Back to Top
Package thunderbird: Changelog
|91.5.0-alt1 built Jan. 20, 2022 Andrey Cherepanov in task #293378|
|Jan. 12, 2022 Andrey Cherepanov|
- New version. - Security fixes: + CVE-2022-22746 Calling into reportValidity could have lead to fullscreen window spoof + CVE-2022-22743 Browser window spoof using fullscreen mode + CVE-2022-22742 Out-of-bounds memory access when inserting text in edit mode + CVE-2022-22741 Browser window spoof using fullscreen mode + CVE-2022-22740 Use-after-free of ChannelEventQueue::mOwner + CVE-2022-22738 Heap-buffer-overflow in blendGaussianBlur + CVE-2022-22737 Race condition when playing audio files + CVE-2021-4140 Iframe sandbox bypass with XSLT + CVE-2022-22748 Spoofed origin on external protocol launch dialog + CVE-2022-22745 Leaking cross-origin URLs through securitypolicyviolation event + CVE-2022-22744 The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection + CVE-2022-22747 Crash when handling empty pkcs7 sequence + CVE-2022-22739 Missing throttling on external protocol launch dialog + CVE-2022-22751 Memory safety bugs fixed in Thunderbird 91.5
|91.4.1-alt1 built Dec. 27, 2021 Andrey Cherepanov in task #292439|
|Dec. 21, 2021 Andrey Cherepanov|
- New version. - Security fixes: + CVE-2021-4126 OpenPGP signature status doesn't consider additional message content + CVE-2021-44538 Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow
|91.4.0-alt1 built Dec. 21, 2021 Andrey Cherepanov in task #291741|
|Dec. 10, 2021 Andrey Cherepanov|
|91.3.2-alt1 built Dec. 1, 2021 Andrey Cherepanov in task #290591|
|Nov. 19, 2021 Andrey Cherepanov|
- New version.
|Nov. 15, 2021 Andrey Cherepanov 91.3.1-alt1|
- New version.
|91.3.0-alt1 built Nov. 10, 2021 Andrey Cherepanov in task #288818|
|Nov. 3, 2021 Andrey Cherepanov|
|91.2.1-alt1 built Nov. 2, 2021 Anton Farygin in task #281644|
|91.2.1-alt1 built Oct. 26, 2021 Andrey Cherepanov in task #287811|
|Oct. 22, 2021 Andrey Cherepanov|
- New version. - Security fixes: + CVE-2021-38502 Downgrade attack on SMTP STARTTLS connections + CVE-2021-38496 Use-after-free in MessageTask + CVE-2021-38497 Validation message could have been overlaid on another origin + CVE-2021-38498 Use-after-free of nsLanguageAtomService object + CVE-2021-32810 Data race in crossbeam-deque + CVE-2021-38500 Memory safety bugs fixed in Thunderbird 91.2 + CVE-2021-38501 Memory safety bugs fixed in Thunderbird 91.2
|91.2.0-alt1 built Oct. 8, 2021 Andrey Cherepanov in task #286091|
|Oct. 6, 2021 Andrey Cherepanov|
- New version.
|Sept. 28, 2021 Andrey Cherepanov 91.1.2-alt1|
- New version.
|Sept. 22, 2021 Andrey Cherepanov 91.1.1-alt1|
- New version.
|Sept. 13, 2021 Andrey Cherepanov 91.1.0-alt2|
- Fix unreadable text in chat (ALT #40907).
|91.1.0-alt1 built Sept. 15, 2021 Andrey Cherepanov in task #284957|
|Sept. 8, 2021 Andrey Cherepanov|
- New version. - Security fixes: + CVE-2021-38492 Navigating to `mk:` URL scheme could load Internet Explorer + CVE-2021-38495 Memory safety bugs fixed in Thunderbird 91.1
|91.0.3-alt1 built Sept. 3, 2021 Andrey Cherepanov in task #283946|
|Aug. 27, 2021 Andrey Cherepanov|
- New version.
|Aug. 23, 2021 Andrey Cherepanov 91.0.2-alt1|
- New version. - Build using LLVM 12.0. - Do not build for armh. - Security fixes in 91.0.1: + CVE-2021-29991 Header Splitting possible with HTTP/3 Responses
|Aug. 17, 2021 Andrey Cherepanov 91.0.1-alt1|
- New version.
|Aug. 12, 2021 Andrey Cherepanov 91.0-alt1|
- New version. - Security fixes: + CVE-2021-29986 Race condition when resolving DNS names could have led to memory corruption + CVE-2021-29981 Live range splitting could have led to conflicting assignments in the JIT + CVE-2021-29988 Memory corruption as a result of incorrect style treatment + CVE-2021-29984 Incorrect instruction reordering during JIT optimization + CVE-2021-29980 Uninitialized memory in a canvas object could have led to memory corruption + CVE-2021-29987 Users could have been tricked into accepting unwanted permissions on Linux + CVE-2021-29985 Use-after-free media channels + CVE-2021-29982 Single bit data leak due to incorrect JIT optimization and type confusion + CVE-2021-29989 Memory safety bugs fixed in Thunderbird 91 - Remove deprecated packages like google-calendar.
|78.13.0-alt1 built Aug. 12, 2021 Andrey Cherepanov in task #282394|
|Aug. 10, 2021 Andrey Cherepanov|
- New version (78.13.0). - Security fixes: + CVE-2021-29986 Race condition when resolving DNS names could have led to memory corruption + CVE-2021-29988 Memory corruption as a result of incorrect style treatment + CVE-2021-29984 Incorrect instruction reordering during JIT optimization + CVE-2021-29980 Uninitialized memory in a canvas object could have led to memory corruption + CVE-2021-29985 Use-after-free media channels + CVE-2021-29989 Memory safety bugs fixed in Thunderbird 78.13
|July 14, 2021 Andrey Cherepanov 78.12.0-alt1|
- New version (78.12.0). - Security fixes: + CVE-2021-29969 IMAP server responses sent by a MITM prior to STARTTLS could be processed + CVE-2021-29970 Use-after-free in accessibility features of a document + CVE-2021-30547 Out of bounds write in ANGLE + CVE-2021-29976 Memory safety bugs fixed in Thunderbird 78.12 - Completely remove build external enigmail.
|June 3, 2021 Andrey Cherepanov 78.11.0-alt1|
- New version (78.11.0). - Security fixes: + CVE-2021-29964 Out of bounds-read when parsing a `WM_COPYDATA` message + CVE-2021-29967 Memory safety bugs fixed in Thunderbird 78.11
|May 18, 2021 Andrey Cherepanov 78.10.2-alt1|
- New version (78.10.2). - Security fixes: + CVE-2021-29957 Partial protection of inline OpenPGP message not indicated + CVE-2021-29956 Thunderbird stored OpenPGP secret keys without master password protection
|May 5, 2021 Andrey Cherepanov 78.10.1-alt1|
- New version (78.10.1). - Security fixes: + CVE-2021-29951 Thunderbird Maintenance Service could have been started or stopped by domain users - Do not build for ppc64le.
|April 26, 2021 Andrey Cherepanov 78.10.0-alt1|
- New version (78.10.0). - Security fixes: + CVE-2021-23994 Out of bound write due to lazy initialization + CVE-2021-23995 Use-after-free in Responsive Design Mode + CVE-2021-23998 Secure Lock icon could have been spoofed + CVE-2021-23961 More internal network hosts could have been probed by a malicious webpage + CVE-2021-23999 Blob URLs may have been granted additional privileges + CVE-2021-24002 Arbitrary FTP command execution on FTP servers using an encoded URL + CVE-2021-29945 Incorrect size computation in WebAssembly JIT could lead to null-reads + CVE-2021-29946 Port blocking could be bypassed + CVE-2021-29948 Race condition when reading from disk while verifying signatures + CVE-2021-23991 An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key + CVE-2021-23992 A crafted OpenPGP key with an invalid user ID could be used to confuse the user + CVE-2021-23993 Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key + CVE-2021-29949 Thunderbird might execute an alternative OTR library + CVE-2021-23981 Texture upload into an unbound backing buffer resulted in an out-of-bound read + CVE-2021-23982 Internal network hosts could have been probed by a malicious webpage + CVE-2021-23984 Malicious extensions could have spoofed popup information + CVE-2021-23987 Memory safety bugs fixed in Thunderbird 78.9
|March 10, 2021 Andrey Cherepanov 78.8.1-alt1|
- New version (78.8.1). - Security fixes: + CVE-2021-29950 Logic issue potentially leaves key material unlocked
|Feb. 25, 2021 Andrey Cherepanov 78.8.0-alt1|
- New version (78.8.0). - Security fixes: + CVE-2021-23969 Content Security Policy violation report could have contained the destination of a redirect + CVE-2021-23968 Content Security Policy violation report could have contained the destination of a redirect + CVE-2021-23973 MediaError message property could have leaked information about cross-origin resources + CVE-2021-23978 Memory safety bugs fixed in Thunderbird 78.8
|Feb. 6, 2021 Andrey Cherepanov 78.7.1-alt1|
- New version (78.7.1).
|Jan. 27, 2021 Andrey Cherepanov 78.7.0-alt1|
|Jan. 12, 2021 Andrey Cherepanov 78.6.1-alt1|
- New version (78.6.1). - Security fixes: + CVE-2020-16044 Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
|Dec. 15, 2020 Andrey Cherepanov 78.6.0-alt1|
- New version (78.6.0). - Security fixes: + CVE-2020-16042 Operations on a BigInt could have caused uninitialized memory to be exposed + CVE-2020-26971 Heap buffer overflow in WebGL + CVE-2020-26973 CSS Sanitizer performed incorrect sanitization + CVE-2020-26974 Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free + CVE-2020-26978 Internal network hosts could have been probed by a malicious webpage + CVE-2020-35111 The proxy.onRequest API did not catch view-source URLs + CVE-2020-35112 Opening an extension-less download may have inadvertently launched an executable instead + CVE-2020-35113 Memory safety bugs fixed in Thunderbird 78.6
|Dec. 2, 2020 Andrey Cherepanov 78.5.1-alt1|
- New version (78.5.1). - Security fixes: + CVE-2020-26970 Stack overflow due to incorrect parsing of SMTP server response codes
|Nov. 19, 2020 Andrey Cherepanov 78.5.0-alt1|
- New version (78.5.0). - Fixes: + CVE-2020-26951 Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code + CVE-2020-16012 Variable time processing of cross-origin images during drawImage calls + CVE-2020-26953 Fullscreen could be enabled without displaying the security UI + CVE-2020-26956 XSS through paste (manual and clipboard API) + CVE-2020-26958 Requests intercepted through ServiceWorkers lacked MIME type restrictions + CVE-2020-26959 Use-after-free in WebRequestService + CVE-2020-26960 Potential use-after-free in uses of nsTArray + CVE-2020-15999 Heap buffer overflow in freetype + CVE-2020-26961 DoH did not filter IPv4 mapped IP Addresses + CVE-2020-26965 Software keyboards may have remembered typed passwords + CVE-2020-26966 Single-word search queries were also broadcast to local network + CVE-2020-26968 Memory safety bugs fixed in Thunderbird 78.5 - Fix guess timezone for calendar (ALT #38081).
|Nov. 12, 2020 Andrey Cherepanov 78.4.3-alt1|
- New version (78.4.3).
|Nov. 11, 2020 Andrey Cherepanov 78.4.2-alt1|
- New version (78.4.2). - Fixes: + CVE-2020-26950 Write side effects in MCallGetProperty opcode not accounted for
|Nov. 7, 2020 Andrey Cherepanov 78.4.1-alt1|
- New version (78.4.1). - Thunderbird now provides thunderbird-enigmail itself.
|Oct. 22, 2020 Andrey Cherepanov 78.4.0-alt1|
- New version (78.4.0). - Fixes: + CVE-2020-15969 Use-after-free in usersctp + CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
|Oct. 16, 2020 Andrey Cherepanov 78.3.3-alt1|
- New version (78.3.3).
|Oct. 7, 2020 Andrey Cherepanov 78.3.2-alt1|
- New version (78.3.2).
|Sept. 26, 2020 Andrey Cherepanov 78.3.1-alt1|
- New version (78.3.1). - Fix Thunderbird crash after updating to 78.3.0.
|Sept. 25, 2020 Andrey Cherepanov 78.3.0-alt1|
- New version (78.3.0). - Fixes: + CVE-2020-15677 Download origin spoofing via redirect + CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element + CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free + CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3
|Sept. 19, 2020 Andrey Cherepanov 78.2.2-alt2|
- Fix show folders and messages by patches from Debian (ALT #38964).
|Sept. 17, 2020 Andrey Cherepanov 78.2.2-alt1|
- New version (78.2.2).
|Sept. 2, 2020 Andrey Cherepanov 78.2.1-alt1|
- New version (78.2.1). - Fixes: + CVE-2020-15663 Downgrade attack on the Mozilla Maintenance Service could have resulted in escalation of privilege + CVE-2020-15664 Attacker-induced prompt for extension installation + CVE-2020-15670 Memory safety bugs fixed in Thunderbird 78.2 - Build without thunderbird-enigmail because this extension is not compatible with Thunderbird 78.x.
|Aug. 18, 2020 Aleksei Nikiforov 78.1.1-alt1|
- Updated to upstream version 78.1.1 (thx to cas@ and sbolshakov@). - Fixes: + CVE-2020-15652 Potential leak of redirect targets when loading scripts in a worker + CVE-2020-6514 WebRTC data channel leaks internal address to peer + CVE-2020-15655 Extension APIs could be used to bypass Same-Origin Policy + CVE-2020-15653 Bypassing iframe sandbox when allowing popups + CVE-2020-6463 Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture + CVE-2020-15656 Type confusion for special arguments in IonMonkey + CVE-2020-15658 Overriding file type when saving to disk + CVE-2020-15657 DLL hijacking due to incorrect loading path + CVE-2020-15654 Custom cursor can overlay user interface + CVE-2020-15659 Memory safety bugs fixed in Thunderbird 78.1
|July 21, 2020 Andrey Cherepanov 78.0-alt1|
- New version (78.0). - Fixes: + CVE-2020-12415 AppCache manifest poisoning due to url encoded character processing + CVE-2020-12416 Use-after-free in WebRTC VideoBroadcaster + CVE-2020-12417 Memory corruption due to missing sign-extension for ValueTags on ARM64 + CVE-2020-12418 Information disclosure due to manipulated URL object + CVE-2020-12419 Use-after-free in nsGlobalWindowInner + CVE-2020-12420 Use-After-Free when trying to connect to a STUN server + CVE-2020-15648 X-Frame-Options bypass using object or embed tags + CVE-2020-12402 RSA Key Generation vulnerable to side-channel attack + CVE-2020-12421 Add-On updates did not respect the same certificate trust rules as software updates + CVE-2020-12422 Integer overflow in nsJPEGEncoder::emptyOutputBuffer + CVE-2020-12423 DLL Hijacking due to searching %PATH% for a library + CVE-2020-12424 WebRTC permission prompt could have been bypassed by a compromised content process + CVE-2020-12425 Out of bound read in Date.parse() + CVE-2020-12426 Memory safety bugs fixed in Thunderbird 78 - Build with bundled languages: kk, ru, uk.
|July 13, 2020 Andrey Cherepanov 68.10.0-alt1|
- New version (68.10.0). - Fixes: + CVE-2020-12417 Memory corruption due to missing sign-extension for ValueTags on ARM64 + CVE-2020-12418 Information disclosure due to manipulated URL object + CVE-2020-12419 Use-after-free in nsGlobalWindowInner + CVE-2020-12420 Use-After-Free when trying to connect to a STUN server + CVE-2020-12421 Add-On updates did not respect the same certificate trust rules as software updates + MFSA-2020-0001 Automatic account setup leaks Microsoft Exchange login credentials - Enigmail 2.1.7.
|June 4, 2020 Andrey Cherepanov 68.9.0-alt1|
|May 29, 2020 Andrey Cherepanov 68.8.1-alt2|
- Build with default llvm-devel in repository. - Fix rpm macros placement.
|May 23, 2020 Andrey Cherepanov 68.8.1-alt1|
- New version (68.8.1). - Fixes: + IMAP stability improvements + HTML tags in IRC topic changes were rendered incorrectly + MailExtensions: Websockets could not be used
|May 6, 2020 Andrey Cherepanov 68.8.0-alt2|
- Add security fixes information to changelog.
|May 5, 2020 Andrey Cherepanov 68.8.0-alt1|
- New version (68.8.0). - Fixes: + CVE-2020-12397 Sender Email Address Spoofing using encoded Unicode characters + CVE-2020-12387 Use-after-free during worker shutdown + CVE-2020-6831 Buffer overflow in SCTP chunk input validation + CVE-2020-12392 Arbitrary local file access with 'Copy as cURL' + CVE-2020-12393 Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection + CVE-2020-12395 Memory safety bugs fixed in Thunderbird 68.8.0
|May 4, 2020 Andrey Cherepanov 68.7.0-alt3|
- Add Wayland support (ALT #38433).
|April 12, 2020 Andrey Cherepanov 68.7.0-alt2|
- Add security fixes information to changelog.
|April 8, 2020 Andrey Cherepanov 68.7.0-alt1|
- New version (68.7.0). - Fixes: + CVE-2020-6819 Use-after-free while running the nsDocShell destructor + CVE-2020-6820 Use-after-free when handling a ReadableStream + CVE-2020-6821 Uninitialized memory could be read when using the WebGL copyTexSubImage method + CVE-2020-6822 Out of bounds write in GMPDecodeData when processing large images + CVE-2020-6825 Memory safety bugs fixed in Thunderbird 68.7.0 - Enigmail 2.1.6.
|March 14, 2020 Andrey Cherepanov 68.6.0-alt1|
- New version (68.6.0). - Fixed: + CVE-2020-6805 Use-after-free when removing data about origins + CVE-2020-6806 BodyStream::OnInputStreamReady was missing protections against state confusion + CVE-2020-6807 Use-after-free in cubeb during stream destruction + CVE-2020-6811 Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection + CVE-2019-20503 Out of bounds reads in sctp_load_addresses_from_init + CVE-2020-6812 The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission + CVE-2020-6814 Memory safety bugs fixed in Thunderbird 68.6
|Feb. 12, 2020 Andrey Cherepanov 68.5.0-alt1|
|Feb. 3, 2020 Andrey Cherepanov 68.4.2-alt1|
- New version.
|Jan. 11, 2020 Andrey Cherepanov 68.4.1-alt1|
- New version (68.4.1). - Fixed: + CVE-2019-17026 IonMonkey type confusion with StoreElementHole and FallibleStoreElement + CVE-2019-17015 Memory corruption in parent process during new content process initialization on Windows + CVE-2019-17016 Bypass of @namespace CSS sanitization during pasting + CVE-2019-17017 Type Confusion in XPCVariant.cpp + CVE-2019-17021 Heap address disclosure in parent process during content process initialization on Windows + CVE-2019-17022 CSS sanitization does not escape HTML tags + CVE-2019-17024 Memory safety bugs fixed in Thunderbird 68.4.1 - Enigmail 2.1.5.
|Dec. 23, 2019 Andrey Cherepanov 68.3.1-alt1|
- New version (68.3.1). - Fixed: + CVE-2019-17008 Use-after-free in worker destruction + CVE-2019-13722 Stack corruption due to incorrect number of arguments in WebRTC code + CVE-2019-11745 Out of bounds write in NSS when encrypting with a block cipher + CVE-2019-17009 Updater temporary files accessible to unprivileged processes + CVE-2019-17010 Use-after-free when performing device orientation checks + CVE-2019-17005 Buffer overflow in plain text serializer + CVE-2019-17011 Use-after-free when retrieving a document in antitracking + CVE-2019-17012 Memory safety bugs fixed in Firefox 71, Firefox ESR 68.3, and Thunderbird 68.3 - Enigmail 2.1.4.
|Nov. 9, 2019 Andrey Cherepanov 68.2.2-alt1|
- New version (68.2.2). - Fixed: + CVE-2019-15903 Heap overflow in expat library in XML_GetCurrentLineNumber + CVE-2019-11757 Use-after-free when creating index updates in IndexedDB + CVE-2019-11758 Potentially exploitable crash due to 360 Total Security + CVE-2019-11759 Stack buffer overflow in HKDF output + CVE-2019-11760 Stack buffer overflow in WebRTC networking + CVE-2019-11761 Unintended access to a privileged JSONView object + CVE-2019-11762 document.domain-based origin isolation has same-origin-property violation + CVE-2019-11763 Incorrect HTML parsing results in XSS bypass technique + CVE-2019-11764 Memory safety bugs fixed in Thunderbird 68.2 - Enigmail 2.1.3.
|Oct. 13, 2019 Andrey Cherepanov 68.1.2-alt1|
- New version (68.1.2). - Fixed: + CVE-2019-11739 Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message + CVE-2019-11746 Use-after-free while manipulating video + CVE-2019-11744 XSS by breaking out of title and textarea elements using innerHTML + CVE-2019-11742 Same-origin policy violation with SVG filters and canvas to steal cross-origin images + CVE-2019-11752 Use-after-free while extracting a key value in IndexedDB + CVE-2019-11743 Cross-origin access to unload event attributes + CVE-2019-11740 Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9 + CVE-2019-11755 Spoofing a message author via a crafted S/MIME message
|Aug. 29, 2019 Andrey Cherepanov 68.0-alt1|
- New version (68.0). - Fixed: + CVE-2019-9811 Sandbox escape via installation of malicious language pack + CVE-2019-11711 Script injection within domain through inner window reuse + CVE-2019-11712 Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects + CVE-2019-11713 Use-after-free with HTTP/2 cached stream + CVE-2019-11729 Empty or malformed p256-ECDH public keys may trigger a segmentation fault + CVE-2019-11715 HTML parsing error can contribute to content XSS + CVE-2019-11717 Caret character improperly escaped in origins + CVE-2019-11719 Out-of-bounds read when importing curve25519 private key + CVE-2019-11730 Same-origin policy treats all files in a directory as having the same-origin + CVE-2019-11709 Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and Thunderbird 60.8 - Enigmail 2.1.2.
|July 10, 2019 Andrey Cherepanov 60.8.0-alt1|
- New version (60.8.0). - Fixed: + CVE-2019-9811 Sandbox escape via installation of malicious language pack + CVE-2019-11711 Script injection within domain through inner window reuse + CVE-2019-11712 Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects + CVE-2019-11713 Use-after-free with HTTP/2 cached stream + CVE-2019-11729 Empty or malformed p256-ECDH public keys may trigger a segmentation fault + CVE-2019-11715 HTML parsing error can contribute to content XSS + CVE-2019-11717 Caret character improperly escaped in origins + CVE-2019-11719 Out-of-bounds read when importing curve25519 private key + CVE-2019-11730 Same-origin policy treats all files in a directory as having the same-origin + CVE-2019-11709 Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and Thunderbird 60.8 - Enigmail 2.0.12.
|July 3, 2019 Gleb Fotengauer-Malinovskiy 60.7.2-alt2|
- Added ppc64le support.
|June 22, 2019 Andrey Cherepanov 60.7.2-alt1|
- New version (60.7.2). - Fixed: + CVE-2019-11707 Type confusion in Array.pop + CVE-2019-11708 sandbox escape using Prompt:Open
|June 18, 2019 Andrey Cherepanov 60.7.1-alt2|
- enigmail: disable pEpAutoDownload.
|June 14, 2019 Andrey Cherepanov 60.7.1-alt1|
- New version (60.7.1). - Fixed: + CVE-2019-11703 Heap buffer overflow in icalparser.c + CVE-2019-11704 Heap buffer overflow in icalvalue.c + CVE-2019-11705 Stack buffer overflow in icalrecur.c + CVE-2019-11706 Type confusion in icalproperty.c - Enigmail 2.0.11. - thunderbird-enigmail now requires pinentry-x11 (ALT #18790). - Use juniorModeForceOff by default in Enigmail (ALT #36447). - Fix l10n dtd of Enigmail.
|May 20, 2019 Andrey Cherepanov 60.7.0-alt1|
|April 22, 2019 Andrey Cherepanov 60.6.1-alt2|
- Fix global serch indexing by link with bundled sqlite3 (ALT #35761).
|March 26, 2019 Andrey Cherepanov 60.6.1-alt1|
- New version (60.6.1). - Fixes: + CVE-2019-9810 IonMonkey MArraySlice has incorrect alias information + CVE-2019-9813 Ionmonkey type confusion with __proto__ mutations
|March 21, 2019 Andrey Cherepanov 60.6.0-alt1|
- New version (60.6.0). - Fixes: + CVE-2019-9790 Use-after-free when removing in-use DOM elements + CVE-2019-9791 Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey + CVE-2019-9792 IonMonkey leaks JS_OPTIMIZED_OUT magic value to script + CVE-2019-9793 Improper bounds checks when Spectre mitigations are disabled + CVE-2019-9794 Command line arguments not discarded during execution + CVE-2019-9795 Type-confusion in IonMonkey JIT compiler + CVE-2019-9796 Use-after-free with SMIL animation controller + CVE-2019-9801 Windows programs that are not 'URL Handlers' are exposed to web content + CVE-2018-18506 Proxy Auto-Configuration file can define localhost access to be proxied + CVE-2019-9788 Memory safety bugs fixed in Firefox 66, Firefox ESR 60.6, and Thunderbird 60.6 - Build with Clang.
|Feb. 27, 2019 Andrey Cherepanov 60.5.2-alt1|
- New version (60.5.2).
|Feb. 15, 2019 Andrey Cherepanov 60.5.1-alt1|
- New version (60.5.1). - Fixes: + CVE-2018-18356 Use-after-free in Skia + CVE-2019-5785 Integer overflow in Skia + CVE-2018-18335 Buffer overflow in Skia with accelerated Canvas 2D + CVE-2018-18509 S/MIME signature spoofing
|Feb. 1, 2019 Andrey Cherepanov 60.5.0-alt1|
- New version (60.5.0). - Fixes: + CVE-2018-18500 Use-after-free parsing HTML5 stream + CVE-2018-18505 Privilege escalation through IPC channel messages + CVE-2016-5824 DoS (use-after-free) via a crafted ics file + CVE-2018-18501 Memory safety bugs fixed in Firefox 65, Firefox ESR 60.5, and Thunderbird 60.5
|Jan. 29, 2019 Paul Wolneykien 60.4.0-alt3|
- Added Enigmail GOST patch.
|Jan. 10, 2019 Andrey Cherepanov 60.4.0-alt2|
- Rebuild with llvm7.0.
|Dec. 24, 2018 Andrey Cherepanov 60.4.0-alt1|
- New version (60.4.0). - Enigmail 2.0.9. - Fixes: + CVE-2018-17466 Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 + CVE-2018-18492 Use-after-free with select element + CVE-2018-18493 Buffer overflow in accelerated 2D canvas with Skia + CVE-2018-18494 Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs + CVE-2018-18498 Integer overflow when calculating buffer sizes for images + CVE-2018-12405 Memory safety bugs fixed in Firefox 64, Firefox ESR 60.4, and Thunderbird 60.4
|Dec. 9, 2018 Andrey Cherepanov 60.3.3-alt1|
- New version (60.3.3).
|Nov. 30, 2018 Andrey Cherepanov 60.3.2-alt1|
- New version (60.3.2).
|Nov. 22, 2018 Andrey Cherepanov 60.3.1-alt1|
- New version (60.3.1).
|Nov. 2, 2018 Andrey Cherepanov 60.3.0-alt1|
|Oct. 15, 2018 Andrey Cherepanov 60.2.1-alt1|
- New version (60.2.1). - Fixes: + CVE-2018-12377 Use-after-free in refresh driver timers + CVE-2018-12378 Use-after-free in IndexedDB + CVE-2018-12379 Out-of-bounds write with malicious MAR file + CVE-2017-16541 Proxy bypass using automount and autofs + CVE-2018-12376 Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 + CVE-2018-12385 Crash in TransportSecurityInfo due to cached data + CVE-2018-12383 Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords
|Aug. 13, 2018 Andrey Cherepanov 60.0-alt1|
- New version (60.0). - Enigmail 2.0.8. - Fixes: + CVE-2018-12359 Buffer overflow using computed size of canvas element + CVE-2018-12360 Use-after-free when using focus() + CVE-2018-12361 Integer overflow in SwizzleData + CVE-2018-12362 Integer overflow in SSSE3 scaler + CVE-2018-5156 Media recorder segmentation fault when track type is changed during capture + CVE-2018-12363 Use-after-free when appending DOM nodes + CVE-2018-12364 CSRF attacks through 307 redirects and NPAPI plugins + CVE-2018-12365 Compromised IPC child process can list local filenames + CVE-2018-12371 Integer overflow in Skia library during edge builder allocation + CVE-2018-12366 Invalid data handling during QCMS transformations + CVE-2018-12367 Timing attack mitigation of PerformanceNavigationTiming + CVE-2018-12368 No warning when opening executable SettingContent-ms files + CVE-2018-5187 Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Thunderbird 60 + CVE-2018-5188 Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 60
|July 11, 2018 Andrey Cherepanov 52.9.1-alt1|
- New version (52.9.1). - Complete fix of the EFAIL vulnerability.
|July 4, 2018 Andrey Cherepanov 52.9.0-alt1|
- New version (52.9.0). - Enigmail 2.0.7. - Fixes: + CVE-2018-12359 Buffer overflow using computed size of canvas element + CVE-2018-12360 Use-after-free when using focus() + CVE-2018-12372 S/MIME and PGP decryption oracles can be built with HTML emails + CVE-2018-12373 S/MIME plaintext can be leaked through HTML reply/forward + CVE-2018-12362 Integer overflow in SSSE3 scaler + CVE-2018-12363 Use-after-free when appending DOM nodes + CVE-2018-12364 CSRF attacks through 307 redirects and NPAPI plugins + CVE-2018-12365 Compromised IPC child process can list local filenames + CVE-2018-12366 Invalid data handling during QCMS transformations + CVE-2018-12368 No warning when opening executable SettingContent-ms files + CVE-2018-12374 Using form to exfiltrate encrypted mail part by pressing enter in form field + CVE-2018-5188 Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9
|May 19, 2018 Andrey Cherepanov 52.8.0-alt1|
- New version (52.8.0). - Enigmail 2.0.4. - Fixes: + CVE-2018-5183 Backport critical security fixes in Skia + CVE-2018-5184 Full plaintext recovery in S/MIME via chosen-ciphertext attack + CVE-2018-5154 Use-after-free with SVG animations and clip paths + CVE-2018-5155 Use-after-free with SVG animations and text paths + CVE-2018-5159 Integer overflow and out-of-bounds write in Skia + CVE-2018-5161 Hang via malformed headers + CVE-2018-5162 Encrypted mail leaks plaintext through src attribute + CVE-2018-5170 Filename spoofing for external attachments + CVE-2018-5168 Lightweight themes can be installed without user interaction + CVE-2018-5178 Buffer overflow during UTF-8 to Unicode string conversion through legacy extension + CVE-2018-5185 Leaking plaintext through HTML forms + CVE-2018-5150 Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and Thunderbird 52.8 - Build in several threads.
|March 24, 2018 Andrey Cherepanov 52.7.0-alt1|
- New version (52.7.0) - Fixes: + CVE-2018-5127 Buffer overflow manipulating SVG animatedPathSegList + CVE-2018-5129 Out-of-bounds write with malformed IPC messages + CVE-2018-5144 Integer overflow during Unicode conversion + CVE-2018-5146 Out of bounds memory write in libvorbis + CVE-2018-5125 Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7, and Thunderbird 52.7 + CVE-2018-5145 Memory safety bugs fixed in Firefox ESR 52.7 and Thunderbird 52.7
|Jan. 29, 2018 Andrey Cherepanov 52.6.0-alt1|
- New version (52.6.0) - Fixes: + CVE-2018-5095 Integer overflow in Skia library during edge builder allocation + CVE-2018-5096 Use-after-free while editing form elements + CVE-2018-5097 Use-after-free when source document is manipulated during XSLT + CVE-2018-5098 Use-after-free while manipulating form input elements + CVE-2018-5099 Use-after-free with widget listener + CVE-2018-5102 Use-after-free in HTML media elements + CVE-2018-5103 Use-after-free during mouse event handling + CVE-2018-5104 Use-after-free during font face manipulation + CVE-2018-5117 URL spoofing with right-to-left text aligned left-to-right + CVE-2018-5089 Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6, and Thunderbird 52.6
|Dec. 25, 2017 Andrey Cherepanov 52.5.2-alt1|
|Nov. 24, 2017 Andrey Cherepanov 52.5.0-alt1|
- New version (52.5.0) - Fixes: + CVE-2017-7828 Use-after-free of PressShell while restyling layout + CVE-2017-7830 Cross-origin URL information leak through Resource + CVE-2017-7826 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5
|Oct. 7, 2017 Andrey Cherepanov 52.4.0-alt1|
- New version (52.4.0) - Enigmail 220.127.116.11 - Fixes: + CVE-2017-7793 Use-after-free with Fetch API + CVE-2017-7818 Use-after-free during ARIA array manipulation + CVE-2017-7819 Use-after-free while resizing images in design mode + CVE-2017-7824 Buffer overflow when drawing and validating elements with ANGLE + CVE-2017-7805 Use-after-free in TLS 1.2 generating handshake hashes + CVE-2017-7814 Blob and data URLs bypass phishing and malware protection warnings + CVE-2017-7825 OS X fonts render some Tibetan and Arabic unicode characters as spaces + CVE-2017-7823 CSP sandbox directive did not create a unique origin + CVE-2017-7810 Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4, and Thunderbird 52.4
|Aug. 20, 2017 Andrey Cherepanov 52.3.0-alt1|
- New version (52.3.0) - Enigmail 18.104.22.168
|June 26, 2017 Andrey Cherepanov 52.2.1-alt1|
- New version (52.2.1)
|June 22, 2017 Andrey Cherepanov 52.2.0-alt1|
- New version (52.2.0) - Security fixes: + CVE-2017-5472: Use-after-free using destroyed node when regenerating trees + CVE-2017-7749: Use-after-free during docshell reloading + CVE-2017-7750: Use-after-free with track elements + CVE-2017-7751: Use-after-free with content viewer listeners + CVE-2017-7752: Use-after-free with IME input + CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object + CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors + CVE-2017-7757: Use-after-free in IndexedDB + CVE-2017-7778: Vulnerabilities in the Graphite 2 library + CVE-2017-7758: Out-of-bounds read in Opus encoder + CVE-2017-7763: Mac fonts render some unicode characters as spaces + CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks + CVE-2017-7765: Mark of the Web bypass when saving executable files + CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2, and Thunderbird 52.2
|May 16, 2017 Andrey Cherepanov 52.1.1-alt1|
- New version (52.1.1) - New Enigmail 1.9.7
|May 2, 2017 Andrey Cherepanov 52.1.0-alt1|
- New version (52.0.1) - Security fixes: + CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR + CVE-2017-5430: Memory safety bugs fixed in Firefox 53, Firefox ESR + CVE-2017-5432: Use-after-free in text input selection + CVE-2017-5433: Use-after-free in SMIL animation functions + CVE-2017-5434: Use-after-free during focus handling + CVE-2017-5435: Use-after-free during transaction processing in the + CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2 + CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing + CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT + CVE-2017-5440: Use-after-free in txExecutionState destructor during + CVE-2017-5441: Use-after-free with selection during scroll events + CVE-2017-5442: Use-after-free during style changes + CVE-2017-5443: Out-of-bounds write during BinHex decoding + CVE-2017-5444: Buffer overflow while parsing + CVE-2017-5445: Uninitialized values used while parsing + CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent + CVE-2017-5447: Out-of-bounds read during glyph processing + CVE-2017-5449: Crash during bidirectional unicode manipulation with + CVE-2017-5451: Addressbar spoofing with onblur event + CVE-2017-5454: Sandbox escape allowing file system read access through + CVE-2017-5459: Buffer overflow in WebGL + CVE-2017-5460: Use-after-free in frame selection + CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS + CVE-2017-5462: DRBG flaw in NSS + CVE-2017-5464: Memory corruption with accessibility and DOM + CVE-2017-5465: Out-of-bounds read in ConvolvePixel + CVE-2017-5466: Origin confusion when reloading isolated data:text/html + CVE-2017-5467: Memory corruption when drawing Skia content + CVE-2017-5469: Potential Buffer overflow in flex-generated code + CVE-2016-10196: Vulnerabilities in Libevent library
|April 17, 2017 Andrey Cherepanov 52.0.1-alt1|
- New version (52.0.1)
|April 5, 2017 Andrey Cherepanov 52.0-alt1|
- New version (52.0)
|March 7, 2017 Andrey Cherepanov 45.8.0-alt1|
- New versoin (45.8.0)
|March 3, 2017 Andrey Cherepanov 45.7.1-alt1|
- New version (45.7.1) - Add windows-1251 to sendDefaultCharsetList - Fix subdirectory name from mozilla to thunderbird-<version>
|Feb. 2, 2017 Anton Farygin 45.7.0-alt3|
- prevent thunderbird segfault due overoptimisation of new gcc6 (closes: #33048)
|Jan. 27, 2017 Vladimir Didenko 45.7.0-alt2|
- Disable null pointer gcc6 optimization (closes: #33048)
|Jan. 26, 2017 Andrey Cherepanov 45.7.0-alt1|
- New version (45.7.0)
|Jan. 21, 2017 Andrey Cherepanov 45.6.0-alt2|
- Fix build with GCC 6.1
|Dec. 29, 2016 Andrey Cherepanov 45.6.0-alt1|
- New version (45.6.0)
|Dec. 1, 2016 Andrey Cherepanov 45.5.1-alt1|
- New version (45.5.1) - Security fixes: + MFSA 2016-92 Firefox SVG Animation Remote Code Execution
|Nov. 21, 2016 Andrey Cherepanov 45.5.0-alt1|
- New version (45.5.0) - Enigmail 22.214.171.124
|Oct. 1, 2016 Andrey Cherepanov 45.4.0-alt1|
- New version (45.4.0)
|Sept. 5, 2016 Andrey Cherepanov 45.3.0-alt1|
- New version (45.3.0) - Enigmail 1.9.5 - Remove separate package with Lightning because Lightning is part of Thunderbird
|July 2, 2016 Andrey Cherepanov 45.2.0-alt1|
- New version (45.2.0) - Enigmail 1.9.3
|June 1, 2016 Andrey Cherepanov 45.1.1-alt1|
- New version (45.1.1)
|May 20, 2016 Andrey Cherepanov 45.1.0-alt1|
- New version (45.1.0) - Enigmail 1.9.2 - Set correct URL and version to extension packages
|April 14, 2016 Andrey Cherepanov 45.0.0-alt1|
- New version (45.0.0)
|March 28, 2016 Andrey Cherepanov 38.7.1-alt1|
- New version (38.7.1)
|March 15, 2016 Andrey Cherepanov 38.7.0-alt1|
- New version (38.7.0) - Enigmail (1.9.1) - Obsoletes thunderbird-esr
|Feb. 17, 2016 Andrey Cherepanov 38.6.0-alt1|
- New version - Security fixes: + MFSA 2016-14 Vulnerabilities in Graphite 2 + MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation + MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6) + MFSA 2015-150 MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
|Jan. 17, 2016 Andrey Cherepanov 38.5.1-alt1|
- New version
|Dec. 26, 2015 Andrey Cherepanov 38.5.0-alt1|
- New version - Security fixes: + MFSA 2015-149 Cross-site reading attack through data and view-source URIs + MFSA 2015-146 Integer overflow in MP4 playback in 64-bit versions + MFSA 2015-145 Underflow through code inspection + MFSA 2015-139 Integer overflow allocating extremely large textures
|Nov. 26, 2015 Alexey Gladkov 38.4.0-alt1|
- New version (38.4.0). - Enigmail (1.8.2). - Fixed: + 2015-90 Vulnerabilities found through code inspection + 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images + 2015-85 Out-of-bounds write with Updater and malicious MAR file + 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links + 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) + 2015-71 NSS incorrectly permits skipping of ServerKeyExchange + 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites + 2015-67 Key pinning is ignored when overridable errors are encountered + 2015-66 Vulnerabilities found through code inspection + 2015-63 Use-after-free in Content Policy due to microtask execution error + 2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)
|June 20, 2015 Alexey Gladkov 38.0.1-alt1|
- New version (38.0.1).
|Dec. 11, 2014 Alexey Gladkov 31.3.0-alt1|
- New version (31.3.0). - Fixed: + MFSA 2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory + MFSA 2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer + MFSA 2014-88 Buffer overflow while parsing media content + MFSA 2014-87 Use-after-free during HTML5 parsing + MFSA 2014-85 XMLHttpRequest crashes with some input streams + MFSA 2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)
|Oct. 23, 2014 Alexey Gladkov 31.2.0-alt1|
- New version (31.2.0). - Fixed: + MFSA 2014-81 Inconsistent video sharing within iframe + MFSA 2014-79 Use-after-free interacting with text directionality + MFSA 2014-77 Out-of-bounds write with WebM video + MFSA 2014-76 Web Audio memory corruption issues with custom waveforms + MFSA 2014-75 Buffer overflow during CSS manipulation + MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)
|Sept. 25, 2014 Alexey Gladkov 31.1.2-alt1|
- New version (31.1.2). - Fixed: + MFSA 2014-73 RSA Signature Forgery in NSS + MFSA 2014-72 Use-after-free setting text directionality + MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline + MFSA 2014-69 Uninitialized memory use during GIF rendering + MFSA 2014-68 Use-after-free during DOM interactions with SVG + MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)
|July 28, 2014 Alexey Gladkov 31.0-alt1|
|July 21, 2014 Alexey Gladkov 24.6.0-alt1|
- New version (24.6.0). - Fixed: + MFSA 2014-52 Use-after-free with SMIL Animation Controller + MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer + MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
|May 11, 2014 Alexey Gladkov 24.5.0-alt1|
- New version (24.5.0). - Fixed: + MFSA 2014-46 Use-after-free in nsHostResolve + MFSA 2014-44 Use-after-free in imgLoader while resizing images + MFSA 2014-43 Cross-site scripting (XSS) using history navigations + MFSA 2014-42 Privilege escalation through Web Notification API + MFSA 2014-38 Buffer overflow when using non-XBL object as XBL + MFSA 2014-37 Out of bounds read while decoding JPG images + MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer + MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)
|March 23, 2014 Alexey Gladkov 24.4.0-alt1|
- New version (24.4.0). - Fixed: + MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering + MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects + MFSA 2014-30 Use-after-free in TypeObject + MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs + MFSA 2014-28 SVG filters information disclosure through feDisplacementMap + MFSA 2014-27 Memory corruption in Cairo during PDF font rendering + MFSA 2014-26 Information disclosure through polygon rendering in MathML + MFSA 2014-17 Out of bounds read during WAV file decoding + MFSA 2014-16 Files extracted during updates are not always read only + MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
|Feb. 9, 2014 Alexey Gladkov 24.3.0-alt1|
|Dec. 24, 2013 Alexey Gladkov 24.2.0-alt1|
- New version (24.2.0). - Fixed: + MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate + MFSA 2013-116 JPEG information leak + MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets + MFSA 2013-114 Use-after-free in synthetic mouse movement + MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation + MFSA 2013-111 Segmentation violation when replacing ordered list elements + MFSA 2013-109 Use-after-free during Table Editing + MFSA 2013-108 Use-after-free in event listeners + MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
|Nov. 21, 2013 Alexey Gladkov 24.1.1-alt1|
- New version (24.1.1). - Fixed: + MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
|Nov. 3, 2013 Alexey Gladkov 24.1.0-alt1|
|Oct. 13, 2013 Alexey Gladkov 24.0.1-alt1|
|Aug. 13, 2013 Alexey Gladkov 17.0.8-alt1|
|June 30, 2013 Alexey Gladkov 17.0.7-alt1|
- New version (17.0.7). - Fixed: + MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context + MFSA 2013-56 PreserveWrapper has inconsistent behavior + MFSA 2013-55 SVG filters can lead to information disclosure + MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks + MFSA 2013-53 Execution of unmapped memory through onreadystatechange event + MFSA 2013-51 Privileged content access and execution via XBL + MFSA 2013-50 Memory corruption found using Address Sanitizer + MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)
|June 5, 2013 Alexey Gladkov 17.0.6-alt1|
- New version (17.0.6). - Fixed: + MFSA 2013-48 Memory corruption found using Address Sanitizer + MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent + MFSA 2013-46 Use-after-free with video and onresize event + MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service + MFSA 2013-42 Privileged access for content level constructor + MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)
|April 11, 2013 Alexey Gladkov 17.0.5-alt1|
- New version (17.0.5). - Enigmail (1.5.1). - Fixed: + MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage + MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations + MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes + MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux + MFSA 2013-34 Privilege escalation through Mozilla Updater + MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service + MFSA 2013-31 Out-of-bounds write in Cairo library + MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5) + MFSA 2013-29 Use-after-free in HTML Editor
|March 1, 2013 Alexey Gladkov 17.0.3-alt1|
|Jan. 17, 2013 Alexey Gladkov 17.0.2-alt1|
|Nov. 23, 2012 Alexey Gladkov 17.0-alt1|
- New version (17.0). - Fixed: + MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer + MFSA 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer + MFSA 2012-103 Frames can shadow top.location + MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset + MFSA 2012-100 Improper security filtering for cross-origin wrappers + MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment + MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox + MFSA 2012-96 Memory corruption in str_unescape + MFSA 2012-94 Crash when combining SVG text on path with CSS + MFSA 2012-93 evalInSanbox location context incorrectly applied + MFSA 2012-92 Buffer overflow while rendering GIF images + MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)
|Nov. 1, 2012 Alexey Gladkov 16.0.2-alt1|
- New version (16.0.2). - Fixed: + MFSA 2012-90 Fixes for Location object issues + MFSA 2012-67 Installer will launch incorrect executable following new installation
|Oct. 23, 2012 Alexey Gladkov 16.0.1-alt1|
- New version (16.0.1). - Enigmail (1.4.5). - Fixed: + MFSA 2012-89 defaultValue security checks not applied + MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1) + MFSA 2012-87 Use-after-free in the IME State Manager + MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer + MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer + MFSA 2012-84 Spoofing and script injection through location.hash + MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties + MFSA 2012-82 top object and location property accessible by plugins + MFSA 2012-81 GetProperty function can bypass security checks + MFSA 2012-80 Crash with invalid cast when using instanceof operator + MFSA 2012-79 DOS and crash with full screen and history navigation + MFSA 2012-77 Some DOMWindowUtils methods bypass security checks + MFSA 2012-76 Continued access to initial origin after setting document.domain + MFSA 2012-75 select element persistance allows for attacks + MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)
|Aug. 29, 2012 Alexey Gladkov 15.0-alt1|
- New version (15.0). - Fixed: + MFSA 2012-72 Web console eval capable of executing chrome-privileged code + MFSA 2012-70 Location object security checks bypassed by chrome code + MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html + MFSA 2012-67 Installer will launch incorrect executable following new installation + MFSA 2012-65 Out-of-bounds read in format-number in XSLT + MFSA 2012-64 Graphite 2 memory corruption + MFSA 2012-63 SVG buffer overflow and use-after-free issues + MFSA 2012-62 WebGL use-after-free and memory corruption + MFSA 2012-61 Memory corruption with bitmap format images with negative height + MFSA 2012-59 Location object can be shadowed using Object.defineProperty + MFSA 2012-58 Use-after-free issues found using Address Sanitizer + MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
|July 30, 2012 Alexey Gladkov 14.0-alt1|
|July 5, 2012 Alexey Gladkov 13.0.1-alt1|
- New version (13.0.1). - Fixed: + MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer + MFSA 2012-39 NSS parsing errors with zero length items + MFSA 2012-38 Use-after-free while replacing/inserting a node in a document + MFSA 2012-37 Information disclosure though Windows file shares and shortcut files + MFSA 2012-36 Content Security Policy inline-script bypass + MFSA 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service + MFSA 2012-34 Miscellaneous memory safety hazards
|May 9, 2012 Alexey Gladkov 12.0.1-alt1|
|April 20, 2012 Alexey Gladkov 11.0.1-alt1|
|Feb. 23, 2012 Alexey Gladkov 10.0.2-alt1|
|Jan. 31, 2012 Alexey Gladkov 8.0-alt2|
- Rebuilt with libvpx.
|Nov. 15, 2011 Alexey Gladkov 8.0-alt1|
- New version (8.0). - Fixed: + MFSA 2011-52 Code execution via NoWaiverWrapper + MFSA 2011-51 Cross-origin image theft on Mac with integrated Intel GPU + MFSA 2011-50 Cross-origin data theft using canvas and Windows D2D + MFSA 2011-49 Memory corruption while profiling using Firebug + MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0) + MFSA 2011-47 Potential XSS against sites using Shift-JIS + MFSA 2011-44 Use after free reading OGG headers + MFSA 2011-42 Potentially exploitable crash in the YARR regular expression library + MFSA 2011-40 Code installation through holding down Enter + MFSA 2011-39 Defense against multiple Location headers due to CRLF Injection + MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:126.96.36.199)
|Sept. 6, 2011 Alexey Gladkov 6.0.1-alt1|
- New version (6.0.1). - Fixed: + MFSA 2011-34 Protection against fraudulent DigiNotar certificates
|Aug. 25, 2011 Alexey Gladkov 6.0-alt1|
- New version (6.0). - Add GIO support (ALT#11503). - Fixed: + MFSA 2011-31 Security issues addressed in Thunderbird 6
|July 21, 2011 Alexey Gladkov 5.0-alt1|
- New version (5.0). - Remove gnome-support subpackage.
|April 9, 2011 Alexey Gladkov 3.1.9-alt1.20110409|
- New snapshot (3.1.9 20110409). - Use xdg-open (ALT#25403).
|March 8, 2011 Alexey Gladkov 3.1.9-alt1.20110308|
|Jan. 23, 2011 Alexey Gladkov 3.1.7-alt1.20110123|
- New snapshot (3.1.7 20110123) - Fix update request (ALT#23867)
|Aug. 15, 2010 Alexey Gladkov 3.1.2-alt1.20100815|
- New snapshot (3.1.2 20100810) - Fixed: + MFSA 2010-47 Cross-origin data leakage from script filename in error messages + MFSA 2010-46 Cross-domain data theft using CSS + MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish + MFSA 2010-43 Same-origin bypass using canvas context + MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts + MFSA 2010-41 Remote code execution using malformed PNG image + MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability + MFSA 2010-39 nsCSSValue::Array index integer overflow + MFSA 2010-38 Arbitrary code execution using SJOW and fast native function + MFSA 2010-34 Miscellaneous memory safety hazards (rv:188.8.131.52/ 184.108.40.206)
|June 29, 2010 Alexey Gladkov 3.1.1-alt1.20100626|
- New snapshot
|April 5, 2010 Alexey Gladkov 3.0.4-alt1.20100404|
- New snapshot (3.0.4 20100404) - Add gnome support. - Fixed: + MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy + MFSA 2010-22 Update NSS to support TLS renegotiation indication + MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView + MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection + MFSA 2010-16 Crashes with evidence of memory corruption (rv:220.127.116.11/ 18.104.22.168/ 22.214.171.124)
|Jan. 28, 2010 Alexey Gladkov 3.0.1-alt1.20100128|
- New snapshot (3.0.1 20100128)
|Nov. 26, 2009 Alexey Gladkov 3.0-alt1.20091126|
- New snapshot (3.0 20091126)
|Oct. 18, 2009 Alexey Gladkov 3.0-alt1.20091018|
- New snapshot (3.0 20091018)
|Oct. 11, 2009 Alexey Gladkov 3.0-alt1.20091010|
- New snapshot (3.0 20091010)
|Sept. 29, 2009 Alexey Gladkov 3.0-alt1.20090929|
- New snapshot (3.0 20090929)
|Sept. 1, 2009 Alexey Gladkov 3.0-alt1.20090917|
- New snapshot (3.0 20090917)
|Aug. 17, 2009 Alexey Gladkov 3.0-alt1.20090817|
- New snapshot (3.0 20090817)
|July 29, 2009 Alexey Gladkov 3.0-alt1.20090729|
- New snapshot (3.0 20090729)
|June 1, 2009 Alexey Gladkov 3.0-alt1.20090601|
- New snapshot (3.0 20090601)
|April 26, 2009 Alexey Gladkov 3.0-alt1.20090424|
- New snapshot (3.0 20090424)
|March 12, 2009 Alexey Gladkov 3.0-alt1.20090312|
- New snapshot (3.0 20090312) - Use system mozsqlite3 (sqlite3 unsupported)
|Nov. 24, 2008 Alexey Gladkov 126.96.36.199-alt1|
- New version (188.8.131.52) - Fixed: + MFSA 2008-59 Script access to .documentURI and .textContent in mail + MFSA 2008-58 Parsing error in E4X default namespace + MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation + MFSA 2008-55 Crash and remote code execution in nsFrameManager + MFSA 2008-52 Crashes with evidence of memory corruption (rv:184.108.40.206/220.127.116.11) + MFSA 2008-50 Crash and remote code execution via __proto__ tampering + MFSA 2008-48 Image stealing via canvas and HTTP redirect
|Nov. 18, 2008 Alexey Gladkov 18.104.22.168-alt1|
|July 17, 2008 Alexey Gladkov 22.214.171.124-alt2|
- Bugfix build. - Dont use LD_LIBRARY_PATH in startup scripts.
|May 11, 2008 Alexey Gladkov 126.96.36.199-alt1|
|March 2, 2008 Alexey Gladkov 188.8.131.52-alt1|
- New version (184.108.40.206) - Fixed: + MFSA 2008-12 Heap buffer overflow in external MIME bodies + MFSA 2008-05 Directory traversal via chrome: URI + MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution + MFSA 2008-01 Crashes with evidence of memory corruption (rv:220.127.116.11) + MFSA 2007-36 URIs with invalid mishandled by Windows + MFSA 2007-29 Crashes with evidence of memory corruption (rv:18.104.22.168) + MFSA 2007-27 Unescaped URIs passed to external programs + MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows
|Aug. 2, 2007 Alexey Gladkov 22.214.171.124-alt1|
- New version (126.96.36.199) - Fixed: + MFSA 2007-27 Unescaped URIs passed to external programs + MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows
|July 20, 2007 Alexey Gladkov 188.8.131.52-alt1|
- New version (184.108.40.206) - Fixed: + MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer + MFSA 2007-18 Crashes with evidence of memory corruption
|June 29, 2007 Alexey Gladkov 220.127.116.11-alt1|
- New version (18.104.22.168) - Fix normal icons. - Fixed: + MFSA 2007-15 Security Vulnerability in APOP Authentication + MFSA 2007-12 Crashes with evidence of memory corruption (rv:22.214.171.124/126.96.36.199)
|April 22, 2007 Alexey Gladkov 188.8.131.52-alt1|
- New version (184.108.40.206) - Many bugfixes (see http://weblogs.mozillazine.org/rumblingedge/archives/2007/03/tb_2.html). - Add RSS files (again).
|Feb. 27, 2007 Alexey Gladkov 2.0-alt1.b2|
- New version (2.0 Beta 2)
|Nov. 23, 2006 Alexey Gladkov 220.127.116.11-alt1|
|Aug. 17, 2006 Alexey Gladkov 18.104.22.168-alt1|
|May 2, 2006 Alexey Gladkov 22.214.171.124-alt1|
|March 24, 2006 Alexey Gladkov 1.5-alt2|
- bugfix build. - share extension directory fix.
|Feb. 21, 2006 Alexey Gladkov 1.5-alt1|
- new version 1.5 - build with rpm-build-thunderbird (external build macros) - Build with system NSS and NSPR. - Buildrequires updated for xorg-7.0 - directory /usr/share/thunderbird-@version@/extensions was added to extensions search path . * this location is controled by the option extensions.dir.extensions . - Startup script rewritten. Now it is single script. * command line shortcut added: altmail:MAILLIST (example: "altmail:devel" -> mailto:email@example.com). - LDAP support disabled. - firsttime script removed - NoX patch removed
|Aug. 24, 2005 Alexey Gladkov 1.0.6-alt2|
- packaging bugfix. - rpm mascros bugfix. - The script is added for switching language after installation/removal of a localization package. - Bug: #6204, #6254 fixed.
|Aug. 15, 2005 Alexey Gladkov 1.0.6-alt1|
- new version. - firsttime script added.
|May 11, 2005 Alexey Gladkov 1.0.2-alt1|
- new version; - RSS missing files add;
|Feb. 1, 2005 Alexey Gladkov 1.0-alt4|
- update patch thunderbird-1.0-20050201-alt-nox.patch * uninstall-global-theme command-line option was added; * update-register command-line option was added; - thunderbird-1.0-alt-rpm-scripts.tar.bz2 bugfix;
|Jan. 27, 2005 Alexey Gladkov 1.0-alt3|
- fix crush when comiling with gcc3.4 .
|Jan. 19, 2005 Alexey Gladkov 1.0-alt2|
- Rebuilt with libstdc++.so.6.
|Jan. 6, 2005 Alexey Gladkov 1.0-alt1|
- new version; - new extension load scheme; - uninstall-global-extension option fixed; - add RPATH=%_libdir/%fullname to the all binares; - rpm macros was updated; - %post_ldconfig and %postun_ldconfig was removed. - icons updated (thx shrek@);
|July 16, 2004 Alexey Morozov 0.7.2-alt2|
- new version (0.7.2) - rpm macros file is splitted to base and devel parts - Russian spec translation - A patch to handle external URLs w/ url_handler - Requirements cleanup
|May 7, 2004 Alexey Gladkov 0.6-alt1|
- New version; - Splash screen added; - Default userContent.css added; - Offline extension added by default; - Confilct between mozilla-like devel packages was removed.
|Feb. 11, 2004 Alexey Gladkov 0.5-alt1|
- New version.
|Jan. 13, 2004 Alexey Gladkov 0.4-alt4|
- Spec changes.
|Dec. 26, 2003 Alexey Gladkov 0.4-alt3|
- first build for ALT Linux. - rpm macro added. - new scheme loading extensions added (thx force@) - Spec modifications.