Revisions of MozillaThunderbird
Dominique Leuenberger (dimstar_suse)
accepted
request 1030125
from
Wolfgang Rosenauer (wrosenauer)
(revision 294)
- Mozilla Thunderbird 102.4.0 https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes
Dominique Leuenberger (dimstar_suse)
accepted
request 1010277
from
Wolfgang Rosenauer (wrosenauer)
(revision 293)
- Mozilla Thunderbird 102.3.3 * Option added to show containing address book for a contact when using All Address Books in vertical mode * Thunderbird will try to use POP NTLM authentication even if not advertised by server * Task List and Today Pane sidebars will no longer load when not visible * bugfixes as documented here https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes
Fabian Vogt (favogt_factory)
accepted
request 1009070
from
Wolfgang Rosenauer (wrosenauer)
(revision 292)
- Mozilla Thunderbird 102.3.2 * Thunderbird will try to use POP CRAM-MD5 authentication even if not advertised by server * more bugfixes as in https://www.thunderbird.net/en-US/thunderbird/102.3.2/releasenotes
Richard Brown (RBrownFactory)
accepted
request 1007697
from
Wolfgang Rosenauer (wrosenauer)
(revision 291)
- build using rust 1.63
Dominique Leuenberger (dimstar_suse)
accepted
request 1007573
from
Wolfgang Rosenauer (wrosenauer)
(revision 290)
- Mozilla Thunderbird 102.3.1 * Compose window encryption options now only appear for encryption technologies that have already been configured * Number of contacts in currently selected address book now displayed at bottom of Address Book list column Fixes * Password prompt did not include server hostname for POP servers * Edit Contact was missing from Contacts sidebar context menus * Address Book contact lists cut off display of some characters, the result being unreadable MFSA 2022-43 * CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators * CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a device verification attack * CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack * CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue
Dominique Leuenberger (dimstar_suse)
accepted
request 1005289
from
Wolfgang Rosenauer (wrosenauer)
(revision 289)
- Mozilla Thunderbird 102.3.0 https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/ * Thunderbird will no longer attempt to import account passwords when importing from another Thunderbird profile in order to prevent profile corruption and permanent data loss. (bmo#1790605) * Devtools performance profile will use Thunderbird presets instead of Web Developer presets (bmo#1785954) * Thunderbird startup performance improvements (bmo#1785967) * Saving email source and images failed (bmo#1777323, bmo#1778804) * Error message was shown repeatedly when temporary disk space was full (bmo#1788580) * Attaching OpenPGP keys without a set size to non-encrypted messages briefly displayed a size of zero bytes (bmo#1788952) * Global Search entry box initially contained "undefined" (bmo#1780963) * Delete from POP Server mail filter rule intermittently failed to trigger (bmo#1789418) * Connections to POP3 servers without UIDL support failed (bmo#1789314) * Pop accounts with "Fetch headers only" set downloaded complete messages if server did not advertise TOP capability (bmo#1789356) * "File -> New -> Address Book Contact" from Compose window did not work (bmo#1782418) * Attach "My vCard" option in compose window was not available (bmo#1787614) * Improved performance of matching a contact to an email address (bmo#1782725) * Address book only recognized a contact's first two email addresses (bmo#1777156) * Address book search and autocomplete failed if a contact vCard could not be parsed (bmo#1789793) * Downloading NNTP messages for offline use failed (bmo#1785773)
Dominique Leuenberger (dimstar_suse)
accepted
request 1001927
from
Wolfgang Rosenauer (wrosenauer)
(revision 288)
- Mozilla Thunderbird 102.2.2 https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/ * Setting added to change Calendar event double-click action to open Edit Event dialog rather than view only; Set calendar.events.defaultActionEdit to true * Running Compact Folders on maildir folders caused a redownload of all messages in the folder * Accessing mail folders in profiles with many folders was slow * SMTP servers were not always properly initialized, and were not listed in Account Settings * APOP authentication unsupported when connecting to POP3 server * OpenPGP key discovery failed * POP accounts hosted by AOL were not able to authenticate using OAuth2 * Unable to open context menu in newsgroups header for groups that are not subscribed
Dominique Leuenberger (dimstar_suse)
accepted
request 1000596
from
Wolfgang Rosenauer (wrosenauer)
(revision 287)
- Mozilla Thunderbird 102.2.1 MFSA 2022-38 (bsc#1203007) * CVE-2022-3033 (bmo#1784838) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag * CVE-2022-3032 (bmo#1783831) Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked * CVE-2022-3034 (bmo#1745751) An iframe element in an HTML email could trigger a network request * CVE-2022-36059 (bmo#1787741) Matrix SDK bundled with Thunderbird vulnerable to denial-of- service attack
Dominique Leuenberger (dimstar_suse)
accepted
request 999347
from
Wolfgang Rosenauer (wrosenauer)
(revision 286)
- Mozilla Thunderbird 102.2.0 * https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/ MFSA 2022-36 (bsc#1202645) * CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error handling * CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have inherited the parent's permissions * CVE-2022-38476 (bmo#1760998) Data race and potential use-after-free in PK11_ChangePW * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) Memory safety bugs fixed in Thunderbird 102.2 * CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13 - disabled automatic usage of wayland because of known issues using MOZ_ENABLE_WAYLAND=1 in environment would still enable it (boo#1202606)
Dominique Leuenberger (dimstar_suse)
accepted
request 995033
from
Wolfgang Rosenauer (wrosenauer)
(revision 285)
- added mozilla-glibc236.patch (bmo#1782988, boo#1202323)
Dominique Leuenberger (dimstar_suse)
accepted
request 993911
from
Wolfgang Rosenauer (wrosenauer)
(revision 284)
- Mozilla Thunderbird 102.1.2 * fix for bmo#1777765 (no POP download progress bar) was backed out from this release to address broken POP message download with Fetch headers only selected in Account Settings (bmo#1783552) - Mozilla Thunderbird 102.1.1 Bugfixes: * https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/
Dominique Leuenberger (dimstar_suse)
accepted
request 992051
from
Wolfgang Rosenauer (wrosenauer)
(revision 283)
- Mozilla Thunderbird 102.1.0 * https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes MFSA 2022-32 (bsc#1201758) * CVE-2022-36319 (bmo#1737722) Mouse Position spoofing with CSS transforms * CVE-2022-36318 (bmo#1771774) Directory indexes for bundled resources reflected URL parameters * CVE-2022-36314 (bmo#1773894) Opening local <code>.lnk</code> files could cause unexpected network loads * CVE-2022-2505 (bmo#1769739, bmo#1772824) Memory safety bugs fixed in Thunderbird 102.1 - added mozilla-newer-cbindgen.patch to fix build with rust-cbindgen >= 0.24 (and also require that for build) - added mozilla-pgo.patch to fix LTO builds with gcc - Mozilla Thunderbird 102.0.3 Bugfixes as in * https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/ - Mozilla Thunderbird 102.0.2 * https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/ - removed obsolete patches mozilla-bmo1504834-part2.patch mozilla-bmo1504834-part4.patch mozilla-bmo1602730.patch mozilla-bmo1626236.patch mozilla-bmo1724679.patch mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch mozilla-sandbox-fips.patch
Dominique Leuenberger (dimstar_suse)
accepted
request 985736
from
Wolfgang Rosenauer (wrosenauer)
(revision 282)
- Mozilla Thunderbird 91.11.0 * CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work additional fix applied * "Save-As" attachment dialog did not have filename pre-populated MFSA 2022-26 (bsc#1200793) * CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way to overlay the address bar with web content * CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory * CVE-2022-34468 (bmo#1768537) CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI * CVE-2022-2226 (bmo#1775441) An email with a mismatching OpenPGP signature date was accepted as valid * CVE-2022-34481 (bmo#1497246) Potential integer overflow in ReplaceElementsAt * CVE-2022-31744 (bmo#1757604) CSP bypass enabling stylesheet injection * CVE-2022-34472 (bmo#1770123) Unavailable PAC file resulted in OCSP requests being blocked * CVE-2022-34478 (bmo#1773717) Microsoft protocols can be attacked if a user accepts a prompt * CVE-2022-2200 (bmo#1771381) Undesired attributes could be set as part of prototype pollution * CVE-2022-34484 (bmo#1763634, bmo#1772651) Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
Dominique Leuenberger (dimstar_suse)
accepted
request 980158
from
Wolfgang Rosenauer (wrosenauer)
(revision 281)
- Mozilla Thunderbird 91.10.0 * Various UX and theme improvements MFSA 2022-22 (bsc#1200027) * CVE-2022-31736 (bmo#1735923) Cross-Origin resource's length leaked * CVE-2022-31737 (bmo#1743767) Heap buffer overflow in WebGL * CVE-2022-31738 (bmo#1756388) Browser window spoof using fullscreen mode * CVE-2022-31739 (bmo#1765049) Attacker-influenced path traversal when saving downloaded files * CVE-2022-31740 (bmo#1766806) Register allocation problem in WASM on arm64 * CVE-2022-31741 (bmo#1767590) Uninitialized variable leads to invalid memory read * CVE-2022-1834 (bmo#1767816) Braille space character caused incorrect sender email to be shown for a digitally signed email * CVE-2022-31742 (bmo#1730434) Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283, bmo#1767365, bmo#1768559, bmo#1768734) Memory safety bugs fixed in Thunderbird 91.10
Dominique Leuenberger (dimstar_suse)
accepted
request 978422
from
Wolfgang Rosenauer (wrosenauer)
(revision 280)
- Mozilla Thunderbird 91.9.1 MFSA 2022-19 (bsc#1199768) * CVE-2022-1802 (bmo#1770137) Prototype pollution in Top-Level Await implementation * CVE-2022-1529 (bmo#1770048) Untrusted input used in JavaScript object indexing, leading to prototype pollution
Dominique Leuenberger (dimstar_suse)
accepted
request 975202
from
Wolfgang Rosenauer (wrosenauer)
(revision 279)
- Mozilla Thunderbird 91.9.0 * A warning is now displayed if an OpenPGP key has unsafe attributes that are ignored * OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not allow SHA-1 key signatures * CalDAV calendars were marked read-only on startup MFSA 2022-18 (bsc#1198970) * CVE-2022-1520 (bmo#1745019) Incorrect security status shown after viewing an attached email * CVE-2022-29914 (bmo#1746448) Fullscreen notification bypass using popups * CVE-2022-29909 (bmo#1755081) Bypassing permission prompt in nested browsing contexts * CVE-2022-29916 (bmo#1760674) Leaking browser history with CSS variables * CVE-2022-29911 (bmo#1761981) iframe sandbox bypass * CVE-2022-29912 (bmo#1692655) Reader mode bypassed SameSite cookies * CVE-2022-29913 (bmo#1764778) Speech Synthesis feature not properly disabled * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, bmo#1762614, bmo#1762620) Memory safety bugs fixed in Thunderbird 91.9
Dominique Leuenberger (dimstar_suse)
accepted
request 970866
from
Wolfgang Rosenauer (wrosenauer)
(revision 278)
- Mozilla Thunderbird 91.8.1 * CLIENTID extension to SMTP was not supported by smtp-js# * Additional SMTP errors now propagated to user * OpenPGP was not able to use some previously supported key types * OpenPGP Key Manager did not always display correct information after importing additional IDs * Duplicate new mail notifications could be displayed when server-side filters were in use * Cancelling an SMTP password entry resulted in multiple failure dialogs being displayed - Mozilla Thunderbird 91.8.0 * Google accounts using password authentication will be migrated to OAuth2. * bugfixes https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes MFSA 2022- (bsc#1197903) - update create-tar.sh - skip slow workers, this is a tough build job
Dominique Leuenberger (dimstar_suse)
accepted
request 969350
from
Wolfgang Rosenauer (wrosenauer)
(revision 277)
Dominique Leuenberger (dimstar_suse)
accepted
request 964779
from
Wolfgang Rosenauer (wrosenauer)
(revision 276)
- skip slow workers, this is a tough build job
Dominique Leuenberger (dimstar_suse)
accepted
request 960657
from
Wolfgang Rosenauer (wrosenauer)
(revision 275)
- Mozilla Thunderbird 91.7.0 * Thunderbird will use the first occurrence of headers that should only appear once * Auto-complete incorrectly changed a pasted email address to the primary address of a contact * Attachments with filename extensions that were not registered in MIME types could not be opened * Copy/Cut/Paste actions not working in Thunderbird Preferences * Improved screen reader support of displayed message headers MFSA 2022-12 (bsc#1196900) * CVE-2022-26383 (bmo#1742421) Browser window spoof using fullscreen mode * CVE-2022-26384 (bmo#1744352) iframe allow-scripts sandbox bypass * CVE-2022-26387 (bmo#1752979) Time-of-check time-of-use bug when verifying add-on signatures * CVE-2022-26381 (bmo#1736243) Use-after-free in text reflows * CVE-2022-26386 (bmo#1752396) Temporary files downloaded to /tmp and accessible by other local users - Mozilla Thunderbird 91.6.2 MFSA 2022-09 * CVE-2022-26485 (bmo#1758062) Use-after-free in XSLT parameter processing * CVE-2022-26486 (bmo#1758070) Use-after-free in WebGPU IPC Framework
Displaying revisions 41 - 60 of 334