- Mozilla Thunderbird 91.4.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
MFSA 2021-54 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120)
URL leakage when navigating while executing asynchronous
function
* CVE-2021-43537 (bmo#1738237)
Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091)
Missing fullscreen and pointer lock notification when
requesting both
* CVE-2021-43539 (bmo#1739683)
GC rooting failure when calling wasm instance methods
* CVE-2021-43541 (bmo#1696685)
External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281)
XMLHttpRequest error codes could have leaked the existence of
an external protocol handler
* CVE-2021-43543 (bmo#1738418)
Bypass of CSP sandbox directive when embedding
* CVE-2021-43545 (bmo#1720926)
Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751)
Cursor spoofing could overlay user interface when native
cursor is zoomed
* CVE-2021-43528 (bmo#1742579)
JavaScript unexpectedly enabled for the composition area
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
bmo#1737009, bmo#1739372, bmo#1739421)
OBS-URL: https://build.opensuse.org/request/show/936365
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=268
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=617
- Mozilla Thunderbird 91.3.0
* several fixes as outlined here
https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
MFSA 2021-50 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517)
iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156)
Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194)
Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750)
Thunderbird could be coaxed into going into fullscreen mode
without notification or warning
* CVE-2021-38507 (bmo#1730935)
Opportunistic Encryption in HTTP2 could be used to bypass the
Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0008 (bmo#1667102)
Use-after-free in HTTP2 Session object
* CVE-2021-38508 (bmo#1366818)
Permission Prompt could be overlaid, resulting in user
confusion and potential spoofing
* CVE-2021-38509 (bmo#1718571)
Javascript alert box could have been spoofed onto an
arbitrary domain
* CVE-2021-38510 (bmo#1731779)
Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
bmo#1735152)
Memory safety bugs fixed in Thunderbird ESR 91.3
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
OBS-URL: https://build.opensuse.org/request/show/929062
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=266
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=613
- Mozilla Thunderbird 91.2.0
* Saving a single message as .eml now uses a unique filename
* New mail notifications did not properly take subfolders into account
* Decrypting binary attachments when using an external GnuPG
configuration failed
* Account name fields in the account manager were not big enough
for long names
* LDAP searches using an extensibleMatch filter returned no results
* Read-only CalDAV calendars and CardDAV address books were not detected
* Multipart messages containing a calendar invite did not display
any of the human-readable alternatives
* Some calendar days were displayed incorrectly or duplicated
(e.g. two "29th" days of a particular month)
* Phantom event was shown at the end of each day in Calendar week view
MFSA 2021-46 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335)
Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621)
Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642)
Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813,
https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321)
Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
OBS-URL: https://build.opensuse.org/request/show/924567
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=264
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=608
- Mozilla Thunderbird 91.1.0
* Thunderbird registered Accessibility Handlers using same GUIDs
as Firefox, causing performance issues for NVDA users
* Focus lost when reordering accounts by keyboard in the Account Manager
* Account setup did not use provider display name for setting up
calendars
* Various theme and UX fixes
MFSA 2021-41 (bsc#1190269)
* CVE-2021-38492 (bmo#1721107)
Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101,
bmo#1724107)
Memory safety bugs fixed in Thunderbird 91.1
- (re-)added mozilla-silence-no-return-type.patch
- add mozilla-bmo531915.patch to fix build for i586
OBS-URL: https://build.opensuse.org/request/show/917701
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=261
* Thunderbird registered Accessibility Handlers using same GUIDs
as Firefox, causing performance issues for NVDA users
* Focus lost when reordering accounts by keyboard in the Account Manager
* Account setup did not use provider display name for setting up
calendars
* Various theme and UX fixes
MFSA 2021-XX (bsc#1190269)
- (re-)added mozilla-silence-no-return-type.patch
- add mozilla-bmo531915.patch to fix build for i586
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=604
- Mozilla Thunderbird 91.0.1
MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
- appdata screenshot URL updated (by mailaender@opensuse.org)
- Mozilla Thunderbird 91.0
* based on Mozilla's 91 ESR codebase
* many new and changed features
https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew
* Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences"
* Thunderbird now operates in multi-process (e10s) mode by default
* New user interface for adding attachments
* Enable redirect of messages
* CardDAV address book support
- Removed obsolete patches:
* mozilla-bmo1463035.patch
* mozilla-ppc-altivec_static_inline.patch
* mozilla-pipewire-0-3.patch
* mozilla-bmo1554971.patch
- add mozilla-libavcodec58_91.patch
- removed obsolete BigEndian ICU build workaround
- updated build requirements
- build using clang
OBS-URL: https://build.opensuse.org/request/show/913013
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=259
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=600
- Mozilla Thunderbird 78.13.0
* removed WeTransfer integration package (not supported by vendor
any longer)
MFSA 2021-35 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138)
Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29988 (bmo#1717922)
Memory corruption as a result of incorrect style treatment
* CVE-2021-29984 (bmo#1720031)
Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204)
Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29985 (bmo#1722083)
Use-after-free media channels
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
bmo#1719998, bmo#1720568)
Memory safety bugs fixed in Thunderbird 78.13
OBS-URL: https://build.opensuse.org/request/show/911495
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=258
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=598
- Mozilla Thunderbird 78.12.0
MFSA 2021-30 (bsc#1188275)
* CVE-2021-29969 (bmo#1682370)
IMAP server responses sent by a MITM prior to STARTTLS could be
processed
* CVE-2021-29970 (bmo#1709976)
Use-after-free in accessibility features of a document
* CVE-2021-30547 (bmo#1715766)
Out of bounds write in ANGLE
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
bmo#1711576, bmo#1714391)
Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
OBS-URL: https://build.opensuse.org/request/show/906332
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=257
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=597
- Mozilla Thunderbird 78.11.0
* OpenPGP could not be disabled for an account if a key was
previously configured
* Recipients were unable to decrypt some messages when the sender
had changed the message encryption from OpenPGP to S/MIME
* Contacts moved between CardDAV address books were not synced to
the new server
* CardDAV compatibility fixes for Google Contacts
MFSA 2021-26 (bsc#1186696)
* CVE-2021-29964 (bmo#1706501)
Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
bmo#1704722, bmo#1706041)
Memory safety bugs fixed in Thunderbird 78.11
- renewed expired mozilla.keyring
* CVE-2021-29956 (boo#1186199, bmo#1710290)
* CVE-2021-29957 (boo#1186198, bmo#1673241)
OBS-URL: https://build.opensuse.org/request/show/897289
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=256
* OpenPGP could not be disabled for an account if a key was
previously configured
* Recipients were unable to decrypt some messages when the sender
had changed the message encryption from OpenPGP to S/MIME
* Contacts moved between CardDAV address books were not synced to
the new server
* CardDAV compatibility fixes for Google Contacts
MFSA 2021-
- renewed expired mozilla.keyring
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=594
- Mozilla Thunderbird 78.10.2
* Added support for importing OpenPGP keys without a primary
secret key
* Add-ons manager displays a preferences icon for mail extensions
that include an options page
Fixed
* OpenPGP messages with a high compression ratio (over 10x) could
not be decrypted
* Selected OpenPGP key was lost after opening the Key Properties
dialog in Account Settings
* Parsing some OpenPGP user IDs failed
* Various improvements to OpenPGP partial encryption reminders
* Mail toolbar buttons were too big when displaying both icons
and text
MFSA 2021-22
* CVE-2021-29956 (bmo#1710290)
Thunderbird stored OpenPGP secret keys without master password
protection
* CVE-2021-29957 (bmo#1673241)
Partial protection of inline OpenPGP message not indicated
- do not rely on nodejs10 explicitly
OBS-URL: https://build.opensuse.org/request/show/894215
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=255
- Mozilla Thunderbird 78.10.0
MFSA 2021-14 (bsc#1184960)
* CVE-2021-23994 (bmo#1699077)
Out of bound write due to lazy initialization
* CVE-2021-23995 (bmo#1699835)
Use-after-free in Responsive Design Mode
* CVE-2021-23998 (bmo#1667456)
Secure Lock icon could have been spoofed
* CVE-2021-23961 (bmo#1677940)
More internal network hosts could have been probed by a
malicious webpage
* CVE-2021-23999 (bmo#1691153)
Blob URLs may have been granted additional privileges
* CVE-2021-24002 (bmo#1702374)
Arbitrary FTP command execution on FTP servers using an
encoded URL
* CVE-2021-29945 (bmo#1700690)
Incorrect size computation in WebAssembly JIT could lead to
null-reads
* CVE-2021-29946 (bmo#1698503)
Port blocking could be bypassed
* CVE-2021-29948 (bmo#1692899)
Race condition when reading from disk while verifying
signatures
- recommend libotr5
OBS-URL: https://build.opensuse.org/request/show/886906
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=253
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=586
- Mozilla Thunderbird 78.9.1
* Support recipient aliases for OpenPGP encryption
* The key and signature parts of the message security popup on a
received message could not be selected for copy/paste
* Various UX and theme improvements
MFSA 2021-13
* CVE-2021-23991 (bmo#1673240)
An attacker may use Thunderbird's OpenPGP key refresh mechanism
to poison an existing key
* MOZ-2021-23992 (bmo#1666236)
A crafted OpenPGP key with an invalid user ID could be used to
confuse the user
* CVE-2021-23993 (bmo#1666360)
Inability to send encrypted OpenPGP email after importing a
crafted OpenPGP key
OBS-URL: https://build.opensuse.org/request/show/884316
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=252
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=584
- Mozilla Thunderbird 78.9.0
* bugfixes:
https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes
MFSA 2021-12 (boo#1183942)
* CVE-2021-23981 (bmo#1692832)
Texture upload into an unbound backing buffer resulted in an
out-of-bound read
* MOZ-2021-0002 (bmo#1691547)
Angle graphics library out of date
* CVE-2021-23982 (bmo#1677046)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2021-23984 (bmo#1693664)
Malicious extensions could have spoofed popup information
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718)
Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)
OBS-URL: https://build.opensuse.org/request/show/881213
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=251
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=582