires authentication
  * Large attachments taking a long time to open under some circumstances
  security
  Security fixes from Gecko 52.3esr
  * CVE-2017-7798 (bmo#1371586, bmo#1372112)
    XUL injection in the style editor in devtools
  * CVE-2017-7800 (bmo#1374047)
    Use-after-free in WebSockets during disconnection
  * CVE-2017-7801 (bmo#1371259)
    Use-after-free with marquee during window resizing
  * CVE-2017-7784 (bmo#1376087)
    Use-after-free with image observers
  * CVE-2017-7802 (bmo#1378147)
    Use-after-free resizing image elements
  * CVE-2017-7785 (bmo#1356985)
    Buffer overflow manipulating ARIA attributes in DOM
  * CVE-2017-7786 (bmo#1365189)
    Buffer overflow while painting non-displayable SVG
  * CVE-2017-7753 (bmo#1353312)
    Out-of-bounds read with cached style data and pseudo-elements
  * CVE-2017-7787 (bmo#1322896)
    Same-origin policy bypass with iframes through page reloads
  * CVE-2017-7807 (bmo#1376459)
    Domain hijacking through AppCache fallback
  * CVE-2017-7792 (bmo#1368652)
    Buffer overflow viewing certificates with an extremely long OID
  * CVE-2017-7804 (bmo#1372849)
    Memory protection bypass through WindowsDllDetourPatcher
  * CVE-2017-7791 (bmo#1365875)
    Spoofing following page navigation with data: protocol and modal alerts
  * CVE-2017-7782 (bmo#1344034)
    WindowsDllDetourPatcher allocates memory without DEP protections
  * CVE-2017-7803 (bmo#1377426)
    CSP containing 'sandbox' improperly applied
  * CVE-2017-7779
    Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

-------------------------------------------------------------------
Wed Aug 9 09:47:39 UTC 2017 - schwab@suse.de

- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext

-------------------------------------------------------------------
Wed Jun 28 13:57:13 UTC 2017 - guillaume@opensuse.org

- mozilla-disable-neon-option.patch has been dropped silently, so
  remove the --disable-neon option as it is not available anymore.

-------------------------------------------------------------------
Sun Jun 25 06:55:13 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 52.2.1
  * Problems with Gmail fixed (folders not showing, repeated email
    download, etc.) introduced in version 52.2.0. (boo#1045895)

-------------------------------------------------------------------
Wed Jun 14 11:34:58 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 52.2 (boo#1043960)
  * Embedded images not shown in email received from Hotmail/Outlook
    webmailer
  * Detection of non-ASCII font names in font selector
  * Attachment not forwarded correctly under certain circumstances
  * Multiple requests for master password when GMail OAuth2 is enabled
  * Large number of blank pages being printed under certain
    circumstances when invalid preferences were present
  * Messages sent via the Simple MAPI interface are forced to HTML
  * Calendar: Invitations can't be printed
  * Mailing list (group) not accessible from macOS or Outlook address book
  * Clicking on links with references/anchors where target doesn't
    exist in the message not opening in external browser
  MFSA 2017-17
  * CVE-2017-5472 (bmo#1365602)
    Use-after-free using destroyed node when regenerating trees
  * CVE-2017-7749 (bmo#1355039)
    Use-after-free during docshell reloading
  * CVE-2017-7750 (bmo#1356558)
    Use-after-free with track elements
  * CVE-2017-7751 (bmo#1363396)
    Use-after-free with content viewer listeners
  * CVE-2017-7752 (bmo#1359547)
    Use-after-free with IME input
  * CVE-2017-7754 (bmo#1357090)
    Out-of-bounds read in WebGL with ImageInfo object
  * CVE-2017-7756 (bmo#1366595)
    Use-after-free and use-after-scope logging XHR header errors
  * CVE-2017-7757 (bmo#1356824)
    Use-after-free in IndexedDB
  * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
    CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
    CVE-2017-7777
    Vulnerabilities in the Graphite 2 library
  * CVE-2017-7758 (bmo#1368490)
    Out-of-bounds read in Opus encoder
  * CVE-2017-7763 (bmo#1360309)
    Mac fonts render some unicode characters as spaces (MacOS only)
  * CVE-2017-7764 (bmo#1364283)
    Domain spoofing with combination of Canadian Syllabics and other
    unicode blocks
  * CVE-2017-7765 (bmo#1273265)
    Mark of the Web bypass when saving executable files (Windows only)
  * CVE-2017-5470
    Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
- requires NSS 3.28.5

-------------------------------------------------------------------
Sun Jun 4 07:31:01 UTC 2017 - wr@rosenauer.org

- remove legacy -Os optimization breaking gcc7/i586 (boo#1042090)

-------------------------------------------------------------------
Thu Jun 1 06:09:23 UTC 2017 - wr@rosenauer.org

- explicitly optimize with -O2 for openSUSE > 13.2/Leap 42 to work
  with gcc7 (boo#1040105, boo#1042090)

-------------------------------------------------------------------
Thu May 11 21:16:41 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 52.1.1
  * fixed crash when compacting IMAP folder (boo#1038753)
  * Some attachments could not be opened or saved if the message
    body is empty
  * Unable to load full message via POP if message was downloaded
    partially (or only headers) before
  * Large attachments may not be shown or saved correctly if the
    message is stored in an IMAP folder which is not synchronized
    for offline use

-------------------------------------------------------------------
Mon May 1 08:52:52 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 52.1.0
  * Background images not working and other issues related to
    embedded images when composing email have been fixed
  * Google Oauth setup can sometimes not progress to the next step
  * requires NSS >= 3.28.4
- security fixes (boo#1035082), MFSA 2017-13
  * CVE-2017-5443 (bmo#1342661)
    Out-of-bounds write during BinHex decoding
  * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
    bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
    Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
    Firefox ESR 52.1
  * CVE-2017-5464 (bmo#1347075)
    Memory corruption with accessibility and DOM manipulation
  * CVE-2017-5465 (bmo#1347617)
    Out-of-bounds read in ConvolvePixel
  * CVE-2017-5466 (bmo#1353975)
    Origin confusion when reloading isolated data:text/html URL
  * CVE-2017-5467 (bmo#1347262)
    Memory corruption when drawing Skia content
  * CVE-2017-5460 (bmo#1343642)
    Use-after-free in frame selection
  * CVE-2017-5461 (bmo#1344380)
    Out-of-bounds write in Base64 encoding in NSS
  * CVE-2017-5449 (bmo#1340127)
    Crash during bidirectional unicode manipulation with animation
  * CVE-2017-5446 (bmo#1343505)
    Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
  * CVE-2017-5447 (bmo#1343552)
    Out-of-bounds read during glyph processing
  * CVE-2017-5444 (bmo#1344461)
    Buffer overflow while parsing application/http-index-format content
  * CVE-2017-5445 (bmo#1344467)
    Uninitialized values used while parsing application/http-index-format
    content
  * CVE-2017-5442 (bmo#1347979)
    Use-after-free during style changes
  * CVE-2017-5469 (bmo#1292534)
    Potential Buffer overflow in flex-generated code
  * CVE-2017-5440 (bmo#1336832)
    Use-after-free in txExecutionState destructor during XSLT processing
  * CVE-2017-5441 (bmo#1343795)
    Use-after-free with selection during scroll events
  * CVE-2017-5439 (bmo#1336830)
    Use-after-free in nsTArray Length() during XSLT processing
  * CVE-2017-5438 (bmo#1336828)
    Use-after-free in nsAutoPtr during XSLT processing
  * CVE-2017-5437 (bmo#1343453)
    Vulnerabilities in Libevent library
  * CVE-2017-5436 (bmo#1345461)
    Out-of-bounds write with malicious font in Graphite 2
  * CVE-2017-5435 (bmo#1350683)
    Use-after-free during transaction processing in the editor
  * CVE-2017-5434 (bmo#1349946)
    Use-after-free during focus handling
  * CVE-2017-5433 (bmo#1347168)
    Use-after-free in SMIL animation functions
  * CVE-2017-5432 (bmo#1346654)
    Use-after-free in text input selection
  * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
    bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
    bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
    Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
  * CVE-2017-5459 (bmo#1333858)
    Buffer overflow in WebGL
  * CVE-2017-5462 (bmo#1345089)
    DRBG flaw in NSS
  * CVE-2017-5454 (bmo#1349276)
    Sandbox escape allowing file system read access through file
    picker
  * CVE-2017-5451 (bmo#1273537)
    Addressbar spoofing with onblur event

-------------------------------------------------------------------
Mon Apr 17 12:43:48 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 52.0.1
  * Clicking on a link in an email may not open this link in the
    external browser
  * addon blocklist updates
- enable ALSA for systems w/o PA
- require libffi explicitly to fix PPC64LE build where a system
  library is required

-------------------------------------------------------------------
Sat Mar 18 21:06:01 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 52.0
  * Optionally remove corresponding data files when removing an account
  * Possibility to copy message filter
  * Calendar: Event can now be created and edited in a tab
  * Calendar: Processing of received invitation counter proposals
  * Chat: Support Twitter Direct Messages
  * Chat: Liking and favoriting in Twitter
  * Chat: Removed Yahoo! Messenger support
  * several bugfixes
- security fixes (bsc#1028391, MFSA 2017-09):
  In general, these flaws cannot be exploited through email because
  scripting is disabled when reading mail, but are potentially
  risks in browser or browser-like contexts.
  * CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933)
  * CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861)
  * CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876)
  * CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186)
  * CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138)
  * CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890)
  * CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622)
  * CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687)
  * CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711)
  * CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
  * CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504)
  * CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370)
  * CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
  * CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361)
  * CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876)
  * CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243)
  * CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699)
  * CVE-2017-5421: Print preview spoofing (bmo#1301876)
  * CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002)
  * CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
  * CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
- removed obsolete patches
  * mozilla-aarch64-48bit-va.patch
  * mozilla-binutils-visibility.patch
  * mozilla-flex_buffer_overrun.patch
  * mozilla-gcc6.patch
- added generic mozilla patches
  * mozilla-aarch64-startup-crash.patch
- require newer versions of NSPR and NSS
- use Gtk3 for Tumbleweed

-------------------------------------------------------------------
Tue Mar 7 15:08:23 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 45.8.0 (boo#1028391)
  * MFSA 2017-07
    CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
    (bmo#1334933)
    CVE-2017-5401: Memory Corruption when handling ErrorResult
    (bmo#1328861)
    CVE-2017-5402: Use-after-free working with events in FontFace
    objects (bmo#1334876)
    CVE-2017-5404: Use-after-free working with ranges in selections
    (bmo#1340138)
    CVE-2017-5407: Pixel and history stealing via floating-point
    timing side channel with SVG filters (bmo#1336622)
    CVE-2017-5410: Memory corruption during JavaScript garbage
    collection incremental sweeping (bmo#1330687)
    CVE-2017-5408: Cross-origin reading of video captions in violation
    of CORS (bmo#1313711)
    CVE-2017-5405: FTP response codes can cause use of
    uninitialized values for ports (bmo#1336699)
    CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
    Firefox ESR 45.8

-------------------------------------------------------------------
Thu Feb 9 07:49:54 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 45.7.1
  * fixed Crash when viewing certain IMAP messages (introduced in 45.7.0)

-------------------------------------------------------------------
Tue Jan 24 20:43:57 UTC 2017 - wr@rosenauer.org

- update to Thunderbird 45.7.0
  * Message preview pane non-functional after IMAP folder was renamed
    or moved
  * "Move To" button on "Search Messages" panel not working
  * Message sent to "undisclosed recipients" shows no recipient
    (non-functional since Thunderbird version 38)
  * Security updates from MFSA 2017-03 (Gecko 45.7.0) boo#1021991.
    In general, these flaws cannot be exploited through email in
    Thunderbird because scripting is disabled when reading mail,
    but are potentially risks in browser or browser-like contexts:
    CVE-2017-5375: Excessive JIT code allocation allows bypass of
    ASLR and DEP (bmo#1325200, boo#1021814)
    CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
    CVE-2017-5378: Pointer and frame data leakage of Javascript objects
    (bmo#1312001, bmo#1330769, boo#1021818)
    CVE-2017-5380: Potential use-after-free during DOM manipulations
    (bmo#1322107, boo#1021819)
    CVE-2017-5390: Insecure communication methods in Developer Tools
    JSON viewer (bmo#1297361, boo#1021820)
    CVE-2017-5396: Use-after-free with Media Decoder
    (bmo#1329403, boo#1021821)
    CVE-2017-5383: Location bar spoofing with unicode characters
    (bmo#1323338, bmo#1324716, boo#1021822)
    CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
    (boo#1021824)

-------------------------------------------------------------------
Thu Dec 29 08:33:21 UTC 2016 - wr@rosenauer.org

- update to Thunderbird 45.6.0 (boo#1015422)
  * The system integration dialog was shown every time when starting
    Thunderbird
  * MFSA 2016-96
    CVE-2016-9899: Use-after-free while manipulating DOM events and
    audio elements (bmo#1317409)
    CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
    CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
    CVE-2016-9898: Use-after-free in Editor while manipulating DOM
    subtrees (bmo#1314442)
    CVE-2016-9900: Restricted external resources can be loaded by
    SVG images through data URLs (bmo#1319122)
    CVE-2016-9904: Cross-origin information leak in shared atoms
    (bmo#1317936)
    CVE-2016-9905: Crash in EnumerateSubDocuments (bmo#1293985)
    CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6

-------------------------------------------------------------------
Thu Dec 1 09:58:57 UTC 2016 - astieger@suse.com

- Mozilla Thunderbird 45.5.1:
  * CVE-2016-9079: SVG Animation Remote Code Execution
    (MFSA 2016-92, bsc#1012964, bmo#1321066)

-------------------------------------------------------------------
Sat Nov 19 14:20:05 UTC 2016 - astieger@suse.com

- Mozilla Thunderbird 45.5.0 (boo#1009026)
  * Fixes for security flaws that cannot be exploited through email
    because scripting is disabled when reading mail, but are
    potentially risks in browser or browser-like contexts:
    CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
    (bsc#1010411)
    CVE-2016-5297: Incorrect argument length checking in Javascript
    (bsc#1010401)
    CVE-2016-9066: Integer overflow leading to a buffer overflow in
    nsScriptLoadHandler (bsc#1010404)
    CVE-2016-5291: Same-origin policy violation using local HTML file
    and saved shortcut file (bsc#1010410)
    CVE-2016-5290: Memory safety bugs fixed in Thunderbird ESR 45.5
    (bsc#1010427)
- Changed behavior:
  * Changed recipient address entry: Arrow-keys now copy the pop-up
    value to the input field. Mouse-hovered pop-up value can no
    longer be confirmed with tab or enter key. This restores the
    behavior of Thunderbird 24.
  * Support changes to character limit in Twitter
- Bugs fixed:
  * Reply with selected text containing quote resulted in wrong
    quoting level indication
  * Email invitation might not be displayed when description
    contains non-ASCII characters
  * Attempting to sort messages on the Date field whilst a quick
    filter is applied got stuck on sort descending
  * Mail address display at header pane displayed incorrectly if
    the address contains UTF-8 according to RFC 6532

-------------------------------------------------------------------
Sat Oct 1 07:12:08 UTC 2016 - wr@rosenauer.org

- update to Thunderbird 45.4.0 (boo#999701)
  * Display name was truncated if no separating space before email
    address.
  * Recipient addresses were shown in wrong color in some circumstances.
  * Additional spaces were inserted when drafts were edited.
  * Mail saved as template copied In-Reply-To and References from
    original email.
  * Threading broken when editing message draft, due to loss of Message-ID
  * "Apply columns to..." did not honor special folders

-------------------------------------------------------------------
Tue Aug 30 06:55:14 UTC 2016 - wr@rosenauer.org

- update to Thunderbird 45.3.0 (boo#991809)
  * Disposition-Notification-To could not be used in
    mail.compose.other.header
  * "edit as new message" on a received message pre-filled the sender
    as the composing identity.
  * Certain messages caused corruption of the drafts summary database.
  security fixes:
  * MFSA 2016-62/CVE-2016-2836
    Miscellaneous memory safety hazards
  * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
    Favicon network connection can persist when page is closed
  * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
    Buffer overflow rendering SVG with bidirectional content
  * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
    Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
  * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
    Stack underflow during 2D graphics rendering
  * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
    Use-after-free when using alt key and toplevel menus
  * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
    Use-after-free in DTLS during WebRTC session shutdown
  * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
    Use-after-free in service workers with nested sync events
  * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
    Scripts on marquee tag can execute in sandboxed iframes
  * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
    Buffer overflow in ClearKey Content Decryption Module (CDM)
    during video playback
  * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
    Type confusion in display transformation
  * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
    Use-after-free when applying SVG effects
  * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
    Same-origin policy violation using local HTML file and saved shortcut file

-------------------------------------------------------------------
Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com

- Fix for possible buffer overrun (bsc#990856)
  CVE-2016-6354 (bmo#1292534)
  [mozilla-flex_buffer_overrun.patch]

-------------------------------------------------------------------
Thu Jul 21 11:50:27 UTC 2016 - mailaender@opensuse.org

- add a screenshot to appdata.xml

-------------------------------------------------------------------
Thu Jun 30 09:18:14 UTC 2016 - wr@rosenauer.org

- update to Thunderbird 45.2 (boo#983549)
  Security fixes:
  * CVE-2016-2818, CVE-2016-2815: Memory safety bugs (MFSA2016-49)
- drop mozilla-flexible-array-member-in-union.patch, upstream

-------------------------------------------------------------------
|
|
Fri Jun 24 14:10:58 UTC 2016 - wr@rosenauer.org
|
|
|
|
- mozilla-binutils-visibility.patch to fix build issues with
|
|
gcc/binutils combination used in Leap 42.2 (boo#984637)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 23 10:15:51 UTC 2016 - wr@rosenauer.org
|
|
|
|
- build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6
|
|
as long as underlying issues have been addressed upstream
|
|
(boo#986162)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 13 20:28:01 UTC 2016 - agraf@suse.com
|
|
|
|
- Fix running on 48bit va aarch64 (bsc#984126)
|
|
- Add patch mozilla-aarch64-48bit-va.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Fri May 27 12:51:23 UTC 2016 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 45.1.1
|
|
* When entering members into a mailing list, the enter key
|
|
dismissed the panel instead of just moving onto the next line
|
|
* Email without HTML elements was sent as HTML, despite
|
|
"Delivery Format: Auto-detect" option
|
|
* Options applied to a template were lost when the template was used
|
|
* Contacts could not be deleted when they were found through a search
|
|
* Views from global searches did not respect
|
|
"mail.threadpane.use_correspondents"
|
|
|
|
-------------------------------------------------------------------
|
|
Wed May 25 18:20:24 UTC 2016 - badshah400@gmail.com
|
|
|
|
- The conditional testing for gcc was failing for different
|
|
openSUSE versions, drop it and apply patches unconditionally.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue May 24 18:28:31 UTC 2016 - badshah400@gmail.com
|
|
|
|
- Add patches to fix building with gcc >= 6:
|
|
+ mozilla-gcc6.patch: patch taken from fedora's git and is
|
|
essentially identical to upstream firefox patch:
|
|
https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
|
|
+ mozilla-flexible-array-member-in-union.patch: patch taken
|
|
from upstream bmo#1272649.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu May 12 15:21:45 UTC 2016 - dimstar@opensuse.org
|
|
|
|
- Copy the icons to /usr/share/icons instead of symlinking them:
|
|
in preparation for containerized apps (e.g. xdg-app) as well as
|
|
AppStream metadata extraction, there are a couple locations that
|
|
need to be real files for system integration (.desktop files,
|
|
icons, mime-type info).
|
|
|
|
-------------------------------------------------------------------
|
|
Sat May 7 22:19:09 UTC 2016 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 45.1.0 (boo#977333)
|
|
* MFSA 2016-39/CVE-2016-2806/CVE-2016-2807 (boo#977375, boo#977376)
|
|
Miscellaneous memory safety hazards
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Apr 27 04:26:56 UTC 2016 - badshah400@gmail.com
|
|
|
|
- For openSUSE > 13.2, the build fails for i586 as it goes out of
|
|
memory. Prevent this from happening by disabling parallel build
|
|
in this particular case (i.e. do not pass
|
|
mk_add_options MOZ_MAKE_FLAGS%{?jobs:-j%jobs}).
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Apr 16 08:11:14 UTC 2016 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 45.0 (boo#969894)
|
|
* Add a Correspondents column combining Sender and Recipient
|
|
* Much better support for XMPP chatrooms and commands
|
|
* Remote content exceptions: Improved options to add exceptions
|
|
* Implement option to always use HTML formatting to prevent
|
|
unexpected format loss when converting messages to plain text
|
|
* Use OpenStreetMap for maps (even allow the user to choose from
|
|
list of map services)
|
|
* Allow spell checking and dictionary selection in the subject line
|
|
* Allow editing of From when composing a message
|
|
* Add dropdown in compose to allow specific setting of font size
|
|
* Return/Enter in composer will now insert a new paragraph by
|
|
default (shift-Enter will insert a line break)
|
|
* Allow copying of name and email address from the message header
|
|
of an email
|
|
* Mail.ru supports OAuth authentication
|
|
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
|
|
Local file overwriting and potential privilege escalation through
|
|
CSP reports
|
|
* MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
|
|
CSP reports fail to strip location information for embedded iframe pages
|
|
* MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
|
|
Linux video memory DOS with Intel drivers
|
|
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
|
|
Memory leak in libstagefright when deleting an array during MP4
|
|
processing
|
|
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
|
|
Use-after-free in HTML5 string parser
|
|
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
|
|
Use-after-free in SetBody
|
|
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
|
|
Use-after-free during XML transformations
|
|
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
|
|
Out-of-bounds read in HTML parser following a failed allocation
|
|
* MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
|
|
Buffer overflow during ASN.1 decoding in NSS
|
|
(fixed by requiring 3.21.1)
|
|
* MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
|
|
Use-after-free during processing of DER encoded keys in NSS
|
|
(fixed by requiring 3.21.1)
|
|
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
|
|
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
|
|
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
|
|
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
|
|
Font vulnerabilities in the Graphite 2 library
|
|
- remove obsolete patches:
|
|
* mozilla-arm-disable-edsp.patch
|
|
* mozilla-icu-strncat.patch
|
|
* mozilla-arm64-libjpeg-turbo.patch
|
|
- added required mozilla platform patches:
|
|
* mozilla-no-stdcxx-check.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Apr 6 21:54:09 UTC 2016 - astieger@suse.com
|
|
|
|
- update to Thunderbird 38.7.2
|
|
* disable Graphite font shaping library (same upstream changelog
|
|
as 38.7.1)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Mar 25 09:40:09 UTC 2016 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.7.1
|
|
* disabled Graphite font shaping library
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Mar 11 12:57:25 UTC 2016 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.7.0 (boo#969894)
|
|
* MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
|
|
Use-after-free in MediaStream playback
|
|
* MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
|
|
Same-origin policy violation using performance.getEntries and
|
|
history navigation
|
|
* MFSA 2016-16/CVE-2016-1952
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
|
|
Local file overwriting and potential privilege escalation through
|
|
CSP reports
|
|
* MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
|
|
Memory leak in libstagefright when deleting an array during MP4
|
|
processing
|
|
* MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
|
|
Displayed page address can be overridden
|
|
* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
|
|
Use-after-free in HTML5 string parser
|
|
* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
|
|
Use-after-free in SetBody
|
|
* MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
|
|
Use-after-free when using multiple WebRTC data channels
|
|
* MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
|
|
Use-after-free during XML transformations
|
|
* MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
|
|
Addressbar spoofing through history navigation and Location protocol
|
|
property
|
|
* MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
|
|
Memory corruption with malicious NPAPI plugin
|
|
* MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
|
|
Out-of-bounds read in HTML parser following a failed allocation
|
|
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
|
|
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
|
|
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
|
|
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
|
|
Font vulnerabilities in the Graphite 2 library
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Feb 26 15:45:19 UTC 2016 - astieger@suse.com
|
|
|
|
- adjust _constraints to current peak build memory and disk usage
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Feb 13 08:32:09 UTC 2016 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.6.0 (boo#963520)
|
|
* Filters ran on a different folder than selected
|
|
* MFSA 2016-01/CVE-2016-1930
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2016-03/CVE-2016-1935 (bmo#1220450)
|
|
Buffer overflow in WebGL after out of memory allocation
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 25 10:39:23 UTC 2016 - olaf@aepfle.de
|
|
|
|
- Using -g for CFLAGS is controlled via project settings, it should
|
|
not be enforced by the mozilla buildsystem.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 18 07:32:51 UTC 2016 - olaf@aepfle.de
|
|
|
|
- Add build conditionals for valgrind and -Os
|
|
- Convert existing conditions for kde to bcond
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 29 20:30:59 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.5.1
|
|
* requires NSS 3.20.2 to fix
|
|
MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
|
|
MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
|
|
server signature
|
|
- explicitly require libXcomposite-devel
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 23 10:13:38 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.5.0 (bnc#959277)
|
|
* MFSA 2015-134/CVE-2015-7201
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
|
|
Use-after-free in WebRTC when datachannel is used after being
|
|
destroyed
|
|
* MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
|
|
Integer overflow allocating extremely large textures
|
|
* MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
|
|
Underflow through code inspection
|
|
* MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
|
|
Integer overflow in MP4 playback in 64-bit versions
|
|
* MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
|
|
Integer underflow and buffer overflow processing MP4 metadata in
|
|
libstagefright
|
|
* MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
|
|
Cross-site reading attack through data and view-source URIs
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 17 07:58:43 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.4.0 (bnc#952810)
|
|
* MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
|
|
Trailing whitespace in IP address hostnames can bypass same-origin policy
|
|
* MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
|
|
Buffer overflow during image interactions in canvas
|
|
* MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
|
|
CORS preflight is bypassed when non-standard Content-Type headers
|
|
are received
|
|
* MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
|
|
Memory corruption in libjar through zip files
|
|
* MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
|
|
JavaScript garbage collection crash with Java applet
|
|
* MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
|
|
(bmo#1188010, bmo#1204061, bmo#1204155)
|
|
Vulnerabilities found through code inspection
|
|
* MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
|
|
Mixed content WebSocket policy bypass through workers
|
|
* MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
|
|
(bmo#1202868, bmo#1205157)
|
|
NSS and NSPR memory corruption issues
|
|
(fixed in mozilla-nspr and mozilla-nss packages)
|
|
- requires NSPR 4.10.10 and NSS 3.19.2.1
|
|
- added explicit appdata provides (bnc#952325)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 5 12:44:39 UTC 2015 - dmueller@suse.com
|
|
|
|
- fix build on aarch64 by reusing the crashreporter conditional
|
|
from MozillaFirefox
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 28 18:00:50 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.3.0 (bnc#947003)
|
|
* MFSA 2015-96/CVE-2015-4500
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
|
|
Arbitrary file manipulation by local user through Mozilla updater
|
|
* MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
|
|
Buffer overflow in libvpx while parsing vp9 format video
|
|
* MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
|
|
Buffer overflow while decoding WebM video
|
|
* MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
|
|
Use-after-free while manipulating HTML media content
|
|
* MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
|
|
Dragging and dropping images exposes final URL after redirects
|
|
* MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
|
|
Errors in the handling of CORS preflight request headers
|
|
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
|
|
CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
|
|
CVE-2015-7180
|
|
Vulnerabilities found through code inspection
|
|
* MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
|
|
bmo#1190526) (Windows only)
|
|
Memory safety errors in libGLES in the ANGLE graphics library
|
|
- rebased patches
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Aug 15 11:41:30 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.2.0 (bnc#940806)
|
|
* MFSA 2015-79/CVE-2015-4473
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
|
|
Out-of-bounds read with malformed MP3 file
|
|
* MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
|
|
Redefinition of non-configurable JavaScript object properties
|
|
* MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
|
|
Overflow issues in libstagefright
|
|
* MFSA 2015-84/CVE-2015-4481 (bmo#1171518)
|
|
Arbitrary file overwriting through Mozilla Maintenance Service
|
|
with hard links (only affected Windows)
|
|
* MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
|
|
Out-of-bounds write with Updater and malicious MAR file
|
|
(does not affect openSUSE RPM packages which do not ship the
|
|
updater)
|
|
* MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
|
|
Crash when using shared memory in JavaScript
|
|
* MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
|
|
Heap overflow in gdk-pixbuf when scaling bitmap images
|
|
* MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
|
|
Buffer overflows on Libvpx when decoding WebM video
|
|
* MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
|
|
Vulnerabilities found through code inspection
|
|
* MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
|
|
Use-after-free in XMLHttpRequest with shared workers
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jul 8 07:10:59 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.1.0 (bnc#935979)
|
|
* MFSA 2015-59/CVE-2015-2724/CVE-2015-2725
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
|
|
Local files or privileged URLs in pages can be opened into new tabs
|
|
* MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
|
|
Type confusion in Indexed Database Manager
|
|
* MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
|
|
Out-of-bound read while computing an oscillator rendering range in Web Audio
|
|
* MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
|
|
Use-after-free in Content Policy due to microtask execution error
|
|
* MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
|
|
ECDSA signature validation fails to handle some signatures correctly
|
|
(this fix is shipped by NSS 3.19.1 externally)
|
|
* MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
|
|
Use-after-free in workers while using XMLHttpRequest
|
|
* MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
|
|
CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
|
|
Vulnerabilities found through code inspection
|
|
* MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
|
|
Key pinning is ignored when overridable errors are encountered
|
|
* MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
|
|
Privilege escalation in PDF.js
|
|
* MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
|
|
NSS accepts export-length DHE keys with regular DHE cipher suites
|
|
(this fix is shipped by NSS 3.19.1 externally)
|
|
* MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
|
|
NSS incorrectly permits skipping of ServerKeyExchange
|
|
(this fix is shipped by NSS 3.19.1 externally)
|
|
- requires NSS 3.19.2
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jun 19 17:00:11 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 38.0.1
|
|
* includes Lightning as default extension
|
|
- rebased patches
|
|
- removed obsolete patches:
|
|
* mozilla-ppc.patch
|
|
* mozilla-nullptr-gcc45.patch
|
|
* mozilla-bug1024492.patch
|
|
- dropped openSUSE specific patches
|
|
* thunderbird-shared-nss-db.patch
|
|
* mozilla-shared-nss-db.patch
|
|
the provided feature seems not to be used and its maintenance
|
|
is not worth the ongoing efforts
|
|
- tb-develdirs.patch is now mozilla-develdirs.patch as it is a
|
|
platform configuration now
|
|
|
|
--------------------------------------------------------------------
|
|
Thu Jun 18 10:30:18 UTC 2015 - schwab@suse.de
|
|
|
|
- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
|
|
|
|
-------------------------------------------------------------------
|
|
Thu May 28 10:28:13 UTC 2015 - dmueller@suse.com
|
|
|
|
- add mozilla-bug1024492.patch:
|
|
* Fixes build against GCC 5.x
|
|
|
|
-------------------------------------------------------------------
|
|
Sat May 9 07:22:49 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 31.7.0 (bnc#930622)
|
|
* MFSA 2015-46/CVE-2015-2708
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2015-47/CVE-2015-0797 (bmo#1080995)
|
|
Buffer overflow parsing H.264 video with Linux Gstreamer
|
|
* MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
|
|
Buffer overflow with SVG content and CSS
|
|
* MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
|
|
Use-after-free during text processing with vertical text enabled
|
|
* MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
|
|
Buffer overflow when parsing compressed XML
|
|
* MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
|
|
Privilege escalation through IPC channel messages
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 31 05:02:16 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 31.6.0 (bnc#925368)
|
|
* MFSA 2015-30/CVE-2015-0815
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2015-31/CVE-2015-0813 (bmo#1106596)
|
|
Use-after-free when using the Fluendo MP3 GStreamer plugin
|
|
* MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
|
|
resource:// documents can load privileged pages
|
|
* MFSA 2015-37/CVE-2015-0807 (bmo#1111834)
|
|
CORS requests should not follow 30x redirections after preflight
|
|
* MFSA 2015-40/CVE-2015-0801 (bmo#1146339)
|
|
Same-origin bypass through anchor navigation
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 23 12:42:57 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 31.5.0 (bnc#917597)
|
|
* MFSA 2015-11/CVE-2015-0836
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2015-12/CVE-2015-0833 (bmo#945192)
|
|
Invoking Mozilla updater will load locally stored DLL files
|
|
(Windows only)
|
|
* MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
|
|
Use-after-free in IndexedDB
|
|
* MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
|
|
Out-of-bounds read and write while rendering SVG content
|
|
* MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
|
|
Reading of local files through manipulation of form autocomplete
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jan 10 18:33:52 UTC 2015 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 31.4.0 (bnc#910669)
|
|
* MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
|
|
sendBeacon requests lack an Origin header
|
|
* MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
|
|
Cookie injection through Proxy Authenticate responses
|
|
- added mozilla-icu-strncat.patch to fix post build checks
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Nov 30 08:37:33 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 31.3.0 (bnc#908009)
|
|
* MFSA 2014-83/CVE-2014-1587
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
|
|
XMLHttpRequest crashes with some input streams
|
|
* MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
|
|
Use-after-free during HTML5 parsing
|
|
* MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
|
|
Buffer overflow while parsing media content
|
|
* MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
|
|
Bad casting from the BasicThebesLayer to BasicContainerLayer
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Nov 16 21:22:00 UTC 2014 - Led <ledest@gmail.com>
|
|
|
|
- fix bashism in mozilla.sh script
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 4 08:16:43 UTC 2014 - guillaume@opensuse.org
|
|
|
|
- Limit RAM usage during link for ARM
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Oct 25 18:41:27 UTC 2014 - wr@rosenauer.org
|
|
|
|
- remove add-plugins.sh and use /usr/share/myspell directly
|
|
(bnc#900639)
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Oct 12 22:47:42 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 31.2.0 (bnc#900941)
|
|
* MFSA 2014-74/CVE-2014-1574
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2014-75/CVE-2014-1576 (bmo#1041512)
|
|
Buffer overflow during CSS manipulation
|
|
* MFSA 2014-76/CVE-2014-1577 (bmo#1012609)
|
|
Web Audio memory corruption issues with custom waveforms
|
|
* MFSA 2014-77/CVE-2014-1578 (bmo#1063327)
|
|
Out-of-bounds write with WebM video
|
|
* MFSA 2014-79/CVE-2014-1581 (bmo#1068218)
|
|
Use-after-free interacting with text directionality
|
|
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
|
|
Inconsistent video sharing within iframe
|
|
- added basic appdata definition
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Sep 24 09:15:02 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 31.1.2
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Sep 9 12:53:41 UTC 2014 - wolfgang@rosenauer.org
|
|
|
|
- update to Thunderbird 31.1.1
|
|
* Fixed an issue where mailing lists with spaces in their names
|
|
couldn't be autocompleted (bmo#1060901)
|
|
* Fixed an occasional startup crash (bmo#1005336)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 29 13:02:19 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 31.1.0 (bnc#894370)
|
|
* MFSA 2014-67/CVE-2014-1553/CVE-2014-1562
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2014-68/CVE-2014-1563 (bmo#1018524)
|
|
Use-after-free during DOM interactions with SVG
|
|
* MFSA 2014-69/CVE-2014-1564 (bmo#1045977)
|
|
Uninitialized memory use during GIF rendering
|
|
* MFSA 2014-70/CVE-2014-1565 (bmo#1047831)
|
|
Out-of-bounds read in Web Audio audio timeline
|
|
* MFSA 2014-72/CVE-2014-1567 (bmo#1037641)
|
|
Use-after-free setting text directionality
|
|
- added mozilla-nullptr-gcc45.patch to build on gcc 4.5 dists
|
|
(e.g. openSUSE 11.4)
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jul 27 20:25:46 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 31.0
|
|
* based on Gecko 31
|
|
* Autocompleting email addresses now matches against any part of
|
|
the name or email
|
|
* Composing a mail to a newsgroup will now autocomplete newsgroup
|
|
names
|
|
* Insecure NTLM (pre-NTLMv2) authentication disabled
|
|
- rebased patches
|
|
- removed enigmail entirely from source package
|
|
- removed obsolete patches
|
|
* libffi-ppc64le.patch
|
|
* ppc64le-support.patch
|
|
* xpcom-ppc64le.patch
|
|
- use GStreamer 1.0 after 13.1
|
|
- switched source archives to use xz instead of bz2
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jul 20 15:59:49 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 24.7.0 (bnc#887746)
|
|
* MFSA 2014-56/CVE-2014-1547/CVE-2014-1548
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2014-61/CVE-2014-1555 (bmo#1023121)
|
|
Use-after-free with FireOnStateChange event
|
|
* MFSA 2014-62/CVE-2014-1556 (bmo#1028891)
|
|
Exploitable WebGL crash with Cesium JavaScript library
|
|
* MFSA 2014-63/CVE-2014-1544 (bmo#963150)
|
|
Use-after-free when manipulating certificates in the trusted cache
|
|
(solved with NSS 3.16.2 requirement)
|
|
* MFSA 2014-64/CVE-2014-1557 (bmo#913805)
|
|
Crash in Skia library when scaling high quality images
|
|
- disabled enigmail build as with version 1.7 it's a standalone
|
|
source package
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jun 7 09:07:06 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 24.6.0 (bnc#881874)
|
|
* MFSA 2014-48/CVE-2014-1533/CVE-2014-1534
|
|
(bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874,
|
|
bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981,
|
|
bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817,
|
|
bmo#996536, bmo#996715, bmo#999651, bmo#1000598,
|
|
bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223,
|
|
bmo#1009952, bmo#1011007)
|
|
Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
|
|
* MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538
|
|
(bmo#989994, bmo#999274, bmo#1005584)
|
|
Use-after-free and out of bounds issues found using Address Sanitizer
|
|
* MFSA 2014-52/CVE-2014-1541 (bmo#1000185)
|
|
Use-after-free with SMIL Animation Controller
|
|
* MFSA 2014-55/CVE-2014-1545 (bmo#1018783)
|
|
Out of bounds write in NSPR
|
|
- require NSPR 4.10.6 because of MFSA 2014-55/CVE-2014-1545
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Apr 25 09:41:14 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 24.5.0 (bnc#875378)
|
|
* MFSA 2014-34/CVE-2014-1518
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2014-37/CVE-2014-1523 (bmo#969226)
|
|
Out of bounds read while decoding JPG images
|
|
* MFSA 2014-38/CVE-2014-1524 (bmo#989183)
|
|
Buffer overflow when using non-XBL object as XBL
|
|
* MFSA 2014-42/CVE-2014-1529 (bmo#987003)
|
|
Privilege escalation through Web Notification API
|
|
* MFSA 2014-43/CVE-2014-1530 (bmo#895557)
|
|
Cross-site scripting (XSS) using history navigations
|
|
* MFSA 2014-44/CVE-2014-1531 (bmo#987140)
|
|
Use-after-free in imgLoader while resizing images
|
|
* MFSA 2014-46/CVE-2014-1532 (bmo#966006)
|
|
Use-after-free in nsHostResolver
|
|
- use shipped-locales as the authoritative source for supported
|
|
locales (some unsupported locales disappear from -other package)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 18 21:45:43 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 24.4.0 (bnc#868603)
|
|
* MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2014-17/CVE-2014-1497 (bmo#966311)
|
|
Out of bounds read during WAV file decoding
|
|
* MFSA 2014-26/CVE-2014-1508 (bmo#963198)
|
|
Information disclosure through polygon rendering in MathML
|
|
* MFSA 2014-27/CVE-2014-1509 (bmo#966021)
|
|
Memory corruption in Cairo during PDF font rendering
|
|
* MFSA 2014-28/CVE-2014-1505 (bmo#941887)
|
|
SVG filters information disclosure through feDisplacementMap
|
|
* MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909)
|
|
Privilege escalation using WebIDL-implemented APIs
|
|
* MFSA 2014-30/CVE-2014-1512 (bmo#982957)
|
|
Use-after-free in TypeObject
|
|
* MFSA 2014-31/CVE-2014-1513 (bmo#982974)
|
|
Out-of-bounds read/write through neutering ArrayBuffer objects
|
|
* MFSA 2014-32/CVE-2014-1514 (bmo#983344)
|
|
Out-of-bounds write through TypedArrayObject after neutering
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 3 16:07:28 UTC 2014 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 24.3.0 (bnc#861847)
|
|
* MFSA 2014-01/CVE-2014-1477/CVE-2014-1478
|
|
Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
|
|
* MFSA 2014-02/CVE-2014-1479 (bmo#911864)
|
|
Clone protected content with XBL scopes
|
|
* MFSA 2014-04/CVE-2014-1482 (bmo#943803)
|
|
Incorrect use of discarded images by RasterImage
|
|
* MFSA 2014-08/CVE-2014-1486 (bmo#942164)
|
|
Use-after-free with imgRequestProxy and image processing
|
|
* MFSA 2014-09/CVE-2014-1487 (bmo#947592)
|
|
Cross-origin information leak through web workers
|
|
* MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
|
|
(bmo#934545, bmo#930874, bmo#930857)
|
|
NSS ticket handling issues
|
|
* MFSA 2014-13/CVE-2014-1481 (bmo#936056)
|
|
Inconsistent JavaScript handling of access to Window objects
|
|
- requires NSS 3.15.4
|
|
- renamed ppc64le patches to streamline with Firefox package
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Dec 13 21:29:16 UTC 2013 - uweigand@de.ibm.com
|
|
|
|
- Add support for powerpc64le-linux.
|
|
* ppc64le-support.patch: general support
|
|
* libffi-ppc64le.patch: libffi backport
|
|
* xpcom-ppc64le.patch: port xpcom
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Dec 8 10:18:03 UTC 2013 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 24.2.0 (bnc#854370)
|
|
* requires NSS 3.15.3.1 or higher
|
|
* MFSA 2013-104/CVE-2013-5609/CVE-2013-5610
|
|
Miscellaneous memory safety hazards
|
|
* MFSA 2013-108/CVE-2013-5616 (bmo#938341)
|
|
Use-after-free in event listeners
|
|
* MFSA 2013-109/CVE-2013-5618 (bmo#926361)
|
|
Use-after-free during Table Editing
|
|
* MFSA 2013-111/CVE-2013-6671 (bmo#930281)
|
|
Segmentation violation when replacing ordered list elements
|
|
* MFSA 2013-113/CVE-2013-6673 (bmo#970380)
|
|
Trust settings for built-in roots ignored during EV certificate
|
|
validation
|
|
* MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449)
|
|
Use-after-free in synthetic mouse movement
|
|
* MFSA 2013-115/CVE-2013-5615 (bmo#929261)
|
|
GetElementIC typed array stubs can be generated outside observed
|
|
typesets
|
|
* MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693)
|
|
JPEG information leak
|
|
* MFSA 2013-117 (bmo#946351)
|
|
Mis-issued ANSSI/DCSSI certificate
|
|
(fixed via NSS 3.15.3.1)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 19 08:08:00 UTC 2013 - wr@rosenauer.org
|
|
|
|
- update to Thunderbird 24.1.1
|
|
* requires NSPR 4.10.2 and NSS 3.15.3 for security reasons
|
|
* fix binary compatibility issues for patch level updates
|
|
(bmo#927073)
|
|
|
|
-------------------------------------------------------------------
Thu Oct 24 17:18:23 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 24.1.0 (bnc#847708)
* requires NSS 3.15.2 or above
* MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592
Miscellaneous memory safety hazards
* MFSA 2013-94/CVE-2013-5593 (bmo#868327)
Spoofing addressbar through SELECT element
* MFSA 2013-95/CVE-2013-5604 (bmo#914017)
Access violation with XSLT and uninitialized data
* MFSA 2013-96/CVE-2013-5595 (bmo#916580)
Improperly initialized memory and overflows in some JavaScript
functions
* MFSA 2013-97/CVE-2013-5596 (bmo#910881)
Writing to cycle collected object during image decoding
* MFSA 2013-98/CVE-2013-5597 (bmo#918864)
Use-after-free when updating offline cache
* MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601
(bmo#915210, bmo#915576, bmo#916685)
Miscellaneous use-after-free issues found through ASAN fuzzing
* MFSA 2013-101/CVE-2013-5602 (bmo#897678)
Memory corruption in workers
* MFSA 2013-102/CVE-2013-5603 (bmo#916404)
Use-after-free in HTML document templates

-------------------------------------------------------------------
Thu Oct 10 14:43:22 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 24.0.1
* fqdn for smtp server name was not accepted (bmo#913785)
* fixed crash in PL_strncasecmp (bmo#917955)
- update Enigmail to 1.6
* The passphrase timeout configuration in Enigmail is now read and
written from/to gpg-agent.
* New dialog to change the expiry date of keys
* New function to search for the OpenPGP keys of all Address Book
entries on a keyserver
* removed obsolete enigmail-build.patch

-------------------------------------------------------------------
Sat Sep 14 20:32:28 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 24.0 (bnc#840485)
* MFSA 2013-76/CVE-2013-1718/CVE-2013-1719
Miscellaneous memory safety hazards
* MFSA 2013-77/CVE-2013-1720 (bmo#888820)
Improper state in HTML5 Tree Builder with templates
* MFSA 2013-79/CVE-2013-1722 (bmo#893308)
Use-after-free in Animation Manager during stylesheet cloning
* MFSA 2013-80/CVE-2013-1723 (bmo#891292)
NativeKey continues handling key messages after widget is destroyed
* MFSA 2013-81/CVE-2013-1724 (bmo#894137)
Use-after-free with select element
* MFSA 2013-82/CVE-2013-1725 (bmo#876762)
Calling scope for new Javascript objects can lead to memory corruption
* MFSA 2013-85/CVE-2013-1728 (bmo#883686)
Uninitialized data in IonMonkey
* MFSA 2013-88/CVE-2013-1730 (bmo#851353)
Compartment mismatch re-attaching XBL-backed nodes
* MFSA 2013-89/CVE-2013-1732 (bmo#883514)
Buffer overflow with multi-column, lists, and floats
* MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301)
Memory corruption involving scrolling
* MFSA 2013-91/CVE-2013-1737 (bmo#907727)
User-defined properties on DOM proxies get the wrong "this" object
* MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897)
GC hazard with default compartments and frame chain restoration
- moved greek to common translation package
- require NSPR 4.10 and NSS 3.15.1
- add GStreamer build requirements for Gecko
- added enigmail-build.patch to fix TB packaging (bmo#886095)
- removed obsolete patches:
* enigmail-old-gcc.patch
* mozilla-gcc43-enums.patch
* mozilla-gcc43-template_hacks.patch
* mozilla-gcc43-templates_instantiation.patch
* ppc-xpcshell.patch

-------------------------------------------------------------------
Fri Aug 2 06:01:03 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 17.0.8 (bnc#833389)
* MFSA 2013-63/CVE-2013-1701
Miscellaneous memory safety hazards
* MFSA 2013-68/CVE-2013-1709 (bmo#838253)
Document URI misrepresentation and masquerading
* MFSA 2013-69/CVE-2013-1710 (bmo#871368)
CRMF requests allow for code execution and XSS attacks
* MFSA 2013-72/CVE-2013-1713 (bmo#887098)
Wrong principal used for validating URI for some Javascript
components
* MFSA 2013-73/CVE-2013-1714 (bmo#879787)
Same-origin bypass with web workers and XMLHttpRequest
* MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file system

-------------------------------------------------------------------
Wed Jul 17 17:28:39 UTC 2013 - wr@rosenauer.org

- update Enigmail to 1.5.2
* bugfix release

-------------------------------------------------------------------
Mon Jun 24 10:17:22 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 17.0.7 (bnc#825935)
* MFSA 2013-49/CVE-2013-1682
Miscellaneous memory safety hazards
* MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
Memory corruption found using Address Sanitizer
* MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
Privileged content access and execution via XBL
* MFSA 2013-53/CVE-2013-1690 (bmo#857883)
Execution of unmapped memory through onreadystatechange event
* MFSA 2013-54/CVE-2013-1692 (bmo#866915)
Data in the body of XHR HEAD requests leads to CSRF attacks
* MFSA 2013-55/CVE-2013-1693 (bmo#711043)
SVG filters can lead to information disclosure
* MFSA 2013-56/CVE-2013-1694 (bmo#848535)
PreserveWrapper has inconsistent behavior
* MFSA 2013-59/CVE-2013-1697 (bmo#858101)
XrayWrappers can be bypassed to run user defined methods in a
privileged context

-------------------------------------------------------------------
Tue Jun 4 20:41:42 UTC 2013 - dvaleev@suse.com

- prevent xpc-shell crashing on powerpc
ppc-xpcshell.patch

-------------------------------------------------------------------
Sat May 11 08:46:37 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 17.0.6 (bnc#819204)
* MFSA 2013-41/CVE-2013-0801/CVE-2013-1669
Miscellaneous memory safety hazards
* MFSA 2013-42/CVE-2013-1670 (bmo#853709)
Privileged access for content level constructor
* MFSA 2013-46/CVE-2013-1674 (bmo#860971)
Use-after-free with video and onresize event
* MFSA 2013-47/CVE-2013-1675 (bmo#866825)
Uninitialized functions in DOMSVGZoomEvent
* MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/
CVE-2013-1679/CVE-2013-1680/CVE-2013-1681
Memory corruption found using Address Sanitizer

-------------------------------------------------------------------
Fri Mar 29 18:25:38 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 17.0.5 (bnc#813026)
* requires NSPR 4.9.5 and NSS 3.14.3
* MFSA 2013-30/CVE-2013-0788/CVE-2013-0789
Miscellaneous memory safety hazards
* MFSA 2013-31/CVE-2013-0800 (bmo#825721)
Out-of-bounds write in Cairo library
* MFSA 2013-35/CVE-2013-0796 (bmo#827106)
WebGL crash with Mesa graphics driver on Linux
* MFSA 2013-36/CVE-2013-0795 (bmo#825697)
Bypass of SOW protections allows cloning of protected nodes
* MFSA 2013-38/CVE-2013-0793 (bmo#803870)
Cross-site scripting (XSS) using timed history navigations

-------------------------------------------------------------------
Fri Mar 8 10:35:29 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 17.0.4 (bnc#808243)
* MFSA 2013-29/CVE-2013-0787 (bmo#848644)
Use-after-free in HTML Editor

-------------------------------------------------------------------
Sun Feb 17 12:09:06 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 17.0.3 (bnc#804248)
* MFSA 2013-21/CVE-2013-0783
Miscellaneous memory safety hazards
* MFSA 2013-24/CVE-2013-0773 (bmo#809652)
Web content bypass of COW and SOW security wrappers
* MFSA 2013-25/CVE-2013-0774 (bmo#827193)
Privacy leak in JavaScript Workers
* MFSA 2013-26/CVE-2013-0775 (bmo#831095)
Use-after-free in nsImageLoadingContent
* MFSA 2013-27/CVE-2013-0776 (bmo#796475)
Phishing on HTTPS connection through malicious proxy
* MFSA 2013-28/CVE-2013-0780/CVE-2013-0782
Use-after-free, out of bounds read, and buffer overflow issues
found using Address Sanitizer

-------------------------------------------------------------------
Mon Feb 11 08:25:24 UTC 2013 - wr@rosenauer.org

- update Enigmail to 1.5.1
* The release fixes the regressions found in the past few
weeks

-------------------------------------------------------------------
Sat Jan 5 12:40:00 UTC 2013 - wr@rosenauer.org

- update to Thunderbird 17.0.2 (bnc#796895)
* MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770
Miscellaneous memory safety hazards
* MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767
CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829
Use-after-free and buffer overflow issues found using Address Sanitizer
* MFSA 2013-03/CVE-2013-0768 (bmo#815795)
Buffer Overflow in Canvas
* MFSA 2013-04/CVE-2012-0759 (bmo#802026)
URL spoofing in addressbar during page loads
* MFSA 2013-05/CVE-2013-0744 (bmo#814713)
Use-after-free when displaying table with many columns and column groups
* MFSA 2013-07/CVE-2013-0764 (bmo#804237)
Crash due to handling of SSL on threads
* MFSA 2013-08/CVE-2013-0745 (bmo#794158)
AutoWrapperChanger fails to keep objects alive during garbage collection
* MFSA 2013-09/CVE-2013-0746 (bmo#816842)
Compartment mismatch with quickstubs returned values
* MFSA 2013-10/CVE-2013-0747 (bmo#733305)
Event manipulation in plugin handler to bypass same-origin policy
* MFSA 2013-11/CVE-2013-0748 (bmo#806031)
Address space layout leaked in XBL objects
* MFSA 2013-12/CVE-2013-0750 (bmo#805121)
Buffer overflow in Javascript string concatenation
* MFSA 2013-13/CVE-2013-0752 (bmo#805024)
Memory corruption in XBL with XML bindings containing SVG
* MFSA 2013-14/CVE-2013-0757 (bmo#813901)
Chrome Object Wrapper (COW) bypass through changing prototype
* MFSA 2013-15/CVE-2013-0758 (bmo#813906)
Privilege escalation through plugin objects
* MFSA 2013-16/CVE-2013-0753 (bmo#814001)
Use-after-free in serializeToStream
* MFSA 2013-17/CVE-2013-0754 (bmo#814026)
Use-after-free in ListenerManager
* MFSA 2013-18/CVE-2013-0755 (bmo#814027)
Use-after-free in Vibrate
* MFSA 2013-19/CVE-2013-0756 (bmo#814029)
Use-after-free in Javascript Proxy objects
- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743)
- update Enigmail to 1.5.0

-------------------------------------------------------------------
Mon Nov 26 11:10:11 UTC 2012 - wr@rosenauer.org

- fix KDE integration for file dialogs
- fix some rpmlint warnings (mkdir.done files)
- build on SLE11
* mozilla-gcc43-enums.patch
* mozilla-gcc43-template_hacks.patch
* mozilla-gcc43-templates_instantiation.patch

-------------------------------------------------------------------
Tue Nov 20 20:42:04 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 17.0 (bnc#790140)
* MFSA 2012-91/CVE-2012-5842/CVE-2012-5843
Miscellaneous memory safety hazards
* MFSA 2012-92/CVE-2012-4202 (bmo#758200)
Buffer overflow while rendering GIF images
* MFSA 2012-93/CVE-2012-4201 (bmo#747607)
evalInSandbox location context incorrectly applied
* MFSA 2012-94/CVE-2012-5836 (bmo#792857)
Crash when combining SVG text on path with CSS
* MFSA 2012-96/CVE-2012-4204 (bmo#778603)
Memory corruption in str_unescape
* MFSA 2012-97/CVE-2012-4205 (bmo#779821)
XMLHttpRequest inherits incorrect principal within sandbox
* MFSA 2012-99/CVE-2012-4208 (bmo#798264)
XrayWrappers exposes chrome-only properties when not in chrome
compartment
* MFSA 2012-100/CVE-2012-5841 (bmo#805807)
Improper security filtering for cross-origin wrappers
* MFSA 2012-101/CVE-2012-4207 (bmo#801681)
Improper character decoding in HZ-GB-2312 charset
* MFSA 2012-102/CVE-2012-5837 (bmo#800363)
Script entered into Developer Toolbar runs with chrome privileges
* MFSA 2012-103/CVE-2012-4209 (bmo#792405)
Frames can shadow top.location
* MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/
CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/
CVE-2012-4213/CVE-2012-4217/CVE-2012-4218
Use-after-free and buffer overflow issues found using Address
Sanitizer
* MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838
Use-after-free, buffer overflow, and memory corruption issues
found using Address Sanitizer
- rebased patches
- disabled WebRTC since build is broken (bmo#776877)
- update Enigmail to 1.4.6

-------------------------------------------------------------------
Sat Oct 27 08:58:22 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 16.0.2 (bnc#786522)
* MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196
(bmo#800666, bmo#793121, bmo#802557)
Fixes for Location object issues

-------------------------------------------------------------------
Thu Oct 11 03:16:52 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 16.0.1 (bnc#783533)
* MFSA 2012-88/CVE-2012-4191 (bmo#798045)
Miscellaneous memory safety hazards
* MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619)
defaultValue security checks not applied

-------------------------------------------------------------------
Mon Oct 8 13:27:10 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 16.0 (bnc#783533)
* MFSA 2012-74/CVE-2012-3982/CVE-2012-3983
Miscellaneous memory safety hazards
* MFSA 2012-75/CVE-2012-3984 (bmo#575294)
select element persistence allows for attacks
* MFSA 2012-76/CVE-2012-3985 (bmo#655649)
Continued access to initial origin after setting document.domain
* MFSA 2012-77/CVE-2012-3986 (bmo#775868)
Some DOMWindowUtils methods bypass security checks
* MFSA 2012-79/CVE-2012-3988 (bmo#725770)
DOS and crash with full screen and history navigation
* MFSA 2012-80/CVE-2012-3989 (bmo#783867)
Crash with invalid cast when using instanceof operator
* MFSA 2012-81/CVE-2012-3991 (bmo#783260)
GetProperty function can bypass security checks
* MFSA 2012-82/CVE-2012-3994 (bmo#765527)
top object and location property accessible by plugins
* MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370)
Chrome Object Wrapper (COW) does not disallow access to privileged
functions or properties
* MFSA 2012-84/CVE-2012-3992 (bmo#775009)
Spoofing and script injection through location.hash
* MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/
CVE-2012-4181/CVE-2012-4182/CVE-2012-4183
Use-after-free, buffer overflow, and out of bounds read issues
found using Address Sanitizer
* MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/
CVE-2012-4188
Heap memory corruption issues found using Address Sanitizer
* MFSA 2012-87/CVE-2012-3990 (bmo#787704)
Use-after-free in the IME State Manager
- update Enigmail to version 1.4.5

-------------------------------------------------------------------
Sun Aug 26 14:59:20 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 15.0 (bnc#777588)
* MFSA 2012-57/CVE-2012-1970
Miscellaneous memory safety hazards
* MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975
CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959
CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964
Use-after-free issues found using Address Sanitizer
* MFSA 2012-59/CVE-2012-1956 (bmo#756719)
Location object can be shadowed using Object.defineProperty
* MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793)
Memory corruption with bitmap format images with negative height
* MFSA 2012-62/CVE-2012-3967/CVE-2012-3968
WebGL use-after-free and memory corruption
* MFSA 2012-63/CVE-2012-3969/CVE-2012-3970
SVG buffer overflow and use-after-free issues
* MFSA 2012-64/CVE-2012-3971
Graphite 2 memory corruption
* MFSA 2012-65/CVE-2012-3972 (bmo#746855)
Out-of-bounds read in format-number in XSLT
* MFSA 2012-68/CVE-2012-3975 (bmo#770684)
DOMParser loads linked resources in extensions when parsing
text/html
* MFSA 2012-70/CVE-2012-3978 (bmo#770429)
Location object security checks bypassed by chrome code
* MFSA 2012-72/CVE-2012-3980 (bmo#771859)
Web console eval capable of executing chrome-privileged code
- update Enigmail to 1.4.4

-------------------------------------------------------------------
Sun Jul 29 07:22:19 UTC 2012 - aj@suse.de

- Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16)

-------------------------------------------------------------------
Sun Jul 15 08:06:50 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 14.0 (bnc#771583)
* MFSA 2012-42/CVE-2012-1949/CVE-2012-1948
Miscellaneous memory safety hazards
* MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952
Gecko memory corruption
* MFSA 2012-45/CVE-2012-1955 (bmo#757376)
Spoofing issue with location
* MFSA 2012-47/CVE-2012-1957 (bmo#750096)
Improper filtering of javascript in HTML feed-view
* MFSA 2012-48/CVE-2012-1958 (bmo#750820)
use-after-free in nsGlobalWindow::PageHidden
* MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559)
Same-compartment Security Wrappers can be bypassed
* MFSA 2012-50/CVE-2012-1960 (bmo#761014)
Out of bounds read in QCMS
* MFSA 2012-51/CVE-2012-1961 (bmo#761655)
X-Frame-Options header ignored when duplicated
* MFSA 2012-52/CVE-2012-1962 (bmo#764296)
JSDependentString::undepend string conversion results in memory
corruption
* MFSA 2012-53/CVE-2012-1963 (bmo#767778)
Content Security Policy 1.0 implementation errors cause data
leakage
* MFSA 2012-56/CVE-2012-1967 (bmo#758344)
Code execution through javascript: URLs
* relicensed to MPL-2.0
- update Enigmail to 1.4.3

-------------------------------------------------------------------
Thu Jul 5 09:58:15 UTC 2012 - adrian@suse.de

- no crashreport on %arm, fixing build

-------------------------------------------------------------------
Fri Jun 15 07:00:43 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 13.0.1
* bugfix release

-------------------------------------------------------------------
Sat Jun 2 12:41:08 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 13.0 (bnc#765204)
* MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
Miscellaneous memory safety hazards
* MFSA 2012-36/CVE-2012-1944 (bmo#751422)
Content Security Policy inline-script bypass
* MFSA 2012-37/CVE-2012-1945 (bmo#670514)
Information disclosure through Windows file shares and shortcut
files
* MFSA 2012-38/CVE-2012-1946 (bmo#750109)
Use-after-free while replacing/inserting a node in a document
* MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
Buffer overflow and use-after-free issues found using Address
Sanitizer
- require NSS 3.13.4
* MFSA 2012-39/CVE-2012-0441 (bmo#715073)
- fix build with system NSPR (mozilla-system-nspr.patch)
- add dependentlibs.list for improved XRE startup
- update enigmail to 1.4.2

-------------------------------------------------------------------
Wed May 16 05:38:46 UTC 2012 - wr@rosenauer.org

- reenabled crashreporter for Factory/12.2
(fix in mozilla-gcc47.patch)

-------------------------------------------------------------------
Mon Apr 30 06:43:26 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 12.0.1
* fix regressions
- POP3 filters (bmo#748090)
- Message Body not loaded when using "Fetch Headers Only"
(bmo#748865)
- Received messages contain parts of other messages with
movemail account (bmo#748726)
- New mail notification issue (bmo#748997)
- crash in nsMsgDatabase::MatchDbName (bmo#748432)

-------------------------------------------------------------------
Fri Apr 27 10:22:49 UTC 2012 - wr@rosenauer.org

- fixed build with gcc 4.7

-------------------------------------------------------------------
Sat Apr 21 07:39:28 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 12.0 (bnc#758408)
* MFSA 2012-20/CVE-2012-0467/CVE-2012-0468
Miscellaneous memory safety hazards
* MFSA 2012-22/CVE-2012-0469 (bmo#738985)
use-after-free in IDBKeyRange
* MFSA 2012-23/CVE-2012-0470 (bmo#734288)
Invalid frees cause heap corruption in gfxImageSurface
* MFSA 2012-24/CVE-2012-0471 (bmo#715319)
Potential XSS via multibyte content processing errors
* MFSA 2012-25/CVE-2012-0472 (bmo#744480)
Potential memory corruption during font rendering using cairo-dwrite
* MFSA 2012-26/CVE-2012-0473 (bmo#743475)
WebGL.drawElements may read illegal video memory due to
FindMaxUshortElement error
* MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307)
Page load short-circuit can lead to XSS
* MFSA 2012-28/CVE-2012-0475 (bmo#694576)
Ambiguous IPv6 in Origin headers may bypass webserver access
restrictions
* MFSA 2012-29/CVE-2012-0477 (bmo#718573)
Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
* MFSA 2012-30/CVE-2012-0478 (bmo#727547)
Crash with WebGL content using textImage2D
* MFSA 2012-31/CVE-2011-3062 (bmo#739925)
Off-by-one error in OpenType Sanitizer
* MFSA 2012-32/CVE-2011-1187 (bmo#624621)
HTTP Redirections and remote content can be read by javascript errors
* MFSA 2012-33/CVE-2012-0479 (bmo#714631)
Potential site identity spoofing when loading RSS and Atom feeds
- update Enigmail to 1.4.1
- added mozilla-revert_621446.patch
- added mozilla-libnotify.patch (bmo#737646)
- added mailnew-showalert.patch (bmo#739146)
- added mozilla-gcc47.patch and mailnews-literals.patch to fix
compilation issues with recent gcc 4.7
- disabled crashreporter temporarily for Factory (gcc 4.7 issue)

-------------------------------------------------------------------
Tue Mar 27 22:17:05 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 11.0.1 (bnc#755060)
* Fixing an issue where filters can get messed up (bmo#735940)
* Fixes a hang when switching IMAP folders, or doing other
imap functions (bmo#733731)

-------------------------------------------------------------------
Fri Mar 9 20:42:21 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 11.0 (bnc#750044)
* MFSA 2012-13/CVE-2012-0455 (bmo#704354)
XSS with Drag and Drop and Javascript: URL
* MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103)
SVG issues found with Address Sanitizer
* MFSA 2012-15/CVE-2012-0451 (bmo#717511)
XSS with multiple Content Security Policy headers
* MFSA 2012-16/CVE-2012-0458
Escalation of privilege with Javascript: URL as home page
* MFSA 2012-17/CVE-2012-0459 (bmo#723446)
Crash when accessing keyframe cssText after dynamic modification
* MFSA 2012-18/CVE-2012-0460 (bmo#727303)
window.fullScreen writeable by untrusted content
* MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/
CVE-2012-0463
Miscellaneous memory safety hazards
- update enigmail to 1.4
- added KDE integration patches (bnc#749440)

-------------------------------------------------------------------
Mon Feb 27 17:15:05 CET 2012 - jslaby@suse.de

- update enigmail to 1.3.99 (1.4a1pre)

-------------------------------------------------------------------
Thu Feb 16 10:54:42 UTC 2012 - wr@rosenauer.org

- update to Thunderbird 10.0.2 (bnc#747328)
* CVE-2011-3026 (bmo#727401)
libpng: integer overflow leading to heap-buffer overflow

-------------------------------------------------------------------
Thu Feb 9 08:10:32 UTC 2012 - wr@rosenauer.org

- update to version 10.0.1 (bnc#746616)
* MFSA 2012-10/CVE-2012-0452 (bmo#724284)
use after free in nsXBLDocumentInfo::ReadPrototypeBindings
- Use YARR interpreter instead of PCRE on platforms where YARR JIT
is not supported, since PCRE doesn't build (bmo#691898)
- fix ppc64 build (bmo#703534)

-------------------------------------------------------------------
Sun Jan 29 17:31:32 UTC 2012 - wr@rosenauer.org

- update to version 10.0 (bnc#744275)
* MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
Miscellaneous memory safety hazards
* MFSA 2012-03/CVE-2012-0445 (bmo#701071)
<iframe> element exposed across domains via name attribute
* MFSA 2012-04/CVE-2011-3659 (bmo#708198)
Child nodes from nsDOMAttribute still accessible after removal
of nodes
* MFSA 2012-05/CVE-2012-0446 (bmo#705651)
Frame scripts calling into untrusted objects bypass security
checks
* MFSA 2012-06/CVE-2012-0447 (bmo#710079)
Uninitialized memory appended when encoding icon images may
cause information disclosure
* MFSA 2012-07/CVE-2012-0444 (bmo#719612)
Potential Memory Corruption When Decoding Ogg Vorbis files
* MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
Crash with malformed embedded XSLT stylesheets
- update enigmail to 1.3.5
- added mozilla-disable-neon-option.patch to be able to disable
neon on ARM
- removed obsolete PPC64 patch

-------------------------------------------------------------------
Sun Dec 18 09:28:51 UTC 2011 - wr@rosenauer.org

- update to version 9.0 (bnc#737533)
* MFSA 2011-53/CVE-2011-3660
Miscellaneous memory safety hazards (rv:9.0)
* MFSA 2011-54/CVE-2011-3661 (bmo#691299)
Potentially exploitable crash in the YARR regular expression
library
* MFSA 2011-55/CVE-2011-3658 (bmo#708186)
nsSVGValue out-of-bounds access
* MFSA 2011-56/CVE-2011-3663 (bmo#704482)
Key detection without JavaScript via SVG animation
* MFSA 2011-58/CVE-2011-3665 (bmo#701259)
Crash scaling <video> to extreme sizes
- fixed accessibility under GNOME 3 (bnc#732898)
(mozilla-a11y.patch)
- do not show update channel in about box
(tb-no-update-channel.patch)

-------------------------------------------------------------------
Sun Dec 4 08:20:17 UTC 2011 - wr@rosenauer.org

- update enigmail to 1.3.4 (bnc#733002)
* fixes several regressions from previous release

-------------------------------------------------------------------
Mon Nov 21 21:54:27 UTC 2011 - wr@rosenauer.org

- do not disable system addons
- fixed enigmail localizations

-------------------------------------------------------------------
Mon Nov 21 11:35:56 UTC 2011 - dvaleev@suse.com

- fix powerpc build
- disable crashreporter on ppc and ppc64

-------------------------------------------------------------------
Mon Nov 7 20:23:30 UTC 2011 - wr@rosenauer.org

- update to version 8.0 (bnc#728520)
* MFSA 2011-47/CVE-2011-3648 (bmo#690225)
Potential XSS against sites using Shift-JIS
* MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
Miscellaneous memory safety hazards
* MFSA 2011-49/CVE-2011-3650 (bmo#674776)
Memory corruption while profiling using Firebug
* MFSA 2011-52/CVE-2011-3655 (bmo#672182)
Code execution via NoWaiverWrapper
- rebased patches
- update enigmail to 1.3.3
- update icon cache after install/removal (bnc#726758)

-------------------------------------------------------------------
Fri Sep 30 09:59:15 UTC 2011 - wr@rosenauer.org

- update to minor version 7.0.1
* fixed staged addon updates
* Disabled the what's new tab for updaters from 7.0 (bmo#690290)
* Insert Characters & Symbols fix (bmo#690267)

-------------------------------------------------------------------
Mon Sep 26 09:18:56 UTC 2011 - wr@rosenauer.org

- update to version 7.0 (bnc#720264)
* MFSA 2011-36
Miscellaneous memory safety hazards
* MFSA 2011-39/CVE-2011-3000 (bmo#655389)
Defense against multiple Location headers due to CRLF Injection
* MFSA 2011-40/CVE-2011-2372/CVE-2011-3001
Code installation through holding down Enter
* MFSA 2011-42/CVE-2011-3232
Potentially exploitable crash in the YARR regular expression
library
* MFSA 2011-44/CVE-2011-3005 (bmo#675747)
Use after free reading OGG headers
- removed obsolete mozilla-cairo-lcd.patch

-------------------------------------------------------------------
Tue Sep 13 07:36:50 UTC 2011 - wr@rosenauer.org

- update enigmail to 1.3.2 (no changelog available)
- add dbus-1-glib-devel to BuildRequires (not pulled automatically
anymore with 12.1)

-------------------------------------------------------------------
Fri Sep 9 20:42:23 UTC 2011 - wr@rosenauer.org

- make enigmail a subversion of Thunderbird to fix %release
number tracking issues with the Open Build Service
(taken from dmueller's 3.1.x changes)

-------------------------------------------------------------------
Wed Sep 7 14:30:34 UTC 2011 - pcerny@suse.com

- security update to 6.0.2 (bnc#714931)
* Complete blocking of certificates issued by DigiNotar
(bmo#683449)

-------------------------------------------------------------------
Fri Sep 2 14:40:07 UTC 2011 - pcerny@suse.com

- security update to 6.0.1 (bnc#714931)
* MFSA 2011-34
Protection against fraudulent DigiNotar certificates
(bmo#682927)

-------------------------------------------------------------------
Wed Aug 17 08:50:39 CEST 2011 - jslaby@suse.de

- update enigmail to 1.3 final

-------------------------------------------------------------------
Fri Aug 12 20:40:07 UTC 2011 - wr@rosenauer.org

- update to version 6.0 (bnc#712224)
including security fixes MFSA 2011-31
* CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985
Miscellaneous memory safety hazards
* CVE-2011-2988 (bmo#665936)
String crash using WebGL shaders
* CVE-2011-2987 (bmo#665934)
Heap overflow in ANGLE library
* CVE-2011-0084 (bmo#648094)
Crash in SVGTextElement.getCharNumAtPosition()
* CVE-2011-2986 (bmo#655836)
Cross-origin data theft using canvas and Windows D2D
- add mozilla-curl.patch to remove dependencies to obsolete curl
header

-------------------------------------------------------------------
Fri Jul 30 08:30:11 CEST 2011 - jslaby@suse.de

- update enigmail to 1.2.99 (1.3a1pre)

-------------------------------------------------------------------
Fri Jul 29 21:13:54 UTC 2011 - wr@rosenauer.org

- update to version 6.0b2
* removed obsolete patches
- mozilla-gio.patch
- thunderbird-gio.patch
- fix symbol dumper for linux3 platform

-------------------------------------------------------------------
Sat Jul 9 11:16:51 UTC 2011 - wr@rosenauer.org

- update to version 5.0
- update enigmail to version 1.2
- improved logic for the launcher command
- enable gio usage (instead of gnomevfs) for 11.4 and newer
- build dump_syms dynamic to build on 12.1 and above

-------------------------------------------------------------------
Mon Jun 20 09:36:22 UTC 2011 - wr@rosenauer.org

- security update to version 3.1.11 (bnc#701296)
* MFSA 2011-19/CVE-2011-2374 CVE-2011-2376 CVE-2011-2364
CVE-2011-2365
Miscellaneous memory safety hazards
* MFSA 2011-20/CVE-2011-2373 (bmo#617247)
Use-after-free vulnerability when viewing XUL document with
script disabled
* MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303)
Memory corruption due to multipart/x-mixed-replace images
* MFSA 2011-22/CVE-2011-2371 (bmo#664009)
Integer overflow and arbitrary code execution in
Array.reduceRight()
* MFSA 2011-23/CVE-2011-0083 CVE-2011-0085 CVE-2011-2363
Multiple dangling pointer vulnerabilities
* MFSA 2011-24/CVE-2011-2362 (bmo#616264)
Cookie isolation error
- speed up find-external-requires.sh
- do not build dump_syms static as it is not needed for us
-> fixes build for 12.1 and above

-------------------------------------------------------------------
|
|
Fri Apr 15 06:24:16 UTC 2011 - wr@rosenauer.org
|
|
|
|
- security update to version 3.1.10 (bnc#689281)
|
|
* MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0072
|
|
CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078
|
|
CVE-2011-0080 CVE-2011-0081
|
|
Miscellaneous memory safety hazards
|
|
|
|
-------------------------------------------------------------------
Fri Mar 25 08:50:30 UTC 2011 - idoenmez@novell.com

- Add mozilla-gcc46.patch: fix compilation with gcc 4.6
See the following bug reports:
https://bugzilla.mozilla.org/show_bug.cgi?id=623116
https://bugzilla.mozilla.org/show_bug.cgi?id=623123
https://bugzilla.mozilla.org/show_bug.cgi?id=623126
https://bugzilla.mozilla.org/show_bug.cgi?id=628371

-------------------------------------------------------------------
Tue Feb 22 08:51:12 UTC 2011 - wr@rosenauer.org

- security update to version 3.1.8 (build3) (bnc#667155)
* MFSA 2011-01/CVE-2011-0053/CVE-2011-0062
Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)
* MFSA 2011-08/CVE-2010-1585 (bmo#562547)
ParanoidFragmentSink allows javascript: URLs in chrome documents
* MFSA 2011-09/CVE-2011-0061 (bmo#610601)
Crash caused by corrupted JPEG image

-------------------------------------------------------------------
Thu Jan 13 13:08:39 UTC 2011 - wr@rosenauer.org

- rename desktop file for 11.4 and above (bnc#664211)

-------------------------------------------------------------------
Mon Jan 10 09:30:21 UTC 2011 - wr@rosenauer.org

- add x-scheme-handler/mailto as mimetype to the desktop file
as needed by newer Gnome environment

-------------------------------------------------------------------
Mon Nov 29 13:47:52 UTC 2010 - wr@rosenauer.org

- security update to version 3.1.7 (bnc#657016)
* MFSA 2010-74/CVE-2010-3776/CVE-2010-3777/CVE-2010-3778
Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)
* MFSA 2010-75/CVE-2010-3769 (bmo#608336)
Buffer overflow while line breaking after document.write with
long string
* MFSA 2010-78/CVE-2010-3768 (bmo#527276)
Add support for OTS font sanitizer
- provide versioned "thunderbird" symbol

-------------------------------------------------------------------
Wed Oct 27 10:55:39 CEST 2010 - wr@rosenauer.org

- security update to version 3.1.6 (bnc#649492)
* MFSA 2010-73/CVE-2010-3765 (bmo#607222)
Heap buffer overflow mixing document.write and DOM insertion

-------------------------------------------------------------------
Wed Oct 6 23:19:15 CEST 2010 - wr@rosenauer.org

- security update to version 3.1.5 (bnc#645315)
* MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176
Miscellaneous memory safety hazards
* MFSA 2010-65/CVE-2010-3179 (bmo#583077)
Buffer overflow and memory corruption using document.write
* MFSA 2010-66/CVE-2010-3180 (bmo#588929)
Use-after-free error in nsBarProp
* MFSA 2010-67/CVE-2010-3183 (bmo#598669)
Dangling pointer vulnerability in LookupGetterOrSetter
* MFSA 2010-69/CVE-2010-3178 (bmo#576616)
Cross-site information disclosure via modal calls
* MFSA 2010-70/CVE-2010-3170 (bmo#578697)
SSL wildcard certificate matching IP addresses
* MFSA 2010-71/CVE-2010-3182 (bmo#590753, bnc#642502)
Unsafe library loading vulnerabilities
* MFSA 2010-72/CVE-2010-3173
Insecure Diffie-Hellman key exchange
* new extra locales
* removed upstreamed mozilla-helper-app.patch
- require mozilla-nss >= 3.12.8

-------------------------------------------------------------------
Wed Sep 15 08:19:49 CEST 2010 - wr@rosenauer.org

- update to version 3.1.4
* fixing startup topcrash

-------------------------------------------------------------------
Mon Aug 30 17:40:28 CEST 2010 - wr@rosenauer.org

- security update to version 3.1.3 (bnc#637303)
* MFSA 2010-49/CVE-2010-3169
Miscellaneous memory safety hazards
* MFSA 2010-50/CVE-2010-2765 (bmo#576447)
Frameset integer overflow vulnerability
* MFSA 2010-51/CVE-2010-2767 (bmo#584512)
Dangling pointer vulnerability using DOM plugin array
* MFSA 2010-53/CVE-2010-3166 (bmo#579655)
Heap buffer overflow in nsTextFrameUtils::TransformText
* MFSA 2010-54/CVE-2010-2760 (bmo#585815)
Dangling pointer vulnerability in nsTreeSelection
* MFSA 2010-55/CVE-2010-3168 (bmo#576075)
XUL tree removal crash and remote code execution
* MFSA 2010-56/CVE-2010-3167 (bmo#576070)
Dangling pointer vulnerability in nsTreeContentView
* MFSA 2010-57/CVE-2010-2766 (bmo#580445)
Crash and remote code execution in normalizeDocument
* MFSA 2010-59/CVE-2010-2762 (bmo#584180)
SJOW creates scope chains ending in outer object
* MFSA 2010-61/CVE-2010-2768 (bmo#579744)
UTF-7 XSS by overriding document charset using <object> type
attribute
* MFSA 2010-62/CVE-2010-2769 (bmo#520189)
Copy-and-paste or drag-and-drop into designMode document allows
XSS
* MFSA 2010-63/CVE-2010-2764 (bmo#552090)
Information leak via XMLHttpRequest statusText
- ESD notification sound fix included upstream

-------------------------------------------------------------------
Mon Aug 30 17:37:58 CEST 2010 - wr@rosenauer.org

- fixed build with latest Gnome
(mozilla-gdk-pixbuf.patch)

-------------------------------------------------------------------
Sat Jul 24 17:22:58 CEST 2010 - wr@rosenauer.org

- update to version 3.1.1
* based on the Gecko 1.9.2 platform
* Faster Search Results
* Quick Filter Toolbar
* New Migration Assistant
* Saved Files Manager
- update to enigmail 1.1.2
- enable crashreporter and package buildsymbols
- fixed esd sound output (notifications) (bmo#576365)

-------------------------------------------------------------------
Fri Jul 16 07:19:40 CEST 2010 - wr@rosenauer.org

- security update to 3.0.6 (bnc#622506)
* MFSA 2010-34/CVE-2010-1211/CVE-2010-1212
Miscellaneous memory safety hazards
* MFSA 2010-39/CVE-2010-2752 (bmo#574059)
nsCSSValue::Array index integer overflow
* MFSA 2010-40/CVE-2010-2753 (bmo#571106)
nsTreeSelection dangling pointer remote code execution
vulnerability
* MFSA 2010-41/CVE-2010-1205 (bmo#570451)
Remote code execution using malformed PNG image
* MFSA 2010-42/CVE-2010-1213 (bmo#568148)
Cross-origin data disclosure via Web Workers and importScripts
* MFSA 2010-46/CVE-2010-0654 (bmo#524223)
Cross-domain data theft using CSS
* MFSA 2010-47/CVE-2010-2754 (bmo#568564)
Cross-origin data leakage from script filename in error messages

-------------------------------------------------------------------
Fri May 21 07:31:34 CEST 2010 - wr@rosenauer.org

- security update to 3.0.5 (bnc#603356)
* MFSA 2010-25/CVE-2010-1121 (bmo#555109)
Re-use of freed object due to scope confusion
* MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/
CVE-2010-1203
Crashes with evidence of memory corruption (rv:1.9.1.10)
* MFSA 2010-29/CVE-2010-1196 (bmo#534666)
Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
* MFSA 2010-30/CVE-2010-1199 (bmo#554255)
Integer Overflow in XSLT Node Sorting

-------------------------------------------------------------------
Mon Apr 12 06:50:16 CEST 2010 - wr@rosenauer.org

- do not encode the RPM release number into the useragent
to avoid non useful republishing (bnc#593807)

-------------------------------------------------------------------
Wed Mar 17 20:07:51 CET 2010 - wr@rosenauer.org

- security update to 3.0.4 (bnc#586567)
* MFSA 2010-16/CVE-2010-0173/CVE-2010-0174
Crashes with evidence of memory corruption
* MFSA 2010-17/CVE-2010-0175 (bmo#540100,375928)
Remote code execution with use-after-free in nsTreeSelection
* MFSA 2010-18/CVE-2010-0176 (bmo#538308)
Dangling pointer vulnerability in nsTreeContentView
* MFSA 2010-22/CVE-2009-3555 (bmo#545755)
Update NSS to support TLS renegotiation indication
* MFSA 2010-24/CVE-2010-0182 (bmo#490790)
XMLDocument::load() doesn't check nsIContentPolicy

-------------------------------------------------------------------
Sun Feb 28 19:56:44 CET 2010 - wr@rosenauer.org

- update to 3.0.3
* Fix for missing folders or empty folder pane after updating
to Thunderbird 3.0.2

-------------------------------------------------------------------
Fri Feb 26 17:04:00 CET 2010 - wr@rosenauer.org

- security update to 3.0.2 (bnc#576969)
* MFSA 2010-01/CVE-2010-0159
Crashes with evidence of memory corruption
* MFSA 2010-03/CVE-2009-1571
Use-after-free crash in HTML parser
* various stability improvements
- update enigmail to 1.0.1
* Czech, Dutch, Polish and Portuguese (Brazilian) languages
were added to the release.
* there are several fixes related using OpenPGP Smartcards
- use system hunspell again (bnc#582276)

-------------------------------------------------------------------
Tue Jan 12 00:23:23 CET 2010 - wr@rosenauer.org

- update to 3.0.1
* fixed UI issues related to some combinations of installed addons
(bmo#398702)
- fixed session restore (bnc#528406, bmo#508986)
- removed obsolete lightning stuff from spec file
- removed obsolete orbit-devel build requirement

-------------------------------------------------------------------
Mon Dec 7 10:04:05 CET 2009 - wr@rosenauer.org

- update to 3.0 (bnc#559819)
- update enigmail to final version 1.0.0
- use --disable-updater and removed obsolete UI patch and
pref changes
- use internal cairo up to 11.1 (Gecko now requires at least 1.8.8)
- added mozilla-clipboard.patch fixing a common crash (bmo#495392)
- removed upstreamed patch thunderbird-cs-smtpauth.patch

-------------------------------------------------------------------
Wed Oct 7 21:41:15 CEST 2009 - wr@rosenauer.org

- fixed startup-notification (bnc#518603)
(mozilla-startup-notification.patch)

-------------------------------------------------------------------
Tue Sep 29 14:03:51 CEST 2009 - wr@rosenauer.org

- fixed CS locale to allow SMTP AUTH sending of mails (bnc#542809)

-------------------------------------------------------------------
Tue Sep 15 17:58:56 CEST 2009 - wr@rosenauer.org

- update to 3.0b4
* removed upstreamed patches
* based on Gecko 1.9.1.3 (inheriting security fixes)
* new global search

-------------------------------------------------------------------
Tue Aug 25 17:56:36 CEST 2009 - wr@rosenauer.org

- reversioned enigmail to 0.96.99 (as it's actually 0.97a and 0.96
has been released already)
- fixed RPM group for the translation subpackages

-------------------------------------------------------------------
Fri Aug 21 13:58:54 CEST 2009 - wr@rosenauer.org

- remove obsolete code for protocol handlers (bmo#389732)
(mozilla-protocol_handler.patch)
- new enigmail snapshot (20090813)
- require pinentry-gui for 11.2 and up (bnc#441084)

-------------------------------------------------------------------
Sun Aug 9 09:02:25 CEST 2009 - wr@rosenauer.org

- Gtk filechooser allows alternative button order (as used in KDE)
(bnc#527418)
- translations{,-common} package doesn't provide en-US
- split translations into -common and -other packages (bnc#529180)

-------------------------------------------------------------------
Tue Jul 28 12:59:23 CEST 2009 - wr@rosenauer.org

- fixed wrong %exclude by removing unwanted files at %install stage

-------------------------------------------------------------------
Fri Jul 17 13:48:02 CEST 2009 - wr@rosenauer.org

- major update to 3.0b3
- update enigmail to 0.96pre
- created enigmail subpackage and install to system wide location
for Thunderbird and SeaMonkey
- define MOZ_APP_LAUNCHER for session management (bmo#453689)
(mozilla-app-launcher.patch and mozilla.sh.in)
- move opensuse.js prefs to all-opensuse.js prefs to be able
to override prefs in all-thunderbird.js
- move intl.locale.matchOS to all-opensuse.js
- added mozilla-jemalloc_deepbind.patch to fix various possible
crashes (bnc#503151, bmo#493541)

-------------------------------------------------------------------
Fri Jun 19 10:35:46 CEST 2009 - coolo@novell.com

- disable as-needed for this package as it fails to build with it

-------------------------------------------------------------------
Tue Jun 2 11:40:59 CEST 2009 - wr@rosenauer.org

- Fixed build issue for gcc 4.4 (mozilla-gcc44.patch)

-------------------------------------------------------------------
Wed Mar 18 14:52:14 CET 2009 - wr@rosenauer.org

- security update to version 2.0.0.21 (bnc#484321)
* MFSA 2009-07/CVE-2009-0771, CVE-2009-0772, CVE-2009-0773
CVE-2009-0774:
Crashes with evidence of memory corruption (rv:1.9.0.7)
* MFSA 2009-09/CVE-2009-0776:
XML data theft via RDFXMLDataSource and cross-domain redirect
* MFSA 2009-10/CVE-2009-0040:
Upgrade PNG library to fix memory safety hazards

-------------------------------------------------------------------
Fri Jan 2 13:51:19 EST 2009 - hfiguiere@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Wed Dec 31 13:33:22 CET 2008 - wr@rosenauer.org

- security update to version 2.0.0.19 (bnc#455804)
+ MFSA 2008-68/CVE-2008-5511 and CVE-2008-5512: XSS and JavaScript
privilege escalation
+ MFSA 2008-67/CVE-2008-5510: Escaped null characters ignored by
CSS parser
+ MFSA 2008-66/CVE-2008-5508: Errors parsing URLs with leading
whitespace and control characters
+ MFSA 2008-65/CVE-2008-5507: Cross-domain data theft via script
redirect error message
+ MFSA 2008-64/CVE-2008-5506: XMLHttpRequest 302 response disclosure
+ MFSA 2008-61/CVE-2008-5503: Information stealing via loadBindingDocument
+ MFSA 2008-60/CVE-2008-5500, CVE-2008-5501 and CVE-2008-5502:
Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
- improved mozilla-shared-nss-db.patch and
mozilla-system-hunspell.patch to be able to apply them
unconditionally

-------------------------------------------------------------------
Fri Nov 21 11:26:06 CET 2008 - wr@rosenauer.org

- Add mozilla-shared-nss-db.patch which allows migrating to and
sharing with other applications using NSS
(same functionality as in xulrunner/firefox)
(can be disabled completely exporting MOZ_TB_NO_NSSHELPER=1)

-------------------------------------------------------------------
Thu Nov 20 18:53:35 CST 2008 - maw@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Thu Nov 13 11:02:01 CET 2008 - wr@rosenauer.org

- security update to version 2.0.0.18 (bnc#439841)
* MFSA 2008-48 / CVE-2008-5012
Image stealing via canvas and HTTP redirect
* MFSA 2008-50 / CVE-2008-5014 (bmo#436741)
Crash and remote code execution via __proto__ tampering
* MFSA 2008-52 / CVE-2008-5016 / CVE-2008-5017 / CVE-2008-5018
Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
* MFSA 2008-55 / CVE-2008-5021 (bmo#456896)
Crash and remote code execution in nsFrameManager
* MFSA 2008-56 / CVE-2008-5022 (bmo#460002)
nsXMLHttpRequest::NotifyEventListeners() same-origin violation
* MFSA 2008-58 / CVE-2008-5024 (bmo#453915)
Parsing error in E4X default namespace

-------------------------------------------------------------------
Wed Oct 15 10:32:09 CDT 2008 - maw@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Wed Oct 8 09:51:06 CEST 2008 - wr@rosenauer.org

- use system hunspell from 11.0 on (bnc#385739)
- remove more executable bits from non-executable files

-------------------------------------------------------------------
Tue Sep 23 09:42:12 CEST 2008 - wr@rosenauer.org

- security update to version 2.0.0.17 (bnc#429179)
* MFSA 2008-37 / CVE-2008-0016
UTF-8 URL stack buffer overflow
* MFSA 2008-38 / CVE-2008-3835
nsXMLDocument::OnChannelRedirect() same-origin violation
* MFSA 2008-41 / CVE-2008-4058 / CVE-2008-4059 / CVE-2008-4060
Privilege escalation via XPCnativeWrapper pollution
* MFSA 2008-42 / CVE-2008-4061 / CVE-2008-4062 / CVE-2008-4063
CVE-2008-4064
Crashes with evidence of memory corruption
* MFSA 2008-43 / CVE-2008-4065 / CVE-2008-4066
BOM characters, low surrogates stripped from JavaScript before
execution
* MFSA 2008-44 / CVE-2008-4067 / CVE-2008-4068
resource: traversal vulnerabilities
* MFSA 2008-46 / CVE-2008-4070
Heap overflow when canceling newsgroup message

-------------------------------------------------------------------
Mon Sep 15 13:06:11 CEST 2008 - wr@rosenauer.org

- fixed undefined operation in nsMailboxService.cpp (abuild.patch)
- cleanup spec a bit while merging from OBS/mozilla
* forwarding old fixes to cups-paper.patch, mozilla.sh.in and
add-plugins.sh (were fixed long ago in the OBS repo)

-------------------------------------------------------------------
Thu Sep 11 21:34:40 CEST 2008 - mauro@suse.de

- Update to 2.0.0.16 (fixed bnc#417869), fixes:
+ MFSA 2008-34 Remote code execution by overflowing CSS
reference counter
+ MFSA 2008-33 Crash and remote code execution in block reflow
+ MFSA 2008-31 Peer-trusted certs can use alt names to spoof
+ MFSA 2008-29 Faulty .properties file results in uninitialized
memory being used
+ MFSA 2008-26 Buffer length checks in MIME processing
+ MFSA 2008-25 Arbitrary code execution in
mozIJSSubScriptLoader.loadSubScript()
+ MFSA 2008-24 Chrome script loading from fastload file
+ MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

-------------------------------------------------------------------
Wed Jul 23 18:01:05 CEST 2008 - schwab@suse.de

- Remove unused includes.

-------------------------------------------------------------------
Tue Jun 24 18:43:51 CEST 2008 - maw@suse.de

- Security update to version 2.0.0.14 (bnc#390992):
+ MFSA 2008-15 / CVE-2008-1236 and CVE-2008-1237: Crashes with
evidence of memory corruption (rv:1.8.1.13)
+ MFSA 2008-14 / CVE-2008-1233, CVE-2008-1234, and CVE-2008-1235:
JavaScript privilege escalation and arbitrary code execution
- Drop the following patches: thunderbird-2.0.0.14-backports.patch,
mozilla-missing-decl.patch, and unused-includes.patch
- Respin mozilla-gcc4.3-fixes.patch.

-------------------------------------------------------------------
Fri May 30 17:27:50 CEST 2008 - maw@suse.de

- Add thunderbird-2.0.0.14-backports.patch (bnc390992).

-------------------------------------------------------------------
Fri May 16 16:59:40 CEST 2008 - schwab@suse.de

- Remove unused includes.

-------------------------------------------------------------------
Mon Mar 24 20:17:09 CET 2008 - maw@suse.de

- Add mozilla-missing-decl.patch, which is necessary when building
against new versions of mozilla-nss (bmo#399589).

-------------------------------------------------------------------
Fri Mar 7 18:34:42 CET 2008 - maw@suse.de

- Security update to version 2.0.0.12 (bnc#354469)
* MFSA 2008-12 Buffer overflow in external MIME bodies
- Replace mozilla-maxpathlen.patch with mozilla-path_len.patch, for
consistency's sake.

-------------------------------------------------------------------
Thu Jan 17 17:56:04 CET 2008 - maw@suse.de

- Add mozilla-maxpathlen.patch (#354150 and bmo #412610).

-------------------------------------------------------------------
Tue Jan 15 20:36:54 CET 2008 - maw@suse.de

- Merge changes from the build service (thanks, Wolfgang)
- Update to version 2.0.9.9 (MFSA 2007-29)
- Update enigmail to version 0.95.6
- Add a -devel subpackage
- Various fixes to enable building with gcc 4.3.

-------------------------------------------------------------------
Tue Nov 13 17:50:35 CET 2007 - maw@suse.de

- Add thunderbird-gcc4.3-fixes.patch
- Add visibility.patch.

-------------------------------------------------------------------
Thu Sep 13 17:00:36 CEST 2007 - cthiel@suse.de

- recommend gpg instead of requiring a fixed path

-------------------------------------------------------------------
Wed Sep 12 18:25:34 CEST 2007 - maw@suse.de

- Added gpg/pinentry requirements (#309160).

-------------------------------------------------------------------
Tue Sep 4 00:57:26 CEST 2007 - maw@suse.de

- Don't run %fdupes on directories where multiple partitions
are liable to be mounted.

-------------------------------------------------------------------
Mon Sep 3 17:50:50 CEST 2007 - maw@suse.de

- Merge some changes from the build service (thanks, Wolfgang):
+ Provide locale info (#302288)
+ Update releasedate
- Uncomment %clean.

-------------------------------------------------------------------
Tue Aug 21 18:45:00 CEST 2007 - maw@suse.de

- Use %fdupes.

-------------------------------------------------------------------
Tue Aug 21 18:12:36 CEST 2007 - maw@suse.de

- Merge updates from the build service:
- Update to security release 2.0.0.6:
* MFSA 2007-26 Privilege escalation through chrome-loaded
about:blank windows
* MFSA 2007-27 Unescaped URIs passed to external programs
- Update enigmail to version 0.95.3.

-------------------------------------------------------------------
Wed Aug 15 15:04:09 CEST 2007 - maw@suse.de

- On x86_64, s390, and s390x, deactivate the hidden visibility
support, thereby fixing the build.

-------------------------------------------------------------------
Wed Jul 25 21:52:23 CEST 2007 - maw@suse.de

- Security update to version 2.0.0.5 (#288115)
- This new release has fixes for:
MFSA 2007-18
CVE-2007-3734 - Browser flaws
CVE-2007-3735 - Javascript flaws

MFSA 2007-19
CVE-2007-3736

MFSA 2007-20
CVE-2007-3089

MFSA 2007-21
CVE-2007-3737

MFSA 2007-22
CVE-2007-3285

MFSA 2007-23
CVE-2007-3670

MFSA 2007-24
CVE-2007-3656

MFSA 2007-25
CVE-2007-3738
- Update to enigmail 0.95.2.

-------------------------------------------------------------------
Thu Jun 21 17:23:18 CEST 2007 - adrian@suse.de

- fix changelog entry order

-------------------------------------------------------------------
Fri Jun 15 18:09:28 CDT 2007 - maw@suse.de

- Merge update to 2.0.0.4 from the build service (thanks, Wolfgang)
- Remove some commented out stuff.

-------------------------------------------------------------------
Wed Jun 13 23:00:38 CEST 2007 - wr@rosenauer.org

- update to maintenance release 2.0.0.4
- update enigmail to 0.95.1
- adopted patches:
* fixed cups-paper.patch (copied from FF)
* removed obsolete visibility.patch

-------------------------------------------------------------------
Tue Jun 12 11:53:55 CDT 2007 - maw@suse.de

- Merge changes from the build service (thanks, Wolfgang)
- Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2 as
before.

-------------------------------------------------------------------
Tue Jun 5 18:20:13 CEST 2007 - maw@suse.de

- Security update to version 1.5.0.12 (#271197).

-------------------------------------------------------------------
Tue Jun 5 15:55:08 CEST 2007 - sbrabec@suse.cz

- Removed invalid desktop category "Application" (#254654).

-------------------------------------------------------------------
Thu Apr 19 07:15:36 CEST 2007 - wr@rosenauer.org

- update to final version 2.0.0.0
(http://www.mozilla.com/en-US/thunderbird/2.0.0.0/releasenotes/)
- update enigmail to 0.95.0

-------------------------------------------------------------------
Wed Apr 18 14:16:44 CEST 2007 - mfabian@suse.de

- add Japanese to the languages which get PANGO enabled in the
start script to support the Japanese combining characters
U+3099 U+309A (see bugzilla #262718 comment #29).

-------------------------------------------------------------------
Thu Apr 12 16:35:43 CEST 2007 - wr@rosenauer.org

- update to 2.0.0.0rc1
- enabled translations package

-------------------------------------------------------------------
Fri Mar 30 11:35:01 CEST 2007 - wr@rosenauer.org

- update to snapshot 2.0.0.0pre-20070329
- security update enigmail 0.94.3
(Bugtraq #22758)

-------------------------------------------------------------------
Fri Mar 30 10:35:03 CEST 2007 - meissner@suse.de

- require unzip

-------------------------------------------------------------------
Tue Mar 13 08:36:31 CET 2007 - wr@rosenauer.org

- update to snapshot 2.0pre-20060312
- removed implicit NSS version dependency

-------------------------------------------------------------------
Thu Mar 8 15:56:56 CET 2007 - meissner@suse.de

- Upgraded to 1.5.0.10 security release.
- Upgraded to enigmail 0.94.2.

-------------------------------------------------------------------
Thu Feb 15 19:47:56 CET 2007 - wr@rosenauer.org

- update to snapshot 2.0beta2-20060214
- fixed build on SLES9

-------------------------------------------------------------------
Mon Feb 5 18:56:14 CET 2007 - wr@rosenauer.org

- fixed check in add-plugins.sh (#242237)

-------------------------------------------------------------------
Tue Jan 30 10:50:51 CST 2007 - maw@suse.de

- Add thunderbird-1.5.0.8-uninitalized-vars-232305.patch (#232305).

-------------------------------------------------------------------
Thu Jan 18 17:59:26 CST 2007 - maw@suse.de

- Add undefined-ops.patch, silencing some warnings.

-------------------------------------------------------------------
Thu Nov 9 01:41:19 CET 2006 - jhargadon@suse.de

- security update to version 1.5.0.8

-------------------------------------------------------------------
Tue Sep 12 20:51:58 CEST 2006 - stark@suse.de

- security update to version 1.5.0.7

-------------------------------------------------------------------
Mon Aug 14 11:37:46 CEST 2006 - stark@suse.de

- update enigmail to 0.94.1
* Added support for signing attachments with inline-PGP
- update mailredirect to 0.7.4
- added backend patch to allow replies to list with
ReplyToListThunderbirdExtension (#199125, bmo #45715)
- added mailnews.clobber_list_reply pref which switches
"Reply All" to "Reply List" functionality if set

-------------------------------------------------------------------
Thu Jul 27 06:50:44 CEST 2006 - stark@suse.de

- security update to version 1.5.0.5 (#195043)
- fixed overwrite confirmation for GTK filesaver (#179531)

-------------------------------------------------------------------
Wed Jun 7 19:52:37 CEST 2006 - stark@suse.de

- fixed up BuildRequires

-------------------------------------------------------------------
Fri Jun 2 12:18:49 CEST 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Fri Jun 2 12:13:48 CEST 2006 - stark@suse.de

- update to security/stability release 1.5.0.4 (#179011)
(http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird)

-------------------------------------------------------------------
Mon May 15 07:16:13 CEST 2006 - stark@suse.de

- update to version 1.5.0.2
- update mailredirect to 0.7.3
- save printer settings properly (#174082, bmo #324072)
- improved postscript output (bmo #334485)
- changed defaults for printer properties (#6534)
- get available paper sizes from CUPS (#65482)

-------------------------------------------------------------------
Sat Mar 18 22:23:49 CET 2006 - stark@suse.de

- translations package is suggested now by main package
- yet another set of upstream fixes (#148876)

-------------------------------------------------------------------
Sun Mar 12 19:52:08 CET 2006 - stark@suse.de

- added Khmer (km-*) to pango locales (#157397)
- yet another set of upstream fixes (#148876)

-------------------------------------------------------------------
Sat Mar 4 21:27:42 CET 2006 - stark@suse.de

- latest security fixes from upstream (#148876)
- show multiple Reply-To addresses (bmo #106189)

-------------------------------------------------------------------
Fri Feb 24 09:00:40 CET 2006 - stark@suse.de

- added GTK category to desktop-file
- dumpstack.patch is in upstream patches now
- get some more patches (#148876)

-------------------------------------------------------------------
Tue Feb 14 07:28:48 CET 2006 - stark@suse.de

- applied set of security patches (#148876)

-------------------------------------------------------------------
Tue Feb 7 20:09:32 CET 2006 - stark@suse.de

- fixed disabling of Pango (#148788)

-------------------------------------------------------------------
Thu Feb 2 21:50:18 CET 2006 - stark@suse.de

- defined gssapi lib explicitly (#147670)

-------------------------------------------------------------------
Wed Feb 1 17:34:34 CET 2006 - stark@suse.de

- removed additional CA certs from builtin NSS
- make it possible to choose $HOME as download directory
(#144894, bmo #300856)
- cleaned up BuildRequires

-------------------------------------------------------------------
Wed Jan 25 21:33:47 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Mon Jan 23 08:39:32 CET 2006 - stark@suse.de

- disable Pango if MOZ_ENABLE_PANGO is not set
and no typical language which needs Pango is used (#143428)
- preload libaoss for plugin sound (#117079)
- fix to ignore X composite extension (#135373)

-------------------------------------------------------------------
Wed Jan 18 09:38:18 CET 2006 - stark@suse.de

- added default (font) settings
- tweak useragent
- fixed DumpStackToFile() for glibc 2.4

-------------------------------------------------------------------
Thu Jan 12 10:35:03 CET 2006 - stark@suse.de

- update to 1.5 (20060111)
- added system extensions patch
- added XUL filechooser patch (MOZ_XUL_PICKER)
- update enigmail to 0.94.0
- use -fstack-protector where available
- use system NSS since CODE10

-------------------------------------------------------------------
Wed Dec 28 08:35:38 CET 2005 - stark@suse.de

- update to 1.5rc2 (20051227)

-------------------------------------------------------------------
Sun Dec 11 08:16:01 CET 2005 - stark@suse.de

- update to 1.5 (20051211)
- update enigmail to 0.93.2

-------------------------------------------------------------------
Tue Nov 29 09:53:05 CET 2005 - stark@suse.de

- update enigmail to 0.93.1
- added patch for GTK2 handling (#134831)

-------------------------------------------------------------------
Fri Nov 25 10:29:26 CET 2005 - stark@suse.de

- update to 1.5 (20051124)

-------------------------------------------------------------------
Fri Oct 28 06:47:11 CEST 2005 - stark@suse.de

- update to latest 1.5 snapshot (20051027)
- added patch to be able to reply to and forward rfc822 messages
  (bmo #204350)
- again don't provide and require NSS stuff
- removed disable-gconf patch (no registration needed in build
  process anymore)
- added mailredirect extension
- removed update functionality

-------------------------------------------------------------------
Mon Oct 10 21:50:36 CEST 2005 - stark@suse.de

- update to 1.5b2 (20051008)
- preinstall Enigmail (version 0.93.0) as global extension
- add all supported locales and use if installed

-------------------------------------------------------------------
Tue Oct 4 09:32:11 CEST 2005 - stark@suse.de

- update to 1.5b2 (20051003) (RPM version 1.4.1)
- prerequire NSPR
- prepared translations subpackage
- fixed filelist
- fixed build with new gcc

-------------------------------------------------------------------
Wed Sep 21 14:32:28 CEST 2005 - stark@suse.de

- update to 1.5b1 (20050920)
- added spellchecker integration with myspell (add-plugins.sh)
- removed aviary-install-global patch (not needed anymore, with
  new EM)
- enabled pango font rendering (through cairo hopefully)
- fixed GNOME gconf registration (#117851)

-------------------------------------------------------------------
Sat Aug 20 20:33:10 CEST 2005 - stark@suse.de

- workaround for linking with pangoxft and pangox
  (broken by gtk 2.8 update) (#105764)

-------------------------------------------------------------------
Thu Aug 18 08:48:17 CEST 2005 - stark@suse.de

- fixed Gdk-WARNING at startup (gtk.patch)
- fixed regression in profile locking change (bmo #303633)
- fixed crash with gtk 2.7 (bmo #300226, bnc #104586)

-------------------------------------------------------------------
Wed Aug 3 07:23:50 CEST 2005 - stark@suse.de

- fixed profile locking (bmo #151188)

-------------------------------------------------------------------
Fri Jul 29 07:06:57 CEST 2005 - stark@suse.de

- don't require and provide NSS libs (#98002)

-------------------------------------------------------------------
Fri Jul 22 11:00:05 CEST 2005 - stark@suse.de

- fixed printing patch

-------------------------------------------------------------------
Tue Jul 19 10:45:22 CEST 2005 - stark@suse.de

- added NSPR to PreReq
- disable stripping in specfile

-------------------------------------------------------------------
Fri Jul 15 07:01:45 CEST 2005 - stark@suse.de

- update to 1.0.6 which restores API compatibility
- fixed width calculation in Postscript module (bmo #290292)

-------------------------------------------------------------------
Thu Jul 14 12:29:41 CEST 2005 - stark@suse.de

- fixed filelist to include icon-file and startscript again

-------------------------------------------------------------------
Tue Jul 12 06:28:21 CEST 2005 - stark@suse.de

- fixed remote usage behaviour in start script (bnc #41903)
- update to 1.0.5 security release
- fixed quoting patch
- moved desktop file to a Gnome independent location
- don't strip explicitly
- use RPM_OPT_FLAGS for NSS component
- fixed implicit declarations and uninitialized used variables

-------------------------------------------------------------------
Thu Apr 28 10:45:51 CEST 2005 - stark@suse.de

- updated to current 1.0 branch version
- use static NSPR from other location

-------------------------------------------------------------------
Sat Apr 23 23:13:52 CEST 2005 - stark@suse.de

- activate usage of system NSPR for distributions after 9.3
- add patch to be able to use system NSPR at all
- extended desktop file

-------------------------------------------------------------------
Fri Apr 22 12:48:13 CEST 2005 - ro@suse.de

- apply mozilla-gcc4.patch

-------------------------------------------------------------------
Wed Mar 23 08:28:57 CET 2005 - stark@suse.de

- update to 1.0.2
- use system NSPR on SUSE releases after 9.3
- made startscript PIS aware
- set g-application-name correctly (bmo #281979)

-------------------------------------------------------------------
Mon Mar 7 21:27:33 CET 2005 - stark@suse.de

- don't use gconfd in registration phase (#66381)

-------------------------------------------------------------------
Fri Feb 25 18:03:31 CET 2005 - stark@suse.de

- update to version 1.0.1

-------------------------------------------------------------------
Tue Feb 22 21:59:53 CET 2005 - stark@suse.de

- added patch to create Postscript level 2 (instead of 3)
  (special thanks to Jungshik Shin)
- disabled freetype explicitly to be able to use the above patch
  (freetype wasn't used anymore since some time anyway)

-------------------------------------------------------------------
Wed Feb 2 14:02:34 CET 2005 - stark@suse.de

- added a JS crasher fix (bmc #268535)

-------------------------------------------------------------------
Sat Jan 22 13:17:37 CET 2005 - stark@suse.de

- added some backported bugfixes

-------------------------------------------------------------------
Tue Dec 7 10:26:15 CET 2004 - stark@suse.de

- update to 1.0
- fixed extra lines in replies (bmo #144998)
- fixed build on s390/s390x

-------------------------------------------------------------------
Wed Nov 24 07:16:17 CET 2004 - stark@suse.de

- update to 20041123 snapshot
- inherit downloadFolder patch from Firefox

-------------------------------------------------------------------
Fri Nov 12 10:58:46 CET 2004 - stark@suse.de

- fixed chrome filelist

-------------------------------------------------------------------
Thu Nov 4 08:12:51 CET 2004 - stark@suse.de

- update to 0.9
- sync patch-set with firefox base
- fixed neededforbuild to get GNOME functionalities

-------------------------------------------------------------------
Fri Sep 17 10:30:36 CEST 2004 - stark@suse.de

- added some missing fixes for official release
- synced add-plugins.sh

-------------------------------------------------------------------
Sat Sep 11 13:47:50 CEST 2004 - stark@suse.de

- update to official 0.8 version (20040911)
- fixed enigmail config

-------------------------------------------------------------------
Mon Sep 6 08:58:08 CEST 2004 - stark@suse.de

- fixed profile directory

-------------------------------------------------------------------
Fri Sep 3 21:50:19 CEST 2004 - stark@suse.de

- update to thunderbird 0.8 (20040903)
- update enigmail to 0.86.0 and ipc to 1.0.8 (deactivated)

-------------------------------------------------------------------
Tue Aug 24 08:09:42 CEST 2004 - stark@suse.de

- update to thunderbird 0.7.3
- update enigmail to 0.85.0 and ipc to 1.0.7

-------------------------------------------------------------------
Tue Jun 29 11:31:39 CEST 2004 - stark@suse.de

- update to thunderbird 0.7.1
- update enigmail to 0.84.1

-------------------------------------------------------------------
Wed May 12 18:16:28 CEST 2004 - ro@suse.de

- add some missing return values

-------------------------------------------------------------------
Mon May 3 13:16:26 CEST 2004 - stark@suse.de

- update to Thunderbird 0.6 (based on 1.7rc1)
- use official branding for release builds
- added desktop-icon (#39139)

-------------------------------------------------------------------
Fri Apr 2 10:32:00 CEST 2004 - stark@suse.de

- removing relocation of TEMP directory (#34391)

-------------------------------------------------------------------
Fri Mar 26 18:09:27 CET 2004 - uli@suse.de

- fixed hang during build on s390* (bug #35440)

-------------------------------------------------------------------
Sun Mar 7 23:19:54 CET 2004 - ro@suse.de

- match function declaration in enigmail mimedummy.cpp

-------------------------------------------------------------------
Fri Mar 5 07:00:23 CET 2004 - stark@suse.de

- more fixes for #35179
- added firefox as default handler for its protocols
- update enigmail to 0.83.4

-------------------------------------------------------------------
Wed Mar 3 06:52:35 CET 2004 - stark@suse.de

- removed unused patches for GTK2 build

-------------------------------------------------------------------
Sun Feb 29 14:35:02 CET 2004 - stark@suse.de

- improved start-script to interact with firefox and mozilla
  (#35179)

-------------------------------------------------------------------
Fri Feb 27 06:50:16 CET 2004 - stark@suse.de

- update to 0.5
- spec-file cleanup

-------------------------------------------------------------------
Wed Oct 15 17:08:01 CEST 2003 - stark@suse.de

- update to 0.3 (sync with mozilla 1.5)

-------------------------------------------------------------------
Tue Jul 15 09:18:45 CEST 2003 - stark@suse.de

- initial package (snapshot 20030714)