SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for MozillaThunderbird-translations-common-102.15.1-1.2.i686.rpm :

* Fri Sep 29 2023 Manfred Hollstein - Mozilla Thunderbird 102.15.1 MFSA 2023-40 (bsc#???????)
* CVE-2023-5129 (bmo#1852649 Heap buffer overflow in libwebp- Add mozilla-bmo1846703.patch
* Sun Aug 27 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.15.0
* Wed Aug 16 2023 Manfred Hollstein - Rectify build requirements for the upcoming openSUSE Leap 15.6
* Tue Aug 01 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.14.0 MFSA 2023-32 (bsc#1213746)
* CVE-2023-4045 (bmo#1833876) Offscreen Canvas could have bypassed cross-origin restrictions
* CVE-2023-4046 (bmo#1837686) Incorrect value used during WASM compilation
* CVE-2023-4047 (bmo#1839073) Potential permissions request bypass via clickjacking
* CVE-2023-4048 (bmo#1841368) Crash in DOMParser due to out-of-memory conditions
* CVE-2023-4049 (bmo#1842658) Fix potential race conditions when releasing platform objects
* CVE-2023-4050 (bmo#1843038) Stack buffer overflow in StorageManager
* CVE-2023-4054 (bmo#1840777) Lack of warning when opening appref-ms files
* CVE-2023-4055 (bmo#1782561) Cookie jar overflow caused unexpected cookie jar state
* CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325, bmo#1843847) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
* Tue Jul 25 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.13.1 MFSA 2023-28
* CVE-2023-3417 (bmo#1835582, boo#1213658) File Extension Spoofing using the Text Direction Override Character
* Fri Jul 07 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.13.0
* Upstream RNP version numbers now recognized as official in about:support MFSA 2023-24 (bsc#1212438)
* CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation
* CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured
* CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files
* CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13- mozilla-llvm16.patch has been applied upstream, remove it here
* Sun Jun 04 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.12.0: MFSA 2023-21 (bsc#1211922)
* CVE-2023-34414 (bmo#1695986) Click-jacking certificate exceptions through rendering lag
* CVE-2023-34416 (bmo#1752703, bmo#1818394, bmo#1826875, bmo#1827340, bmo#1827655, bmo#1828065, bmo#1830190, bmo#1830206, bmo#1830795, bmo#1833339) Memory safety bugs fixed in Thunderbird 102.12
* fixed: \"Searching the directory for recipients certificates\" popup could block compose window when \"S/MIME reminder\" was enabled and using an LDAP address book (bmo#1833651)
* fixed: Some elements still used animations with \"prefers- reduced-motion\" set (bmo#1833353)
* fixed: Visual and theme improvements (bmo#1832943,bmo#1832990)
* Sat May 27 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.11.2
* fixed: Thunderbird 102.11.1 contained POP3 client regressions with offline mode and TLS certificate overrides (bmo#1801286,bmo#1816596,bmo#1798785)- Includes changes from Thunderbird 102.11.1
* fixed: POP message retrieval stopped after a network error occurred and connectivity was restored (bmo#1798785)
* fixed: Reused SMTP connections sometimes silently disconnected, causing timeouts (bmo#1766382)
* fixed: Thunderbird could freeze if saving a sent message to IMAP failed (bmo#1745130)
* fixed: Creating OpenPGP keys with no expiration was not possible (bmo#1830094)
* fixed: News reader did not always issue GROUP command after authentication with remote server, preventing Thundebird from displaying or refreshing news from the server (bmo#1824377)- updated mozilla.keyring
* Thu May 11 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.11.0
* https://www.thunderbird.net/en-US/thunderbird/102.11.0/releasenotes MFSA 2023-18 (bsc#1211175)
* CVE-2023-32205 (bmo#1753339, bmo#1753341) Browser prompts could have been obscured by popups
* CVE-2023-32206 (bmo#1824892) Crash in RLBox Expat driver
* CVE-2023-32207 (bmo#1826116) Potential permissions request bypass via clickjacking
* CVE-2023-32211 (bmo#1823379) Content process crash due to invalid wasm code
* CVE-2023-32212 (bmo#1826622) Potential spoof due to obscured address bar
* CVE-2023-32213 (bmo#1826666) Potential memory corruption in FileReader::DoReadData()
* CVE-2023-32214 (bmo#1828716) Potential DoS via exposed protocol handlers
* CVE-2023-32215 (bmo#1540883, bmo#1751943, bmo#1814856, bmo#1820210, bmo#1821480, bmo#1827019, bmo#1827024, bmo#1827144, bmo#1827359, bmo#1830186) Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
* Sun Apr 23 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.10.1
* https://www.thunderbird.net/en-US/thunderbird/102.10.1/releasenotes
* Wed Apr 05 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.10.0
* New messages will automatically select S/MIME if configured and OpenPGP is not
* Calendar events with timezone America/Mexico_City incorrectly applied Daylight Savings Time MFSA 2023-15 (bsc#1210212)
* CVE-2023-29531 (bmo#1794292) Out-of-bound memory access in WebGL on macOS
* CVE-2023-29532 (bmo#1806394) Mozilla Maintenance Service Write-lock bypass
* CVE-2023-29533 (bmo#1798219, bmo#1814597) Fullscreen notification obscured
* MFSA-TMP-2023-0001 (bmo#1819244) Double-free in libwebp
* CVE-2023-29535 (bmo#1820543) Potential Memory Corruption following Garbage Collector compaction
* CVE-2023-29536 (bmo#1821959) Invalid free from JavaScript code
* CVE-2023-0547 (bmo#1811298) Revocation status of S/Mime recipient certificates was not checked
* CVE-2023-29479 (bmo#1824978) Hang when processing certain OpenPGP messages
* CVE-2023-29539 (bmo#1784348) Content-Disposition filename truncation leads to Reflected File Download
* CVE-2023-29541 (bmo#1810191) Files with malicious extensions could have been downloaded unsafely on Linux
* CVE-2023-29542 (bmo#1810793, bmo#1815062) Bypass of file download extension restrictions
* CVE-2023-29545 (bmo#1823077) Windows Save As dialog resolved environment variables
* CVE-2023-1945 (bmo#1777588) Memory Corruption in Safe Browsing Code
* CVE-2023-29548 (bmo#1822754) Incorrect optimization result on ARM64
* CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217, bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602, bmo#1821448, bmo#1822413, bmo#1824828) Memory safety bugs fixed in Thunderbird 102.10- add mozilla-llvm16.patch to fix build with LLVM16
* Wed Mar 29 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.9.1 MFSA 2023-12
* CVE-2023-28427 (bmo#1822595) Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
* Sun Mar 26 2023 Wolfgang Rosenauer - add gcc13-fix.patch to support current Tumbleweed
* Sun Mar 12 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.9.0
* https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes MFSA 2023-11 (bsc#1209173))
* CVE-2023-25751 (bmo#1814899) Incorrect code generation during JIT compilation
* CVE-2023-28164 (bmo#1809122) URL being dragged from a removed cross-origin iframe into the same tab triggered navigation
* CVE-2023-28162 (bmo#1811327) Invalid downcast in Worklets
* CVE-2023-25752 (bmo#1811627) Potential out-of-bounds when accessing throttled streams
* CVE-2023-28163 (bmo#1817768) Windows Save As dialog resolved environment variables
* CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904, bmo#1817442, bmo#1818674) Memory safety bugs fixed in Thunderbird 102.9- update create-tar.sh- build using rust 1.67
* Tue Mar 07 2023 Manfred Hollstein - Ensure gcc11-c++ gets used on Leap 15.5, too.
* Wed Feb 15 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.8.0
* https://www.thunderbird.net/en-US/thunderbird/102.8.0/releasenotes MFSA 2023-07 (bsc#1208144)
* CVE-2023-0616 (bmo#1806507) User Interface lockup with messages combining S/MIME and OpenPGP
* CVE-2023-25728 (bmo#1790345) Content security policy leak in violation reports using iframes
* CVE-2023-25730 (bmo#1794622) Screen hijack via browser fullscreen mode
* CVE-2023-0767 (bmo#1804640) Arbitrary memory write via PKCS 12 in NSS
* CVE-2023-25735 (bmo#1810711) Potential use-after-free from compartment mismatch in SpiderMonkey
* CVE-2023-25737 (bmo#1811464) Invalid downcast in SVGUtils::SetupStrokeGeometry
* CVE-2023-25738 (bmo#1811852) Printing on Windows could potentially crash Thunderbird with some device drivers
* CVE-2023-25739 (bmo#1811939) Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
* CVE-2023-25729 (bmo#1792138) Extensions could have opened external schemes without user knowledge
* CVE-2023-25732 (bmo#1804564) Out of bounds memory write from EncodeInputStream
* CVE-2023-25734 (bmo#1784451, bmo#1809923, bmo#1810143, bmo#1812338) Opening local .url files could cause unexpected network loads
* CVE-2023-25742 (bmo#1813424) Web Crypto ImportKey crashes tab
* CVE-2023-25746 (bmo#1544127, bmo#1762368, bmo#1789449, bmo#1803628, bmo#1810536) Memory safety bugs fixed in Thunderbird 102.8- requires NSPR >= 4.34.1 NSS >= 3.79.4
* Wed Feb 08 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.7.2
* Various crash fixes
* Tue Jan 31 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.7.1
* Microsoft Office 365 accounts were unable to authenticate
* https://www.thunderbird.net/en-US/thunderbird/102.7.1/releasenotes/ MFSA 2023-04
* CVE-2023-0430 (bmo#1769000) Revocation status of S/Mime signature certificates was not checked- update create-tar.sh
* Tue Jan 17 2023 Wolfgang Rosenauer - Mozilla Thunderbird 102.7.0 https://www.thunderbird.net/en-US/thunderbird/102.7.0/releasenotes/ MFSA 2023-03 (bsc#1207119)
* CVE-2022-46871 (bmo#1795697) libusrsctp library out of date
* CVE-2023-23598 (bmo#1800425) Arbitrary file read from GTK drag and drop on Linux
* CVE-2023-23599 (bmo#1777800) Malicious command could be hidden in devtools output on Windows
* CVE-2023-23601 (bmo#1794268) URL being dragged from cross-origin iframe into same tab triggers navigation
* CVE-2023-23602 (bmo#1800890) Content Security Policy wasn\'t being correctly applied to WebSockets in WebWorkers
* CVE-2022-46877 (bmo#1795139) Fullscreen notification bypass
* CVE-2023-23603 (bmo#1800832) Calls to console.log allowed bypasing Content Security Policy via format directive
* CVE-2023-23605 (bmo#1764921, bmo#1802690, bmo#1806974) Memory safety bugs fixed in Thunderbird 102.7
* Tue Dec 20 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.6.1
* Remote content did not load in user-defined signatures
* Addons that added new action buttons were not shown for addon upgrades, requiring removal and reinstall
* Various stability improvements MFSA 2022-54
* CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions
* Tue Dec 13 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.6.0 https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/ MFSA 2022-53 (bsc#1206242)
* CVE-2022-46880 (bmo#1749292) Use-after-free in WebGL
* CVE-2022-46872 (bmo#1799156) Arbitrary file read from a compromised content process
* CVE-2022-46881 (bmo#1770930) Memory corruption in WebGL
* CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions
* CVE-2022-46875 (bmo#1786188) Download Protections were bypassed by .atloc and .ftploc files on Mac OS
* CVE-2022-46882 (bmo#1789371) Use-after-free in WebGL
* CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, bmo#1801102, bmo#1801315, bmo#1802395) Memory safety bugs fixed in Thunderbird 102.6- removed obsolete patches mozilla-newer-cbindgen.patch mozilla-glibc236.patch
* Wed Nov 30 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.5.1 MFSA 2022-50
* CVE-2022-45414 (bmo#1788096) Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content
* Sat Nov 12 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.5.0
* changes and fixes as described here https://www.thunderbird.net/en-US/thunderbird/102.5.0/releasenotes MFSA 2022-49 (bsc#1205270)
* CVE-2022-45403 (bmo#1762078) Service Workers might have learned size of cross-origin media files
* CVE-2022-45404 (bmo#1790815) Fullscreen notification bypass
* CVE-2022-45405 (bmo#1791314) Use-after-free in InputStream implementation
* CVE-2022-45406 (bmo#1791975) Use-after-free of a JavaScript Realm
* CVE-2022-45408 (bmo#1793829) Fullscreen notification bypass via windowName
* CVE-2022-45409 (bmo#1796901) Use-after-free in Garbage Collection
* CVE-2022-45410 (bmo#1658869) ServiceWorker-intercepted requests bypassed SameSite cookie policy
* CVE-2022-45411 (bmo#1790311) Cross-Site Tracing was possible via non-standard override headers
* CVE-2022-45412 (bmo#1791029) Symlinks may resolve to partially uninitialized buffers
* CVE-2022-45416 (bmo#1793676) Keystroke Side-Channel Leakage
* CVE-2022-45418 (bmo#1795815) Custom mouse cursor could have been drawn over browser UI
* CVE-2022-45420 (bmo#1792643) Iframe contents could be rendered outside the iframe
* CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) Memory safety bugs fixed in Thunderbird 102.5
* Sat Nov 05 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.4.2
* \"Address Book\" button in Account Central will now create a CardDAV address book instead of a local address book
* Bugfixes as described here https://www.thunderbird.net/en-US/thunderbird/102.4.2/releasenotes
* Tue Oct 25 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.4.1
* Thunderbird will now catch and report errors parsing vCards that contain incorrectly formatted dates
* Dynamic language switching did not update interface when switched to right-to-left languages
* Custom header data was discarded after messages were saved as draft and reopened
* -remote command line argument did not work, affecting integration with various applications such as LibreOffice
* Messages received via some SMS-to-email services could not display images
* VCards with nickname field set could not be edited
* Some recurring events were missing from Agenda on first load
* Download requests for remote ICS calendars incorrectly set \"Accept\" header to text/xml
* Monthly events created on the 31st of a month with <30 days placed first occurrence 1-2 days after the beginning of the following month
* Various visual and UX improvements
* Fri Oct 14 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.4.0 https://www.thunderbird.net/en-US/thunderbird/102.4.0/releasenotes MFSA 2022-46 (bsc#1203477)
* CVE-2022-42927 (bmo#1789128) Same-origin policy violation could have leaked cross-origin URLs
* CVE-2022-42928 (bmo#1791520) Memory Corruption in JS Engine
* CVE-2022-42929 (bmo#1789439) Denial of Service via window.print
* CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) Memory safety bugs fixed in Firefox 106, Firefox ESR 102.4 and Thunderbird 102.4.0
* Tue Oct 11 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.3.3
* Option added to show containing address book for a contact when using All Address Books in vertical mode
* Thunderbird will try to use POP NTLM authentication even if not advertised by server
* Task List and Today Pane sidebars will no longer load when not visible
* bugfixes as documented here https://www.thunderbird.net/en-US/thunderbird/102.3.3/releasenotes
* Thu Oct 06 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.3.2
* Thunderbird will try to use POP CRAM-MD5 authentication even if not advertised by server
* more bugfixes as in https://www.thunderbird.net/en-US/thunderbird/102.3.2/releasenotes
* Mon Oct 03 2022 Wolfgang Rosenauer - build using rust 1.63
* Wed Sep 28 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.3.1
* Compose window encryption options now only appear for encryption technologies that have already been configured
* Number of contacts in currently selected address book now displayed at bottom of Address Book list column Fixes
* Password prompt did not include server hostname for POP servers
* Edit Contact was missing from Contacts sidebar context menus
* Address Book contact lists cut off display of some characters, the result being unreadable MFSA 2022-43
* CVE-2022-39249 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators
* CVE-2022-39250 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a device verification attack
* CVE-2022-39251 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack
* CVE-2022-39236 (bmo#1791765) Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue
* Fri Sep 16 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.3.0 https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
* Thunderbird will no longer attempt to import account passwords when importing from another Thunderbird profile in order to prevent profile corruption and permanent data loss. (bmo#1790605)
* Devtools performance profile will use Thunderbird presets instead of Web Developer presets (bmo#1785954)
* Thunderbird startup performance improvements (bmo#1785967)
* Saving email source and images failed (bmo#1777323, bmo#1778804)
* Error message was shown repeatedly when temporary disk space was full (bmo#1788580)
* Attaching OpenPGP keys without a set size to non-encrypted messages briefly displayed a size of zero bytes (bmo#1788952)
* Global Search entry box initially contained \"undefined\" (bmo#1780963)
* Delete from POP Server mail filter rule intermittently failed to trigger (bmo#1789418)
* Connections to POP3 servers without UIDL support failed (bmo#1789314)
* Pop accounts with \"Fetch headers only\" set downloaded complete messages if server did not advertise TOP capability (bmo#1789356)
* \"File -> New -> Address Book Contact\" from Compose window did not work (bmo#1782418)
* Attach \"My vCard\" option in compose window was not available (bmo#1787614)
* Improved performance of matching a contact to an email address (bmo#1782725)
* Address book only recognized a contact\'s first two email addresses (bmo#1777156)
* Address book search and autocomplete failed if a contact vCard could not be parsed (bmo#1789793)
* Downloading NNTP messages for offline use failed (bmo#1785773)
* NNTP client became stuck when connecting to Public-Inbox servers (bmo#1786203, boo#1203554)
* Various visual and UX improvements (bmo#1782235, bmo#1787448, bmo#1788725, bmo#1790324)
* unresolved: No dedicated \"Department\" field in address book (bmo#1777780) MFSA 2022-42 (bsc#1203477)
* CVE-2022-40959 (bmo#1782211) Bypassing FeaturePolicy restrictions on transient pages
* CVE-2022-40960 (bmo#1787633) Data-race when parsing non-UTF-8 URLs in threads
* CVE-2022-40958 (bmo#1779993) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
* CVE-2022-40956 (bmo#1770094) Content-Security-Policy base-uri bypass
* CVE-2022-40957 (bmo#1777604) Incoherent instruction cache when building WASM on ARM64
* CVE-2022-3155 (bmo#1789061) Attachment files saved to disk on macOS could be executed without warning
* CVE-2022-40962 (bmo#1767360, bmo#1776655, bmo#1777574, bmo#1784835, bmo#1785109, bmo#1786502, bmo#1789440) Memory safety bugs fixed in Thunderbird 102.3
* Thu Sep 08 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.2.2 https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
* Setting added to change Calendar event double-click action to open Edit Event dialog rather than view only; Set calendar.events.defaultActionEdit to true
* Running Compact Folders on maildir folders caused a redownload of all messages in the folder
* Accessing mail folders in profiles with many folders was slow
* SMTP servers were not always properly initialized, and were not listed in Account Settings
* APOP authentication unsupported when connecting to POP3 server
* OpenPGP key discovery failed
* POP accounts hosted by AOL were not able to authenticate using OAuth2
* Unable to open context menu in newsgroups header for groups that are not subscribed
* Thu Sep 08 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.2.2 https://www.thunderbird.net/en-US/thunderbird/102.2.2/releasenotes/
* Setting added to change Calendar event double-click action to open Edit Event dialog rather than view only; Set calendar.events.defaultActionEdit to true
* Running Compact Folders on maildir folders caused a redownload of all messages in the folder
* Accessing mail folders in profiles with many folders was slow
* SMTP servers were not always properly initialized, and were not listed in Account Settings
* APOP authentication unsupported when connecting to POP3 server
* OpenPGP key discovery failed
* POP accounts hosted by AOL were not able to authenticate using OAuth2
* Unable to open context menu in newsgroups header for groups that are not subscribed
* Thu Sep 01 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.2.1 MFSA 2022-38 (bsc#1203007)
* CVE-2022-3033 (bmo#1784838) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
* CVE-2022-3032 (bmo#1783831) Remote content specified in an HTML document that was nested inside an iframe\'s srcdoc attribute was not blocked
* CVE-2022-3034 (bmo#1745751) An iframe element in an HTML email could trigger a network request
* CVE-2022-36059 (bmo#1787741) Matrix SDK bundled with Thunderbird vulnerable to denial-of- service attack
* Fri Aug 19 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.2.0
* https://www.thunderbird.net/en-US/thunderbird/102.2.0/releasenotes/ MFSA 2022-36 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have inherited the parent\'s permissions
* CVE-2022-38476 (bmo#1760998) Data race and potential use-after-free in PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) Memory safety bugs fixed in Thunderbird 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13- disabled automatic usage of wayland because of known issues using MOZ_ENABLE_WAYLAND=1 in environment would still enable it (boo#1202606)
* Sun Aug 14 2022 Wolfgang Rosenauer - added mozilla-glibc236.patch (bmo#1782988, boo#1202323)
* Tue Aug 09 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.1.2
* fix for bmo#1777765 (no POP download progress bar) was backed out from this release to address broken POP message download with Fetch headers only selected in Account Settings (bmo#1783552)
* Mon Aug 08 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.1.1 Bugfixes:
* https://www.thunderbird.net/en-US/thunderbird/102.1.1/releasenotes/
* Tue Jul 26 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.1.0
* https://www.thunderbird.net/en-US/thunderbird/102.1.0/releasenotes MFSA 2022-32 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722) Mouse Position spoofing with CSS transforms
* CVE-2022-36318 (bmo#1771774) Directory indexes for bundled resources reflected URL parameters
* CVE-2022-36314 (bmo#1773894) Opening local .lnk files could cause unexpected network loads
* CVE-2022-2505 (bmo#1769739, bmo#1772824) Memory safety bugs fixed in Thunderbird 102.1- added mozilla-newer-cbindgen.patch to fix build with rust-cbindgen >= 0.24 (and also require that for build)- added mozilla-pgo.patch to fix LTO builds with gcc
* Tue Jul 19 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.0.3 Bugfixes as in
* https://www.thunderbird.net/en-US/thunderbird/102.0.3/releasenotes/
* Sat Jul 09 2022 Wolfgang Rosenauer - Mozilla Thunderbird 102.0.2
* https://www.thunderbird.net/en-US/thunderbird/102.0/releasenotes/- removed obsolete patches mozilla-bmo1504834-part2.patch mozilla-bmo1504834-part4.patch mozilla-bmo1602730.patch mozilla-bmo1626236.patch mozilla-bmo1724679.patch mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch mozilla-sandbox-fips.patch- added patches inherited from FF 102 one_swizzle_to_rule_them_all.patch svg-rendering.patch- fix KDE detection (boo#1200987) in mozilla-kde.patch- requires rust = 1.60 NSPR >= 4.34 NSS >= 3.79 rust-cbindgen >= 0.23.0- remove special breakpad debug symbol creation
* Sun Jun 26 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.11.0
* CLIENTID fix for bmo#1759197 in Thunderbird 91.8.1 did not work additional fix applied
* \"Save-As\" attachment dialog did not have filename pre-populated MFSA 2022-26 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way to overlay the address bar with web content
* CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537) CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
* CVE-2022-2226 (bmo#1775441) An email with a mismatching OpenPGP signature date was accepted as valid
* CVE-2022-34481 (bmo#1497246) Potential integer overflow in ReplaceElementsAt
* CVE-2022-31744 (bmo#1757604) CSP bypass enabling stylesheet injection
* CVE-2022-34472 (bmo#1770123) Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717) Microsoft protocols can be attacked if a user accepts a prompt
* CVE-2022-2200 (bmo#1771381) Undesired attributes could be set as part of prototype pollution
* CVE-2022-34484 (bmo#1763634, bmo#1772651) Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102
* Thu May 26 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.10.0
* Various UX and theme improvements MFSA 2022-22 (bsc#1200027)
* CVE-2022-31736 (bmo#1735923) Cross-Origin resource\'s length leaked
* CVE-2022-31737 (bmo#1743767) Heap buffer overflow in WebGL
* CVE-2022-31738 (bmo#1756388) Browser window spoof using fullscreen mode
* CVE-2022-31739 (bmo#1765049) Attacker-influenced path traversal when saving downloaded files
* CVE-2022-31740 (bmo#1766806) Register allocation problem in WASM on arm64
* CVE-2022-31741 (bmo#1767590) Uninitialized variable leads to invalid memory read
* CVE-2022-1834 (bmo#1767816) Braille space character caused incorrect sender email to be shown for a digitally signed email
* CVE-2022-31742 (bmo#1730434) Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
* CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283, bmo#1767365, bmo#1768559, bmo#1768734) Memory safety bugs fixed in Thunderbird 91.10
* Sat May 21 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.9.1 MFSA 2022-19 (bsc#1199768)
* CVE-2022-1802 (bmo#1770137) Prototype pollution in Top-Level Await implementation
* CVE-2022-1529 (bmo#1770048) Untrusted input used in JavaScript object indexing, leading to prototype pollution
* Mon May 02 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.9.0
* A warning is now displayed if an OpenPGP key has unsafe attributes that are ignored
* OpenPGP integration in Thunderbird 91.8.0 and 91.8.1 did not allow SHA-1 key signatures
* CalDAV calendars were marked read-only on startup MFSA 2022-18 (bsc#1198970)
* CVE-2022-1520 (bmo#1745019) Incorrect security status shown after viewing an attached email
* CVE-2022-29914 (bmo#1746448) Fullscreen notification bypass using popups
* CVE-2022-29909 (bmo#1755081) Bypassing permission prompt in nested browsing contexts
* CVE-2022-29916 (bmo#1760674) Leaking browser history with CSS variables
* CVE-2022-29911 (bmo#1761981) iframe sandbox bypass
* CVE-2022-29912 (bmo#1692655) Reader mode bypassed SameSite cookies
* CVE-2022-29913 (bmo#1764778) Speech Synthesis feature not properly disabled
* CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, bmo#1762614, bmo#1762620) Memory safety bugs fixed in Thunderbird 91.9
* Sat Apr 16 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.8.1
* CLIENTID extension to SMTP was not supported by smtp-js#
* Additional SMTP errors now propagated to user
* OpenPGP was not able to use some previously supported key types
* OpenPGP Key Manager did not always display correct information after importing additional IDs
* Duplicate new mail notifications could be displayed when server-side filters were in use
* Cancelling an SMTP password entry resulted in multiple failure dialogs being displayed
* Tue Apr 12 2022 Martin Liška - Set memory limits for DWZ to 4x.
* Sat Apr 02 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.8.0
* Google accounts using password authentication will be migrated to OAuth2.
* bugfixes https://www.thunderbird.net/en-US/thunderbird/91.8.0/releasenotes MFSA 2022- (bsc#1197903)- update create-tar.sh
* Thu Mar 17 2022 Dirk Müller - skip slow workers, this is a tough build job
* Sun Mar 06 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.7.0
* Thunderbird will use the first occurrence of headers that should only appear once
* Auto-complete incorrectly changed a pasted email address to the primary address of a contact
* Attachments with filename extensions that were not registered in MIME types could not be opened
* Copy/Cut/Paste actions not working in Thunderbird Preferences
* Improved screen reader support of displayed message headers MFSA 2022-12 (bsc#1196900)
* CVE-2022-26383 (bmo#1742421) Browser window spoof using fullscreen mode
* CVE-2022-26384 (bmo#1744352) iframe allow-scripts sandbox bypass
* CVE-2022-26387 (bmo#1752979) Time-of-check time-of-use bug when verifying add-on signatures
* CVE-2022-26381 (bmo#1736243) Use-after-free in text reflows
* CVE-2022-26386 (bmo#1752396) Temporary files downloaded to /tmp and accessible by other local users
* Sun Mar 06 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.6.2 MFSA 2022-09
* CVE-2022-26485 (bmo#1758062) Use-after-free in XSLT parameter processing
* CVE-2022-26486 (bmo#1758070) Use-after-free in WebGPU IPC Framework
* Tue Feb 15 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.6.1
* generated views of meeting invitations are now expanded by default
* Emails were not downloading at startup under some conditions
* Port numbers were not shown in \"Confirm Security Exception\" dialog for CalDAV connections MFSA 2022-07 (bsc#1196072)
* CVE-2022-0566 (bmo#1753094) Crafted email could trigger an out-of-bounds write
* Sat Feb 05 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.6.0
* TB will now offer to send large forwarded attachments via FileLink
* Partially signed unencrypted messages displayed an incorrect \"parrtially encrypted\" notification
* Attachments filenames were not sanitized before saving to disk
* In the attachment bar, the \"Import OpenPGP Key\" item displayed for public keys displayed an error and did not import the key
* \"Open with\" attachment dialog did not have a selected radio button option MFSA 2022-06 (bsc#1195682)
* CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows via Maintenance Service
* CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission confirmation during update
* CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have resulted in the dropped object being an executable
* CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed script if the parent appended elements
* CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could be distinguished between script and non-script content-types
* CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy directive was not enforced for framed extension pages
* CVE-2022-22763 (bmo#1740534) Script Execution during invalid object state
* CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, bmo#1748210, bmo#1748279) Memory safety bugs fixed in Thunderbird 91.6- do not use ccache by default- removed obsolete mozilla-bmo1745560.patch
* Sat Jan 22 2022 Manfred Hollstein - Mozilla Thunderbird 91.5.1
* JS LDAP implementation did not support self-signed SSL certificates
* After saving a draft and subsequently sending a FileLink email, the original file was removed from disk
* Chat OTR encryption did not work
* OTR verification bar was not removed after completing verification
* Various theme improvements
* Thu Jan 20 2022 Martin Liška - Enable -fimplicit-constexpr for GCC 12+.
* Fri Jan 07 2022 Wolfgang Rosenauer - Mozilla Thunderbird 91.5.0 https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes MFSA 2022-03 (bsc#1194547)
* CVE-2022-22746 (bmo#1735071) Calling into reportValidity could have lead to fullscreen window spoof
* CVE-2022-22743 (bmo#1739220) Browser window spoof using fullscreen mode
* CVE-2022-22742 (bmo#1739923) Out-of-bounds memory access when inserting text in edit mode
* CVE-2022-22741 (bmo#1740389) Browser window spoof using fullscreen mode
* CVE-2022-22740 (bmo#1742334) Use-after-free of ChannelEventQueue::mOwner
* CVE-2022-22738 (bmo#1742382) Heap-buffer-overflow in blendGaussianBlur
* CVE-2022-22737 (bmo#1745874) Race condition when playing audio files
* CVE-2021-4140 (bmo#1746720) Iframe sandbox bypass with XSLT
* CVE-2022-22748 (bmo#1705211) Spoofed origin on external protocol launch dialog
* CVE-2022-22745 (bmo#1735856) Leaking cross-origin URLs through securitypolicyviolation event
* CVE-2022-22744 (bmo#1737252) The \'Copy as curl\' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
* CVE-2022-22747 (bmo#1735028) Crash when handling empty pkcs7 sequence
* CVE-2022-22739 (bmo#1744158) Missing throttling on external protocol launch dialog
* CVE-2022-22751 (bmo#1664149, bmo#1737816, bmo#1739366, bmo#1740274, bmo#1740797, bmo#1741201, bmo#1741869, bmo#1743221, bmo#1743515, bmo#1745373, bmo#1746011) Memory safety bugs fixed in Thunderbird 91.5
* Tue Dec 28 2021 Bjørn Lie - Add mozilla-bmo1745560.patch: Fix build against wayland 1.20.
* Fri Dec 17 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.4.1
* several fixes as outlined here https://www.thunderbird.net/en-US/thunderbird/91.4.1/releasenotes/ MFSA 2021-55 (bsc#1193845)
* CVE-2021-4126 (bmo#1732310) OpenPGP signature status doesn\'t consider additional message content
* CVE-2021-44538 (bmo#1744056) Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow- updated _constraints
* Thu Dec 02 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.4.0
* several fixes as outlined here https://www.thunderbird.net/en-US/thunderbird/91.4.0/releasenotes MFSA 2021-54 (bsc#1193485)
* CVE-2021-43536 (bmo#1730120) URL leakage when navigating while executing asynchronous function
* CVE-2021-43537 (bmo#1738237) Heap buffer overflow when using structured clone
* CVE-2021-43538 (bmo#1739091) Missing fullscreen and pointer lock notification when requesting both
* CVE-2021-43539 (bmo#1739683) GC rooting failure when calling wasm instance methods
* CVE-2021-43541 (bmo#1696685) External protocol handler parameters were unescaped
* CVE-2021-43542 (bmo#1723281) XMLHttpRequest error codes could have leaked the existence of an external protocol handler
* CVE-2021-43543 (bmo#1738418) Bypass of CSP sandbox directive when embedding
* CVE-2021-43545 (bmo#1720926) Denial of Service when using the Location API in a loop
* CVE-2021-43546 (bmo#1737751) Cursor spoofing could overlay user interface when native cursor is zoomed
* CVE-2021-43528 (bmo#1742579) JavaScript unexpectedly enabled for the composition area
* MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751, bmo#1737009, bmo#1739372, bmo#1739421) Memory safety bugs fixed in Thunderbird 91.4.0
* Thu Nov 25 2021 Bjørn Lie - Drop unused libidl-devel BuildRequires.
* Sat Nov 20 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.3.2
* Date selection in Calendar print settings widget changed to use mini calendar widget
* OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529 boo#1189244
* Bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.3.2/releasenotes/
* Sat Nov 13 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.3.1
* OpenPGP public keys will no longer count as an attachment in the message list
* Adding a search engine via URL now supported
* FileLink messages\' template updated; Thunderbird advertisement removed
* After an update, Thunderbird will now check installed addons for updates
* Bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.3.1/releasenotes/
* Sun Oct 31 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.3.0
* several fixes as outlined here https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/ MFSA 2021-50 (bsc#1192250)
* CVE-2021-38503 (bmo#1729517) iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504 (bmo#1730156) Use-after-free in file picker dialog
* CVE-2021-38505 (bmo#1730194) Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506 (bmo#1730750) Thunderbird could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507 (bmo#1730935) Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* MOZ-2021-0008 (bmo#1667102) Use-after-free in HTTP2 Session object
* CVE-2021-38508 (bmo#1366818) Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* CVE-2021-38509 (bmo#1718571) Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510 (bmo#1731779) Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0007 (bmo#1606864, bmo#1712671, bmo#1730048, bmo#1735152) Memory safety bugs fixed in Thunderbird ESR 91.3- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
* Fri Oct 22 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.2.1
* Preference added to disable automatic pausing RSS feed updates after a fetch failure
* several bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/
* Fri Oct 22 2021 Guillaume GARDET - Increase memory required per threads for aarch64 to avoid OOM
* Thu Oct 21 2021 Martin Liška - Enable LTO on Tumbleweed.
* Fri Oct 15 2021 Wolfgang Rosenauer - add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863) fix some env variables which are enabled for any value
* Mon Oct 04 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.2.0
* Saving a single message as .eml now uses a unique filename
* New mail notifications did not properly take subfolders into account
* Decrypting binary attachments when using an external GnuPG configuration failed
* Account name fields in the account manager were not big enough for long names
* LDAP searches using an extensibleMatch filter returned no results
* Read-only CalDAV calendars and CardDAV address books were not detected
* Multipart messages containing a calendar invite did not display any of the human-readable alternatives
* Some calendar days were displayed incorrectly or duplicated (eg. two \"29th\" days of a particular month)
* Phantom event was shown at the end of each day in Calendar week view MFSA 2021-46 (bsc#1191332)
* CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask
* CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin
* CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object
* CVE-2021-32810 (bmo#1729813, https://github.com/crossbeam- rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque
* CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
* Sun Sep 26 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.1.2
* Thunderbird will now warn if an S/MIME encrypted message includes BCC recipients
* several bugfixes listed on https://www.thunderbird.net/en-US/thunderbird/91.1.2/releasenotes/
* Wed Sep 15 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.1.1
* Menu item for disabling subject encryption for a single message added
* Printing messages that are not currently displayed is no longer supported, including printing multiple messages at once
* for bugfixes see https://www.thunderbird.net/en-US/thunderbird/91.1.1/releasenotes- MOZ_ENABLE_WAYLAND env variable now overrides automatic detection if already set before startup
* Thu Sep 02 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.1.0
* Thunderbird registered Accessibility Handlers using same GUIDs as Firefox, causing performance issues for NVDA users
* Focus lost when reordering accounts by keyboard in the Account Manager
* Account setup did not use provider display name for setting up calendars
* Various theme and UX fixes MFSA 2021-41 (bsc#1190269)
* CVE-2021-38492 (bmo#1721107) Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495 (bmo#1723391, bmo#1723920, bmo#1724101, bmo#1724107) Memory safety bugs fixed in Thunderbird 91.1- (re-)added mozilla-silence-no-return-type.patch- add mozilla-bmo531915.patch to fix build for i586
* Fri Aug 27 2021 Andreas Stieger - Mozilla Thunderbird 91.0.3:
* fixed: Folder icons could be overridden by linked favicons in HTML messages
* fixed: Unified folders showed no messages when underlying folders were removed
* fixed: Folder pane toolbar did not always persist after restarting Thunderbird
* fixed: Compose window attachment pane did not close when disabling signing of an OpenPGP message
* fixed: Using \"Reply to List\" with some list emails incorrectly opened a \"no-reply\" warning
* fixed: Account setup UX issues with Exchange autodiscover
* fixed: Account settings did not display non-UTF-8 server descriptions correctly
* fixed: Thunderbird sometimes sent an unnecessary \"SMTPUTF8\", causing some servers to reject mail
* fixed: No mouseover pop was displayed with event details for non-all-day events in the Today Pane
* fixed: Filtering tasks in the Today Pane did not work
* fixed: Email based event scheduling displayed the date and time in a format unreadable by humans
* Fri Aug 27 2021 Andreas Stieger - Mozilla Thunderbird 91.0.2:
* new: Tags are now colored in mail filter editor
* changed: Context menu items related to OpenPGP and attachments are now hidden when not applicable
* fixed: Creating a new account with manual setup failed
* fixed: Recipient autocomplete always preferred the primary email address for a contact
* fixed: LDAP performance improvements
* fixed: Extensions listed on the Recommended Addons did not have a clear way to view details in a browser
* fixed: Status checkmark on View > Calendar > Calendar Pane > Show Calendar Pane was reversed
* fixed: mid: URLs in calendar invites did not open the linked mail message
* fixed: Various theme and UX fixes
* Tue Aug 17 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.0.1 MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses- appdate screenshot URL updated (by mailaenderAATTopensuse.org)
* Sun Aug 15 2021 Wolfgang Rosenauer - Mozilla Thunderbird 91.0
* based on Mozilla\'s 91 ESR codebase
* many new and changed features https://www.thunderbird.net/en-US/thunderbird/91.0/releasenotes/#whatsnew
* Renamed \"Add-ons\" to \"Add-ons and Themes\" and \"Options\" to \"Preferences\"
* Thunderbird now operates in multi-process (e10s) mode by default
* New user interface for adding attachments
* Enable redirect of messages
* CardDAV address book support- Removed obsolete patches:
* mozilla-bmo1463035.patch
* mozilla-ppc-altivec_static_inline.patch
* mozilla-pipewire-0-3.patch
* mozilla-bmo1554971.patch- add mozilla-libavcodec58_91.patch- removed obsolete BigEndian ICU build workaround- updated build requirements- build using clang
* Thu Aug 05 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.13.0
* removed WeTransfer integration package (not supported by vendor any longer) MFSA 2021-35 (bsc#1188891)
* CVE-2021-29986 (bmo#1696138) Race condition when resolving DNS names could have led to memory corruption
* CVE-2021-29988 (bmo#1717922) Memory corruption as a result of incorrect style treatment
* CVE-2021-29984 (bmo#1720031) Incorrect instruction reordering during JIT optimization
* CVE-2021-29980 (bmo#1722204) Uninitialized memory in a canvas object could have led to memory corruption
* CVE-2021-29985 (bmo#1722083) Use-after-free media channels
* CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178, bmo#1719998, bmo#1720568) Memory safety bugs fixed in Thunderbird 78.13
* Wed Jul 14 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.12.0 MFSA 2021-30 (bsc#1188275)
* CVE-2021-29969 (bmo#1682370) IMAP server responses sent by a MITM prior to STARTTLS could be processed
* CVE-2021-29970 (bmo#1709976) Use-after-free in accessibility features of a document
* CVE-2021-30547 (bmo#1715766) Out of bounds write in ANGLE
* CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910, bmo#1711576, bmo#1714391) Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
* Sat May 29 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.11.0
* OpenPGP could not be disabled for an account if a key was previously configured
* Recipients were unable to decrypt some messages when the sender had changed the message encryption from OpenPGP to S/MIME
* Contacts moved between CardDAV address books were not synced to the new server
* CardDAV compatibility fixes for Google Contacts MFSA 2021-26 (bsc#1186696)
* CVE-2021-29964 (bmo#1706501) Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760, bmo#1704722, bmo#1706041) Memory safety bugs fixed in Thunderbird 78.11- renewed expired mozilla.keyring
* Fri May 14 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.10.2
* Added support for importing OpenPGP keys without a primary secret key
* Add-ons manager displays a preferences icon for mail extensions that include an options page Fixed
* OpenPGP messages with a high compression ratio (over 10x) could not be decrypted
* Selected OpenPGP key was lost after opening the Key Properties dialog in Account Settings
* Parsing some OpenPGP user IDs failed
* Various improvements to OpenPGP partial encryption reminders
* Mail toolbar buttons were too big when displaying both icons and text MFSA 2021-22
* CVE-2021-29956 (boo#1186199, bmo#1710290) Thunderbird stored OpenPGP secret keys without master password protection
* CVE-2021-29957 (boo#1186198, bmo#1673241) Partial protection of inline OpenPGP message not indicated- do not rely on nodejs10 explicitely
* Tue May 04 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.10.1
* Remove the fix for bmo#1689804 introduced in 78.9.0, restoring the previous behavior
* MFSA 2021-19 (bsc#1185633) does not affect this platform
* Sun Apr 18 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.10.0 MFSA 2021-14 (bsc#1184960)
* CVE-2021-23994 (bmo#1699077) Out of bound write due to lazy initialization
* CVE-2021-23995 (bmo#1699835) Use-after-free in Responsive Design Mode
* CVE-2021-23998 (bmo#1667456) Secure Lock icon could have been spoofed
* CVE-2021-23961 (bmo#1677940) More internal network hosts could have been probed by a malicious webpage
* CVE-2021-23999 (bmo#1691153) Blob URLs may have been granted additional privileges
* CVE-2021-24002 (bmo#1702374) Arbitrary FTP command execution on FTP servers using an encoded URL
* CVE-2021-29945 (bmo#1700690) Incorrect size computation in WebAssembly JIT could lead to null-reads
* CVE-2021-29946 (bmo#1698503) Port blocking could be bypassed
* CVE-2021-29948 (bmo#1692899) Race condition when reading from disk while verifying signatures- recommend libotr5
* Sat Apr 10 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.9.1
* Support recipient aliases for OpenPGP encryption
* The key and signature parts of the message security popup on a received message could not be selected for copy/paste
* Various UX and theme improvements MFSA 2021-13
* CVE-2021-23991 (bmo#1673240) An attacker may use Thunderbird\'s OpenPGP key refresh mechanism to poison an existing key
* MOZ-2021-23992 (bmo#1666236) A crafted OpenPGP key with an invalid user ID could be used to confuse the user
* CVE-2021-23993 (bmo#1666360) Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key
* Sat Mar 20 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.9.0
* bugfixes: https://www.thunderbird.net/en-US/thunderbird/78.9.0/releasenotes MFSA 2021-12 (boo#1183942)
* CVE-2021-23981 (bmo#1692832) Texture upload into an unbound backing buffer resulted in an out-of-bound read
* MOZ-2021-0002 (bmo#1691547) Angle graphics library out of date
* CVE-2021-23982 (bmo#1677046) Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984 (bmo#1693664) Malicious extensions could have spoofed popup information
* CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, bmo#1690718) Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542)
* Sun Mar 07 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.8.1
* several bugfixes and improvements
* https://www.thunderbird.net/en-US/thunderbird/78.8.1/releasenotes/- updated create-tar.sh (bsc#1182357)
* Fri Feb 19 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.8.0
* various bugfixes MFSA 2021-09 (bsc#1182614)
* CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23973 (bmo#1690976) MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391, bmo#1687597) Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
* Fri Feb 05 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.7.1
* CardDAV address books now support OAuth2 and Google Contacts
* Thunderbird will no longer allow installation of addons that use legacy APIs
* Tue Jan 26 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.7.0 MFSA 2021-05 (bsc#1181414)
* CVE-2021-23953 (bmo#1683940) Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954 (bmo#1684020) Type confusion when using logical assignment operators in JavaScript switch statements
* CVE-2020-15685 (bmo#1622640) IMAP Response Injection when using STARTTLS
* CVE-2020-26976 (bmo#1674343) HTTPS pages could have been intercepted by a registered service worker when they should not have been
* CVE-2021-23960 (bmo#1675755) Use-after-poison for incorrectly redeclared JavaScript variables during GC
* CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278, bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590, bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938, bmo#1683736, bmo#1685260, bmo#1685925) Memory safety bugs fixed in Thunderbird 78.7
* Sun Jan 24 2021 Manfred Hollstein - MozillaThunderbird.spec: Don\'t abuse BUILDROOT during %build as newer rpm versions in TW remove everything there as the first action of %install
* Mon Jan 11 2021 Wolfgang Rosenauer - Mozilla Thunderbird 78.6.1 MFSA 2021-02 (bsc#1180623)
* CVE-2020-16044 (bmo#1683964) Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
* Sat Dec 12 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.6.0
* changes and additions in MailExtensions
* several bugfixes
* https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/ MFSA 2020-56 (bsc#1180039))
* CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed
* CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
* CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage
* CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Thunderbird 78.6
* Tue Dec 01 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.5.1 MFSA 2020-53 (bsc#1179530)
* CVE-2020-26970 (bmo#1677338) Stack overflow due to incorrect parsing of SMTP server response codes
* Mon Nov 16 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.5.0 MFSA 2020-52 (bsc#1178894)
* CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin images during drawImage calls
* CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without displaying the security UI
* CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard API)
* CVE-2020-26958 (bmo#1669355) Requests intercepted through ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of nsTArray
* CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered typed passwords
* CVE-2020-26966 (bmo#1663571) Single-word search queries were also broadcast to local network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs fixed in Thunderbird 78.5- removed obsolete mozilla-rust-1.47.patch
* Wed Nov 11 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.4.3 https://www.thunderbird.net/en-US/thunderbird/78.4.3/releasenotes/- added mozilla-rust-1.47.patch to fix build with rust 1.47
* Mon Nov 09 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.4.2 MFSA 2020-49
* CVE-2020-26950 (bmo#1675905) Write side effects in MCallGetProperty opcode not accounted for
* Thu Nov 05 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.4.1
* Bugfixes and minor features https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/
* Tue Oct 20 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.4.0
* MailExtensions: browser.tabs.sendMessage API added
* MailExtensions: messageDisplayScripts API added
* Yahoo and AOL mail users using password authentication will be migrated to OAuth2
* MailExtensions: messageDisplay APIs extended to support multiple selected messages
* MailExtensions: compose.begin functions now support creating a message with attachments
* multiple bugfixes MFSA 2020-47 (bsc#1177872)
* CVE-2020-15969 (bmo#1666570) Use-after-free in usersctp
* CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954, bmo#1662760, bmo#1663439, bmo#1666140) Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Thu Oct 15 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* OpenPGP Key Manager was missing from Tools menu on macOS
* Creating a new calendar event did not require an event title- remove python2 dependencies for TW- support wayland mode/autodetection in startup wrapper- replace some Requires to use requires_ge macro where appropriate- improve langpack build (as already used for Firefox)- add ccache statistics output to build
* Wed Oct 07 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.3.2
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
* Fri Sep 25 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket (bmo#1667120)
* Wed Sep 23 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 (bmo#1641487) Download origin spoofing via redirect
* CVE-2020-15676 (bmo#1646140) XSS when pasting attacker-controlled data into a contenteditable element
* CVE-2020-15678 (bmo#1660211) When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario
* CVE-2020-15673 (bmo#1648493, bmo#1660800) Memory safety bugs fixed in Thunderbird 78.3- requires NSPR >= 4.25.1- removed obsolete thunderbird-bmo1664607.patch
* Sun Sep 13 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.2.2 https://www.thunderbird.net/en-US/thunderbird/78.2.2/releasenotes- added thunderbird-bmo1664607.patch required for builds w/o updater (boo#1176384)
* Mon Aug 31 2020 Wolfgang Rosenauer - Mozilla Thunderbird 78.2.1
* based on Mozilla\'s 78 ESR codebase
* many new and changed features https://www.thunderbird.net/en-US/thunderbird/78.0/releasenotes/#whatsnew
* built-in OpenPGP support (enigmail neither required nor supported)- added platform patches:
* mozilla-s390x-skia-gradient.patch
* mozilla-pipewire-0-3.patch
* mozilla-bmo1512162.patch
* mozilla-bmo1626236.patch
* mozilla-bmo998749.patch
* mozilla-sandbox-fips.patch- removed obsolete platform patches
* mozilla-s390-bigendian.patch
* mozilla-nestegg-big-endian.patch
* mozilla-openaes-decl.patch
* mozilla-cubeb-noreturn.patch
* Sun Aug 30 2020 Wolfgang Rosenauer - Mozilla Thunderbird 68.12.0 MFSA 2020-40 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199) Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214) Attacker-induced prompt for extension installation
* CVE-2020-15669 (bmo#1656957) Use-After-Free when aborting an operation
* Fri Aug 28 2020 Michel Normand - Put back %limit_build macro usage to avoid build error PowerPC (remove memoryperjob constraint)
* Thu Aug 20 2020 Martin Liška - Use memoryperjob constraint instead of %limit_build macro.
* Sat Aug 01 2020 Andreas Stieger - Mozilla Thunderbird 68.11.0
* fixed: FileLink attachments included as a link and file when added from a network drive via drag & drop (bmo#793118) MFSA 2020-35 (bsc#1174538)
* CVE-2020-15652 (bmo#1634872) Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514 (bmo#1642792) WebRTC data channel leaks internal address to peer
* CVE-2020-6463 (bmo#1635293) Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1646787, bmo#1650811) Memory safety bugs fixed in Thunderbird 68.11
* Wed Jul 01 2020 Andreas Stieger - Mozilla Thunderbird 68.10.0
* fixed: Chat: Topics displayed some characters improperly (bmo#1644024)
* fixed: Calendar: Filtering tasks did not work when \"Incomplete Tasks\" was selected (bmo#1593711) MFSA 2020-26 (bsc#1173576)
* CVE-2020-12417 (bmo#1640737) Memory corruption due to missing sign-extension for ValueTags on ARM64
* CVE-2020-12418 (bmo#1641303) Information disclosure due to manipulated URL object
* CVE-2020-12419 (bmo#1643874) Use-after-free in nsGlobalWindowInner
* CVE-2020-12420 (bmo#1643437) Use-After-Free when trying to connect to a STUN server
* MFSA-2020-0001 (bmo#1606610) Automatic account setup leaks Microsoft Exchange login credentials
* CVE-2020-12421 (bmo#1308251) Add-On updates did not respect the same certificate trust rules as software updates
* Thu Jun 11 2020 Wolfgang Rosenauer - build with nodejs10 to be able to drop nodejs8 from TW- updated create-tar.sh
* Sat Jun 06 2020 Andreas Stieger - Mozilla Thunderbird 68.9.0
* fixed: Custom headers added for searching or filtering could not be removed (bmo#1631577)
* fixed: Calendar: Today Pane updated prior to loading all data (bmo#1635613)
* fixed: Stability improvements (bmo#1625677) MFSA 2020-22 (bsc#1172402)
* CVE-2020-12405 (bmo#1631618) Use-after-free in SharedWorkerService
* CVE-2020-12406 (bmo#1639590) JavaScript Type confusion with NativeTypes
* CVE-2020-12410 (bmo#1619305, bmo#1632717) Memory safety bugs fixed in Thunderbird 68.9.0
* CVE-2020-12398 (bmo#1613623) Security downgrade with IMAP STARTTLS leads to information leakage
* Sun May 24 2020 Andreas Stieger - Mozilla Thunderbird 68.8.1
* fixed: IMAP stability improvements (bmo#1586494)
* fixed: HTML tags in IRC topic changes were rendered incorrectly (bmo#1607097)
* fixed: MailExtensions: Websockets could not be used (bmo#1627649)
* Tue May 05 2020 Wolfgang Rosenauer - Mozilla Thunderbird 68.8.0
* Account Manager fixes and improvements
* https://www.thunderbird.net/en-US/thunderbird/68.8.0/releasenotes MFSA 2020-18 (bsc#1171186)
* CVE-2020-12397 (bmo#1617370) Sender Email Address Spoofing using encoded Unicode characters
* CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown
* CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation
* CVE-2020-12392 (bmo#1614468) Arbitrary local file access with \'Copy as cURL\'
* CVE-2020-12393 (bmo#1615471) Devtools\' \'Copy as cURL\' feature did not fully escape website-controlled data, potentially leading to command injection
* CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Thunderbird 68.8.0- removed obsolete patch mozilla-bmo1580963.patch
* Tue May 05 2020 Ismail Dönmez - Add mozilla-bmo1580963.patch to fix build with rust 1.43 (bmo#1580963)
* Thu Apr 09 2020 Andreas Stieger - Mozilla Thunderbird 68.7.0
* Updates to MailExtensions API
* Various improvements to account setup when connecting to an Exchange server
* Thread collapsed when opening news message in a new window
* Fix Addons not automatically updated to compatible version after upgrade from Thunderbird 60
* Updating addons did not prompt when requesting new permissions
* Extra recipients panel not keyboard-accessible
* Accessibility: Status bar was not detected by screenreaders
* Calendar: Invitations with embedded null bytes did not always decode correctly
* Calendar: Cancelled events didn\'t show with a line-through
* Various security fixes MFSA 2020-14 In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
* CVE-2020-6819 (bmo#1620818, bsc#1168630) Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728, bsc#1168630) Use-after-free when handling a ReadableStream
* CVE-2020-6821 (bmo#1625404, bsc#1168874) Uninitialized memory could be read when using the WebGL copyTexSubImage method
* CVE-2020-6822 (bmo#1544181, bsc#1168874) Out of bounds write in GMPDecodeData when processing large images
* CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203,bsc#1168874) Memory safety bugs fixed in Thunderbird 68.7.0
* Sat Mar 14 2020 Wolfgang Rosenauer - Mozilla Thunderbird 68.6.0 MFSA 2020-10 (bsc#1166238)
* CVE-2020-6805 (bmo#1610880) Use-after-free when removing data about origins
* CVE-2020-6806 (bmo#1612308) BodyStream::OnInputStreamReady was missing protections against state confusion
* CVE-2020-6807 (bmo#1614971) Use-after-free in cubeb during stream destruction
* CVE-2020-6811 (bmo#1607742) Devtools\' \'Copy as cURL\' feature did not fully escape website-controlled data, potentially leading to command injection
* CVE-2019-20503 (bmo#1613765) Out of bounds reads in sctp_load_addresses_from_init
* CVE-2020-6812 (bmo#1616661) The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
* CVE-2020-6814 (bmo#1592078, bmo#1604847, bmo#1608256, bmo#1612636, bmo#1614339) Memory safety bugs fixed in Thunderbird 68.6- requires NSS >= 3.44.3
* Mon Feb 10 2020 Wolfgang Rosenauer - Mozilla Thunderbird 68.5.0 New
* Support for Client Identity IMAP/SMTP Service Extension
* Support for OAuth 2.0 authentication for POP3 accounts Fixes
* Status area goes blank during account setup
* Calendar: Could not remove color for default categories
* Calendar: Prevent calendar component loading multiple times
* Calendar: Today pane did not retain width between sessions MFSA 2020-07 (bsc#1163368)
* CVE-2020-6793 (bmo#1608539) Out-of-bounds read when processing certain email messages
* CVE-2020-6794 (bmo#1606619) Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords
* CVE-2020-6795 (bmo#1611105) Crash processing S/MIME messages with multiple signatures
* CVE-2020-6797 (bmo#1596668) (Mac OSX only) Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944) Incorrect parsing of template tag could result in JavaScript injection
* CVE-2020-6792 (bmo#1609607) Message ID calculcation was based on uninitialized data
* CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851, bmo#1608580,bmo#1608785,bmo#1605777) Memory safety bugs fixed in Thunderbird 68.5
* Tue Jan 28 2020 Stasiek Michalski - Use a symbolic icon from branding internals
* Fri Jan 24 2020 Wolfgang Rosenauer - Mozilla Thunderbird 68.4.2
* Calendar: Task and Event tree colours adjusted for the dark theme
* Retrieval of S/MIME certificates from LDAP failed
* Address-parsing crash on some IMAP servers when mail.imap.use_envelope_cmd is set
* Incorrect forwarding of HTML messages caused SMTP servers to respond with a timeout
* Calendar: Various parts of the calendar UI stopped working when a second Thunderbird window opened
* Fri Jan 10 2020 Wolfgang Rosenauer - Mozilla Thunderbird 68.4.1
* Various improvements when setting up an account for a Microsoft Exchange server: Now offers IMAP/SMTP if available, better detection for Office 365 accounts; re-run configuration after password change Fixes:
* After changing view layout, the message display pane showed garbled content under some circumstances
* Various theme changes to achieve \"pixel perfection\": Unread icon, \"no results\" icon, paragraph format and font selector, background of folder summary tooltip
* Tags were lost on messages in shared IMAP folders under some circumstances
* Calendar: Event attendee dialog was not displayed correctly MFSA 2020-04 (bsc#1160498, bsc#1160305)
* CVE-2019-17026 (bmo#1607443) IonMonkey type confusion with StoreElementHole and FallibleStoreElement
* CVE-2019-17015 (bmo#1599005) Memory corruption in parent process during new content process initialization on Windows
* CVE-2019-17016 (bmo#1599181) Bypass of AATTnamespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055) Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008) Heap address disclosure in parent process during content process initialization on Windows
* CVE-2019-17022 (bmo#1602843) CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605, bmo#1601826) Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4- removed obsolete patch mozilla-bmo1511604.patch- added mozilla-bmo1602730.patch to fix LE<->BE issues in the platform (bmo#1602730)
  
ICM