Revisions of MozillaThunderbird

Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1225214 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 348)
- Mozilla Thunderbird 128.4.4
  * QR codes were not scannable by Android app when using most
    high-contrast themes
  * Primary password prompt cancellation during mobile export was
    confusing
- revert using xdg-desktop-portal as some desktops have limited
  support
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1224250 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 347)
- Mozilla Thunderbird 128.4.3
  Fixes:
  * Folder corruption could cause Thunderbird to freeze and become unusable
  * Message corruption could be propagated when reading mbox
  * Folder compaction was not abandoned on shutdown
  * Folder compaction did not clean up on failure
  * Collapsed NNTP thread incorrectly indicated there were unread messages
  * Navigating to next unread message did not wait for all messages
    to be loaded
  * Applying column view to folder and children could break if folder
    error occurred
  * Remote content notifications were broken with encrypted messages
  * Updating criteria of a saved search resulted in poor search performance
  * Drop-downs may not work in some places
  MFSA 2024-61
  * CVE-2024-11159 (bmo#1925929)
    Potential disclosure of plaintext in OpenPGP encrypted message
- remove kmozillahelper support (boo#1226112)
  * removed mozilla-kde.patch
  * requires xdg-desktop-portal instead
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1219576 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 345)
- Mozilla Thunderbird 128.4.0
  * Export Thunderbird account settings to Thunderbird Mobile via QRCode
  Bugfixes:
  * Unable to send an unencrypted response to an OpenPGP encrypted message
  MFSA 2024-58 (bsc#1231879)
  * CVE-2024-10458 (bmo#1921733)
    Permission leak via embed or object elements
  * CVE-2024-10459 (bmo#1919087)
    Use-after-free in layout with accessibility
  * CVE-2024-10460 (bmo#1912537)
    Confusing display of origin for external protocol handler prompt
  * CVE-2024-10461 (bmo#1914521)
    XSS due to Content-Disposition being ignored in
    multipart/x-mixed-replace response
  * CVE-2024-10462 (bmo#1920423)
    Origin of permission prompt could be spoofed by long URL
  * CVE-2024-10463 (bmo#1920800)
    Cross origin video frame leak
  * CVE-2024-10464 (bmo#1913000)
    History interface could have been used to cause a Denial of
    Service condition in the browser
  * CVE-2024-10465 (bmo#1918853)
    Clipboard "paste" button persisted across tabs
  * CVE-2024-10466 (bmo#1924154)
    DOM push subscription message could hang Firefox
  * CVE-2024-10467 (bmo#1829029, bmo#1888538, bmo#1900394, bmo#1904059,
    bmo#1917742, bmo#1919809, bmo#1923706)
    Memory safety bugs fixed in Firefox 132, Thunderbird 132,
    Firefox ESR 128.4, and Thunderbird 128.4
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1208840 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 343)
- Mozilla Thunderbird 128.3.2
  bugfix release:
  https://www.thunderbird.net/en-US/thunderbird/128.3.2esr/releasenotes
- bring back mozilla-bmo531915.patch to fix x86
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1207082 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 342)
- Mozilla Thunderbird 128.3.1
  https://www.thunderbird.net/en-US/thunderbird/128.0esr/releasenotes/
  and following release notes for minor version updates
  MFSA 2024-52  (bsc#1231413)
  * CVE-2024-9680 (bmo#1923344)
    Use-after-free in Animation timeline
  Mozilla Thunderbird 128.3.0
  MFSA 2024-32 (128.0)
  MFSA 2024-37 (128.1)
  MFSA 2024-43 (128.2)
  MFSA 2024-49 (128.3) (bsc#1230979)
  * CVE-2024-9392 (bmo#1899154, bmo#1905843)
    Compromised content process can bypass site isolation
  * CVE-2024-9393 (bmo#1918301)
    Cross-origin access to PDF contents through multipart responses
  * CVE-2024-9394 (bmo#1918874)
    Cross-origin access to JSON contents through multipart responses
  * CVE-2024-8900 (bmo#1872841)
    Clipboard write permission bypass
  * CVE-2024-9396 (bmo#1912471)
    Potential memory corruption may occur when cloning certain objects
  * CVE-2024-9397 (bmo#1916659)
    Potential directory upload bypass via clickjacking
  * CVE-2024-9398 (bmo#1881037)
    External protocol handlers could be enumerated via popups
  * CVE-2024-9399 (bmo#1907726)
    Specially crafted WebTransport requests could lead to denial
    of service
  * CVE-2024-9400 (bmo#1915249)
    Potential memory corruption during JIT compilation
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1199551 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 341)
- Mozilla Thunderbird 115.15.0
  MFSA 2024-44 (bsc#1229821)
  * CVE-2024-8381 (bmo#1912715)
    Type confusion when looking up a property name in a "with"
    block
  * CVE-2024-8382 (bmo#1906744)
    Internal event interfaces were exposed to web content when
    browser EventHandler listener callbacks ran
  * CVE-2024-8384 (bmo#1911288)
    Garbage collection could mis-color cross-compartment objects
    in OOM conditions

- Use gcc13 on Tumbleweed and where it is available.
- Don't use gcc14 as sources don't compile.
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1192519 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 340)
- Mozilla Thunderbird 115.14.0
  * When using an external installation of GnuPG, Thunderbird
    occassionally sent/received corrupted messages (bmo#1898832)
  * Users of external GnuPG were unable to decrypt incorrectly
    encoded messages (bmo#1906903)
  MFSA 2024-38 (bsc#1228648)
  * CVE-2024-7519 (bmo#1902307)
    Out of bounds memory access in graphics shared memory handling
  * CVE-2024-7521 (bmo#1904644)
    Incomplete WebAssembly exception handing
  * CVE-2024-7522 (bmo#1906727)
    Out of bounds read in editor component
  * CVE-2024-7525 (bmo#1909298)
    Missing permission check when creating a StreamFilter
  * CVE-2024-7526 (bmo#1910306)
    Uninitialized memory used by WebGL
  * CVE-2024-7527 (bmo#1871303)
    Use-after-free in JavaScript garbage collection
  * CVE-2024-7529 (bmo#1903187)
    Document content could partially obscure security prompts
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1187370 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 339)
- Mozilla Thunderbird 115.13.0
  * After starting Thunderbird, the message list position was
    sometimes set to an incorrect position
  MFSA 2024-30 (bsc#1226316)
  * CVE-2024-6600 (bmo#1888340)
    Memory corruption in WebGL API
  * CVE-2024-6601 (bmo#1890748)
    Race condition in permission assignment
  * CVE-2024-6602 (bmo#1895032)
    Memory corruption in NSS
  * CVE-2024-6603 (bmo#1895081)
    Memory corruption in thread creation
  * CVE-2024-6604 (bmo#1748105, bmo#1837550, bmo#1884266)
    Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13,
    and Thunderbird 115.13
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1181261 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 337)
- Mozilla Thunderbird 115.12.0
  https://www.thunderbird.net/en-US/thunderbird/115.12.0/releasenotes
  MFSA 2024-28 (bsc#1226027)
  * CVE-2024-5702 (bmo#1193389)
    Use-after-free in networking
  * CVE-2024-5688 (bmo#1895086)
    Use-after-free in JavaScript object transplant
  * CVE-2024-5690 (bmo#1883693)
    External protocol handlers leaked by timing attack
  * CVE-2024-5691 (bmo#1888695)
    Sandboxed iframes were able to bypass sandbox restrictions to
    open a new window
  * CVE-2024-5692 (bmo#1891234)
    Bypass of file name restrictions during saving
  * CVE-2024-5693 (bmo#1891319)
    Cross-Origin Image leak via Offscreen Canvas
  * CVE-2024-5696 (bmo#1896555)
    Memory Corruption in Text Fragments
  * CVE-2024-5700 (bmo#1862809, bmo#1889355, bmo#1893388, bmo#1895123)
    Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12,
    and Thunderbird 115.12
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1179943 from Factory Maintainer's avatar Factory Maintainer (factory-maintainer) (revision 336)
Automatic submission by obs-autosubmit
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1175556 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 335)
- Mozilla Thunderbird 115.11.0
  MFSA 2024-23 (bsc#1224056)
  * CVE-2024-4367 (bmo#1893645)
    Arbitrary JavaScript execution in PDF.js
  * CVE-2024-4767 (bmo#1878577)
    IndexedDB files retained in private browsing mode
  * CVE-2024-4768 (bmo#1886082)
    Potential permissions request bypass via clickjacking
  * CVE-2024-4769 (bmo#1886108)
    Cross-origin responses could be distinguished between script
    and non-script content-types
  * CVE-2024-4770 (bmo#1893270)
    Use-after-free could occur when printing to PDF
  * CVE-2024-4777 (bmo#1878199, bmo#1893340)
    Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
    and Thunderbird 115.11
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1169354 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 333)
- Mozilla Thunderbird 115.10.1
  https://www.thunderbird.net/en-US/thunderbird/115.10.1/releasenotes/
  * fixed hangup introduced with 115.10.0 (bmo#1891889)

- Mozilla Thunderbird 115.10.0
  https://www.thunderbird.net/en-US/thunderbird/115.10.0/releasenotes/
  MFSA 2024-20 (bsc#1222535)
  * CVE-2024-3852 (bmo#1883542)
    GetBoundName in the JIT returned the wrong object
  * CVE-2024-3854 (bmo#1884552)
    Out-of-bounds-read after mis-optimized switch statement
  * CVE-2024-3857 (bmo#1886683)
    Incorrect JITting of arguments led to use-after-free during
    garbage collection
  * CVE-2024-2609 (bmo#1866100)
    Permission prompt input delay could expire when not in focus
  * CVE-2024-3859 (bmo#1874489)
    Integer-overflow led to out-of-bounds-read in the OpenType sanitizer
  * CVE-2024-3861 (bmo#1883158)
    Potential use-after-free due to AlignedBuffer self-move
  * CVE-2024-3863 (bmo#1885855)
    Download Protections were bypassed by .xrm-ms files on Windows
  * CVE-2024-3302 (bmo#1881183)
    Denial of Service using HTTP/2 CONTINUATION frames
  * CVE-2024-3864 (bmo#1888333)
    Memory safety bug fixed in Firefox 125, Firefox ESR 115.10,
    and Thunderbird 115.10
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1160556 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 332)
- LLVM18 breaks building Thunderbird on Tumbleweed; add
  * mozilla-fix-issues-with-llvm18.patch

- Mozilla Thunderbird 115.9.0
  https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/
  MFSA 2024-14 (bsc#1221327)
  * CVE-2024-0743 (bmo#1867408)
    Crash in NSS TLS method
  * CVE-2024-2605 (bmo#1872920)
    Windows Error Reporter could be used as a Sandbox escape vector
  * CVE-2024-2607 (bmo#1879939)
    JIT code failed to save return registers on Armv7-A
  * CVE-2024-2608 (bmo#1880692)
    Integer overflow could have led to out of bounds write
  * CVE-2024-2616 (bmo#1846197)
    Improve handling of out-of-memory conditions in ICU
  * CVE-2023-5388 (bmo#1780432)
    NSS susceptible to timing attack against RSA decryption
  * CVE-2024-2610 (bmo#1871112)
    Improper handling of html and body tags enabled CSP nonce leakage
  * CVE-2024-2611 (bmo#1876675)
    Clickjacking vulnerability could have led to a user accidentally
    granting permissions
  * CVE-2024-2612 (bmo#1879444)
    Self referencing object could have potentially led to a use-
    after-free
  * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093)
    Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
    and Thunderbird 115.9
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1155826 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 331)
- Mozilla Thunderbird 115.8.1
  https://www.thunderbird.net/en-US/thunderbird/115.8.1/releasenotes/
  MFSA 2024-11
  * CVE-2024-1936 (bmo#1860977)
    Leaking of encrypted email subjects to other conversations
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1141172 from Wolfgang Rosenauer's avatar Wolfgang Rosenauer (wrosenauer) (revision 329)
- Mozilla Thunderbird 115.7.0
  https://www.thunderbird.net/en-US/thunderbird/115.7.0/releasenotes/
  MFSA 2024-04 (bsc#1218955)
  * CVE-2024-0741 (bmo#1864587)
    Out of bounds write in ANGLE
  * CVE-2024-0742 (bmo#1867152)
    Failure to update user input timestamp
  * CVE-2024-0746 (bmo#1660223)
    Crash when listing printers on Linux
  * CVE-2024-0747 (bmo#1764343)
    Bypass of Content Security Policy when directive unsafe-inline was set
  * CVE-2024-0749 (bmo#1813463)
    Phishing site popup could show local origin in address bar
  * CVE-2024-0750 (bmo#1863083)
    Potential permissions request bypass via clickjacking
  * CVE-2024-0751 (bmo#1865689)
    Privilege escalation through devtools
  * CVE-2024-0753 (bmo#1870262)
    HSTS policy on subdomain could bypass policy of upper domain
  * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
    Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
    and Thunderbird 115.7
Displaying revisions 1 - 20 of 348
openSUSE Build Service is sponsored by