| Name: MozillaThunderbird-translations-common | Distribution: openSUSE Tumbleweed |
| Version: 140.3.0 | Vendor: openSUSE |
| Release: 1.1 | Build date: Sun Sep 14 08:58:42 2025 |
| Group: System/Localization | Build host: reproducible |
| Size: 11992513 | Source RPM: MozillaThunderbird-140.3.0-1.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://www.thunderbird.net/ | |
| Summary: Common translations for Thunderbird | |
This package contains several common languages for the user interface of Thunderbird.
MPL-2.0
* Sun Sep 14 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.3.0 ESR
* Right-clicking 'List-ID' -> 'Unsubscribe' created double encoded
draft subject
* Thunderbird could crash on startup
* Thunderbird could crash when importing mail
* Opening Website header link in RSS feed incorrectly re-encoded
URL parameters
MFSA 2025-78 (bsc#1249391)
* CVE-2025-10527 (bmo#1984825)
Sandbox escape due to use-after-free in the Graphics:
Canvas2D component
* CVE-2025-10528 (bmo#1986185)
Sandbox escape due to undefined behavior, invalid pointer in
the Graphics: Canvas2D component
* CVE-2025-10529 (bmo#1970490)
Same-origin policy bypass in the Layout component
* CVE-2025-10532 (bmo#1979502)
Incorrect boundary conditions in the JavaScript: GC component
* CVE-2025-10533 (bmo#1980788)
Integer overflow in the SVG component
* CVE-2025-10536 (bmo#1981502)
Information disclosure in the Networking: Cache component
* CVE-2025-10537 (bmo#1938220, bmo#1980730, bmo#1981280,
bmo#1981283, bmo#1984505, bmo#1985067)
Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
ESR 140.3, Firefox 143 and Thunderbird 143
* Tue Sep 09 2025 Lubos Kocman <lubos.kocman@suse.com>
- Fix suse_version check for 16.0
* Mon Sep 08 2025 Yoshio Sato <vasua.ukraine@gmail.com>
- Build for Leap 16 using gcc13 (gcc14 is unavailable on Leap 16)
* Sat Sep 06 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.2.1
* Users could no longer send using smtp-relay.gmail.com
* Folder compaction could fail to complete due to folder write errors
* Creating an event or task from mail failed if the mail was
opened in a tab
* Wed Aug 20 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 140.2
* fixed: Users were unable to use Fastmail calendars due to
missing OAuth settings (bmo#1978192)
* fixed: Account setup error handling was broken for Account
hub (bmo#1971303)
* fixed: Menu bar was hidden after updating from 128esr to
140esr (bmo#1979002)
* fixed: Security fixes
MFSA 2025-72 (bsc#1248162)
* CVE-2025-9179 (bmo#1979527)
Sandbox escape due to invalid pointer in the Audio/Video: GMP
component
* CVE-2025-9180 (bmo#1979782)
Same-origin policy bypass in the Graphics: Canvas2D component
* CVE-2025-9181 (bmo#1977130)
Uninitialized memory in the JavaScript Engine component
* CVE-2025-9182 (bmo#1975837)
Denial-of-service due to out-of-memory in the Graphics:
WebRender component
* CVE-2025-9184 (bmo#1929482, bmo#1976376, bmo#1979163,
bmo#1979955)
Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird
ESR 140.2, Firefox 142 and Thunderbird 142
* CVE-2025-9185 (bmo#1970154, bmo#1976782, bmo#1977166)
Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR
128.14, Thunderbird ESR 128.14, Firefox ESR 140.2,
Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
* Tue Aug 05 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 140.1.1
Fixed
* Users with attachments open in tabs saw an error on Thunderbird restart
* Sending from unified or local folder failed if no default account was set
* Delete button could remove attachment instead of message
* Message list scrolled back when returning to mail tab after opening a message
* Sat Jul 26 2025 Andreas Schwab <schwab@suse.de>
- Update memory constraints
* Sat Jul 19 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 140.1.0
* New folders were not added alphabetically if folders manually
reordered beforehand
* Message archive folder creation could silently stop during async
folder creation
MFSA 2025-63 (bsc#1246664)
* CVE-2025-8027 (bmo#1968423)
JavaScript engine only wrote partial return value to stack
* CVE-2025-8028 (bmo#1971581)
Large branch table could lead to truncated instruction
* CVE-2025-8029 (bmo#1928021)
javascript: URLs executed on object and embed tags
* CVE-2025-8036 (bmo#1960834)
DNS rebinding circumvents CORS
* CVE-2025-8037 (bmo#1964767)
Nameless cookies shadow secure cookies
* CVE-2025-8030 (bmo#1968414)
Potential user-assisted code execution in “Copy as cURL” command
* CVE-2025-8031 (bmo#1971719)
Incorrect URL stripping in CSP reports
* CVE-2025-8032 (bmo#1974407)
XSLT documents could bypass CSP
* CVE-2025-8038 (bmo#1808979)
CSP frame-src was not correctly enforced for paths
* CVE-2025-8039 (bmo#1970997)
Search terms persisted in URL bar
* CVE-2025-8033 (bmo#1973990)
Incorrect JavaScript state machine for generators
* CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)
Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR
128.13, Thunderbird ESR 128.13, Firefox ESR 140.1,
Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
* CVE-2025-8040 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998)
Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird
ESR 140.1, Firefox 141 and Thunderbird 141
* CVE-2025-8035 (bmo#1975961, bmo#1975961, bmo#1975961)
Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird
ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox
141 and Thunderbird 141
* Tue Jul 15 2025 Tristan Miller <psychonaut@nothingisreal.com>
- Mozilla Thunderbird ESR 140.0.1
MFSA 2025-54
* CVE-2025-6424 (bmo#1966423)
Use-after-free in FontFaceSet
* CVE-2025-6425 (bmo#1717672)
The WebCompat WebExtension shipped exposed a persistent UUID
* CVE-2025-6426 (bmo#1964385)
No warning when opening executable terminal files on macOS
* CVE-2025-6427 (bmo#1966927)
connect-src Content Security Policy restriction could be
bypassed
* CVE-2025-6429 (bmo#1970658)
Incorrect parsing of URLs could have allowed embedding of
youtube.com
* CVE-2025-6430 (bmo#1971140)
Content-Disposition header ignored when a file is included in
an embed or object tag
* CVE-2025-6432 (bmo#1943804)
DNS Requests leaked outside of a configured SOCKS proxy
* CVE-2025-6433 (bmo#1954033)
WebAuthn would allow a user to sign a challenge on a webpage
with an invalid TLS certificate
* CVE-2025-6434 (bmo#1955182)
HTTPS-Only exception screen lacked anti-clickjacking delay
* CVE-2025-6435 (bmo#1961777 bmo#1950056)
Save as in Devtools could download files without sanitizing
the extension
* CVE-2025-6436 (bmo#1941377 bmo#1960948 bmo#1966187 bmo#1966505
bmo#1970764)
Memory safety bugs fixed in Firefox 140 and Thunderbird 140
- adapt mozilla-ntlm-full-path.patch for Thunderbird 140.0.1
- adapt mozilla-silence-no-return-type.patch for Thunderbird
140.0.1
* Sun Jun 29 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.12.0
MFSA 2025-55 (bsc#1244670)
* CVE-2025-6424 (bmo#1966423)
Use-after-free in FontFaceSet
* CVE-2025-6425 (bmo#1717672)
The WebCompat WebExtension shipped exposed a persistent UUID
* CVE-2025-6426 (bmo#1964385)
No warning when opening executable terminal files on macOS
* CVE-2025-6429 (bmo#1970658)
Incorrect parsing of URLs could have allowed embedding of
youtube.com
* CVE-2025-6430 (bmo#1971140)
Content-Disposition header ignored when a file is included in
an embed or object tag
* Tue Jun 17 2025 Manfred Hollstein <manfred.h@gmx.net>
- Use these tools/versions unconditionally, package won't build on
Tumbleweed with new gcc15 otherwise:
gcc14, gcc14-c++, cargo1.84, rust1.84
* Mon Jun 09 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.11.1
MFSA 2025-49
* CVE-2025-5986 (bmo#1958580, bmo#1968012)
Unsolicited File Download, Disk Space Exhaustion, and Credential
Leakage via mailbox:/// Links
* Sun Jun 08 2025 Bernhard Wiedemann <bwiedemann@suse.com>
- Replace usage of %jobs for reproducible builds (boo#1237231)
* Mon May 26 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.11.0
MFSA 2025-46 (boo#1243353)
* CVE-2025-5262 (bmo#1962421)
Double-free in libvpx encoder
* CVE-2025-5263 (bmo#1960745)
Error handling for script execution was incorrectly isolated
from web content
* CVE-2025-5264 (bmo#1950001)
Potential local code execution in “Copy as cURL” command
* CVE-2025-5265 (bmo#1962301)
Potential local code execution in “Copy as cURL” command
* CVE-2025-5266 (bmo#1965628)
Script element events leaked cross-origin resource status
* CVE-2025-5267 (bmo#1954137)
Clickjacking vulnerability could have led to leaking saved
payment card details
* CVE-2025-5268 (bmo#1950136, bmo#1958121, bmo#1960499,
bmo#1962634)
Memory safety bugs fixed in Firefox 139, Thunderbird 139,
Firefox ESR 128.11, and Thunderbird 128.11
* CVE-2025-5269 (bmo#1924108)
Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird
128.11
* fixed: Thunderbird could crash if message copying to Sent
folder was interrupted (bmo#1965304)
* Wed May 21 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.10.2
MFSA 2025-40 (boo#1243303)
* CVE-2025-4918 (bmo#1966612)
Out-of-bounds access when resolving Promise objects
* CVE-2025-4919 (bmo#1966614)
Out-of-bounds access when optimizing linear sums
* Messages could not be viewed if the profile used a UNC path
* Visual and UX improvements
* Thu May 15 2025 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird ESR 128.10.1:
MFSA 2025-34 (boo#1243216)
* CVE-2025-3875 (bmo#1950629)
Sender Spoofing via Malformed From Header in Thunderbird
* CVE-2025-3877 (bmo#1958580)
Unsolicited File Download, Disk Space Exhaustion, and
Credential Leakage via mailbox:/// Links
* CVE-2025-3909 (bmo#1958376)
JavaScript Execution via Spoofed PDF Attachment and file:///
Link
* CVE-2025-3932 (bmo#1960412)
Tracking Links in Attachments Bypassed Remote Content
Blocking
* fixed: Standalone message windows/tabs no longer responded
after folder compaction (bmo#1960349)
* fixed: Thunderbird could crash when importing Outlook
messages (bmo#1851297)
* fixed: Visual and UX improvements (bmo#1960861)
* Sun May 11 2025 Christian Boltz <suse-beta@cboltz.de>
- build on s390x needs 17G memory - adjust _constraints
* Tue Apr 29 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.10.0
* Changed color override defaults with high contrast mode on
macOS and Linux
* Using Delete column in "Search Messages..." window could delete
other messages
MFSA 2025-32 (bsc#1241621)
* CVE-2025-2817 (bmo#1917536)
Privilege escalation in Thunderbird Updater
* CVE-2025-4082 (bmo#1937097)
WebGL shader attribute memory corruption in Thunderbird for
macOS
* CVE-2025-4083 (bmo#1958350)
Process isolation bypass using "javascript:" URI links in
cross-origin frames
* CVE-2025-4084 (bmo#1949994, bmo#1956698, bmo#1960198)
Potential local code execution in "copy as cURL" command
* CVE-2025-4087 (bmo#1952465)
Unsafe attribute access during XPath parsing
* CVE-2025-4091 (bmo#1951161, bmo#1952105)
Memory safety bugs fixed in Firefox 138, Thunderbird 138,
Firefox ESR 128.10, and Thunderbird 128.10
* CVE-2025-4093 (bmo#1894100)
Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird
128.10
* Tue Apr 15 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.9.2
* Two-factor auth via text or email did not work with Office 365 using OAuth2
* IRC channel was not visible after restart
* Global indexing failed when processing email with invalid calendar data
MFSA 2025-27
* CVE-2025-3522 (bmo#1955372)
Leak of hashed Windows credentials via crafted attachment URL
* CVE-2025-2830 (bmo#1956379)
Information Disclosure of /tmp directory listing
* CVE-2025-3523 (bmo#1958385)
User Interface (UI) Misrepresentation of attachment URL
* Sat Apr 05 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.9.1
* Added delay to built-in notifications when new profile is
created in offline mode
* Thu Apr 03 2025 Ana Guerrero <ana.guerrero@suse.com>
- Update to use BuildRequires on clang-devel on Tumbleweed/Factory
instead of clang18-tools.
* Thu Mar 27 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.9.0
* Thunderbird now has a notification system for real-time desktop alerts
* Data corruption occurred when compacting IMAP Drafts folder after
saving a message
* Right-clicking "Decrypt and Save As..." on an attachment file failed.
* Thunderbird could crash when importing mail
* Sort indicators were missing on the calendar events list
MFSA 2025-24 (bsc#1240083)
* CVE-2025-3028 (bmo#1941002)
Use-after-free triggered by XSLTProcessor
* CVE-2025-3029 (bmo#1952213)
URL Bar Spoofing via non-BMP Unicode characters
* CVE-2025-3030 (bmo#1850615, bmo#1932468, bmo#1942551,
bmo#1951017, bmo#1951494)
Memory safety bugs fixed in Firefox 137, Thunderbird 137,
Firefox ESR 128.9, and Thunderbird 128.9
* Wed Mar 05 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.8.0
* Opening an .EML file in profiles with many folders could take a long time
* Users with many folders experienced poor performance when resizing
message panes
* "Replace" button in compose window was overwritten when the window
was narrow
* Export to mobile did not work when "Use default server" was selected
* "Save Link As" was not working in feed web content
MFSA 2025-18 (bsc#1237683)
* CVE-2024-43097 (bmo#1945624)
Overflow when growing an SkRegion's RunArray
* CVE-2025-1930 (bmo#1902309)
AudioIPC StreamData could trigger a use-after-free in the
Browser process
* CVE-2025-1931 (bmo#1944126)
Use-after-free in WebTransportChild
* CVE-2025-1932 (bmo#1944313)
Inconsistent comparator in XSLT sorting led to out-of-bounds access
* CVE-2025-1933 (bmo#1946004)
JIT corruption of WASM i32 return values on 64-bit CPUs
* CVE-2025-1934 (bmo#1942881)
Unexpected GC during RegExp bailout processing
* CVE-2025-1935 (bmo#1866661)
Clickjacking the registerProtocolHandler info-bar
* CVE-2025-1936 (bmo#1940027)
Adding %00 and a fake extension to a jar: URL changed the
interpretation of the contents
* CVE-2025-1937 (bmo#1938471, bmo#1940716)
Memory safety bugs fixed in Firefox 136, Thunderbird 136,
Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
* CVE-2025-1938 (bmo#1922889, bmo#1935004, bmo#1943586,
bmo#1943912, bmo#1948111)
Memory safety bugs fixed in Firefox 136, Thunderbird 136,
Firefox ESR 128.8, and Thunderbird 128.8
* Wed Feb 19 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.7.1
* Users may not have been notified if messages arrived in multiple
folders at once
* Message list scrolled to the wrong place on start-up
* Unified folders could become unusable instead of being
automatically rebuilt
* Some messages may have been threaded incorrectly in unified folders
* Middle-click autoscroll cursor appeared without arrows instead
of expected design
* Wed Feb 05 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.7.0
MFSA 2025-10 (bsc#1236539)
* CVE-2025-1009 (bmo#1936613)
Use-after-free in XSLT
* CVE-2025-1010 (bmo#1936982)
Use-after-free in Custom Highlight
* CVE-2025-1011 (bmo#1936454)
A bug in WebAssembly code generation could result in a crash
* CVE-2025-1012 (bmo#1939710)
Use-after-free during concurrent delazification
* CVE-2024-11704 (bmo#1899402)
Potential double-free vulnerability in PKCS#7 decryption
handling
* CVE-2025-1013 (bmo#1932555)
Potential opening of private browsing tabs in normal browsing
windows
* CVE-2025-1014 (bmo#1940804)
Certificate length was not properly checked
* CVE-2025-1015 (bmo#1939458)
Unsanitized address book fields
* CVE-2025-0510 (bmo#1940570)
Address of e-mail sender can be spoofed by malicious email
* CVE-2025-1016 (bmo#1936601, bmo#1936844, bmo#1937694,
bmo#1938469, bmo#1939583, bmo#1940994)
Memory safety bugs fixed in Firefox 135, Thunderbird 135,
Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20,
and Thunderbird 128.7
* CVE-2025-1017 (bmo#1926256, bmo#1935471, bmo#1935984)
Memory safety bugs fixed in Firefox 135, Thunderbird 135,
Firefox ESR 128.7, and Thunderbird 128.7
* Mon Jan 27 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.6.1
* fixed: Link at about:rights pointed to Firefox privacy policy
instead of Thunderbird's (bmo#1941998)
* fixed: POP3 'fetch headers only' and 'get selected messages'
could delete messages (bmo#1930847)
* fixed: 'Search Online' checkbox in saved search properties
was incorrectly disabled (bmo#1937642)
* fixed: POP3 status message showed incorrect download count
when messages were deleted (bmo#1935800)
* fixed: Space bar did not always advance to the next unread
message (bmo#1468925)
* fixed: Folder creation or renaming failed due to incorrect
preference settings (bmo#1911225)
* fixed: Forwarding/editing S/MIME drafts/templates unusable
due to regression (bmo#1940605, boo#1236411)
* fixed: Sort order in 'Search Messages' panel reset after
search or on first launch (bmo#1935073)
* fixed: Reply window added an unnecessary third blank line at
the top (bmo#1935938)
* fixed: Thunderbird spell check box did not allow ENTER to
accept suggested changes (bmo#1935401)
* fixed: Long email subject lines could overlap window control
buttons on macOS (bmo#1940201)
* fixed: Flathub manifest link was not correct (bmo#1907695)
* fixed: 'Prefer client-side email scheduling' needed to be
selected twice (bmo#1862400)
* fixed: Duplicate invitations were sent if CALDAV calendar
email case did not match (bmo#1889607)
* fixed: Visual and UX improvements
(bmo#1875325,bmo#1901846,bmo#1939603,bmo#1855276)
* Wed Jan 08 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.6.0
* New mail notification was not hidden after reading the new message
* New mail notification could show for the wrong folder, causing
repeated alerts
* macOS shortcut CMD+1 did not restore the main window when it was
minimized
* Clicking the context menu "Reply" button resulted in "Reply-All"
* Switching from "All", "Unread", and "Threads with unread" did not work
* Downloading message headers from a newsgroup could cause a hang
* Message list performance slow when many updates happened at once
* "mailto:" links did not apply the compose format of the current identity
* Authentication failure of AUTH PLAIN or AUTH LOGIN did not fall
back to USERPASS
MFSA 2025-05 (bsc#1234991)
* CVE-2025-0237 (bmo#1915257)
WebChannel APIs susceptible to confused deputy attack
* CVE-2025-0238 (bmo#1915535)
Use-after-free when breaking lines in text
* CVE-2025-0239 (bmo#1929156)
Alt-Svc ALPN validation failure when redirected
* CVE-2025-0240 (bmo#1929623)
Compartment mismatch when parsing JavaScript JSON module
* CVE-2025-0241 (bmo#1933023)
Memory corruption when using JavaScript Text Segmentation
* CVE-2025-0242 (bmo#1874523, bmo#1926454, bmo#1931873, bmo#1932169)
Memory safety bugs fixed in Firefox 134, Thunderbird 134,
Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19,
and Thunderbird 128.6
* CVE-2025-0243 (bmo#1827142, bmo#1932783)
Memory safety bugs fixed in Firefox 134, Thunderbird 134,
Firefox ESR 128.6, and Thunderbird 128.6
* Wed Dec 11 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.5.2
* Large virtual folders could be very slow
* Message could disappear after moving from IMAP folder followed
by Undo and Redo
* XMPP chat did not display messages sent inside a CDATA element
* Selected calendar day did not move forward at midnight
* Today pane agenda sometimes scrolled for no apparent reason
* CalDAV calendars without offline support could degrade start-up
performance
* Visual and UX improvements
MFSA 2024-69
* CVE-2024-50336 (bmo#1929264)
matrix-js-sdk has insufficient MXC URI validation which could
allow client-side path traversal
* Tue Dec 03 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.5.1
* Add end of year donation appeal
* Total message count for favorite folders did not work consistently
* Thu Nov 28 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- make spec compatible with rpm < 4.17 again
- correct appdata for different desktop filename
* Tue Nov 26 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.5.0
* IMAP could crash when reading cached messages
* Enabling "Show Folder Size" on Maildir profile could render
Thunderbird unusable
* Messages corrupted by folder compaction were only fixed by user
intervention
* Reading a message from past the end of an mbox file did not
cause an error
* View -> Folders had duplicate F access keys
* Add-ons adding columns to the message list could fail and cause
display issue
* "Empty trash on exit" and "Expunge inbox on exit" did not
always work
* Selecting a display option in View -> Tasks did not apply in
the Task interface
MFSA 2024-68 (bsc#1233695)
* CVE-2024-11691 (bmo#1914707, bmo#1924184)
Memory corruption in Apple GPU drivers
* CVE-2024-11692 (bmo#1909535)
Select list elements could be shown over another site
* CVE-2024-11693 (bmo#1921458)
Download Protections were bypassed by .library-ms files on Windows
* CVE-2024-11694 (bmo#1924167)
CSP Bypass and XSS Exposure via Web Compatibility Shims
* CVE-2024-11695 (bmo#1925496)
URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
* CVE-2024-11696 (bmo#1929600)
Unhandled Exception in Add-on Signature Verification
* CVE-2024-11697 (bmo#1842187)
Improper Keypress Handling in Executable File Confirmation Dialog
* CVE-2024-11698 (bmo#1916152)
Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS
* CVE-2024-11699 (bmo#1880582, bmo#1929911)
Memory safety bugs fixed in Firefox 133, Thunderbird 133,
Firefox ESR 128.5, and Thunderbird 128.5
- appid is thunderbird-esr currently; use the matching desktop
file name (boo#1233650)
* Wed Nov 20 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.4.4
* QR codes were not scannable by Android app when using most
high-contrast themes
* Primary password prompt cancellation during mobile export was
confusing
- revert using xdg-desktop-portal as some desktops have limited
support
* Sat Nov 09 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.4.3
Fixes:
* Folder corruption could cause Thunderbird to freeze and become unusable
* Message corruption could be propagated when reading mbox
* Folder compaction was not abandoned on shutdown
* Folder compaction did not clean up on failure
* Collapsed NNTP thread incorrectly indicated there were unread messages
* Navigating to next unread message did not wait for all messages
to be loaded
* Applying column view to folder and children could break if folder
error occurred
* Remote content notifications were broken with encrypted messages
* Updating criteria of a saved search resulted in poor search performance
* Drop-downs may not work in some places
MFSA 2024-61
* CVE-2024-11159 (bmo#1925929)
Potential disclosure of plaintext in OpenPGP encrypted message
- remove kmozillahelper support (boo#1226112)
* removed mozilla-kde.patch
* requires xdg-desktop-portal instead
* Wed Nov 06 2024 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 128.4.2
* Increased the auto-compaction threshold to reduce the frequency
of compaction (bmo#1927656)
* fixed: New profile creation caused console errors (bmo#1912675)
* fixed: Repair folder could result in older messages showing
wrong date and time (bmo#1911916)
* fixed: Recently deleted messages could become undeleted if
message compaction failed (bmo#1924927)
* fixed: Visual and UX improvements
(bmo#1857413,bmo#1922934,bmo#1924437)
* fixed: Clicking on an HTML button could cause Thunderbird to
freeze (bmo#1879355)
* fixed: Messages could not be selected for dragging
(bmo#1887518)
* fixed: Could not open attached file in a MIME encrypted
message (bmo#1924637)
* fixed: Account creation "Setup Documentation" link was broken
(bmo#1925493)
* fixed: Unable to generate QR codes when exporting to mobile
in some cases (bmo#1928114)
* fixed: Operating system reauthentication was missing when
exporting QR codes for mobile (bmo#1928232)
* fixed: Could not drag all-day events from one day to another
in week view (bmo#1922944)
* Sat Nov 02 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.4.1
* Add the 20 year donation appeal (bmo#192538)
* Wed Oct 30 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.4.0
* Export Thunderbird account settings to Thunderbird Mobile via QRCode
Bugfixes:
* Unable to send an unencrypted response to an OpenPGP encrypted message
MFSA 2024-58 (bsc#1231879)
* CVE-2024-10458 (bmo#1921733)
Permission leak via embed or object elements
* CVE-2024-10459 (bmo#1919087)
Use-after-free in layout with accessibility
* CVE-2024-10460 (bmo#1912537)
Confusing display of origin for external protocol handler prompt
* CVE-2024-10461 (bmo#1914521)
XSS due to Content-Disposition being ignored in
multipart/x-mixed-replace response
* CVE-2024-10462 (bmo#1920423)
Origin of permission prompt could be spoofed by long URL
* CVE-2024-10463 (bmo#1920800)
Cross origin video frame leak
* CVE-2024-10464 (bmo#1913000)
History interface could have been used to cause a Denial of
Service condition in the browser
* CVE-2024-10465 (bmo#1918853)
Clipboard "paste" button persisted across tabs
* CVE-2024-10466 (bmo#1924154)
DOM push subscription message could hang Firefox
* CVE-2024-10467 (bmo#1829029, bmo#1888538, bmo#1900394, bmo#1904059,
bmo#1917742, bmo#1919809, bmo#1923706)
Memory safety bugs fixed in Firefox 132, Thunderbird 132,
Firefox ESR 128.4, and Thunderbird 128.4
* Wed Oct 23 2024 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 128.3.3
* Files left over from failed folder compactions could use up
disk space (bmo#1878541)
* Message list returned to selected message after action on
another message (bmo#1917485)
* Some faulty messages were downloaded and never stored
(bmo#1923765)
* Messages could become corrupted during folder compaction
(bmo#1923747,bmo#1923541,bmo#1720047)
* Searching events by Location, Description, or URL failed
(bmo#1912710)
* "Remove All Shown" saved passwords deleted all logins if
filtered without results (bmo#601447)
* Calendar event updates were not always sent to attendees
(bmo#1877640)
* Wed Oct 16 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.3.2
bugfix release:
https://www.thunderbird.net/en-US/thunderbird/128.3.2esr/releasenotes
- bring back mozilla-bmo531915.patch to fix x86
* Thu Oct 10 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 128.3.1
https://www.thunderbird.net/en-US/thunderbird/128.0esr/releasenotes/
and following release notes for minor version updates
MFSA 2024-52 (bsc#1231413)
* CVE-2024-9680 (bmo#1923344)
Use-after-free in Animation timeline
Mozilla Thunderbird 128.3.0
MFSA 2024-32 (128.0)
MFSA 2024-37 (128.1)
MFSA 2024-43 (128.2)
MFSA 2024-49 (128.3) (bsc#1230979)
* CVE-2024-9392 (bmo#1899154, bmo#1905843)
Compromised content process can bypass site isolation
* CVE-2024-9393 (bmo#1918301)
Cross-origin access to PDF contents through multipart responses
* CVE-2024-9394 (bmo#1918874)
Cross-origin access to JSON contents through multipart responses
* CVE-2024-8900 (bmo#1872841)
Clipboard write permission bypass
* CVE-2024-9396 (bmo#1912471)
Potential memory corruption may occur when cloning certain objects
* CVE-2024-9397 (bmo#1916659)
Potential directory upload bypass via clickjacking
* CVE-2024-9398 (bmo#1881037)
External protocol handlers could be enumerated via popups
* CVE-2024-9399 (bmo#1907726)
Specially crafted WebTransport requests could lead to denial
of service
* CVE-2024-9400 (bmo#1915249)
Potential memory corruption during JIT compilation
* CVE-2024-9401 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1916476)
Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16,
Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
* CVE-2024-9402 (bmo#1872744, bmo#1897792, bmo#1911317, bmo#1913445,
bmo#1914106, bmo#1914475, bmo#1914963, bmo#1915008, bmo#1916476)
Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3,
Thunderbird 131, and Thunderbird 128.3
- removed obsolete patches
mozilla-bmo1504834-part3.patch
mozilla-bmo1512162.patch
mozilla-bmo1775202.patch
mozilla-bmo531915.patch
mozilla-fix-aarch64-libopus.patch
mozilla-fix-issues-with-llvm18.patch
mozilla-fix-top-level-asm.patch
mozilla-partial-revert-1768632.patch
mozilla-rust-disable-future-incompat.patch
thunderbird-fix-CVE-2024-34703.patch
- new patch thunderbird-silence-no-return.patch
- rebased
mozilla-bmo1504834-part1.patch
mozilla-kde.patch
mozilla-libavcodec58_91.patch
mozilla-silence-no-return-type.patch
* Fri Sep 06 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.15.0
MFSA 2024-44 (bsc#1229821)
* CVE-2024-8381 (bmo#1912715)
Type confusion when looking up a property name in a "with"
block
* CVE-2024-8382 (bmo#1906744)
Internal event interfaces were exposed to web content when
browser EventHandler listener callbacks ran
* CVE-2024-8384 (bmo#1911288)
Garbage collection could mis-color cross-compartment objects
in OOM conditions
* Thu Aug 29 2024 Manfred Hollstein <manfred.h@gmx.net>
- Use gcc13 on Tumbleweed and where it is available.
- Don't use gcc14 as sources don't compile.
* Fri Aug 02 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.14.0
* When using an external installation of GnuPG, Thunderbird
occasionally sent/received corrupted messages (bmo#1898832)
* Users of external GnuPG were unable to decrypt incorrectly
encoded messages (bmo#1906903)
MFSA 2024-38 (bsc#1228648)
* CVE-2024-7519 (bmo#1902307)
Out of bounds memory access in graphics shared memory handling
* CVE-2024-7521 (bmo#1904644)
Incomplete WebAssembly exception handling
* CVE-2024-7522 (bmo#1906727)
Out of bounds read in editor component
* CVE-2024-7525 (bmo#1909298)
Missing permission check when creating a StreamFilter
* CVE-2024-7526 (bmo#1910306)
Uninitialized memory used by WebGL
* CVE-2024-7527 (bmo#1871303)
Use-after-free in JavaScript garbage collection
* CVE-2024-7529 (bmo#1903187)
Document content could partially obscure security prompts
* Wed Jul 10 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.13.0
* After starting Thunderbird, the message list position was
sometimes set to an incorrect position
MFSA 2024-30 (bsc#1226316)
* CVE-2024-6600 (bmo#1888340)
Memory corruption in WebGL API
* CVE-2024-6601 (bmo#1890748)
Race condition in permission assignment
* CVE-2024-6602 (bmo#1895032)
Memory corruption in NSS
* CVE-2024-6603 (bmo#1895081)
Memory corruption in thread creation
* CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
and Thunderbird 115.13
* Tue Jul 02 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 115.12.2
* fixed: Annual Thunderbird Beta appeal intended for
Thunderbird 115.12.0 did not open as expected (bmo#1898084)
- Mozilla Thunderbird 115.12.1
* 115.12.0 got pulled because of upstream automation process errors
and Windows installer signing changes.
No code changes, changelog is the same as 115.12.0 (bsc#1226495)
- Added thunderbird-fix-CVE-2024-34703.patch (bsc#1227239)
* Mon Jun 17 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.12.0
https://www.thunderbird.net/en-US/thunderbird/115.12.0/releasenotes
MFSA 2024-28 (bsc#1226027)
* CVE-2024-5702 (bmo#1193389)
Use-after-free in networking
* CVE-2024-5688 (bmo#1895086)
Use-after-free in JavaScript object transplant
* CVE-2024-5690 (bmo#1883693)
External protocol handlers leaked by timing attack
* CVE-2024-5691 (bmo#1888695)
Sandboxed iframes were able to bypass sandbox restrictions to
open a new window
* CVE-2024-5692 (bmo#1891234)
Bypass of file name restrictions during saving
* CVE-2024-5693 (bmo#1891319)
Cross-Origin Image leak via Offscreen Canvas
* CVE-2024-5696 (bmo#1896555)
Memory Corruption in Text Fragments
* CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388, bmo#1895123)
Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12,
and Thunderbird 115.12
* Wed May 29 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.11.1
* Added a short anonymous survey that a small number of users will
be randomly asked to complete
* Tue May 14 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.11.0
MFSA 2024-23 (bsc#1224056)
* CVE-2024-4367 (bmo#1893645)
Arbitrary JavaScript execution in PDF.js
* CVE-2024-4767 (bmo#1878577)
IndexedDB files retained in private browsing mode
* CVE-2024-4768 (bmo#1886082)
Potential permissions request bypass via clickjacking
* CVE-2024-4769 (bmo#1886108)
Cross-origin responses could be distinguished between script
and non-script content-types
* CVE-2024-4770 (bmo#1893270)
Use-after-free could occur when printing to PDF
* CVE-2024-4777 (bmo#1878199, bmo#1893340)
Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
and Thunderbird 115.11
* Sat May 04 2024 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 115.10.2:
https://www.thunderbird.net/en-US/thunderbird/115.10.2/releasenotes/
This release is identical to 115.10.1, other than changing the
Update channel for self-updating builds to ESR. (bmo#1893271)
* Fri Apr 19 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.10.1
https://www.thunderbird.net/en-US/thunderbird/115.10.1/releasenotes/
* fixed hangup introduced with 115.10.0 (bmo#1891889)
* Sun Apr 14 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.10.0
https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
MFSA 2024-20 (bsc#1222535)
* CVE-2024-3852 (bmo#1883542)
GetBoundName in the JIT returned the wrong object
* CVE-2024-3854 (bmo#1884552)
Out-of-bounds-read after mis-optimized switch statement
* CVE-2024-3857 (bmo#1886683)
Incorrect JITting of arguments led to use-after-free during
garbage collection
* CVE-2024-2609 (bmo#1866100)
Permission prompt input delay could expire when not in focus
* CVE-2024-3859 (bmo#1874489)
Integer-overflow led to out-of-bounds-read in the OpenType sanitizer
* CVE-2024-3861 (bmo#1883158)
Potential use-after-free due to AlignedBuffer self-move
* CVE-2024-3863 (bmo#1885855)
Download Protections were bypassed by .xrm-ms files on Windows
* CVE-2024-3302 (bmo#1881183)
Denial of Service using HTTP/2 CONTINUATION frames
* CVE-2024-3864 (bmo#1888333)
Memory safety bug fixed in Firefox 125, Firefox ESR 115.10,
and Thunderbird 115.10
* Wed Mar 20 2024 Manfred Hollstein <manfred.h@gmx.net>
- LLVM18 breaks building Thunderbird on Tumbleweed; add
* mozilla-fix-issues-with-llvm18.patch
* Sat Mar 16 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.9.0
https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/
MFSA 2024-14 (bsc#1221327)
* CVE-2024-0743 (bmo#1867408)
Crash in NSS TLS method
* CVE-2024-2605 (bmo#1872920)
Windows Error Reporter could be used as a Sandbox escape vector
* CVE-2024-2607 (bmo#1879939)
JIT code failed to save return registers on Armv7-A
* CVE-2024-2608 (bmo#1880692)
Integer overflow could have led to out of bounds write
* CVE-2024-2616 (bmo#1846197)
Improve handling of out-of-memory conditions in ICU
* CVE-2023-5388 (bmo#1780432)
NSS susceptible to timing attack against RSA decryption
* CVE-2024-2610 (bmo#1871112)
Improper handling of html and body tags enabled CSP nonce leakage
* CVE-2024-2611 (bmo#1876675)
Clickjacking vulnerability could have led to a user accidentally
granting permissions
* CVE-2024-2612 (bmo#1879444)
Self referencing object could have potentially led to a use-
after-free
* CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093)
Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
and Thunderbird 115.9
* Tue Mar 05 2024 Adam Mizerski <adam@mizerski.pl>
- Create subpackage MozillaThunderbird-openpgp-librnp
* Tue Mar 05 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.8.1
https://www.thunderbird.net/en-US/thunderbird/115.8.1/releasenotes/
MFSA 2024-11
* CVE-2024-1936 (bmo#1860977)
Leaking of encrypted email subjects to other conversations
* Mon Feb 19 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.8.0
MFSA 2024-07 (bsc#1220048)
* CVE-2024-1546 (bmo#1843752)
Out-of-bounds memory read in networking channels
* CVE-2024-1547 (bmo#1877879)
Alert dialog could have been spoofed on another site
* CVE-2024-1548 (bmo#1832627)
Fullscreen Notification could have been hidden by select
element
* CVE-2024-1549 (bmo#1833814)
Custom cursor could obscure the permission dialog
* CVE-2024-1550 (bmo#1860065)
Mouse cursor re-positioned unexpectedly could have led to
unintended permission grants
* CVE-2024-1551 (bmo#1864385)
Multipart HTTP Responses would accept the Set-Cookie header
in response parts
* CVE-2024-1552 (bmo#1874502)
Incorrect code generation on 32-bit ARM devices
* CVE-2024-1553 (bmo#1855686, bmo#1867982, bmo#1871498,
bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597,
bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795,
bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286)
Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8,
and Thunderbird 115.8
* new: Added option to show packet dump when OpenPGP fails to
decrypt (bmo#1874504)
* fixed: Thunderbird slowed down significantly when opening
email files (.eml) (bmo#1863957)
* fixed: Inbox view intermittently reverted to default view
after moving or deleting messages (bmo#1725127)
* fixed: Size of collapsed folders in folder pane did not
include size of subfolders (bmo#1870641)
* fixed: Hovering over folder does not always expand subfolders
(bmo#1873101)
* fixed: Switching to thread pane of a folder using keyboard
navigation did not focus top message (bmo#1869557)
* fixed: Clicking "Sent unsent messages" in Outbox context menu
while in offline mode did not prompt user to go online
(bmo#1873487)
* fixed: Mail tab-specific Unified Toolbar buttons received
focus incorrectly (bmo#1872239)
* fixed: Quick Filter settings did not persist when Quick
Filter bar was turned off (bmo#1850266)
* fixed: Quick Filters were unusually slow (bmo#1849650)
* fixed: OpenPGP Key Manager filtering did not work
(bmo#1873655)
* fixed: OpenPGP sometimes attempted to decrypt message with
incorrect key (bmo#1865620)
* fixed: Autoconfig failed on servers that did not support
OAuth2 (bmo#1869122)
* fixed: Opening different attachments with the same name in
different messages could cause attachment files to become
conflated (bmo#1873023)
* fixed: Overflowed attachment list could not be scrolled
(bmo#1871343)
* fixed: Passwords disappeared from password manager list after
applying and clearing filters (bmo#1874646)
* fixed: Cookies in cookie manager list disappeared after
applying and then clearing filters (bmo#1876733)
* Sun Jan 21 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.7.0
https://www.thunderbird.net/en-US/thunderbird/115.7.0/releasenotes/
MFSA 2024-04 (bsc#1218955)
* CVE-2024-0741 (bmo#1864587)
Out of bounds write in ANGLE
* CVE-2024-0742 (bmo#1867152)
Failure to update user input timestamp
* CVE-2024-0746 (bmo#1660223)
Crash when listing printers on Linux
* CVE-2024-0747 (bmo#1764343)
Bypass of Content Security Policy when directive unsafe-inline was set
* CVE-2024-0749 (bmo#1813463)
Phishing site popup could show local origin in address bar
* CVE-2024-0750 (bmo#1863083)
Potential permissions request bypass via clickjacking
* CVE-2024-0751 (bmo#1865689)
Privilege escalation through devtools
* CVE-2024-0753 (bmo#1870262)
HSTS policy on subdomain could bypass policy of upper domain
* CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
and Thunderbird 115.7
* Wed Jan 10 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 115.6.1
https://www.thunderbird.net/en-US/thunderbird/115.6.1/releasenotes/
* new: OAuth2 now supported for comcast.net (bmo#1844810)
* fixed: High CPU usage sometimes occurred with IMAP CONDSTORE
(conditional STORE) enabled (bmo#1839256)
* fixed: Replying to a collapsed thread via keyboard shortcut
(Ctrl+R/Cmd+R) opened a reply for every message in the thread
(bmo#1866819)
* fixed: Enabling Grouped By view after reversing sort order of
column header caused messages to be grouped incorrectly
(bmo#1868794)
* fixed: Opening thread pane context menu via keyboard did not
always scroll view to selection (bmo#1867532)
* fixed: New mail indicator for POP3 accounts did not indicate
new messages ready to be downloaded (bmo#1870619)
* fixed: Messages could not be moved to folders using Message >
Move To if text or a link in the message had been clicked on
first (bmo#1868474)
* fixed: MIME part boundaries were not properly terminated
(bmo#1805558)
* Sun Dec 17 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.6.0
https://www.thunderbird.net/en-US/thunderbird/115.6.0/releasenotes/
* Message selection misbehaved after selecting a sub-message in an
expanded thread, collapsing the thread, then pressing up/down to
move selection
* Thunderbird now attempts to reconnect on a new connection after
SMTP 4xx errors
* HTML FileLink attachments used the wrong encoding
MFSA 2023-55 (bsc#1217230)
* CVE-2023-50762 (bmo#1862625)
Truncated signed text was shown with a valid OpenPGP
signature
* CVE-2023-50761 (bmo#1865647)
S/MIME signature accepted despite mismatching message date
* CVE-2023-6856 (bmo#1843782)
Heap-buffer-overflow affecting WebGL DrawElementsInstanced
method with Mesa VM driver
* CVE-2023-6857 (bmo#1796023)
Symlinks may resolve to smaller than expected buffers
* CVE-2023-6858 (bmo#1826791)
Heap buffer overflow in nsTextFragment
* CVE-2023-6859 (bmo#1840144)
Use-after-free in PR_GetIdentitiesLayer
* CVE-2023-6860 (bmo#1854669)
Potential sandbox escape due to VideoBridge lack of texture
validation
* CVE-2023-6861 (bmo#1864118)
Heap buffer overflow affected nsWindow::PickerOpen(void) in
headless mode
* CVE-2023-6862 (bmo#1868042)
Use-after-free in nsDNSService
* CVE-2023-6863 (bmo#1868901)
Undefined behavior in ShutdownObserver()
* CVE-2023-6864 (bmo#1736385, bmo#1810805, bmo#1846328,
bmo#1856090, bmo#1858033, bmo#1858509, bmo#1862089,
bmo#1862777, bmo#1864015)
Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6,
and Thunderbird 115.6
* Tue Dec 12 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.5.2
Bugfix release
https://www.thunderbird.net/en-US/thunderbird/115.5.2/releasenotes/
* Tue Nov 28 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.5.1
Bugfix release
https://www.thunderbird.net/en-US/thunderbird/115.5.1/releasenotes
* Advanced GnuPG keys may be protected with an unexpected passphrase
* OpenPGP signatures rejected due to mismatched signature timestamp
now display signature timestamp and clarifying message
* Advanced address book search did not return results if display name
was left blank
* Clicking on attendee when inviting attendees added the attendee twice
* Wed Nov 22 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.5.0
https://www.thunderbird.net/en-US/thunderbird/115.5.0/releasenotes
MFSA 2023-52 (bsc#1217230)
* CVE-2023-6204 (bmo#1841050)
Out-of-bound memory access in WebGL2 blitFramebuffer
* CVE-2023-6205 (bmo#1854076)
Use-after-free in MessagePort::Entangled
* CVE-2023-6206 (bmo#1857430)
Clickjacking permission prompts using the fullscreen transition
* CVE-2023-6207 (bmo#1861344)
Use-after-free in ReadableByteStreamQueueEntry::Buffer
* CVE-2023-6208 (bmo#1855345)
Using Selection API would copy contents into X11 primary
selection.
* CVE-2023-6209 (bmo#1858570)
Incorrect parsing of relative URLs starting with "///"
* CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, bmo#1856072,
bmo#1856091, bmo#1859030, bmo#1860943, bmo#1862782)
Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
and Thunderbird 115.5
* Wed Nov 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.4.3
Bugfix release
https://www.thunderbird.net/en-US/thunderbird/115.4.3/releasenotes
* Sat Nov 04 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.4.2
https://www.thunderbird.net/en-US/thunderbird/115.4.2/releasenotes
- build using rust/cargo 1.72 (1.69 about to be dropped from Factory)
* Tue Oct 24 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.4.1
https://www.thunderbird.net/en-US/thunderbird/115.4.1/releasenotes
https://www.thunderbird.net/en-US/thunderbird/115.4.0/releasenotes
MFSA 2023-47 (bsc#1216338)
* CVE-2023-5721 (bmo#1830820)
Queued up rendering could have allowed websites to clickjack
* CVE-2023-5732 (bmo#1690979, bmo#1836962)
Address bar spoofing via bidirectional characters
* CVE-2023-5724 (bmo#1836705)
Large WebGL draw could have led to a crash
* CVE-2023-5725 (bmo#1845739)
WebExtensions could open arbitrary URLs
* CVE-2023-5726 (bmo#1846205)
Full screen notification obscured by file open dialog on macOS
* CVE-2023-5727 (bmo#1847180)
Download Protections were bypassed by .msix, .msixbundle,
.appx, and .appxbundle files on Windows
* CVE-2023-5728 (bmo#1852729)
Improper object tracking during GC in the JavaScript engine
could have led to a crash.
* CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694, bmo#1848833,
bmo#1850191, bmo#1850259, bmo#1852596, bmo#1853201, bmo#1854002,
bmo#1855306, bmo#1855640, bmo#1856695)
Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4,
and Thunderbird 115.4.1
- removed obsolete mozilla-bmo1846703.patch
* Tue Oct 24 2023 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 115.3.3
* fixed: "Folder Location" toolbar button did not work for
local folders (bmo#1843979)
* fixed: "Copy to <folder name> again" option disappeared from
context menu after copying to Gmail folder with non-ASCII
name (bmo#1856712)
* fixed: Default reply identity did not use "Delivered-To"
address when catch-all was active (bmo#1815559)
* fixed: "View Headers All" did not work when selected in
standalone message window (bmo#1855316)
* fixed: Viewing the mail filter log displayed an error if no
log file was present (bmo#1789244)
* Tue Oct 10 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.3.2
Bugfix release
https://www.thunderbird.net/en-US/thunderbird/115.3.2/releasenotes
* Fri Sep 29 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.3.1
MFSA 2023-45 (bsc#1215814)
* CVE-2023-5217 (bmo#1855550)
Heap buffer overflow in libvpx
- Add mozilla-bmo1846703.patch
* Tue Sep 26 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.3.0
https://www.thunderbird.net/en-US/thunderbird/115.3.0/releasenotes
MFSA 2023-43 (bsc#1215575)
* CVE-2023-5168 (bmo#1846683)
Out-of-bounds write in FilterNodeD2D1
* CVE-2023-5169 (bmo#1846685)
Out-of-bounds write in PathOps
* CVE-2023-5171 (bmo#1851599)
Use-after-free in Ion Compiler
* CVE-2023-5174 (bmo#1848454)
Double-free in process spawning on Windows
* CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824,
bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983,
bmo#1851195)
Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3,
and Thunderbird 115.3
* Wed Sep 20 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.2.3
Bugfix release:
https://www.thunderbird.net/en-US/thunderbird/115.2.3/releasenotes
* Tue Sep 12 2023 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 115.2.2
https://www.thunderbird.net/en-US/thunderbird/115.2.2/releasenotes
MFSA 2023-40 (bsc#1215231)
* CVE-2023-4863 (bmo#1852649)
Heap buffer overflow in libwebp
* Tue Sep 12 2023 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 115.2.1
https://www.thunderbird.net/en-US/thunderbird/115.2.1/releasenotes
* new: Column separators are now shown between all columns in
tree view (bmo#1847441)
* fixed: New mail notification always opened message in message
pane, even if pane was disabled (bmo#1840092)
* fixed: After moving an IMAP message to another folder, the
incorrect message was selected in the message list
(bmo#1845376)
* fixed: Adding a tag to an IMAP message opened in a tab failed
(bmo#1844452)
* fixed: Junk/Spam folders were not always shown in Unified
Folders mode (bmo#1838672)
* fixed: Middle-clicking a folder or message did not open it in
a background tab, as in previous versions (bmo#1842482)
* fixed: Settings tab visual improvements: Advanced Fonts
dialog, Section headers hidden behind search box
(bmo#1717382,bmo#1846751)
* fixed: Various visual and style fixes
(bmo#1843707,bmo#1849823)
* Sun Aug 27 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.2.0
https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes
MFSA 2023-38 (bsc#1214606)
* CVE-2023-4573 (bmo#1846687)
Memory corruption in IPC CanvasTranslator
* CVE-2023-4574 (bmo#1846688)
Memory corruption in IPC ColorPickerShownCallback
* CVE-2023-4575 (bmo#1846689)
Memory corruption in IPC FilePickerShownCallback
* CVE-2023-4576 (bmo#1846694)
Integer Overflow in RecordedSourceSurfaceCreation
* CVE-2023-4577 (bmo#1847397)
Memory corruption in JIT UpdateRegExpStatics
* CVE-2023-4051 (bmo#1821884)
Full screen notification obscured by file open dialog
* CVE-2023-4578 (bmo#1839007)
Error reporting methods in SpiderMonkey could have triggered
an Out of Memory Exception
* CVE-2023-4053 (bmo#1839079)
Full screen notification obscured by external program
* CVE-2023-4580 (bmo#1843046)
Push notifications saved to disk unencrypted
* CVE-2023-4581 (bmo#1843758)
XLL file extensions were downloadable without warnings
* CVE-2023-4582 (bmo#1773874)
Buffer Overflow in WebGL glGetProgramiv
* CVE-2023-4583 (bmo#1842030)
Browsing Context potentially not cleared when closing Private
Window
* CVE-2023-4584 (bmo#1843968, bmo#1845205, bmo#1846080,
bmo#1846526, bmo#1847529)
Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15,
Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2
* CVE-2023-4585 (bmo#1751583, bmo#1833504, bmo#1841082,
bmo#1847904, bmo#1848999)
Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2,
and Thunderbird 115.2
* Tue Aug 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.1.1
bugfixes as documented here
https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes
* Tue Aug 01 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 115.1.0
New major release with Supernova UI
Releasenotes for 115.0:
https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes
MFSA 2023-33 (bsc#1213746)
* CVE-2023-4045 (bmo#1833876)
Offscreen Canvas could have bypassed cross-origin restrictions
* CVE-2023-4046 (bmo#1837686)
Incorrect value used during WASM compilation
* CVE-2023-4047 (bmo#1839073)
Potential permissions request bypass via clickjacking
* CVE-2023-4048 (bmo#1841368)
Crash in DOMParser due to out-of-memory conditions
* CVE-2023-4049 (bmo#1842658)
Fix potential race conditions when releasing platform objects
* CVE-2023-4050 (bmo#1843038)
Stack buffer overflow in StorageManager
* CVE-2023-4052 (bmo#1824420)
File deletion and privilege escalation through Firefox uninstaller
* CVE-2023-4054 (bmo#1840777)
Lack of warning when opening appref-ms files
* CVE-2023-4055 (bmo#1782561)
Cookie jar overflow caused unexpected cookie jar state
* CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325,
bmo#1843847)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
* CVE-2023-4057 (bmo#1841682)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
and Thunderbird 115.1
- requires NSS 3.90
- add patches:
mozilla-rust-disable-future-incompat.patch
mozilla-partial-revert-1768632.patch
mozilla-bmo1775202.patch
- removed obsolete patches:
gcc13-fix.patch
mozilla-bmo1568145.patch
mozilla-bmo1005535.patch
mozilla-s390x-skia-gradient.patch
- update create-tar.sh
* Tue Jul 25 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.13.1
MFSA 2023-28
* CVE-2023-3417 (bmo#1835582, boo#1213658)
File Extension Spoofing using the Text Direction Override Character
* Fri Jul 07 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.13.0
* Upstream RNP version numbers now recognized as official in about:support
MFSA 2023-24 (bsc#1212438)
* CVE-2023-37201 (bmo#1826002)
Use-after-free in WebRTC certificate generation
* CVE-2023-37202 (bmo#1834711)
Potential use-after-free from compartment mismatch in
SpiderMonkey
* CVE-2023-37207 (bmo#1816287)
Fullscreen notification obscured
* CVE-2023-37208 (bmo#1837675)
Lack of warning when opening Diagcab files
* CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886,
bmo#1836550, bmo#1837450)
Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
and Thunderbird 102.13
- mozilla-llvm16.patch has been applied upstream, remove it here
* Sun Jun 04 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.12.0:
MFSA 2023-21 (bsc#1211922)
* CVE-2023-34414 (bmo#1695986)
Click-jacking certificate exceptions through rendering lag
* CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875,
bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190,
bmo#1830206, bmo#1830795, bmo#1833339)
Memory safety bugs fixed in Thunderbird 102.12
* fixed: "Searching the directory for recipients certificates"
popup could block compose window when "S/MIME reminder" was
enabled and using an LDAP address book (bmo#1833651)
* fixed: Some elements still used animations with "prefers-
reduced-motion" set (bmo#1833353)
* fixed: Visual and theme improvements
(bmo#1832943,bmo#1832990)
* Sat May 27 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.11.2
* fixed: Thunderbird 102.11.1 contained POP3 client regressions
with offline mode and TLS certificate overrides
(bmo#1801286,bmo#1816596,bmo#1798785)
- Includes changes from Thunderbird 102.11.1
* fixed: POP message retrieval stopped after a network error
occurred and connectivity was restored (bmo#1798785)
* fixed: Reused SMTP connections sometimes silently
disconnected, causing timeouts (bmo#1766382)
* fixed: Thunderbird could freeze if saving a sent message to
IMAP failed (bmo#1745130)
* fixed: Creating OpenPGP keys with no expiration was not
possible (bmo#1830094)
* fixed: News reader did not always issue GROUP command after
authentication with remote server, preventing Thunderbird from
displaying or refreshing news from the server (bmo#1824377)
- updated mozilla.keyring
* Thu May 11 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.11.0
* https://www.thunderbird.net/en-US/thunderbird/102.11.0/releasenotes
MFSA 2023-18 (bsc#1211175)
* CVE-2023-32205 (bmo#1753339, bmo#1753341)
Browser prompts could have been obscured by popups
* CVE-2023-32206 (bmo#1824892)
Crash in RLBox Expat driver
* CVE-2023-32207 (bmo#1826116)
Potential permissions request bypass via clickjacking
* CVE-2023-32211 (bmo#1823379)
Content process crash due to invalid wasm code
* CVE-2023-32212 (bmo#1826622)
Potential spoof due to obscured address bar
* CVE-2023-32213 (bmo#1826666)
Potential memory corruption in FileReader::DoReadData()
* CVE-2023-32214 (bmo#1828716)
Potential DoS via exposed protocol handlers
* CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856,
bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144,
bmo#1827359, bmo#1830186)
Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
* Sun Apr 23 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.10.1
* https://www.thunderbird.net/en-US/thunderbird/102.10.1/releasenotes
* Wed Apr 05 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.10.0
* New messages will automatically select S/MIME if configured and
OpenPGP is not
* Calendar events with timezone America/Mexico_City incorrectly
applied Daylight Savings Time
MFSA 2023-15 (bsc#1210212)
* CVE-2023-29531 (bmo#1794292)
Out-of-bound memory access in WebGL on macOS
* CVE-2023-29532 (bmo#1806394)
Mozilla Maintenance Service Write-lock bypass
* CVE-2023-29533 (bmo#1798219, bmo#1814597)
Fullscreen notification obscured
* MFSA-TMP-2023-0001 (bmo#1819244)
Double-free in libwebp
* CVE-2023-29535 (bmo#1820543)
Potential Memory Corruption following Garbage Collector compaction
* CVE-2023-29536 (bmo#1821959)
Invalid free from JavaScript code
* CVE-2023-0547 (bmo#1811298)
Revocation status of S/Mime recipient certificates was not checked
* CVE-2023-29479 (bmo#1824978)
Hang when processing certain OpenPGP messages
* CVE-2023-29539 (bmo#1784348)
Content-Disposition filename truncation leads to Reflected
File Download
* CVE-2023-29541 (bmo#1810191)
Files with malicious extensions could have been downloaded
unsafely on Linux
* CVE-2023-29542 (bmo#1810793, bmo#1815062)
Bypass of file download extension restrictions
* CVE-2023-29545 (bmo#1823077)
Windows Save As dialog resolved environment variables
* CVE-2023-1945 (bmo#1777588)
Memory Corruption in Safe Browsing Code
* CVE-2023-29548 (bmo#1822754)
Incorrect optimization result on ARM64
* CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217,
bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602,
bmo#1821448, bmo#1822413, bmo#1824828)
Memory safety bugs fixed in Thunderbird 102.10
- add mozilla-llvm16.patch to fix build with LLVM16
* Wed Mar 29 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.9.1
MFSA 2023-12
* CVE-2023-28427 (bmo#1822595)
Matrix SDK bundled with Thunderbird vulnerable to
denial-of-service attack
* Sun Mar 26 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- add gcc13-fix.patch to support current Tumbleweed
* Sun Mar 12 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.9.0
* https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes
MFSA 2023-11 (bsc#1209173)
* CVE-2023-25751 (bmo#1814899)
Incorrect code generation during JIT compilation
* CVE-2023-28164 (bmo#1809122)
URL being dragged from a removed cross-origin iframe into the
same tab triggered navigation
* CVE-2023-28162 (bmo#1811327)
Invalid downcast in Worklets
* CVE-2023-25752 (bmo#1811627)
Potential out-of-bounds when accessing throttled streams
* CVE-2023-28163 (bmo#1817768)
Windows Save As dialog resolved environment variables
* CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904,
bmo#1817442, bmo#1818674)
Memory safety bugs fixed in Thunderbird 102.9
- update create-tar.sh
- build using rust 1.67
* Tue Mar 07 2023 Manfred Hollstein <manfred.h@gmx.net>
- Ensure gcc11-c++ gets used on Leap 15.5, too.
* Wed Feb 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.8.0
* https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes
MFSA 2023-07 (bsc#1208144)
* CVE-2023-0616 (bmo#1806507)
User Interface lockup with messages combining S/MIME and OpenPGP
* CVE-2023-25728 (bmo#1790345)
Content security policy leak in violation reports using iframes
* CVE-2023-25730 (bmo#1794622)
Screen hijack via browser fullscreen mode
* CVE-2023-0767 (bmo#1804640)
Arbitrary memory write via PKCS 12 in NSS
* CVE-2023-25735 (bmo#1810711)
Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-25737 (bmo#1811464)
Invalid downcast in SVGUtils::SetupStrokeGeometry
* CVE-2023-25738 (bmo#1811852)
Printing on Windows could potentially crash Thunderbird with
some device drivers
* CVE-2023-25739 (bmo#1811939)
Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
* CVE-2023-25729 (bmo#1792138)
Extensions could have opened external schemes without user knowledge
* CVE-2023-25732 (bmo#1804564)
Out of bounds memory write from EncodeInputStream
* CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338)
Opening local .url files could cause unexpected network loads
* CVE-2023-25742 (bmo#1813424)
Web Crypto ImportKey crashes tab
* CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628,
bmo#1810536)
Memory safety bugs fixed in Thunderbird 102.8
- requires
NSPR >= 4.34.1
NSS >= 3.79.4
* Wed Feb 08 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.7.2
* Various crash fixes
* Tue Jan 31 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.7.1
* Microsoft Office 365 accounts were unable to authenticate
* https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/
MFSA 2023-04
* CVE-2023-0430 (bmo#1769000)
Revocation status of S/Mime signature certificates was not checked
- update create-tar.sh
* Tue Jan 17 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.7.0
https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/
MFSA 2023-03 (bsc#1207119)
* CVE-2022-46871 (bmo#1795697)
libusrsctp library out of date
* CVE-2023-23598 (bmo#1800425)
Arbitrary file read from GTK drag and drop on Linux
* CVE-2023-23599 (bmo#1777800)
Malicious command could be hidden in devtools output on
Windows
* CVE-2023-23601 (bmo#1794268)
URL being dragged from cross-origin iframe into same tab
triggers navigation
* CVE-2023-23602 (bmo#1800890)
Content Security Policy wasn't being correctly applied to
WebSockets in WebWorkers
* CVE-2022-46877 (bmo#1795139)
Fullscreen notification bypass
* CVE-2023-23603 (bmo#1800832)
Calls to console.log allowed bypassing Content
Security Policy via format directive
* CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974)
Memory safety bugs fixed in Thunderbird 102.7
* Tue Dec 20 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.6.1
* Remote content did not load in user-defined signatures
* Addons that added new action buttons were not shown for addon
upgrades, requiring removal and reinstall
* Various stability improvements
MFSA 2022-54
* CVE-2022-46874 (bmo#1746139)
Drag and Dropped Filenames could have been truncated to
malicious extensions
* Tue Dec 13 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.6.0
https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
MFSA 2022-53 (bsc#1206242)
* CVE-2022-46880 (bmo#1749292)
Use-after-free in WebGL
* CVE-2022-46872 (bmo#1799156)
Arbitrary file read from a compromised content process
* CVE-2022-46881 (bmo#1770930)
Memory corruption in WebGL
* CVE-2022-46874 (bmo#1746139)
Drag and Dropped Filenames could have been truncated to
malicious extensions
* CVE-2022-46875 (bmo#1786188)
Download Protections were bypassed by .atloc and .ftploc
files on Mac OS
* CVE-2022-46882 (bmo#1789371)
Use-after-free in WebGL
* CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
bmo#1801102, bmo#1801315, bmo#1802395)
Memory safety bugs fixed in Thunderbird 102.6
- removed obsolete patches
mozilla-newer-cbindgen.patch
mozilla-glibc236.patch
* Wed Nov 30 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.5.1
MFSA 2022-50
* CVE-2022-45414 (bmo#1788096)
Quoting from an HTML email with certain tags will trigger network
requests and load remote content, regardless of a configuration
to block remote content
* Sat Nov 12 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.5.0
* changes and fixes as described here
https://www.thunderbird.net/en-US/thunderbird/102.5.0/releasenotes
MFSA 2022-49 (bsc#1205270)
* CVE-2022-45403 (bmo#1762078)
Service Workers might have learned size of cross-origin media files
* CVE-2022-45404 (bmo#1790815)
Fullscreen notification bypass
* CVE-2022-45405 (bmo#1791314)
Use-after-free in InputStream implementation
* CVE-2022-45406 (bmo#1791975)
Use-after-free of a JavaScript Realm
* CVE-2022-45408 (bmo#1793829)
Fullscreen notification bypass via windowName
* CVE-2022-45409 (bmo#1796901)
Use-after-free in Garbage Collection
* CVE-2022-45410 (bmo#1658869)
ServiceWorker-intercepted requests bypassed SameSite cookie policy
* CVE-2022-45411 (bmo#1790311)
Cross-Site Tracing was possible via non-standard override headers
* CVE-2022-45412 (bmo#1791029)
Symlinks may resolve to partially uninitialized buffers
* CVE-2022-45416 (bmo#1793676)
Keystroke Side-Channel Leakage
* CVE-2022-45418 (bmo#1795815)
Custom mouse cursor could have been drawn over browser UI
* CVE-2022-45420 (bmo#1792643)
Iframe contents could be rendered outside the iframe
* CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061)
Memory safety bugs fixed in Thunderbird 102.5
* Sat Nov 05 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.4.2
* "Address Book" button in Account Central will now create a
CardDAV address book instead of a local address book
* Bugfixes as described here
https://www.thunderbird.net/en-US/thunderbird/102.4.2/releasenotes
* Tue Oct 25 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.4.1
* Thunderbird will now catch and report errors parsing vCards
that contain incorrectly formatted dates
* Dynamic language switching did not update interface when switched
to right-to-left languages
* Custom header data was discarded after messages were saved as
draft and reopened
* -remote command line argument did not work, affecting integration
with various applications such as LibreOffice
* Messages received via some SMS-to-email services could not
display images
* VCards with nickname field set could not be edited
* Some recurring events were missing from Agenda on first load
* Download requests for remote ICS calendars incorrectly set
"Accept" header to text/xml
* Monthly events created on the 31st of a month with <30 days placed
first occurrence 1-2 days after the beginning of the following month
* Various visual and UX improvements
* Fri Oct 14 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.4.0
https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes
MFSA 2022-46 (bsc#1203477)
* CVE-2022-42927 (bmo#1789128)
Same-origin policy violation could have leaked cross-origin URLs
* CVE-2022-42928 (bmo#1791520)
Memory Corruption in JS Engine
* CVE-2022-42929 (bmo#1789439)
Denial of Service via window.print
* CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041)
Memory safety bugs fixed in Firefox 106, Firefox ESR 102.4 and
Thunderbird 102.4.0
* Tue Oct 11 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.3.3
* Option added to show containing address book for a contact when
using All Address Books in vertical mode
* Thunderbird will try to use POP NTLM authentication even if
not advertised by server
* Task List and Today Pane sidebars will no longer load when not visible
* bugfixes as documented here
https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes
* Thu Oct 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.3.2
* Thunderbird will try to use POP CRAM-MD5 authentication even if
not advertised by server
* more bugfixes as in
https://www.thunderbird.net/en-US/thunderbird/102.3.2/releasenotes
* Mon Oct 03 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- build using rust 1.63
* Wed Sep 28 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.3.1
* Compose window encryption options now only appear for encryption
technologies that have already been configured
* Number of contacts in currently selected address book now
displayed at bottom of Address Book list column
Fixes
* Password prompt did not include server hostname for POP servers
* Edit Contact was missing from Contacts sidebar context menus
* Address Book contact lists cut off display of some characters,
the result being unreadable
MFSA 2022-43
* CVE-2022-39249 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack by malicious server administrators
* CVE-2022-39250 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a device
verification attack
* CVE-2022-39251 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to an
impersonation attack
* CVE-2022-39236 (bmo#1791765)
Matrix SDK bundled with Thunderbird vulnerable to a data
corruption issue
* Fri Sep 16 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.3.0
https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
* Thunderbird will no longer attempt to import account passwords
when importing from another Thunderbird profile in order to
prevent profile corruption and permanent data loss. (bmo#1790605)
* Devtools performance profile will use Thunderbird presets
instead of Web Developer presets (bmo#1785954)
* Thunderbird startup performance improvements (bmo#1785967)
* Saving email source and images failed (bmo#1777323, bmo#1778804)
* Error message was shown repeatedly when temporary disk
space was full (bmo#1788580)
* Attaching OpenPGP keys without a set size to non-encrypted
messages briefly displayed a size of zero bytes (bmo#1788952)
* Global Search entry box initially contained "undefined" (bmo#1780963)
* Delete from POP Server mail filter rule intermittently
failed to trigger (bmo#1789418)
* Connections to POP3 servers without UIDL support failed (bmo#1789314)
* Pop accounts with "Fetch headers only" set downloaded complete
messages if server did not advertise TOP capability (bmo#1789356)
* "File -> New -> Address Book Contact" from Compose window did
not work (bmo#1782418)
* Attach "My vCard" option in compose window was not available
(bmo#1787614)
* Improved performance of matching a contact to an email address
(bmo#1782725)
* Address book only recognized a contact's first two email
addresses (bmo#1777156)
* Address book search and autocomplete failed if a contact vCard
could not be parsed (bmo#1789793)
* Downloading NNTP messages for offline use failed (bmo#1785773)
* NNTP client became stuck when connecting to Public-Inbox servers
(bmo#1786203, boo#1203554)
* Various visual and UX improvements (bmo#1782235, bmo#1787448,
bmo#1788725, bmo#1790324)
* unresolved: No dedicated "Department" field in address book
(bmo#1777780)
MFSA 2022-42 (bsc#1203477)
* CVE-2022-40959 (bmo#1782211)
Bypassing FeaturePolicy restrictions on transient pages
* CVE-2022-40960 (bmo#1787633)
Data-race when parsing non-UTF-8 URLs in threads
* CVE-2022-40958 (bmo#1779993)
Bypassing Secure Context restriction for cookies with __Host
and __Secure prefix
* CVE-2022-40956 (bmo#1770094)
Content-Security-Policy base-uri bypass
* CVE-2022-40957 (bmo#1777604)
Incoherent instruction cache when building WASM on ARM64
* CVE-2022-3155 (bmo#1789061)
Attachment files saved to disk on macOS could be executed
without warning
* CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835,
bmo#1785109, bmo#1786502, bmo#1789440)
Memory safety bugs fixed in Thunderbird 102.3
* Thu Sep 08 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.2.2
https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
* Setting added to change Calendar event double-click action to
open Edit Event dialog rather than view only;
Set calendar.events.defaultActionEdit to true
* Running Compact Folders on maildir folders caused a redownload
of all messages in the folder
* Accessing mail folders in profiles with many folders was slow
* SMTP servers were not always properly initialized, and were not
listed in Account Settings
* APOP authentication unsupported when connecting to POP3 server
* OpenPGP key discovery failed
* POP accounts hosted by AOL were not able to authenticate using OAuth2
* Unable to open context menu in newsgroups header for groups
that are not subscribed
* Thu Sep 01 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.2.1
MFSA 2022-38 (bsc#1203007)
* CVE-2022-3033 (bmo#1784838)
Leaking of sensitive information when composing a response to
an HTML email with a META refresh tag
* CVE-2022-3032 (bmo#1783831)
Remote content specified in an HTML document that was nested
inside an iframe's srcdoc attribute was not blocked
* CVE-2022-3034 (bmo#1745751)
An iframe element in an HTML email could trigger a network
request
* CVE-2022-36059 (bmo#1787741)
Matrix SDK bundled with Thunderbird vulnerable to denial-of-
service attack
* Fri Aug 19 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.2.0
* https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/
MFSA 2022-36 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155)
Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685)
Cross-origin XSLT Documents would have inherited the parent's
permissions
* CVE-2022-38476 (bmo#1760998)
Data race and potential use-after-free in PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
Memory safety bugs fixed in Thunderbird 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
Memory safety bugs fixed in Thunderbird 102.2, and
Thunderbird 91.13
- disabled automatic usage of wayland because of known issues
using MOZ_ENABLE_WAYLAND=1 in environment would still enable it
(boo#1202606)
* Sun Aug 14 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- added mozilla-glibc236.patch (bmo#1782988, boo#1202323)
* Tue Aug 09 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.1.2
* fix for bmo#1777765 (no POP download progress bar) was backed
out from this release to address broken POP message download
with Fetch headers only selected in Account Settings (bmo#1783552)
* Mon Aug 08 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.1.1
Bugfixes:
* https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/
* Tue Jul 26 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.1.0
* https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes
MFSA 2022-32 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722)
Mouse Position spoofing with CSS transforms
* CVE-2022-36318 (bmo#1771774)
Directory indexes for bundled resources reflected URL parameters
* CVE-2022-36314 (bmo#1773894)
Opening local `.lnk` files could cause unexpected
network loads
* CVE-2022-2505 (bmo#1769739, bmo#1772824)
Memory safety bugs fixed in Thunderbird 102.1
- added mozilla-newer-cbindgen.patch to fix build with
rust-cbindgen >= 0.24 (and also require that for build)
- added mozilla-pgo.patch to fix LTO builds with gcc
* Tue Jul 19 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.0.3
Bugfixes as in
* https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/
* Sat Jul 09 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.0.2
* https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/
- removed obsolete patches
mozilla-bmo1504834-part2.patch
mozilla-bmo1504834-part4.patch
mozilla-bmo1602730.patch
mozilla-bmo1626236.patch
mozilla-bmo1724679.patch
mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
mozilla-sandbox-fips.patch
- added patches inherited from FF 102
one_swizzle_to_rule_them_all.patch
svg-rendering.patch
- fix KDE detection (boo#1200987) in mozilla-kde.patch
- requires
rust = 1.60
NSPR >= 4.34
NSS >= 3.79
rust-cbindgen >= 0.23.0
- remove special breakpad debug symbol creation
* Sun Jun 26 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.11.0
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work
additional fix applied
* "Save-As" attachment dialog did not have filename pre-populated
MFSA 2022-26 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-2226 (bmo#1775441)
An email with a mismatching OpenPGP signature date was
accepted as valid
* CVE-2022-34481 (bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-31744 (bmo#1757604)
CSP bypass enabling stylesheet injection
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype pollution
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
* Thu May 26 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.10.0
* Various UX and theme improvements
MFSA 2022-22 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923)
Cross-Origin resource's length leaked
* CVE-2022-31737 (bmo#1743767)
Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388)
Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049)
Attacker-influenced path traversal when saving downloaded
files
* CVE-2022-31740 (bmo#1766806)
Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590)
Uninitialized variable leads to invalid memory read
* CVE-2022-1834 (bmo#1767816)
Braille space character caused incorrect sender email to be
shown for a digitally signed email
* CVE-2022-31742 (bmo#1730434)
Querying a WebAuthn token with a large number of
allowCredential entries may have leaked cross-origin
information
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
bmo#1767365, bmo#1768559, bmo#1768734)
Memory safety bugs fixed in Thunderbird 91.10
* Sat May 21 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.9.1
MFSA 2022-19 (bsc#1199768)
* CVE-2022-1802 (bmo#1770137)
Prototype pollution in Top-Level Await implementation
* CVE-2022-1529 (bmo#1770048)
Untrusted input used in JavaScript object indexing, leading
to prototype pollution
* Mon May 02 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe
attributes that are ignored
* OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not
allow SHA-1 key signatures
* CalDAV calendars were marked read-only on startup
MFSA 2022-18 (bsc#1198970)
* CVE-2022-1520 (bmo#1745019)
Incorrect security status shown after viewing an attached
email
* CVE-2022-29914 (bmo#1746448)
Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081)
Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674)
Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981)
iframe sandbox bypass
* CVE-2022-29912 (bmo#1692655)
Reader mode bypassed SameSite cookies
* CVE-2022-29913 (bmo#1764778)
Speech Synthesis feature not properly disabled
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
bmo#1762614, bmo#1762620)
Memory safety bugs fixed in Thunderbird 91.9
* Sat Apr 16 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js
* Additional SMTP errors now propagated to user
* OpenPGP was not able to use some previously supported key types
* OpenPGP Key Manager did not always display correct information
after importing additional IDs
* Duplicate new mail notifications could be displayed when
server-side filters were in use
* Cancelling an SMTP password entry resulted in multiple failure
dialogs being displayed
* Tue Apr 12 2022 Martin Liška <mliska@suse.cz>
- Set memory limits for DWZ to 4x.
* Sat Apr 02 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.8.0
* Google accounts using password authentication will be migrated
to OAuth2.
* bugfixes
https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes
MFSA 2022- (bsc#1197903)
- update create-tar.sh
* Thu Mar 17 2022 Dirk Müller <dmueller@suse.com>
- skip slow workers, this is a tough build job
* Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.7.0
* Thunderbird will use the first occurrence of headers that should
only appear once
* Auto-complete incorrectly changed a pasted email address to the
primary address of a contact
* Attachments with filename extensions that were not registered in
MIME types could not be opened
* Copy/Cut/Paste actions not working in Thunderbird Preferences
* Improved screen reader support of displayed message headers
MFSA 2022-12 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421)
Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352)
iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979)
Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243)
Use-after-free in text reflows
* CVE-2022-26386 (bmo#1752396)
Temporary files downloaded to /tmp and accessible by other
local users
* Sun Mar 06 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.6.2
MFSA 2022-09
* CVE-2022-26485 (bmo#1758062)
Use-after-free in XSLT parameter processing
* CVE-2022-26486 (bmo#1758070)
Use-after-free in WebGPU IPC Framework
* Tue Feb 15 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
* Emails were not downloading at startup under some conditions
* Port numbers were not shown in "Confirm Security Exception"
dialog for CalDAV connections
MFSA 2022-07 (bsc#1196072)
* CVE-2022-0566 (bmo#1753094)
Crafted email could trigger an out-of-bounds write
* Sat Feb 05 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
* Partially signed unencrypted messages displayed an incorrect
"partially encrypted" notification
* Attachments filenames were not sanitized before saving to disk
* In the attachment bar, the "Import OpenPGP Key" item displayed
for public keys displayed an error and did not import the key
* "Open with" attachment dialog did not have a selected radio
button option
MFSA 2022-06 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435)
Privilege Escalation to SYSTEM on Windows via Maintenance
Service
* CVE-2022-22754 (bmo#1750565)
Extensions could have bypassed permission confirmation during
update
* CVE-2022-22756 (bmo#1317873)
Drag and dropping an image could have resulted in the dropped
object being an executable
* CVE-2022-22759 (bmo#1739957)
Sandboxed iframes could have executed script if the parent
appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503)
Cross-Origin responses could be distinguished between script
and non-script content-types
* CVE-2022-22761 (bmo#1745566)
frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
* CVE-2022-22763 (bmo#1740534)
Script Execution during invalid object state
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
bmo#1748210, bmo#1748279)
Memory safety bugs fixed in Thunderbird 91.6
- do not use ccache by default
- removed obsolete mozilla-bmo1745560.patch
* Sat Jan 22 2022 Manfred Hollstein <manfred.h@gmx.net>
- Mozilla Thunderbird 91.5.1
* JS LDAP implementation did not support self-signed SSL certificates
* After saving a draft and subsequently sending a FileLink email,
the original file was removed from disk
* Chat OTR encryption did not work
* OTR verification bar was not removed after completing verification
* Various theme improvements
* Thu Jan 20 2022 Martin Liška <mliska@suse.cz>
- Enable -fimplicit-constexpr for GCC 12+.
* Fri Jan 07 2022 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 91.5.0
https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes
MFSA 2022-03 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071)
Calling into reportValidity could have led to fullscreen
window spoof
* CVE-2022-22743 (bmo#1739220)
Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923)
Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389)
Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334)
Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382)
Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874)
Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720)
Iframe sandbox bypass with XSLT
* CVE-2022-22748 (bmo#1705211)
Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856)
Leaking cross-origin URLs through securitypolicyviolation event
* CVE-2022-22744 (bmo#1737252)
The 'Copy as curl' feature in DevTools did not fully escape
website-controlled data, potentially leading to command injection
* CVE-2022-22747 (bmo#1735028)
Crash when handling empty pkcs7 sequence
* CVE-2022-22739 (bmo#1744158)
Missing throttling on external protocol launch dialog
* CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366,
bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221,
bmo#1743515, bmo#1745373, bmo#1746011)
Memory safety bugs fixed in Thunderbird 91.5
/usr/lib/thunderbird/extensions
/usr/lib/thunderbird/extensions/langpack-ar@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-ca@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-cs@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-da@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-de@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-el@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-en-GB@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-es-AR@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-es-ES@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-fi@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-fr@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-hu@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-it@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-ja@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-ko@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-nb-NO@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-nl@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-pl@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-pt-BR@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-pt-PT@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-ru@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-sv-SE@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-zh-CN@thunderbird.mozilla.org.xpi
/usr/lib/thunderbird/extensions/langpack-zh-TW@thunderbird.mozilla.org.xpi
Generated by rpm2html 1.8.1
Fabrice Bellet, Fri Oct 3 22:53:00 2025