
leap-16.0 code-o-o#leap/features#240 #1

Closed
lkocman wants to merge 23 commits from lkocman/MozillaThunderbird:leap-16.0 into leap-16.0
First-time contributor

Update Leap 16.0's Thunderbird to Factory version

* Thunderbird in 15.6 was significantly newer which broke upgrade (140.1X compared to our 128.X in 16.0)

https://code.opensuse.org/leap/features/issue/240
lkocman added 23 commits 2025-08-25 15:45:12 +02:00
* Changed color override defaults with high contrast mode on
    macOS and Linux
  * Using Delete column in "Search Messages..." window could delete
    other messages
  MFSA 2025-32 (bsc#1241621)
  * CVE-2025-2817 (bmo#1917536)
    Privilege escalation in Thunderbird Updater
  * CVE-2025-4082 (bmo#1937097)
    WebGL shader attribute memory corruption in Thunderbird for
    macOS
  * CVE-2025-4083 (bmo#1958350)
    Process isolation bypass using "javascript:" URI links in
    cross-origin frames
  * CVE-2025-4084 (bmo#1949994, bmo#1956698, bmo#1960198)
    Potential local code execution in "copy as cURL" command
  * CVE-2025-4087 (bmo#1952465)
    Unsafe attribute access during XPath parsing
  * CVE-2025-4091 (bmo#1951161, bmo#1952105)
    Memory safety bugs fixed in Firefox 138, Thunderbird 138,
    Firefox ESR 128.10, and Thunderbird 128.10
  * CVE-2025-4093 (bmo#1894100)
    Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird
    128.10

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=812
- Mozilla Thunderbird ESR 128.10.0
  * Changed color override defaults with high contrast mode on
    macOS and Linux
  * Using Delete column in "Search Messages..." window could delete
    other messages
  MFSA 2025-32 (bsc#1241621)
  * CVE-2025-2817 (bmo#1917536)
    Privilege escalation in Thunderbird Updater
  * CVE-2025-4082 (bmo#1937097)
    WebGL shader attribute memory corruption in Thunderbird for
    macOS
  * CVE-2025-4083 (bmo#1958350)
    Process isolation bypass using "javascript:" URI links in
    cross-origin frames
  * CVE-2025-4084 (bmo#1949994, bmo#1956698, bmo#1960198)
    Potential local code execution in "copy as cURL" command
  * CVE-2025-4087 (bmo#1952465)
    Unsafe attribute access during XPath parsing
  * CVE-2025-4091 (bmo#1951161, bmo#1952105)
    Memory safety bugs fixed in Firefox 138, Thunderbird 138,
    Firefox ESR 128.10, and Thunderbird 128.10
  * CVE-2025-4093 (bmo#1894100)
    Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird
    128.10

OBS-URL: https://build.opensuse.org/request/show/1273775
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=360
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=814
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=815
OBS-URL: https://build.opensuse.org/request/show/1277886
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=361
changelog for Mozilla Thunderbird ESR 128.0.2

OBS-URL: https://build.opensuse.org/request/show/1279086
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=817
fix mfsa

OBS-URL: https://build.opensuse.org/request/show/1279280
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=818
OBS-URL: https://build.opensuse.org/request/show/1279281
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=362
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=820
OBS-URL: https://build.opensuse.org/request/show/1280770
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=363
Replace usage of %jobs for reproducible builds (boo#1237231)

OBS-URL: https://build.opensuse.org/request/show/1283963
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=822
MFSA 2025-49
  * CVE-2025-5986 (bmo#1958580, bmo#1968012)
    Unsolicited File Download, Disk Space Exhaustion, and Credential
    Leakage via mailbox:/// Links

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=823
- Mozilla Thunderbird ESR 128.11.1
  MFSA 2025-49
  * CVE-2025-5986 (bmo#1958580, bmo#1968012)
    Unsolicited File Download, Disk Space Exhaustion, and Credential
    Leakage via mailbox:/// Links

- Replace usage of %jobs for reproducible builds (boo#1237231)

OBS-URL: https://build.opensuse.org/request/show/1284604
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=364
Tumbleweed with new gcc15 otherwise:
  gcc14, gcc14-c++, cargo1.84, rust1.84

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=825
- Use these tools/versions unconditionally, package won't build on
  Tumbleweed with new gcc15 otherwise:
  gcc14, gcc14-c++, cargo1.84, rust1.84

OBS-URL: https://build.opensuse.org/request/show/1287471
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=365
MFSA 2025-55 (bsc#1244670)
  * CVE-2025-6424 (bmo#1966423)
    Use-after-free in FontFaceSet
  * CVE-2025-6425 (bmo#1717672)
    The WebCompat WebExtension shipped exposed a persistent UUID
  * CVE-2025-6426 (bmo#1964385)
    No warning when opening executable terminal files on macOS
  * CVE-2025-6429 (bmo#1970658)
    Incorrect parsing of URLs could have allowed embedding of
    youtube.com
  * CVE-2025-6430 (bmo#1971140)
    Content-Disposition header ignored when a file is included in
    an embed or object tag

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=827
- Mozilla Thunderbird ESR 128.12.0
  MFSA 2025-55 (bsc#1244670)
  * CVE-2025-6424 (bmo#1966423)
    Use-after-free in FontFaceSet
  * CVE-2025-6425 (bmo#1717672)
    The WebCompat WebExtension shipped exposed a persistent UUID
  * CVE-2025-6426 (bmo#1964385)
    No warning when opening executable terminal files on macOS
  * CVE-2025-6429 (bmo#1970658)
    Incorrect parsing of URLs could have allowed embedding of
    youtube.com
  * CVE-2025-6430 (bmo#1971140)
    Content-Disposition header ignored when a file is included in
    an embed or object tag

OBS-URL: https://build.opensuse.org/request/show/1290580
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=366
* New folders were not added alphabetically if folders manually
    reordered beforehand
  * Message archive folder creation could silently stop during async
    folder creation
  MFSA 2025-63 (bsc#1246664)
  * CVE-2025-8027 (bmo#1968423)
    JavaScript engine only wrote partial return value to stack
  * CVE-2025-8028 (bmo#1971581)
    Large branch table could lead to truncated instruction
  * CVE-2025-8029 (bmo#1928021)
    javascript: URLs executed on object and embed tags
  * CVE-2025-8036 (bmo#1960834)
    DNS rebinding circumvents CORS
  * CVE-2025-8037 (bmo#1964767)
    Nameless cookies shadow secure cookies
  * CVE-2025-8030 (bmo#1968414)
    Potential user-assisted code execution in “Copy as cURL” command
  * CVE-2025-8031 (bmo#1971719)
    Incorrect URL stripping in CSP reports
  * CVE-2025-8032 (bmo#1974407)
    XSLT documents could bypass CSP
  * CVE-2025-8038 (bmo#1808979)
    CSP frame-src was not correctly enforced for paths
  * CVE-2025-8039 (bmo#1970997)
    Search terms persisted in URL bar
  * CVE-2025-8033 (bmo#1973990)
    Incorrect JavaScript state machine for generators
  * CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)
    Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=829
- Mozilla Thunderbird ESR 140.1.0
  * New folders were not added alphabetically if folders manually
    reordered beforehand
  * Message archive folder creation could silently stop during async
    folder creation
  MFSA 2025-63 (bsc#1246664)
  * CVE-2025-8027 (bmo#1968423)
    JavaScript engine only wrote partial return value to stack
  * CVE-2025-8028 (bmo#1971581)
    Large branch table could lead to truncated instruction
  * CVE-2025-8029 (bmo#1928021)
    javascript: URLs executed on object and embed tags
  * CVE-2025-8036 (bmo#1960834)
    DNS rebinding circumvents CORS
  * CVE-2025-8037 (bmo#1964767)
    Nameless cookies shadow secure cookies
  * CVE-2025-8030 (bmo#1968414)
    Potential user-assisted code execution in “Copy as cURL” command
  * CVE-2025-8031 (bmo#1971719)
    Incorrect URL stripping in CSP reports
  * CVE-2025-8032 (bmo#1974407)
    XSLT documents could bypass CSP
  * CVE-2025-8038 (bmo#1808979)
    CSP frame-src was not correctly enforced for paths
  * CVE-2025-8039 (bmo#1970997)
    Search terms persisted in URL bar
  * CVE-2025-8033 (bmo#1973990)
    Incorrect JavaScript state machine for generators
  * CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)
    Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR

OBS-URL: https://build.opensuse.org/request/show/1295681
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=367
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=831
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1297206
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=368
Fixed
  * Users with attachments open in tabs saw an error on Thunderbird restart
  * Sending from unified or local folder failed if no default account was set
  * Delete button could remove attachment instead of message
  * Message list scrolled back when returning to mail tab after opening a message

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=833
- Mozilla Thunderbird ESR 140.1.1
  Fixed
  * Users with attachments open in tabs saw an error on Thunderbird restart
  * Sending from unified or local folder failed if no default account was set
  * Delete button could remove attachment instead of message
  * Message list scrolled back when returning to mail tab after opening a message

OBS-URL: https://build.opensuse.org/request/show/1298009
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=369
lkocman changed title from leap-16.0 to leap-16.0 code-o-o#leap/features#240 2025-08-25 15:45:51 +02:00
Owner

Manually closed:

* https://src.opensuse.org/pool/MozillaThunderbird/pulls/1
* https://src.opensuse.org/products/PackageHub/pulls/50
smithfarm closed this pull request 2025-09-05 13:22:30 +02:00

Pull request closed
