From ed5ea29202f09dc53ce515c2aea6318e33a7142c4a583073affa22addb82e8dc Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer Date: Tue, 11 Jan 2022 22:11:21 +0000 Subject: [PATCH] - Mozilla Thunderbird 91.5.0 https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes MFSA 2022-03 (bsc#1194547) * CVE-2022-22746 (bmo#1735071) Calling into reportValidity could have lead to fullscreen window spoof * CVE-2022-22743 (bmo#1739220) Browser window spoof using fullscreen mode * CVE-2022-22742 (bmo#1739923) Out-of-bounds memory access when inserting text in edit mode * CVE-2022-22741 (bmo#1740389) Browser window spoof using fullscreen mode * CVE-2022-22740 (bmo#1742334) Use-after-free of ChannelEventQueue::mOwner * CVE-2022-22738 (bmo#1742382) Heap-buffer-overflow in blendGaussianBlur * CVE-2022-22737 (bmo#1745874) Race condition when playing audio files * CVE-2021-4140 (bmo#1746720) Iframe sandbox bypass with XSLT * CVE-2022-22748 (bmo#1705211) Spoofed origin on external protocol launch dialog * CVE-2022-22745 (bmo#1735856) Leaking cross-origin URLs through securitypolicyviolation event * CVE-2022-22744 (bmo#1737252) The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection * CVE-2022-22747 (bmo#1735028) Crash when handling empty pkcs7 sequence * CVE-2022-22739 (bmo#1744158) OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=620 --- MozillaThunderbird.changes | 39 ++++++++++++++++++++++++++++ MozillaThunderbird.spec | 6 ++--- l10n-91.4.1.tar.xz | 3 --- l10n-91.5.0.tar.xz | 3 +++ tar_stamps | 8 +++--- thunderbird-91.4.1.source.tar.xz | 3 --- thunderbird-91.4.1.source.tar.xz.asc | 16 ------------ thunderbird-91.5.0.source.tar.xz | 3 +++ thunderbird-91.5.0.source.tar.xz.asc | 16 ++++++++++++ 9 files changed, 68 insertions(+), 29 deletions(-) delete mode 100644 l10n-91.4.1.tar.xz create mode 100644 l10n-91.5.0.tar.xz delete mode 100644 thunderbird-91.4.1.source.tar.xz delete mode 100644 thunderbird-91.4.1.source.tar.xz.asc create mode 100644 
thunderbird-91.5.0.source.tar.xz create mode 100644 thunderbird-91.5.0.source.tar.xz.asc
diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes
index 77a6889..993a1d4 100644
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Fri Jan 7 16:13:57 UTC 2022 - Wolfgang Rosenauer
+
+- Mozilla Thunderbird 91.5.0
+ https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
+ MFSA 2022-03 (bsc#1194547)
+ * CVE-2022-22746 (bmo#1735071)
+ Calling into reportValidity could have lead to fullscreen
+ window spoof
+ * CVE-2022-22743 (bmo#1739220)
+ Browser window spoof using fullscreen mode
+ * CVE-2022-22742 (bmo#1739923)
+ Out-of-bounds memory access when inserting text in edit mode
+ * CVE-2022-22741 (bmo#1740389)
+ Browser window spoof using fullscreen mode
+ * CVE-2022-22740 (bmo#1742334)
+ Use-after-free of ChannelEventQueue::mOwner
+ * CVE-2022-22738 (bmo#1742382)
+ Heap-buffer-overflow in blendGaussianBlur
+ * CVE-2022-22737 (bmo#1745874)
+ Race condition when playing audio files
+ * CVE-2021-4140 (bmo#1746720)
+ Iframe sandbox bypass with XSLT
+ * CVE-2022-22748 (bmo#1705211)
+ Spoofed origin on external protocol launch dialog
+ * CVE-2022-22745 (bmo#1735856)
+ Leaking cross-origin URLs through securitypolicyviolation event
+ * CVE-2022-22744 (bmo#1737252)
+ The 'Copy as curl' feature in DevTools did not fully escape
+ website-controlled data, potentially leading to command injection
+ * CVE-2022-22747 (bmo#1735028)
+ Crash when handling empty pkcs7 sequence
+ * CVE-2022-22739 (bmo#1744158)
+ Missing throttling on external protocol launch dialog
+ * CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366,
+ bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221,
+ bmo#1743515, bmo#1745373, bmo#1746011)
+ Memory safety bugs fixed in Thunderbird 91.5
+
 -------------------------------------------------------------------
 Tue Dec 28 20:20:30 UTC 2021 - Bjørn Lie
diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec
index 346d8be..ebe4049 100644
--- a/MozillaThunderbird.spec
+++ b/MozillaThunderbird.spec
@@ -1,7 +1,7 @@
 #
 # spec file
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 # 2006-2021 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
@@ -26,8 +26,8 @@
 # major 69
 # mainver %major.99
 %define major 91
-%define mainver %major.4.1
-%define orig_version 91.4.1
+%define mainver %major.5.0
+%define orig_version 91.5.0
 %define orig_suffix %{nil}
 %define update_channel release
 %define source_prefix thunderbird-%{orig_version}
diff --git a/l10n-91.4.1.tar.xz b/l10n-91.4.1.tar.xz
deleted file mode 100644
index 83e9734..0000000
--- a/l10n-91.4.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:58357a0157b34de992f4a7c2c5a35bcbd956d11b0b0061df97bcfcefb4a594da
-size 28646024
diff --git a/l10n-91.5.0.tar.xz b/l10n-91.5.0.tar.xz
new file mode 100644
index 0000000..fe3ad6c
--- /dev/null
+++ b/l10n-91.5.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a3fdd64670634c9337473d4a6f59191103ca0584047cf258da5db22966e65156
+size 28627244
diff --git a/tar_stamps b/tar_stamps
index 1c5f6c3..4d1bd77 100644
--- a/tar_stamps
+++ b/tar_stamps
@@ -1,10 +1,10 @@
 PRODUCT="thunderbird"
 CHANNEL="esr91"
-VERSION="91.4.1"
+VERSION="91.5.0"
 VERSION_SUFFIX=""
-PREV_VERSION="91.4.0"
+PREV_VERSION="91.4.1"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr91"
-RELEASE_TAG="11529576c3a7d89514771d1e0f5fa116eef29b81"
-RELEASE_TIMESTAMP="20211216022855"
+RELEASE_TAG="bcd2aab51cd0889d506d29455210d65602b97430"
+RELEASE_TIMESTAMP="20220106182030"
diff --git a/thunderbird-91.4.1.source.tar.xz b/thunderbird-91.4.1.source.tar.xz
deleted file mode 100644
index eb9bdfb..0000000
--- a/thunderbird-91.4.1.source.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f1079ed2cbd335a417b18929c5018d8ade9fb1d0c8cba9fdb2b6d672f14074f1
-size 408805472
diff --git a/thunderbird-91.4.1.source.tar.xz.asc b/thunderbird-91.4.1.source.tar.xz.asc deleted file mode 100644 index e7954e8..0000000 --- a/thunderbird-91.4.1.source.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmG8fOQACgkQ6+QekPbx -L21alhAAs680nSh8Q0nZxEE9mfOtLSpRWlal5KsPwGxVobNZ9wbiAiqSKgA1dNHp -AxqxUTt5ZGlvICzSKBrssvZyNyw1V4wLXYW4RDRTzeFPSCeAANdi6/pOue+E1AYB -XMiw69ZlfT6OtRh5iQiuYVtfectOVBV+92ZxBvBv3sJcLhWen4Jbr9I+yhRl31Hs -m3VtPMg4m3S6nxSQaZkErkFrg8hVCOxxkCF8gycpRTQGVc4qYpuuutIH8aCITGpM -cdauOamSF83XXQB9HZqp4deGhYxS0Zt8RkfGGM5C2oMPnoaoOcKM5g7SHk9oFqyn -rmUZ+YweV8D6dhzTFkwLtJ2l0u7jpmfF59VjYqPDDmjkr0OE+48ilNdwir03rgAj -s5ptGkqI62AFSeekj2vDMBHRpmgZW/xOBO6Lg0s1NIyySr8k1NrmGQLYWeGaFbcR -NICrlXKaLJVXFE/yOPO5jB3qff3foulWENP2WZtvuzJFMg/TxvgKL9fl0f9EShWm -SIV1zD65BxU7K4KzGKhd2L/IAj28XmhtHwccF9gWlLQALtsLfoAK+acVKwje/aQQ -1MxvvNp0Rt1vpdDwNWzT5KNIJgZ1Tu6oBe/f6jJXAo44wWGEwRrdlqZG5KnlkWEi -2a5SeGmXjkwyF++bxsYQ4sbsM7f7/lyQy0yETa/2XFW0ipRgBig= -=cguv ------END PGP SIGNATURE----- diff --git a/thunderbird-91.5.0.source.tar.xz b/thunderbird-91.5.0.source.tar.xz new file mode 100644 index 0000000..24ff560 --- /dev/null +++ b/thunderbird-91.5.0.source.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b89a8e1b57d5be828a7346e817120d7c763a258a2397a23393b7ceb3ce810ab2 +size 405937856 diff --git a/thunderbird-91.5.0.source.tar.xz.asc b/thunderbird-91.5.0.source.tar.xz.asc new file mode 100644 index 0000000..1bea325 --- /dev/null +++ b/thunderbird-91.5.0.source.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmHXnp8ACgkQ6+QekPbx +L23cexAAg90hG/vxcAKjy6JNVpKIa7eZOZUbyHAe8pJU8+L58tMIkFciF3vI1cDN +/qgjHXX/3ZOI797QRVBgnKBcys3hz0TRX0w942jAnnV9rIeFSZ656WbJOUroucHY +4Cn1C5Vu7s77Y3AbUgMKP+/xgMhSXiHB5LfC/J4LT5gIkM5+X9cebnMctFvyUasK +WqDPXvqB92u+qSYNo3Uof8OA3i6olNZYyP7PpHh3R23Z95rrBb4D2AroU+7Z2YXy +qJkQjLcVApggbCfUGeiL5qBVJFUQYypTN4o9BxJdkp789rWWXgeSfrgA4vD+uraz +dFtmv+SrITST3ToPszf3nfPC8km2Nb90IArJO/fIJuRF3oxsKq0ZgHdj1XmzIpsR +uzyXGvGTfCmLjhkOAE8DTx/tnIt1DOFcVvGue6hifDFwUbejSbYV0vGiZpQ+f26W +Q7IdrDF2kpgtznBfpobaMANXWT63MyrY1ryZQxOEKqdt/KZpCwxCc01gYCodOSoK +9T/j+JSI0tAtW7v+3VMnagqpEJ4EXPWUzs8xkZJbsWkj4aZ7ndKp+TnccO1rPT5E +qCAZfAnN6SjV36KNQi/WJvDNqad1IL1oQlxNlDbRA3+Cq8UVz+6hbhCb72mhHZv/ +baZWCcnYGlI7/1eh+t8PHg1wcKZTn37vFV8vvvYqnQZHaeHiV8I= +=lgac +-----END PGP SIGNATURE-----