Accepting request 632919 from home:AndreasStieger:branches:mozilla:Factory

Add changelog detail for MFSA 2018-19 (bsc#1098998) OBS-URL: https://build.opensuse.org/request/show/632919 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=426
2018-09-03 20:13:55 +00:00 · 2018-09-03 20:13:55 +00:00 · c08272f856
commit c08272f856
parent ff674588f7
2 changed files with 48 additions and 5 deletions
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@ -13,10 +13,53 @@ Wed Aug 15 09:09:03 UTC 2018 - bjorn.lie@gmail.com
 -------------------------------------------------------------------
 Fri Aug  3 06:02:53 UTC 2018 - wr@rosenauer.org

- update to Thunderbird 60.0
-  * requires NSPR 4.19 and NSS 3.36.4
-  * what's new
+- update to Thunderbird 60.0:
  https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/
+  * Improved message handling and composing
+  * Improved handling of message templates
+  * Support for OAuth2 and FIDO U2F
+  * Various Calendar improvements
+  * Various fixes and changes to e-mail workflow 
+  * Various IMAP fixes
+  * Native desktop notifications
+- Security fixes which can not, in general, be exploited through
+  email, but are potential risks in browser or browser-like contexts:
+  MFSA 2018-19 (bsc#1098998)
+  * CVE-2018-12359 (bmo#1459162)
+    Buffer overflow using computed size of canvas element
+  * CVE-2018-12360 (bmo#1459693)
+    Use-after-free when using focus()
+  * CVE-2018-12361 (bmo#1463244)
+    Integer overflow in SwizzleData
+  * CVE-2018-12362 (bmo#1452375)
+    Integer overflow in SSSE3 scaler
+  * CVE-2018-5156 (bmo#1453127)
+    Media recorder segmentation fault when track type is changed
+    during capture
+  * CVE-2018-12363 (bmo#1464784)
+    Use-after-free when appending DOM nodes
+  * CVE-2018-12364 (bmo#1436241)
+    CSRF attacks through 307 redirects and NPAPI plugins
+  * CVE-2018-12365 (bmo#1459206)
+    Compromised IPC child process can list local filenames
+  * CVE-2018-12371 (bmo#1465686)
+    Integer overflow in Skia library during edge builder allocation
+  * CVE-2018-12366 (bmo#1464039)
+    Invalid data handling during QCMS transformations
+  * CVE-2018-12367 (bmo#1462891)
+    Timing attack mitigation of PerformanceNavigationTiming
+  * CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938,
+    bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568,
+    bmo#1463884)
+    Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and 
+    Thunderbird 60
+  * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
+    bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
+    bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
+    bmo#1464079,bmo#1463494,bmo#1458048)
+    Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox
+    ESR 52.9, and Thunderbird 60
+- requires NSPR 4.19 and NSS 3.36.4
 - source archives are now signed directly
  (removed checksum signature check)
 - imported patches from Firefox 60
--- a/MozillaThunderbird.spec
+++ b/MozillaThunderbird.spec
@ -13,7 +13,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #