From c08272f856bcb7fd29967eb0361bb54a1fd36d5e499f3d0923a617a89763f11b Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Mon, 3 Sep 2018 20:13:55 +0000 Subject: [PATCH] Accepting request 632919 from home:AndreasStieger:branches:mozilla:Factory Add changelog detail for MFSA 2018-19 (bsc#1098998) OBS-URL: https://build.opensuse.org/request/show/632919 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=426 --- MozillaThunderbird.changes | 51 +++++++++++++++++++++++++++++++++++--- MozillaThunderbird.spec | 2 +- 2 files changed, 48 insertions(+), 5 deletions(-) diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes index 06cf56f..e0dc9f5 100644 --- a/MozillaThunderbird.changes +++ b/MozillaThunderbird.changes 
@@ -13,10 +13,53 @@ Wed Aug 15 09:09:03 UTC 2018 - bjorn.lie@gmail.com ------------------------------------------------------------------- Fri Aug 3 06:02:53 UTC 2018 - wr@rosenauer.org -- update to Thunderbird 60.0 - * requires NSPR 4.19 and NSS 3.36.4 - * what's new - https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/ +- update to Thunderbird 60.0: + https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/ + * Improved message handling and composing + * Improved handling of message templates + * Support for OAuth2 and FIDO U2F + * Various Calendar improvements + * Various fixes and changes to e-mail workflow + * Various IMAP fixes + * Native desktop notifications +- Security fixes which can not, in general, be exploited through + email, but are potential risks in browser or browser-like contexts: + MFSA 2018-19 (bsc#1098998) + * CVE-2018-12359 (bmo#1459162) + Buffer overflow using computed size of canvas element + * CVE-2018-12360 (bmo#1459693) + Use-after-free when using focus() + * CVE-2018-12361 (bmo#1463244) + Integer overflow in SwizzleData + * CVE-2018-12362 (bmo#1452375) + Integer overflow in SSSE3 scaler + * CVE-2018-5156 (bmo#1453127) + Media recorder segmentation fault when track type is changed + during capture + * CVE-2018-12363 (bmo#1464784) + Use-after-free when appending DOM nodes + * CVE-2018-12364 (bmo#1436241) + CSRF attacks through 307 redirects and NPAPI plugins + * CVE-2018-12365 (bmo#1459206) + Compromised IPC child process can list local filenames + * CVE-2018-12371 (bmo#1465686) + Integer overflow in Skia library during edge builder allocation + * CVE-2018-12366 (bmo#1464039) + Invalid data handling during QCMS transformations + * CVE-2018-12367 (bmo#1462891) + Timing attack mitigation of PerformanceNavigationTiming + * CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938, + bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568, + bmo#1463884) + Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, 
and + Thunderbird 60 + * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739, + bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576, + bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829, + bmo#1464079,bmo#1463494,bmo#1458048) + Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox + ESR 52.9, and Thunderbird 60 +- requires NSPR 4.19 and NSS 3.36.4 - source archives are now signed directly (removed checksum signature check) - imported patches from Firefox 60 diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec index 66080bd..633618c 100644 --- a/MozillaThunderbird.spec +++ b/MozillaThunderbird.spec @@ -13,7 +13,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ #
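Review bot: In the MozillaThunderbird.changes hunk, the MFSA 2018-19 list is folded into the existing entry dated "Fri Aug 3 06:02:53 UTC 2018 - wr@rosenauer.org" instead of going into a new entry. Anyone reading the changelog will therefore see bsc#1098998 and the CVE ids as if they had been recorded on 3 August. If the retroactive edit is intended, the commit message should say so. The same hunk also replaces the "what's new" line with a feature list and moves "requires NSPR 4.19 and NSS 3.36.4" from a sub-item of the update line to its own top-level item. The subject ("Add changelog detail for MFSA 2018-19") does not mention either change, so a short note on them would help later readers of the history.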
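Review bot: The MozillaThunderbird.spec hunk changes the bug-report URL in the header comment from https://bugs.opensuse.org/ to http://bugs.opensuse.org/. This is unrelated to the stated purpose of the commit (changelog detail for MFSA 2018-19) and moves the link from TLS to a plaintext scheme. Suggest dropping this hunk or keeping the https:// form. If the line was rewritten by an automated spec formatter rather than by hand, note that in the commit message so the change is not mistaken for a deliberate downgrade.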