Revisions of MozillaThunderbird

Dominique Leuenberger (dimstar_suse) accepted request 1102113 from Wolfgang Rosenauer (wrosenauer) (revision 314)
- Mozilla Thunderbird 102.14.0
  MFSA 2023-32 (bsc#1213746)
  * CVE-2023-4045 (bmo#1833876)
    Offscreen Canvas could have bypassed cross-origin restrictions
  * CVE-2023-4046 (bmo#1837686)
    Incorrect value used during WASM compilation
  * CVE-2023-4047 (bmo#1839073)
    Potential permissions request bypass via clickjacking
  * CVE-2023-4048 (bmo#1841368)
    Crash in DOMParser due to out-of-memory conditions
  * CVE-2023-4049 (bmo#1842658)
    Fix potential race conditions when releasing platform objects
  * CVE-2023-4050 (bmo#1843038)
    Stack buffer overflow in StorageManager
  * CVE-2023-4054 (bmo#1840777)
    Lack of warning when opening appref-ms files
  * CVE-2023-4055 (bmo#1782561)
    Cookie jar overflow caused unexpected cookie jar state
  * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235,
    bmo#1842325, bmo#1843847)
    Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
    Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14

  * CVE-2023-3417 (bmo#1835582, boo#1213658)
Ana Guerrero (anag+factory) accepted request 1100766 from Wolfgang Rosenauer (wrosenauer) (revision 313)
- Mozilla Thunderbird 102.13.1
  MFSA 2023-28
  * CVE-2023-3417 (bmo#1835582)
    File Extension Spoofing using the Text Direction Override Character
Dominique Leuenberger (dimstar_suse) accepted request 1097755 from Wolfgang Rosenauer (wrosenauer) (revision 312)
- Mozilla Thunderbird 102.13.0
  * Upstream RNP version numbers now recognized as official in about:support
  MFSA 2023-24 (bsc#1212438)
  * CVE-2023-37201 (bmo#1826002)
    Use-after-free in WebRTC certificate generation
  * CVE-2023-37202 (bmo#1834711)
    Potential use-after-free from compartment mismatch in
    SpiderMonkey
  * CVE-2023-37207 (bmo#1816287)
    Fullscreen notification obscured
  * CVE-2023-37208 (bmo#1837675)
    Lack of warning when opening Diagcab files
  * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886,
    bmo#1836550, bmo#1837450)
    Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
    and Thunderbird 102.13
- mozilla-llvm16.patch has been applied upstream, remove it here
Dominique Leuenberger (dimstar_suse) accepted request 1089289 from Wolfgang Rosenauer (wrosenauer) (revision 310)
- Mozilla Thunderbird 102.11.2
  * fixed POP3 regressions in 102.11.1
  * https://www.thunderbird.net/en-US/thunderbird/102.11.2/releasenotes/
  Thunderbird 102.11.1
  * https://www.thunderbird.net/en-US/thunderbird/102.11.1/releasenotes/
- updated mozilla.keyring
Dominique Leuenberger (dimstar_suse) accepted request 1086176 from Wolfgang Rosenauer (wrosenauer) (revision 309)
- Mozilla Thunderbird 102.11.0
  * https://www.thunderbird.net/en-US/thunderbird/102.11.0/releasenotes
  MFSA 2023-18 (bsc#1211175)
  * CVE-2023-32205 (bmo#1753339, bmo#1753341)
    Browser prompts could have been obscured by popups
  * CVE-2023-32206 (bmo#1824892)
    Crash in RLBox Expat driver
  * CVE-2023-32207 (bmo#1826116)
    Potential permissions request bypass via clickjacking
  * CVE-2023-32211 (bmo#1823379)
    Content process crash due to invalid wasm code
  * CVE-2023-32212 (bmo#1826622)
    Potential spoof due to obscured address bar
  * CVE-2023-32213 (bmo#1826666)
    Potential memory corruption in FileReader::DoReadData()
  * CVE-2023-32214 (bmo#1828716)
    Potential DoS via exposed protocol handlers
  * CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856,
    bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144,
    bmo#1827359, bmo#1830186)
    Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
Dominique Leuenberger (dimstar_suse) accepted request 1083507 from Wolfgang Rosenauer (wrosenauer) (revision 308)
- Mozilla Thunderbird 102.10.1
  * https://www.thunderbird.net/en-US/thunderbird/102.10.1/releasenotes
Dominique Leuenberger (dimstar_suse) accepted request 1078519 from Wolfgang Rosenauer (wrosenauer) (revision 307)
- Mozilla Thunderbird 102.10.0
  * New messages will automatically select S/MIME if configured and
    OpenPGP is not
  * Calendar events with timezone America/Mexico_City incorrectly
    applied Daylight Savings Time
  MFSA 2023-15 (bsc#1210212)
  * CVE-2023-29531 (bmo#1794292)
    Out-of-bound memory access in WebGL on macOS
  * CVE-2023-29532 (bmo#1806394)
    Mozilla Maintenance Service Write-lock bypass
  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
    Fullscreen notification obscured
  * MFSA-TMP-2023-0001 (bmo#1819244)
    Double-free in libwebp
  * CVE-2023-29535 (bmo#1820543)
    Potential Memory Corruption following Garbage Collector compaction
  * CVE-2023-29536 (bmo#1821959)
    Invalid free from JavaScript code
  * CVE-2023-0547 (bmo#1811298)
    Revocation status of S/Mime recipient certificates was not checked
  * CVE-2023-29479 (bmo#1824978)
    Hang when processing certain OpenPGP messages
  * CVE-2023-29539 (bmo#1784348)
    Content-Disposition filename truncation leads to Reflected
    File Download
  * CVE-2023-29541 (bmo#1810191)
    Files with malicious extensions could have been downloaded
    unsafely on Linux
  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
    Bypass of file download extension restrictions
Dominique Leuenberger (dimstar_suse) accepted request 1074474 from Wolfgang Rosenauer (wrosenauer) (revision 306)
- add gcc13-fix.patch to support current Tumbleweed
Dominique Leuenberger (dimstar_suse) accepted request 1072474 from Wolfgang Rosenauer (wrosenauer) (revision 305)
- Mozilla Thunderbird 102.9.0
  * https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes
  MFSA 2023-11 (bsc#1209173)
  * CVE-2023-25751 (bmo#1814899)
    Incorrect code generation during JIT compilation
  * CVE-2023-28164 (bmo#1809122)
    URL being dragged from a removed cross-origin iframe into the
    same tab triggered navigation
  * CVE-2023-28162 (bmo#1811327)
    Invalid downcast in Worklets
  * CVE-2023-25752 (bmo#1811627)
    Potential out-of-bounds when accessing throttled streams
  * CVE-2023-28163 (bmo#1817768)
    Windows Save As dialog resolved environment variables
  * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904,
    bmo#1817442, bmo#1818674)
    Memory safety bugs fixed in Thunderbird 102.9
- update create-tar.sh
- build using rust 1.67
- Ensure gcc11-c++ gets used on Leap 15.5, too.
Dominique Leuenberger (dimstar_suse) accepted request 1066604 from Wolfgang Rosenauer (wrosenauer) (revision 304)
- Mozilla Thunderbird 102.8.0
  * https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes
  MFSA 2023-07 (bsc#1208144)
  * CVE-2023-0616 (bmo#1806507)
    User Interface lockup with messages combining S/MIME and OpenPGP
  * CVE-2023-25728 (bmo#1790345)
    Content security policy leak in violation reports using iframes
  * CVE-2023-25730 (bmo#1794622)
    Screen hijack via browser fullscreen mode
  * CVE-2023-0767 (bmo#1804640)
    Arbitrary memory write via PKCS 12 in NSS
  * CVE-2023-25735 (bmo#1810711)
    Potential use-after-free from compartment mismatch in SpiderMonkey
  * CVE-2023-25737 (bmo#1811464)
    Invalid downcast in SVGUtils::SetupStrokeGeometry
  * CVE-2023-25738 (bmo#1811852)
    Printing on Windows could potentially crash Thunderbird with
    some device drivers
  * CVE-2023-25739 (bmo#1811939)
    Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
  * CVE-2023-25729 (bmo#1792138)
    Extensions could have opened external schemes without user knowledge
  * CVE-2023-25732 (bmo#1804564)
    Out of bounds memory write from EncodeInputStream
  * CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
    Opening local .url files could cause unexpected network loads
  * CVE-2023-25742 (bmo#1813424)
    Web Crypto ImportKey crashes tab
  * CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628,
    bmo#1810536)
Dominique Leuenberger (dimstar_suse) accepted request 1063880 from Wolfgang Rosenauer (wrosenauer) (revision 303)
- Mozilla Thunderbird 102.7.2
  * Various crash fixes
Dominique Leuenberger (dimstar_suse) accepted request 1062396 from Wolfgang Rosenauer (wrosenauer) (revision 302)
- Mozilla Thunderbird 102.7.1
  * Microsoft Office 365 accounts were unable to authenticate
  * https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/
  MFSA 2023-04
  * CVE-2023-0430 (bmo#1769000)
    Revocation status of S/Mime signature certificates was not checked
- update create-tar.sh

- Mozilla Thunderbird 102.7.0
  https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/
  MFSA 2023-03 (bsc#1207119)
  * CVE-2022-46871 (bmo#1795697)
    libusrsctp library out of date
  * CVE-2023-23598 (bmo#1800425)
    Arbitrary file read from GTK drag and drop on Linux
  * CVE-2023-23599 (bmo#1777800)
    Malicious command could be hidden in devtools output on
    Windows
  * CVE-2023-23601 (bmo#1794268)
    URL being dragged from cross-origin iframe into same tab
    triggers navigation
  * CVE-2023-23602 (bmo#1800890)
    Content Security Policy wasn't being correctly applied to
    WebSockets in WebWorkers
  * CVE-2022-46877 (bmo#1795139)
    Fullscreen notification bypass
  * CVE-2023-23603 (bmo#1800832)
    Calls to console.log allowed bypassing Content
    Security Policy via format directive
  * CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
Dominique Leuenberger (dimstar_suse) accepted request 1044166 from Wolfgang Rosenauer (wrosenauer) (revision 301)
- Mozilla Thunderbird 102.6.1
  * Remote content did not load in user-defined signatures
  * Addons that added new action buttons were not shown for addon
    upgrades, requiring removal and reinstall
  * Various stability improvements
  MFSA 2022-54
  * CVE-2022-46874 (bmo#1746139)
    Drag and Dropped Filenames could have been truncated to
    malicious extensions
Dominique Leuenberger (dimstar_suse) accepted request 1042791 from Wolfgang Rosenauer (wrosenauer) (revision 300)
- Mozilla Thunderbird 102.6.0
  https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
  MFSA 2022-53 (bsc#1206242)
  * CVE-2022-46880 (bmo#1749292)
    Use-after-free in WebGL
  * CVE-2022-46872 (bmo#1799156)
    Arbitrary file read from a compromised content process
  * CVE-2022-46881 (bmo#1770930)
    Memory corruption in WebGL
  * CVE-2022-46874 (bmo#1746139)
    Drag and Dropped Filenames could have been truncated to
    malicious extensions
  * CVE-2022-46875 (bmo#1786188)
    Download Protections were bypassed by .atloc and .ftploc
    files on Mac OS
  * CVE-2022-46882 (bmo#1789371)
    Use-after-free in WebGL
  * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
    bmo#1801102, bmo#1801315, bmo#1802395)
    Memory safety bugs fixed in Thunderbird 102.6
- removed obsolete patches
  mozilla-newer-cbindgen.patch
  mozilla-glibc236.patch
Dominique Leuenberger (dimstar_suse) accepted request 1039407 from Wolfgang Rosenauer (wrosenauer) (revision 299)
- Mozilla Thunderbird 102.5.1
  MFSA 2022-50
  * CVE-2022-45414 (bmo#1788096)
    Quoting from an HTML email with certain tags will trigger network
    requests and load remote content, regardless of a configuration
    to block remote content
Dominique Leuenberger (dimstar_suse) accepted request 1036233 from Wolfgang Rosenauer (wrosenauer) (revision 298)
- Mozilla Thunderbird 102.5.0
  * changes and fixes as described here
    https://www.thunderbird.net/en-US/thunderbird/102.5.0/releasenotes
  MFSA 2022-49 (bsc#1205270)
  * CVE-2022-45403 (bmo#1762078)
    Service Workers might have learned size of cross-origin media files
  * CVE-2022-45404 (bmo#1790815)
    Fullscreen notification bypass
  * CVE-2022-45405 (bmo#1791314)
    Use-after-free in InputStream implementation
  * CVE-2022-45406 (bmo#1791975)
    Use-after-free of a JavaScript Realm
  * CVE-2022-45408 (bmo#1793829)
    Fullscreen notification bypass via windowName
  * CVE-2022-45409 (bmo#1796901)
    Use-after-free in Garbage Collection
  * CVE-2022-45410 (bmo#1658869)
    ServiceWorker-intercepted requests bypassed SameSite cookie policy
  * CVE-2022-45411 (bmo#1790311)
    Cross-Site Tracing was possible via non-standard override headers
  * CVE-2022-45412 (bmo#1791029)
    Symlinks may resolve to partially uninitialized buffers
  * CVE-2022-45416 (bmo#1793676)
    Keystroke Side-Channel Leakage
  * CVE-2022-45418 (bmo#1795815)
    Custom mouse cursor could have been drawn over browser UI
  * CVE-2022-45420 (bmo#1792643)
    Iframe contents could be rendered outside the iframe
  * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
    Memory safety bugs fixed in Thunderbird 102.5
Dominique Leuenberger (dimstar_suse) accepted request 1033698 from Wolfgang Rosenauer (wrosenauer) (revision 297)
- Mozilla Thunderbird 102.4.2
  * "Address Book" button in Account Central will now create a
    CardDAV address book instead of a local address book
  * Bugfixes as described here
    https://www.thunderbird.net/en-US/thunderbird/102.4.2/releasenotes
Dominique Leuenberger (dimstar_suse) accepted request 1031395 from Wolfgang Rosenauer (wrosenauer) (revision 296)
- Mozilla Thunderbird 102.4.1
  * Thunderbird will now catch and report errors parsing vCards
    that contain incorrectly formatted dates
  * Dynamic language switching did not update interface when switched
    to right-to-left languages
  * Custom header data was discarded after messages were saved as
    draft and reopened
  * -remote command line argument did not work, affecting integration
    with various applications such as LibreOffice
  * Messages received via some SMS-to-email services could not
    display images
  * VCards with nickname field set could not be edited
  * Some recurring events were missing from Agenda on first load
  * Download requests for remote ICS calendars incorrectly set
    "Accept" header to text/xml
  * Monthly events created on the 31st of a month with <30 days placed
    first occurrence 1-2 days after the beginning of the following month
  * Various visual and UX improvements
Dominique Leuenberger (dimstar_suse) accepted request 1030583 from Wolfgang Rosenauer (wrosenauer) (revision 295)
  MFSA 2022-46 (bsc#1203477)
  * CVE-2022-42927 (bmo#1789128)
    Same-origin policy violation could have leaked cross-origin URLs
  * CVE-2022-42928 (bmo#1791520)
    Memory Corruption in JS Engine
  * CVE-2022-42929 (bmo#1789439)
    Denial of Service via window.print
  * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)
    Memory safety bugs fixed in Firefox 106, Firefox ESR 102.4 and
    Thunderbird 102.4.0
Displaying revisions 21 - 40 of 334