- Mozilla Thunderbird 91.11.0

* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
    additional fix applied
  * "Save-As" attachment dialog did not have filename pre-populated
  MFSA 2022-26 (bsc#1200793)
  * CVE-2022-34479 (bmo#1745595)
    A popup window could be resized in a way to overlay the
    address bar with web content
  * CVE-2022-34470 (bmo#1765951)
    Use-after-free in nsSHistory
  * CVE-2022-34468 (bmo#1768537)
    CSP sandbox header without `allow-scripts` can be bypassed
    via retargeted javascript: URI
  * CVE-2022-2226 (bmo#1775441)
    An email with a mismatching OpenPGP signature date was
    accepted as valid
  * CVE-2022-34481 (bmo#1497246)
    Potential integer overflow in ReplaceElementsAt
  * CVE-2022-31744 (bmo#1757604)
    CSP bypass enabling stylesheet injection
  * CVE-2022-34472 (bmo#1770123)
    Unavailable PAC file resulted in OCSP requests being blocked
  * CVE-2022-34478 (bmo#1773717)
    Microsoft protocols can be attacked if a user accepts a prompt
  * CVE-2022-2200 (bmo#1771381)
    Undesired attributes could be set as part of prototype pollution
  * CVE-2022-34484 (bmo#1763634, bmo#1772651)
    Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=640

MozillaThunderbird.changes

@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Sun Jun 26 08:53:26 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Thunderbird 91.11.0
+  * CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
+    additional fix applied
+  * "Save-As" attachment dialog did not have filename pre-populated
+  MFSA 2022-26 (bsc#1200793)
+  * CVE-2022-34479 (bmo#1745595)
+    A popup window could be resized in a way to overlay the
+    address bar with web content
+  * CVE-2022-34470 (bmo#1765951)
+    Use-after-free in nsSHistory
+  * CVE-2022-34468 (bmo#1768537)
+    CSP sandbox header without `allow-scripts` can be bypassed
+    via retargeted javascript: URI
+  * CVE-2022-2226 (bmo#1775441)
+    An email with a mismatching OpenPGP signature date was
+    accepted as valid
+  * CVE-2022-34481 (bmo#1497246)
+    Potential integer overflow in ReplaceElementsAt
+  * CVE-2022-31744 (bmo#1757604)
+    CSP bypass enabling stylesheet injection
+  * CVE-2022-34472 (bmo#1770123)
+    Unavailable PAC file resulted in OCSP requests being blocked
+  * CVE-2022-34478 (bmo#1773717)
+    Microsoft protocols can be attacked if a user accepts a prompt
+  * CVE-2022-2200 (bmo#1771381)
+    Undesired attributes could be set as part of prototype pollution
+  * CVE-2022-34484 (bmo#1763634, bmo#1772651)
+    Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
+
 -------------------------------------------------------------------
 Thu May 26 07:56:09 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>
 

MozillaThunderbird.spec

@@ -29,8 +29,8 @@
 # major 69
 # mainver %major.99
 %define major          91
-%define mainver        %major.10.0
+%define mainver        %major.11.0
-%define orig_version   91.10.0
+%define orig_version   91.11.0
 %define orig_suffix    %{nil}
 %define update_channel release
 %define source_prefix  thunderbird-%{orig_version}

tar_stamps

@@ -1,10 +1,10 @@
 PRODUCT="thunderbird"
 CHANNEL="esr91"
-VERSION="91.10.0"
+VERSION="91.11.0"
 VERSION_SUFFIX=""
-PREV_VERSION="91.9.1"
+PREV_VERSION="91.10.0"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr91"
-RELEASE_TAG="a52d41376d0374e23a0848e42a21454150c4d6a2"
+RELEASE_TAG="da48e7ecf800ec7761a3b6e0ca81e0c90adc30f7"
-RELEASE_TIMESTAMP="20220520005021"
+RELEASE_TIMESTAMP="20220628000715"

thunderbird-91.10.0.source.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a0dbf9a8083a4dff8a0506b5f4c6910f681476e2c5fce081beda4493168e66f9
-size 413952892

thunderbird-91.10.0.source.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmKOpnwACgkQ6+QekPbx
-L20tdw//XSN3MPmfipHx+sG7ttpoohrt4olNI4fu255iIwN+oY5c3bsnW9ZmVLG/
-jGqgSbiDfC13ZUlIRb8eWAkRQSJm59KWqMGsio8n2VTc4sIsbkt/jRcyOYSA8zEk
-M3DEI+MVPYPxu6VIiIsZhRrG1udB9Iptg3nvgy1+zhHvmWC4EZVLeZA+17gs9LnA
-CD1C6a87bSjzZP0B9cYiUv4j/QZQDq98NXDz62QzcgvvMA817WhDXaNol2NiHa1z
-IIKw0VSBWuIB6UnM3qyxUtVnLaznq4M+DMCrJzUrVOBOBzYh7KmKUcgak/KseojV
-YjvQ4YVu553EAG7yl89A15FND6IVl9/T5s9GQL3CeMptK1HJFIs1xEjmalNzdUYZ
-IXIPm5WdDr8btApEms1xTlZF3glq6971ZxeJXqoDJKWJD/vEepiu38tImxUx3jsA
-63gncutNJJdPVe5gSjGZXKDNLMG9Hg0BEVoWg7IhkuDP3h8u1vo98awRJez3Qc0u
-lQSGtG6b+rVMHHRNS0qb8Gy6wk1BO380HXLPnZFotN8oGcopmU59+sOtloEwyJYV
-5MoP9se1jWVUTdqQsvO+uHgV5kH5xC7GM7Sq4j/DDxy+SdbLa902NS6JAxeCrzho
-z7vMHfPu+PxUHlCQxvrkMqzy2+Nk/LfbVMFH1ZU9vYBNKi+qcY0=
-=q9Z/
------END PGP SIGNATURE-----

thunderbird-91.11.0.source.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:318e6d80eecf2d6f8af5c58e99333b8c4822a720a6193dc38848ff9a1e9e6dc8
+size 408098564

thunderbird-91.11.0.source.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmK6axsACgkQ6+QekPbx
+L20wwQ/+Ls0P1VcNs9vitUgHjtss7r7rmZQ3jiXFaX/D9719uJfa/YcXHHgFNdXP
+uVT9jjQFgIZgBN5SpIcaC7zygrh0nhbBw1Bg/4FWFyC8gHujvGMgF9hML+ltQx9x
+sKZo6N5utcDfBdEU0kvCE9bgLGq00FCnke0jfut+jxv+sN0s85lPMcRR35PEjFS2
+oEDqsauTbS+BJtA+oBF6D8IaLuZh9WA6zOgcqsNWmxxfCesUfVjYMihmicwFSvFQ
+SZmrQrvNd5bdB84GsLhf67uhWdu7UwjUjuALWIiTXNug8zdUgT7R4VDWpbcYXf8T
+VkA7HzmF6sABKkev4JX2DOxtVJwHGJteLFRNJYZnHwzz5o6qncs5I91j15SCc0AF
+u4Oriy7yis6EPRR3PLgYg9omdFQmB8E8QPgNkldfUpV9S8W2/tbKpNKCk1uMY8DL
+GkZNkPQY/Wx3CnPOy6bd1ACS9GwUdavacVvaiCLnVRRW+oWeGZ2C74CST8sXnodh
+hiZ1GFwshhdOowP4E3XthW+ZVDy7aEnTNaBLWT9s0jOsqeGwMK+XYEihstLPAdhN
+8Dq71zrmmQvnXPUlektykssVg2jox6F9xMCuM4z628/ajFoqApeJjvMYGiaQHJ8p
+BnxFDuZvB7mPlWzbtIGCCqxPRVlFq8VR9ySG3i+PDMfApOkZAjE=
+=eETF
+-----END PGP SIGNATURE-----