openSUSE Build Service

Overview Repositories Revisions Requests Users Attributes Meta

Revisions of MozillaThunderbird

Dominique Leuenberger (dimstar_suse) accepted request 955596 from

Wolfgang Rosenauer (wrosenauer) about 2 years ago (revision 274)

just added the bsc bug security bug reference

- Mozilla Thunderbird 91.6.1
  * generated views of meeting invitations are now expanded by default
  * Emails were not downloading at startup under some conditions
  * Port numbers were not shown in "Confirm Security Exception"
    dialog for CalDAV connections
  MFSA 2022-07 (bsc#1196072)
  * CVE-2022-0566 (bmo#1753094)
    Crafted email could trigger an out-of-bounds write

Dominique Leuenberger (dimstar_suse) accepted request 953831 from

Wolfgang Rosenauer (wrosenauer) about 2 years ago (revision 273)

- Mozilla Thunderbird 91.6.0
  * TB will now offer to send large forwarded attachments via FileLink
  * Partially signed unencrypted messages displayed an incorrect
    "parrtially encrypted" notification
  * Attachments filenames were not sanitized before saving to disk
  * In the attachment bar, the "Import OpenPGP Key" item displayed
    for public keys displayed an error and did not import the key
  * "Open with" attachment dialog did not have a selected radio
    button option
  MFSA 2022-06 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435)
    Privilege Escalation to SYSTEM on Windows via Maintenance
    Service
  * CVE-2022-22754 (bmo#1750565)
    Extensions could have bypassed permission confirmation during
    update
  * CVE-2022-22756 (bmo#1317873)
    Drag and dropping an image could have resulted in the dropped
    object being an executable
  * CVE-2022-22759 (bmo#1739957)
    Sandboxed iframes could have executed script if the parent
    appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
    Cross-Origin responses could be distinguished between script
    and non-script content-types
  * CVE-2022-22761 (bmo#1745566)
    frame-ancestors Content Security Policy directive was not
    enforced for framed extension pages
  * CVE-2022-22763 (bmo#1740534)
    Script Execution during invalid object state

Dominique Leuenberger (dimstar_suse) accepted request 949349 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 272)

- Mozilla Thunderbird 91.5.1
  * JS LDAP implementation did not support self-signed SSL certificates
  * After saving a draft and subsequently sending a FileLink email,
    the original file was removed from disk
  * Chat OTR encryption did not work
  * OTR verification bar was not removed after completing verification
  * Various theme improvements

- Enable -fimplicit-constexpr for GCC 12+.

Dominique Leuenberger (dimstar_suse) accepted request 945701 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 271)

- Mozilla Thunderbird 91.5.0
  https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
  MFSA 2022-03 (bsc#1194547)
  * CVE-2022-22746 (bmo#1735071)
    Calling into reportValidity could have lead to fullscreen
    window spoof
  * CVE-2022-22743 (bmo#1739220)
    Browser window spoof using fullscreen mode
  * CVE-2022-22742 (bmo#1739923)
    Out-of-bounds memory access when inserting text in edit mode
  * CVE-2022-22741 (bmo#1740389)
    Browser window spoof using fullscreen mode
  * CVE-2022-22740 (bmo#1742334)
    Use-after-free of ChannelEventQueue::mOwner
  * CVE-2022-22738 (bmo#1742382)
    Heap-buffer-overflow in blendGaussianBlur
  * CVE-2022-22737 (bmo#1745874)
    Race condition when playing audio files
  * CVE-2021-4140 (bmo#1746720)
    Iframe sandbox bypass with XSLT
  * CVE-2022-22748 (bmo#1705211)
    Spoofed origin on external protocol launch dialog
  * CVE-2022-22745 (bmo#1735856)
    Leaking cross-origin URLs through securitypolicyviolation event
  * CVE-2022-22744 (bmo#1737252)
    The 'Copy as curl' feature in DevTools did not fully escape
    website-controlled data, potentially leading to command injection
  * CVE-2022-22747 (bmo#1735028)
    Crash when handling empty pkcs7 sequence
  * CVE-2022-22739 (bmo#1744158)

Dominique Leuenberger (dimstar_suse) accepted request 943034 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 270)

Dominique Leuenberger (dimstar_suse) accepted request 941707 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 269)

- Mozilla Thunderbird 91.4.1
  * several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/
  MFSA 2021-55 (bsc#1193845)
  * CVE-2021-4126 (bmo#1732310)
    OpenPGP signature status doesn't consider additional message
    content
  * CVE-2021-44538 (bmo#1744056)
    Matrix chat library libolm bundled with Thunderbird
    vulnerable to a buffer overflow
- updated _constraints

Dominique Leuenberger (dimstar_suse) accepted request 936365 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 268)

- Mozilla Thunderbird 91.4.0
  * several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes
  MFSA 2021-54 (bsc#1193485)
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * CVE-2021-43528 (bmo#1742579)
    JavaScript unexpectedly enabled for the composition area
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)

Dominique Leuenberger (dimstar_suse) accepted request 932690 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 267)

- Mozilla Thunderbird 91.3.2
  * Date selection in Calendar print settings widget changed to use
    mini calendar widget
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/

- Mozilla Thunderbird 91.3.1
  * OpenPGP public keys will no longer count as an attachment in
    the message list
  * Adding a search engine via URL now supported
  * FileLink messages' template updated; Thunderbird advertisement
    removed
  * After an update, Thunderbird will now check installed addons
    for updates
  * Bugfixes as outlined in release notes
    https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/

Dominique Leuenberger (dimstar_suse) accepted request 929062 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 266)

- Mozilla Thunderbird 91.3.0
  * several fixes as outlined here
    https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/
  MFSA 2021-50  (bsc#1192250)
  * CVE-2021-38503 (bmo#1729517)
    iframe sandbox rules did not apply to XSLT stylesheets
  * CVE-2021-38504 (bmo#1730156)
    Use-after-free in file picker dialog
  * CVE-2021-38505 (bmo#1730194)
    Windows 10 Cloud Clipboard may have recorded sensitive user data
  * CVE-2021-38506 (bmo#1730750)
    Thunderbird could be coaxed into going into fullscreen mode
    without notification or warning
  * CVE-2021-38507 (bmo#1730935)
    Opportunistic Encryption in HTTP2 could be used to bypass the
    Same-Origin-Policy on services hosted on other ports
  * MOZ-2021-0008 (bmo#1667102)
    Use-after-free in HTTP2 Session object
  * CVE-2021-38508 (bmo#1366818)
    Permission Prompt could be overlaid, resulting in user
    confusion and potential spoofing
  * CVE-2021-38509 (bmo#1718571)
    Javascript alert box could have been spoofed onto an
    arbitrary domain
  * CVE-2021-38510 (bmo#1731779)
    Download Protections were bypassed by .inetloc files on Mac OS
  * MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048,
    bmo#1735152)
    Memory safety bugs fixed in Thunderbird ESR 91.3
- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires

Dominique Leuenberger (dimstar_suse) accepted request 927299 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 265)

Dominique Leuenberger (dimstar_suse) accepted request 924567 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 264)

- Mozilla Thunderbird 91.2.0
  * Saving a single message as .eml now uses a unique filename
  * New mail notifications did not properly take subfolders into account
  * Decrypting binary attachments when using an external GnuPG
    configuration failed
  * Account name fields in the account manager were not big enough
    for long names
  * LDAP searches using an extensibleMatch filter returned no results
  * Read-only CalDAV calendars and CardDAV address books were not detected
  * Multipart messages containing a calendar invite did not display
    any of the human-readable alternatives
  * Some calendar days were displayed incorrectly or duplicated
    (eg. two "29th" days of a particular month)
  * Phantom event was shown at the end of each day in Calendar week view
  MFSA 2021-46 (bsc#1191332)
  * CVE-2021-38496 (bmo#1725335)
    Use-after-free in MessageTask
  * CVE-2021-38497 (bmo#1726621)
    Validation message could have been overlaid on another origin
  * CVE-2021-38498 (bmo#1729642)
    Use-after-free of nsLanguageAtomService object
  * CVE-2021-32810 (bmo#1729813,
    https://github.com/crossbeam-
    rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
    Data race in crossbeam-deque
  * CVE-2021-38500 (bmo#1725854, bmo#1728321)
    Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
    and Firefox ESR 91.2
  * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176)
    Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

Dominique Leuenberger (dimstar_suse) accepted request 922125 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 263)

- Mozilla Thunderbird 91.1.2
  * Thunderbird will now warn if an S/MIME encrypted message includes
    BCC recipients
  * several bugfixes listed on
    https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/

Dominique Leuenberger (dimstar_suse) accepted request 921250 from

Factory Maintainer (factory-maintainer) over 2 years ago (revision 262)

Automatic submission by obs-autosubmit

Dominique Leuenberger (dimstar_suse) accepted request 917701 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 261)

- Mozilla Thunderbird 91.1.0
  * Thunderbird registered Accessibility Handlers using same GUIDs
    as Firefox, causing performance issues for NVDA users
  * Focus lost when reordering accounts by keyboard in the Account Manager
  * Account setup did not use provider display name for setting up
    calendars
  * Various theme and UX fixes
  MFSA 2021-41 (bsc#1190269)
  * CVE-2021-38492 (bmo#1721107)
    Navigating to `mk:` URL scheme could load Internet Explorer
  * CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101,
    bmo#1724107)
    Memory safety bugs fixed in Thunderbird 91.1
- (re-)added mozilla-silence-no-return-type.patch
- add mozilla-bmo531915.patch to fix build for i586

Dominique Leuenberger (dimstar_suse) accepted request 914797 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 260)

Dominique Leuenberger (dimstar_suse) accepted request 913013 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 259)

- Mozilla Thunderbird 91.0.1
  MFSA 2021-37 (bsc#1189547)
  * CVE-2021-29991 (bmo#1724896)
    Header Splitting possible with HTTP/3 Responses
- appdate screenshot URL updated (by mailaender@opensuse.org)

- Mozilla Thunderbird 91.0
  * based on Mozilla's 91 ESR codebase
  * many new and changed features
    https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew
  * Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences"
  * Thunderbird now operates in multi-process (e10s) mode by default
  * New user interface for adding attachments
  * Enable redirect of messages
  * CardDAV address book support
- Removed obsolete patches:
  * mozilla-bmo1463035.patch
  * mozilla-ppc-altivec_static_inline.patch
  * mozilla-pipewire-0-3.patch
  * mozilla-bmo1554971.patch
- add mozilla-libavcodec58_91.patch
- removed obsolete BigEndian ICU build workaround
- updated build requirements
- build using clang

Richard Brown (RBrownSUSE) accepted request 911495 from

Wolfgang Rosenauer (wrosenauer) over 2 years ago (revision 258)

- Mozilla Thunderbird 78.13.0
  * removed WeTransfer integration package (not supported by vendor
    any longer)
  MFSA 2021-35 (bsc#1188891)
  * CVE-2021-29986 (bmo#1696138)
    Race condition when resolving DNS names could have led to
    memory corruption
  * CVE-2021-29988 (bmo#1717922)
    Memory corruption as a result of incorrect style treatment
  * CVE-2021-29984 (bmo#1720031)
    Incorrect instruction reordering during JIT optimization
  * CVE-2021-29980 (bmo#1722204)
    Uninitialized memory in a canvas object could have led to
    memory corruption
  * CVE-2021-29985 (bmo#1722083)
    Use-after-free media channels
  * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
    bmo#1719998, bmo#1720568)
    Memory safety bugs fixed in Thunderbird 78.13

Dominique Leuenberger (dimstar_suse) accepted request 906332 from

Wolfgang Rosenauer (wrosenauer) almost 3 years ago (revision 257)

- Mozilla Thunderbird 78.12.0
  MFSA 2021-30 (bsc#1188275)
  * CVE-2021-29969 (bmo#1682370)
    IMAP server responses sent by a MITM prior to STARTTLS could be
    processed
  * CVE-2021-29970 (bmo#1709976)
    Use-after-free in accessibility features of a document
  * CVE-2021-30547 (bmo#1715766)
    Out of bounds write in ANGLE
  * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
    bmo#1711576, bmo#1714391)
    Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12

Dominique Leuenberger (dimstar_suse) accepted request 897289 from

Wolfgang Rosenauer (wrosenauer) almost 3 years ago (revision 256)

- Mozilla Thunderbird 78.11.0
  * OpenPGP could not be disabled for an account if a key was
    previously configured
  * Recipients were unable to decrypt some messages when the sender
    had changed the message encryption from OpenPGP to S/MIME
  * Contacts moved between CardDAV address books were not synced to
    the new server
  * CardDAV compatibility fixes for Google Contacts
  MFSA 2021-26 (bsc#1186696)
  * CVE-2021-29964 (bmo#1706501)
    Out of bounds-read when parsing a `WM_COPYDATA` message
  * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
    bmo#1704722, bmo#1706041)
    Memory safety bugs fixed in Thunderbird 78.11
- renewed expired mozilla.keyring

  * CVE-2021-29956 (boo#1186199, bmo#1710290)
  * CVE-2021-29957 (boo#1186198, bmo#1673241)

Dominique Leuenberger (dimstar_suse) accepted request 894215 from

Wolfgang Rosenauer (wrosenauer) almost 3 years ago (revision 255)

- Mozilla Thunderbird 78.10.2
  * Added support for importing OpenPGP keys without a primary
    secret key
  * Add-ons manager displays a preferences icon for mail extensions
    that include an options page
  Fixed
  * OpenPGP messages with a high compression ratio (over 10x) could
    not be decrypted
  * Selected OpenPGP key was lost after opening the Key Properties
    dialog in Account Settings
  * Parsing some OpenPGP user IDs failed
  * Various improvements to OpenPGP partial encryption reminders
  * Mail toolbar buttons were too big when displaying both icons
    and text
  MFSA 2021-22
  * CVE-2021-29956 (bmo#1710290)
    Thunderbird stored OpenPGP secret keys without master password
    protection
  * CVE-2021-29957 (bmo#1673241)
    Partial protection of inline OpenPGP message not indicated
- do not rely on nodejs10 explicitely

Displaying revisions 61 - 80 of 334

Places

Revisions of MozillaThunderbird

Places