Change log for thunderbird package in Debian

Superseded in experimental-release
thunderbird (1:78.0~b2-1) experimental; urgency=medium

  * [c8da927] d/source.filter: fix obviously happen typo
  * [c513a96] New upstream version 78.0~b2
  * [6e9104e] d/control: tb, adding binary version to lightning provides
    Make the Provides for Lightning a versioned provide.
  * [8adec8f] enigmail: let any version of Enigmail break
    We now can break on any Enigmail version, the Enigmail functions are now
    included in Thunderbird and don't want to have an Enigmail package get
    installed in parallel.
  * [696b1fc] xul-ext-*/webext-*: adding more extensions to break
    Quite all of the current packaged Thunderbird extensions will not work
    for now with Thunderbird 78.*, adding/renaming the current known packages
    with recent versions to Breaks for thunderbird.
  * [e488d0c] thunderbird: remove some non-existing packages from Breaks
    The listed packages
     xul-ext-foxyproxy-standard
     xul-ext-gnome-keyring
     xul-ext-nostalgy
    aren't in any supported release so we don't need them any more within a
    Breaks for thunderbird.
  * [039ee90] thunderbird: remove outdated myspell packages from Breaks
    All previously listed myspell packages in Breaks for thunderbird aren't
    reachable with the given version any more. We can remove them safely.
  * [08ea0ba] thunderbird: remove outdated hunspell packages from Breaks
    The same is true for the hunspell packages that were listed in the Breaks
    field for thunderbird.

 -- Carsten Schoenert <email address hidden>  Sat, 20 Jun 2020 18:04:59 +0200
Superseded in experimental-release
thunderbird (1:78.0~b1-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [625efa9] d/source.filter: some updates to filtering list
    Recent modification of the shipped files in the upstream tarball do
    require small updates of the filter list we use to repack the tarball.
  * [967ee19] New upstream version 78.0~b1
  * [240991e] rebuild patch queue from patch-queue branch
    removed patch:
    debian-hacks/use-icudt-b-l-.dat-depending-on-architecture.patch
    This will require some additional adjustment later for the stable-security
    uploads as this patch was required to get a recent ICU version build
    before the build of the thunderbird sources did start.
    reworked patch:
    debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
  * [07cab53] d/mozconfig.default: remove no longer existing options
    By this release a lot of old configure options are kicked out, some of
    them we have used until now. We need to remove these from the config.
  * [df2e99b] d/copyright: update content
    As usual some required update of the copyright file, more files are not
    shipped anymore.

  [ intrigeri ]
  * [82a4b03] AppArmor: update profile from upstream at commit 860d2d9
    (cherry-picked from unstable)

 -- Carsten Schoenert <email address hidden>  Sat, 13 Jun 2020 20:01:39 +0200
Superseded in sid-release
thunderbird (1:68.9.0-1) unstable; urgency=medium

  [ intrigeri ]
  * [fd13825] AppArmor: update profile from upstream at commit 860d2d9
    (Closes: #960465)

  [ Carsten Schoenert ]
  * [c310c40] New upstream version 68.9.0
    Fixed CVE issues in upstream version 68.9.0 (MFSA 2020-22):
    CVE-2020-12399: Timing attack on DSA signatures in NSS library
    CVE-2020-12405: Use-after-free in SharedWorkerService
    CVE-2020-12406: JavaScript Type confusion with NativeTypes
    CVE-2020-12410: Memory safety bugs fixed in Thunderbird 68.9.0
    CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to
                    information leakage

 -- Carsten Schoenert <email address hidden>  Fri, 05 Jun 2020 20:29:35 +0200
Superseded in sid-release
thunderbird (1:68.8.1-1) unstable; urgency=medium

  * [7495e7a] New upstream version 68.8.1

 -- Carsten Schoenert <email address hidden>  Fri, 22 May 2020 19:04:20 +0200
Superseded in experimental-release
thunderbird (1:77.0~b3-1) experimental; urgency=medium

  * [82de2f6] New upstream version 77.0~b3
  * [8beaf6f] rebuild patch queue from patch-queue branch
    removed patch (included upstream):
    fixes/Bug-1634994-fix-disable-av1-r-tnikkel.patch
  * [ab2d7a2] d/copyright: Add license for appstream xml file
  * [1533187] d/source.filter: Remove some *.wasm files as well
  * [7cdfe03] d/thunderbird.lintian-overrides: Some more needed overrides
    We need currently the included bzip library. Also add a false positive
    about the misread postinst script.
  * [9385fd4b] d/control: Remove doubled listed package libglib2.0-dev
    Drop a doubled listed package libglib2.0-dev within B-D.

 -- Carsten Schoenert <email address hidden>  Wed, 20 May 2020 20:58:09 +0200
Superseded in experimental-release
thunderbird (1:77.0~b2-1) experimental; urgency=medium

  * [185d4f7] New upstream version 77.0~b2
  * [e918036] rebuild patch queue from patch-queue branch
    removed patch:
    fixes/Bug-1635671-Upgrade-typename-to-1.12.0.-r-emilio.patch
  * [c1979ce] d/mozconfig.default: Remove obsolete options
    Drop the options '--with-distribution-id' and '--with-user-appdir'.
    The former is basically only supporting the given default 'org.mozilla'
    and the latter was set to the default '.mozilla' anyway.

 -- Carsten Schoenert <email address hidden>  Sat, 16 May 2020 14:04:02 +0200
Superseded in buster-release
thunderbird (1:68.7.0-1~deb10u1) stable-security; urgency=medium

  * Rebuild for buster-security

 -- Carsten Schoenert <email address hidden>  Sun, 12 Apr 2020 10:21:40 +0200
Superseded in experimental-release
thunderbird (1:77.0~b1-1) experimental; urgency=medium

  * [ee06e6e] New upstream version 77.0~b1
  * [a21b649] rebuild patch queue from patch-queue branch
    removed patches (not needed any more):
    lower-down-required-version-on-NSS3.patch

    added patches:
    fixes/Bug-1634994-fix-disable-av1-r-tnikkel.patch
    fixes/Bug-1635671-Upgrade-typename-to-1.12.0.-r-emilio.patch
  * [295cc4d] d/control: increase B-D for libnss3
    The build requires now libnss3-dev >= 2:3.52.
  * [f998baf] lintian-overrides: remove overrides for kinto-http-client.js
    No override needed for this file, it's not included any more.

 -- Carsten Schoenert <email address hidden>  Fri, 08 May 2020 15:18:44 +0200
Superseded in sid-release
thunderbird (1:68.8.0-1) unstable; urgency=medium

  * [9b5ae46] New upstream version 68.8.0
    Fixed CVE issues in upstream version 68.8.0 (MFSA 2020-18):
    CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode
                    characters
    CVE-2020-12387: Use-after-free during worker shutdown
    CVE-2020-6831: Buffer overflow in SCTP chunk input validation
    CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
    CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape
                    website-controlled data, potentially leading to command
                    injection
    CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0

 -- Carsten Schoenert <email address hidden>  Tue, 05 May 2020 20:47:29 +0200
Superseded in experimental-release
thunderbird (1:76.0~b2-1) experimental; urgency=medium

  * [87988db] d/control: increase B-D for cargo to 0.42
  * [b9b0dfd] rebuild patch queue from patch-queue branch
    removed patch:
    debian-hacks/Ignore-version-check-for-cargo.patch
  * [8386db0] d/control: Remove B-D on libjson-dev and libsqlite3-dev
    The build uses internal copies for libjson and libsqlite as there are
    modifications made to them. For now we can decrease the list of build
    dependencies by removing these two packages.
  * [6324222] New upstream version 76.0~b2
  * [629b3bb] d/rules: Remove default compiler flag
    No need for '-Wl,--as-needed' any more, it's default now.

 -- Carsten Schoenert <email address hidden>  Mon, 27 Apr 2020 09:55:43 +0200
Superseded in experimental-release
thunderbird (1:76.0~b1-1) experimental; urgency=medium

  * [b52cd52] d/c-thunderbird-l10n-tarball.sh: change upstream resource
    Upstream has changed the folder where we can find the language providing
    XPI packages. They simply moved over from linux-i686 to linux-x86_64.
  * [22e697a] d/rules: drop set up of LIGHTNING_VERSION variable
    We don't need this variable any more for building the packages (like all
    the lightning-foo named stuff), there is no dedicated Lightning named stuff
    around.
  * [4ad871b] d/gbp.conf: Remove additional tarball for lightning-l10n
    git-buildpackage won't find this additional tarball as it's not needed
    starting by the import of the next upstream version (this is 76.0b1).
  * [25d8d42] d/c-l-l10n-t.sh: Remove helper script
    We also don't need to build the l10n specific additional tarball for
    Lightning related parts any more. Dropping this helper script.
  * [9d33d06] d/README.source: Remove part of lightning-l10n
  * [b063d7f] New upstream version 76.0~b1
  * [e7a23ec] rebuild patch queue from patch-queue branch
    removed patches (not needed or included upstream):
    debian-hacks/Build-against-system-libjsoncpp.patch
    debian-hacks/Downgrade-SQlite-version-to-3.27.2.patch
    fixes/Bug-1531309-Don-t-use-__PRETTY_FUNCTION__-or-__FUNCTION__.patch
    fixes/Bug-1560340-Only-add-confvars.sh-as-a-dependency-to-confi.patch

    added patches:
    debian-hacks/Ignore-version-check-for-cargo.patch
    lower-down-required-version-on-NSS3.patch
  * [94d8593] d/control: adding new packages thunderbird-l10n-{cak,kab,uz}
    After the final release of Thunderbird 68.0 new l10n support for the
    languages Kaqchikel, Georgian and Uzbek was added. Reflect this by adding
    new binary packages for those languages.
  * [5397182] d/mozconfig.default: remove option for system-sqlite
    Upstream is using their own version of a modified SQLite now and has
    dropped the additional configure option about this.
  * [abb0ded] d/control: increase various versions in B-D
    The current source requires some more recent versions of the helping tools
    for building the sources as usual.
  * [abfc8b2] d/rules: remove any action related to old lightning stuff
    As the sources don't have any Lightning specific parts any more we need
    to adjust the build process within debian/rules a bit. Thus dropping all
    the rules around Lightning things.
  * [f95b3ad] d/control: Turn lightning into transitional package
    For now switch the behaviour of the lightning package into a transitional
    one. We might be able to drop the whole package rather soon.
  * [c3062cb] d/thunderbird.install: Remove blocklist.xml
    Don't install the file blocklist.xml any more, it's now not shipped by
    upstream any more.
  * [856e99e] d/mozconfig.thunderbird: Remove --enable-calendar
    Previously the build of the Lightning extension was needed to get enabled
    to build this as an extension. Now it's fully integrated into the core
    this configure option isn't needed any longer.
  * [5551a8a] d/copyright: update content
    As usual there is some moving within the source code between the major
    versions, reflect this by adjusting the content of the copyright file.
  * [21e9b7f] lintian-overrides: adjust overrides for needed files
    Also the override file for the source is needing some adjustments.
  * [f25ddc4] d/source.filter: update the filter sequences
    The control for filtering non needed stuff from the upstream tarball must
    also get adjusted due changed versions, moved folders etc.
  * [e4a81ba] d/thunderbird.install: Install also appdata.xml
    Upstream is providing an AppStream data file which we want to install now
    also.
  * [80385c9] d/source.filter: Sorting entries alphabetically
    No functional modifications, just sorting entries to find stuff more easily.
  * [585cf0a] d/thunderbird.lintian-overrides: update after config changes
    We also need to modify the content for Lintian overrides for the
    thunderbird package a bit. Thunderbird comes now (again) with own versions
    of the libraries libtheora and libjsoncpp. Mostly because Mozilla has made
    some own modifications within these libraries.

 -- Carsten Schoenert <email address hidden>  Sat, 18 Apr 2020 08:28:25 +0200
Superseded in sid-release
thunderbird (1:68.7.0-1) unstable; urgency=medium

  * [c0052af] New upstream version 68.7.0
    Fixed CVE issues in upstream version 68.7.0 (MFSA 2020-14):
    CVE-2020-6819: Use-after-free while running the nsDocShell destructor
    CVE-2020-6820: Use-after-free when handling a ReadableStream
    CVE-2020-6821: Uninitialized memory could be read when using the WebGL
                   copyTexSubImage method
    CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large
                   images
    CVE-2020-6825: Memory safety bugs fixed in Thunderbird 68.7

 -- Carsten Schoenert <email address hidden>  Sun, 12 Apr 2020 07:40:41 +0200
Superseded in sid-release
thunderbird (1:68.6.0-1) unstable; urgency=medium

  * [5709774] New upstream version 68.6.0
    Fixed CVE issues in upstream version 68.6.0 (MFSA 2020-10):
    CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init
    CVE-2020-6805: Use-after-free when removing data about origins
    CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections
                   against state confusion
    CVE-2020-6807: Use-after-free in cubeb during stream destruction
    CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape
                   website-controlled data, potentially leading to
                   command injection
    CVE-2020-6812: The names of AirPods with personally identifiable
                   information were exposed to websites with camera or
                   microphone permission
    CVE-2020-6814: Memory safety bugs fixed in Thunderbird 68.6

 -- Carsten Schoenert <email address hidden>  Mon, 16 Mar 2020 20:01:29 +0100
Superseded in sid-release
thunderbird (1:68.5.0-1) unstable; urgency=medium

  * [d79bf82] New upstream version 68.5.0
    Fixed CVE issues in upstream version 68.5.0 (MFSA 2020-07):
    CVE-2020-6793: Out-of-bounds read when processing certain email messages
    CVE-2020-6794: Setting a master password post-Thunderbird 52 does not
                   delete unencrypted previously stored passwords
    CVE-2020-6795: Crash processing S/MIME messages with multiple signatures
    CVE-2020-6798: Incorrect parsing of template tag could result in
                   JavaScript injection
    CVE-2020-6792: Message ID calculation was based on uninitialized data
    CVE-2020-6800: Memory safety bugs fixed in Thunderbird 68.5
    (Closes: #891848)
  * [0884df6] d/control: increase Standards-Version to 4.5.0
    No further changes needed.

 -- Carsten Schoenert <email address hidden>  Thu, 13 Feb 2020 17:58:44 +0100
Superseded in stretch-release
thunderbird (1:68.4.1-1~deb9u1) stretch-security; urgency=medium

  * Rebuild for stretch-security

 -- Carsten Schoenert <email address hidden>  Sat, 16 Jan 2020 15:39:41 +0100
Published in stretch-release
thunderbird (1:60.9.0-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

 -- Carsten Schoenert <email address hidden>  Thu, 12 Sep 2019 19:25:59 +0200
Superseded in buster-release
thunderbird (1:68.4.1-1~deb10u1) stable-security; urgency=medium

  * Rebuild for buster-security

 -- Carsten Schoenert <email address hidden>  Sat, 15 Jan 2020 17:48:09 +0100
Superseded in sid-release
thunderbird (1:68.4.2-1) unstable; urgency=medium

  * [7ab7786] d/gbp.conf: add some more files we need to filter out
  * [9c02c34] New upstream version 68.4.2

 -- Carsten Schoenert <email address hidden>  Sun, 26 Jan 2020 13:13:49 +0100
Superseded in sid-release
thunderbird (1:68.4.1-1) unstable; urgency=medium

  * [a00f3e9] New upstream version 68.4.1
    Fixed CVE issues in upstream version 68.4.1 (MFSA 2020-04):
    CVE-2019-17026: IonMonkey type confusion with StoreElementHole and
                    FallibleStoreElement
    CVE-2019-17015: Memory corruption in parent process during new content
                    process initialization on Windows
    CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
    CVE-2019-17017: Type Confusion in XPCVariant.cpp
    CVE-2019-17022: CSS sanitization does not escape HTML tags
    CVE-2019-17024: Memory safety bugs fixed in Thunderbird 68.4.1
  * [6b1fd82] rebuild patch queue from patch-queue branch
    removed patch (included upstream)
    fixes/Update-bindgen-in-ESR68.-r-glandium-a-RyanVM.patch

 -- Carsten Schoenert <email address hidden>  Fri, 10 Jan 2020 18:33:43 +0100
Superseded in sid-release
thunderbird (1:68.3.1-1) unstable; urgency=medium

  [ Emilio Pozuelo Monfort ]
  * [6f59313] Fix MOZ_BUILD_DATE to have the expected format

  [ Carsten Schoenert ]
  * [5d0f4b1] d/rules: don't use SOURCE_DATE_EPOCH for MOZ_BUILD_DATE
    (Closes: #946588)
  * [1467af5] New upstream version 68.3.1

 -- Carsten Schoenert <email address hidden>  Wed, 18 Dec 2019 15:54:44 +0100
Superseded in sid-release
thunderbird (1:68.3.0-2) unstable; urgency=medium

  * [0625d30] rebuild patch queue from patch-queue branch
    added patches:
    fixes/Bug-1531309-Don-t-use-__PRETTY_FUNCTION__-or-__FUNCTION__.patch
    fixes/Update-bindgen-in-ESR68.-r-glandium-a-RyanVM.patch
  * [ea8d98c] Breaks: add versioned birdtray package

 -- Carsten Schoenert <email address hidden>  Mon, 09 Dec 2019 18:22:15 +0100
Superseded in sid-release
thunderbird (1:68.3.0-1) unstable; urgency=medium

  * [fe289ec] /u/b/thunderbird: export variable DICPATH before start
    (Closes: #944295)
  * [a9a48c6] New upstream version 68.3.0
    Fixed CVE issues in upstream version 68.3 (MFSA 2019-38):
    CVE-2019-17008: Use-after-free in worker destruction
    CVE-2019-13722: Stack corruption due to incorrect number of arguments in
                    WebRTC code
    CVE-2019-11745: Out of bounds write in NSS when encrypting with a block
                    cipher
    CVE-2019-17009: Updater temporary files accessible to unprivileged
                    processes
    CVE-2019-17010: Use-after-free when performing device orientation checks
    CVE-2019-17005: Buffer overflow in plain text serializer
    CVE-2019-17011: Use-after-free when retrieving a document in
                    antitracking
    CVE-2019-17012: Memory safety bugs fixed in Firefox 71, Firefox ESR
                    68.3, and Thunderbird 68.3
  * [fb23473] d/control: increase B-D version on NSS to 3.44.3
  * [6f59938] Breaks: adding more non compatible packaged AddOns

 -- Carsten Schoenert <email address hidden>  Thu, 05 Dec 2019 10:03:22 +0100
Published in buster-release
thunderbird (1:60.9.0-1~deb10u1) buster-security; urgency=medium

  * Rebuild for buster-security
  * [9802e1d] Revert "Use gcc-8 and g++-8 due broken build with GCC-9"

 -- Carsten Schoenert <email address hidden>  Thu, 12 Sep 2019 16:52:34 +0200
Superseded in sid-release
thunderbird (1:68.2.2-1) unstable; urgency=medium

  * [198d539] xul-ext-compactheader: allow also version << 3.0.0
  * [0e93753] d/control: add incompatibility with jsunit << 0.2.2
  * [87c84cb] New upstream version 68.2.2
    This upstream version has removed the source for calendar-google-provider,
    thus we can't provide the related binary package any more.
  * [a3cea2a] rebuild patch queue from patch-queue branch
    rebuild patch queue from patch-queue branch

    removed patches (included upstream):
    debian/patches/fixes/Bug-1470701-Use-run-time-page-size-when-changing-map.patch
    debian/patches/fixes/Bug-1505608-Try-to-ensure-the-bss-section-of-the-elf.patch
    debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
    debian/patches/fixes/Build-also-gdata-provider-as-xpi-file.patch
    debian/patches/fixes/rust-ignore-not-available-documentation.patch
    debian/patches/porting-kfreebsd-hurd/Fix-GNU-non-Linux-failure-to-build-because-of-ipc-ch.patch
    debian/patches/porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
    debian/patches/porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
    debian/patches/porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch
    debian/patches/porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch
  * [1730f5f] d/control: remove references to calendar-google-provider
    Don't build calendar-google-provider any more and remove any references
    from other binary packages.
  * [1b0bbb8] d/rules: remove any calendar-google-provider stuff
  * [92f681c] thunderbird.NEWS: Adding hint about removal of gdata
    Give out an announcement about the removal of a possible previously
    installed package calendar-google-provider.

 -- Carsten Schoenert <email address hidden>  Sun, 10 Nov 2019 12:09:17 +0100
Superseded in sid-release
thunderbird (1:68.2.1-1) unstable; urgency=medium

  [ intrigeri ]
  * [c48e2cb] AppArmor: update profile from upstream at commit a27a1a5
    (Closes: #941290)

  [ Carsten Schoenert ]
  * [98497ae] New upstream version 68.2.0
    Fixed CVE issues in upstream version 68.2 (MFSA 2019-35):
    CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
    CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
    CVE-2019-11758: Potentially exploitable crash due to 360 Total Security
    CVE-2019-11759: Stack buffer overflow in HKDF output
    CVE-2019-11760: Stack buffer overflow in WebRTC networking
    CVE-2019-11761: Unintended access to a privileged JSONView object
    CVE-2019-11762: document.domain-based origin isolation has
                    same-origin-property violation
    CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
    CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2
    (Closes: #925841)
  * [a104c51] d/control: increase Standards-Version to 4.4.1
  * [6c9d012] xul-ext-dispmua: set current min usable version
  * [b3bf16f] New upstream version 68.2.1
  * [8f89b90] d/control: decrease build architecture list
    Decreasing the current list of build architectures. Not meant to keep this
    forever, removed RC architectures needing support and volunteering to get
    them back.
    (Closes: #921258)

 -- Carsten Schoenert <email address hidden>  Fri, 01 Nov 2019 20:36:59 +0100
Deleted in experimental-release (Reason: None provided.)
thunderbird (1:68.1.2-1~exp1) experimental; urgency=medium

  * [81f4144] xul-ext-compactheader: increase minimal usable version
  * [a815589] Update the global information about TB in Debian
  * [bb5f5f7] rebuild patch queue from patch-queue branch
  * [6fe7d3f] xul-ext-sogo-connector: increase minimal usable version
  * [2e29af5] New upstream version 68.1.2

 -- Carsten Schoenert <email address hidden>  Sat, 26 Oct 2019 08:41:50 +0200
Superseded in experimental-release
thunderbird (1:68.1.1-1~exp1) experimental; urgency=medium

  [ intrigeri ]
  * [3f49653] AppArmor: update profile from upstream at commit ed52e4a

  [ Carsten Schoenert ]
  * [348f476] New upstream version 68.0~b5
  * [2a2f101] New upstream version 68.1.1
    Fixed CVE issues in upstream version 68.1 (MFSA 2019-20):
    CVE-2019-11711: Script injection within domain through inner window reuse
    CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins
                    by following 308 redirects
    CVE-2019-11713: Use-after-free with HTTP/2 cached stream
    CVE-2019-11714: NeckoChild can trigger crash when accessed off of main
                    thread
    CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a
                    segmentation fault
    CVE-2019-11715: HTML parsing error can contribute to content XSS
    CVE-2019-11716: globalThis not enumerable until accessed
    CVE-2019-11717: Caret character improperly escaped in origins
    CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
    CVE-2019-11720: Character encoding XSS vulnerability
    CVE-2019-11721: Domain spoofing through unicode latin 'kra' character
    CVE-2019-11730: Same-origin policy treats all files in a directory as
                    having the same-origin
    CVE-2019-11723: Cookie leakage during add-on fetching across private
                    browsing boundaries
    CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting
                    permissions
    CVE-2019-11725: Websocket resources bypass safebrowsing protections
    CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3
    CVE-2019-11728: Port scanning through Alt-Svc header
    CVE-2019-11710: Memory safety bugs fixed in Firefox 68 and Thunderbird 68
    CVE-2019-11709: Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8,
                    and Thunderbird 68

    Fixed CVE issues in upstream version 68.1 (MFSA 2019-20):
    CVE-2019-11739: Covert Content Attack on S/MIME encryption using a crafted
                    multipart/alternative message
    CVE-2019-11746: Use-after-free while manipulating video
    CVE-2019-11744: XSS by breaking out of title and textarea elements using
                    innerHTML
    CVE-2019-11742: Same-origin policy violation with SVG filters and canvas
                    to steal cross-origin images
    CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
    CVE-2019-11743: Cross-origin access to unload event attributes
    CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1,
                    Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9

    Fixed CVE issues in upstream version 68.1.1 (MFSA 2019-32):
    CVE-2019-11755: Spoofing a message author via a crafted S/MIME message

  * [9342624] rebuild patch queue from patch-queue branch
    added patches:
    debian-hacks/Set-program-name-from-the-remoting-name.patch
    debian-hacks/Use-remoting-name-for-call-to-gdk_set_program_class.patch
    debian-hacks/Work-around-Debian-bug-844357.patch
    fixes/Allow-.js-preference-files-to-set-locked-prefs-with-lockP.patch
    fixes/Bug-1556197-amend-Bug-1544631-for-fixing-mips32.patch
    fixes/Bug-1560340-Only-add-confvars.sh-as-a-dependency-to-confi.patch
    porting-armhf/Bug-1526653-Include-struct-definitions-for-user_vfp-and-u.patch
    
    removed patch (fixed upstream):
    porting-mips/Fix-CPU_ARCH-test-for-libjpeg-on-mips.patch
    porting/Work-around-GCC-ICE-on-mips-i386-and-s390x.patch

  * [25cb500] d/control: increase various versions in B-D
  * [ee5b713] d/control: remove B-D on librust-cbindgen-dev
    Use librust-toml-dev instead, we only need some files from this package,
    librust-cbindgen-dev is a metapackage which is broken while packaging.
  * [442a6b1] d/rules: work around cargo needs a HOME dir
  * [4894a4c] d/control: increase Standards-Version to 4.4.0
    No further changes needed.
  * [bb47b68] d/control: update upstream homepage for Thunderbird
    Since some time Mozilla Thunderbird has a new homepage placed on URI
    https://www.thunderbird.net/
  * [a3b680e] d/source.filter: update the filter sequences
    New Thunderbird upstream versions bringing some new unwanted files within
    the source.
  * [7290ff4] d/control: remove transitional lightning l10n packages
    The Lightning l10n packages moved into transitional packages before Buster
    was released, now after the Buster release removing these transitional
    packages. All required l10n files are available in the packages
    thunderbird-$(locale) even for Lightning.
  * [3d1d27d] enigmail: increase minimal usable version
    Thunderbird 68.x needs at least Enigmail in version 2.1, but increase the
    version on Enigmail to the most recent version which is released while
    packaging.
  * [66069d9] calendar-exchange-provider: removed from Breaks
    This package isn't alive in unstable and testing.
  * [3b9f936] d/control: remove Xb-Xul-AppId field
    Thunderbird doesn't have any Xul based AddOns since version 68.0
  * [7d8cd7d] lintian-overrides: remove not needed overrides

 -- Carsten Schoenert <email address hidden>  Sat, 28 Sep 2019 15:38:28 +0200
Superseded in sid-release
thunderbird (1:60.9.0-1) unstable; urgency=medium

  * [5f7ba31] New upstream version 60.9.0
    Fixed CVE issues in upstream version 60.8.0 (MFSA 2019-29)
    CVE-2019-11746: Use-after-free while manipulating video
    CVE-2019-11744: XSS by breaking out of title and textarea elements using
                    innerHTML
    CVE-2019-11742: Same-origin policy violation with SVG filters and canvas
                    to steal cross-origin images
    CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
    CVE-2019-11743: Cross-origin access to unload event attributes
    CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1,
                    Firefox ESR 60.9, and Thunderbird 60.9

 -- Carsten Schoenert <email address hidden>  Wed, 11 Sep 2019 17:54:10 +0200
Superseded in stretch-release
thunderbird (1:60.8.0-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

 -- Carsten Schoenert <email address hidden>  Sat, 13 Jul 2019 15:33:17 +0200
Superseded in buster-release
thunderbird (1:60.8.0-1~deb10u1) buster-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for buster-security

 -- Carsten Schoenert <email address hidden>  Sat, 13 Jul 2019 08:27:42 +0200
Superseded in sid-release
thunderbird (1:60.8.0-2) unstable; urgency=medium

  * [41e9047] d/rules: work around cargo needs a HOME dir
  * [c67707c] Use gcc-8 and g++-8 due broken build with GCC-9

 -- Carsten Schoenert <email address hidden>  Fri, 23 Aug 2019 20:30:17 +0200
Superseded in sid-release
thunderbird (1:60.8.0-1) unstable; urgency=medium

  * [49f4e91] New upstream version 60.8.0
    Fixed CVE issues in upstream version 60.8.0 (MFSA 2019-23)
    CVE-2019-9811: Sandbox escape via installation of malicious language pack
    CVE-2019-11711: Script injection within domain through inner window reuse
    CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins
                    by following 308 redirects
    CVE-2019-11713: Use-after-free with HTTP/2 cached stream
    CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a
                    segmentation fault
    CVE-2019-11715: HTML parsing error can contribute to content XSS
    CVE-2019-11717: Caret character improperly escaped in origins
    CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
    CVE-2019-11730: Same-origin policy treats all files in a directory as
                    having the same-origin
    CVE-2019-11709: Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8,
                    and Thunderbird 60.8

 -- Carsten Schoenert <email address hidden>  Tue, 09 Jul 2019 22:09:04 +0200
Superseded in buster-release
Superseded in sid-release
thunderbird (1:60.7.2-1) unstable; urgency=medium

  * [d6c79ed] New upstream version 60.7.2
    Fixed CVE issues in upstream version 60.7.2 (MFSA 2019-20)
    CVE-2019-11707: Type confusion in Array.pop
    CVE-2019-11708: sandbox escape using Prompt:Open

 -- Carsten Schoenert <email address hidden>  Fri, 21 Jun 2019 18:48:43 +0200
Superseded in experimental-release
thunderbird (1:68.0~b1-1) experimental; urgency=medium

  * [0eabe70] New upstream version 68.0~b1
  * [2febf67] rebuild patch queue from patch-queue branch
    added patch:
    debian-hacks/Downgrade-SQlite-version-to-3.27.2.patch
  * [cfa5973] d/s/lintian-overrides: adjust overrides for needed files
  * [46077e2] d/copyright: update after upstream changes

 -- Carsten Schoenert <email address hidden>  Sun, 16 Jun 2019 10:28:52 +0200
Superseded in buster-release
Superseded in sid-release
thunderbird (1:60.7.1-1) unstable; urgency=high

  * [f791dee] New upstream version 60.7.1
    Fixed CVE issues in upstream version 60.7.1 (MFSA 2019-17)
    CVE-2019-11703: Heap buffer overflow in icalparser.c
    CVE-2019-11704: Heap buffer overflow in icalvalue.c
    CVE-2019-11705: Stack buffer overflow in icalrecur.c
    CVE-2019-11706: Type confusion in icalproperty.c

 -- Carsten Schoenert <email address hidden>  Fri, 14 Jun 2019 07:25:35 +0200
Superseded in experimental-release
thunderbird (1:67.0~b3-1) experimental; urgency=medium

  [ intrigeri ]
  * [9ad75ad] d/rules: drop useless usage of dpkg-parsechangelog

  [ Carsten Schoenert ]
  * [d6f6747] New upstream version 67.0~b3
  * [90f73be] rebuild patch queue from patch-queue branch
    removed patch:
    fixes/Bug-1515641-Turn-enable-av1-around.-r-nalexander.patch
  * [7dd5c54] d/control: increase various B-D versions
    Increasing the version for the build depending packages of cargo, cbindgen,
    libnspr4-dev, libnss3-dev, libsqlite3-dev and rustc.

 -- Carsten Schoenert <email address hidden>  Tue, 11 Jun 2019 19:36:00 +0200
Superseded in buster-release
Superseded in sid-release
thunderbird (1:60.7.0-1) unstable; urgency=medium

  * [f6dd130] New upstream version 60.7.0
    Fixed CVE issues in upstream version 60.7.0 (MFSA 2019-15)
    CVE-2019-9816: Type confusion with object groups and UnboxedObjects
    CVE-2019-9817: Stealing of cross-domain images using canvas
    CVE-2019-9819: Compartment mismatch with fetch API
    CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
    CVE-2019-11691: Use-after-free in XMLHttpRequest
    CVE-2019-11692: Use-after-free removing listeners in the event listener
                    manager
    CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
    CVE-2019-7317: Use-after-free in png_image_free of libpng library
    CVE-2019-9797: Cross-origin theft of images with createImageBitmap
    CVE-2018-18511: Cross-origin theft of images with
                    ImageBitmapRenderingContext
    CVE-2019-11698: Theft of user history data through drag and drop of
                    hyperlinks to and from bookmarks
    CVE-2019-5798: Out-of-bounds read in Skia
    CVE-2019-9800: Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7,
                   and Thunderbird 60.7
  * [4106d54] rebuild patch queue from patch-queue branch
    added patch:
    fixes/rust-ignore-not-available-documentation.patch

 -- Carsten Schoenert <email address hidden>  Thu, 23 May 2019 17:03:27 +0200
Superseded in stretch-release
thunderbird (1:60.6.1-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

 -- Carsten Schoenert <email address hidden>  Thu, 28 Mar 2019 20:29:33 +0100
Superseded in buster-release
Superseded in sid-release
thunderbird (1:60.6.1-1) unstable; urgency=medium

  [ intrigeri ]
  * [2013645] d/rules: drop useless usage of dpkg-parsechangelog

  [ Carsten Schoenert ]
  * [daf1252] New upstream version 60.6.1
    Fixed CVE issues in upstream version 60.6.0 (MFSA 2019-11)
    CVE-2019-9790: Use-after-free when removing in-use DOM elements
    CVE-2019-9791: Type inference is incorrect for constructors entered 
                   through on-stack replacement with IonMonkey
    CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
    CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
    CVE-2019-9794: Command line arguments not discarded during execution
    CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
    CVE-2019-9796: Use-after-free with SMIL animation controller
    CVE-2018-18506: Proxy Auto-Configuration file can define localhost access
                    to be proxied
    CVE-2019-9788: Memory safety bugs fixed in Firefox 66, Firefox ESR 60.6,
                   and Thunderbird 60.6
    Fixed CVE issues in upstream version 60.6.1 (MFSA 2019-12)
    CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information
    CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations
  * [f88a505] rebuild patch queue from patch-queue branch
    added patch:
    fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch

 -- Carsten Schoenert <email address hidden>  Wed, 27 Mar 2019 18:22:51 +0100
Superseded in experimental-release
thunderbird (1:66.0~b1-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [afe31d9] New upstream version 66.0~b1
  * [4ec53cc] apparmor: update profile from upstream (commit 7ace41b1)
    (cherry-picked from debian/sid)
  * [b3657a0] d/rules: make dh_clean more robust
    Remove some regenerated files in dh_clean so the build will not fail in
    case the build needs to be started twice within the same build environment.
    (cherry-picked from debian/sid)
  * [dceb027] d/rules: move disable debug option into configure step
    Adding the option '--disable-debug-symbols' to the file mozconfig.default
    in case the build is running on a 32bit architecture instead of expanding
    the variable 'CONFIGURE_FLAGS'. The configuration approach for this option
    taken from firefox-esr was not working for the thunderbird package.
    (cherry-picked from debian/sid)
  * [f7f02a9] d/rules: reorder LDFLAGS for better readability
    Make the used additional options for LDFLAGS better readable by reordering
    the various used options. Also adding the option '-Wl, --as-needed' to the
    list of used options here.
    (cherry-picked from debian/sid)
  * [79801fb] d/rules: use 'compress-debug-sections' only on 64bit
    Do not set 'LDFLAGS += -Wl,--compress-debug-sections=zlib' globally, let's
    use this option only if we are on a 64bit architecture as otherwise the
    build is failing on 32bit architectures again. We don't want to build any
    debug information on 32bit anyway so we don't need this option on these
    platforms.
    (cherry-picked from debian/sid)
  * [11f9e14] d/mozconfig.default: adding option for mipsel
    We haven't set up any options for the mipsel platform before, but the
    build needs some additional options too on this platform to succeed.
    (cherry-picked from debian/sid)
  * [e46e178] d/mozconfig.default: disable ion on mips and mipsel
    The build will fail on mips{,el} if we have enabled ION, the JavaScript
    JIT compiler on these platforms will lose some performance by this.
    (cherry-picked from debian/sid)

  [ Alexander Nitsch ]
  * [31b87e9] Make the logo SVG square
    The original SVG source isn't completely square, modifying the SVG file
    so all generated other files from the input are also exactly square.
  * [c0f19a3] Add script for generating PNGs from logo SVG
  * [c153c5f] Update icon PNGs to be properly scaled

  [ Carsten Schoenert ]
  * [c372e1f] d/source.filter: add some configure scripts
    Filter out some files that are named 'configure', they are rebuilt later
    anyway. The filtering of these files is moved from gbp.conf to
    source.filter.
    (cherry-picked from debian/sid)
  * [a40c5df] d/c-lightning-l10n-t.sh: drop version checking
    Remove an old check for a version string within the file install.rdf.
    It's not created any more by upstream since > 60.0.
  * [05b325e] d/source.filter: don't ignore files in root folder
    Try to not ignore files which are in the top root folder of the upstream
    source tarball.
  * [d2ca267] rebuild patch queue from patch-queue branch
    added patch:
    fixes/Bug-1515641-Turn-enable-av1-around.-r-nalexander.patch
    
    modified (refreshed) patches:
    porting-armel/Avoid-using-vmrs-vmsr-on-armel.patch
    porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
    porting-kfreebsd-hurd/Allow-ipc-code-to-build-on-GNU-hurd.patch
    porting-kfreebsd-hurd/Allow-ipc-code-to-build-on-GNU-kfreebsd.patch
    porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
    porting-kfreebsd-hurd/Fix-GNU-non-Linux-failure-to-build-because-of-ipc-ch.patch
    porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch
    porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch
    porting-m68k/Add-m68k-support-to-Thunderbird.patch
    
    removed patches (applied upstream):
    fixes/Fix-big-endian-build-for-SKIA.patch
    porting-kfreebsd-hurd/Fix-GNU-non-Linux-failure-to-build-because-of-ipc-ch.patch
    porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch
  * [cb1dde9] d/control: increase version in B-D for libsqlite3-dev
  * [54e8890] d/mozconfig.default: add new configure option
    We need to disable the usage of libav1 for a successful build. The used
    configure option was added by the newly added patch to the patch queue.
  * [ecd3ade] d/copyright: update after upstream changes
  * [af58ed8] d/source.filter: add extra content to ignore

 -- Carsten Schoenert <email address hidden>  Sun, 17 Feb 2019 10:58:46 +0100
Superseded in stretch-release
thunderbird (1:60.4.0-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

 -- Carsten Schoenert <email address hidden>  Thu, 27 Dec 2018 17:24:19 +0100
Superseded in buster-release
Superseded in sid-release
thunderbird (1:60.5.1-1) unstable; urgency=medium

  [ Alexander Nitsch ]
  * [c9775d4] Make the logo SVG square
    The original SVG source isn't completely square, modifying the SVG file
    so all generated other files from the input are also exactly square.
  * [6096812] Add script for generating PNGs from logo SVG
  * [4e9e5cc] Update icon PNGs to be properly scaled

  [ Carsten Schoenert ]
  * [9e5527d] d/source.filter: add some configure scripts
    Filter out some files that are named 'configure', they are rebuilt later
    anyway. The filtering of these files is moved from gbp.conf to
    source.filter.
  * [b63f2a2] Revert "d/gbp.conf: ignore configure script while importing"
    Reverting this commit as we need to move the files to filter to
    source.filter as the behaviour wasn't the expected outcome.
  * [4965c2a] New upstream version 60.5.1
    Fixed CVE issues in upstream version 60.5.0 (MFSA 2019-06)
    CVE-2018-18356: Use-after-free in Skia
    CVE-2019-5785: Integer overflow in Skia
    CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D
    CVE-2018-18509: S/MIME signature spoofing

 -- Carsten Schoenert <email address hidden>  Thu, 14 Feb 2019 20:01:03 +0100
Superseded in buster-release
Superseded in sid-release
thunderbird (1:60.5.0-3) unstable; urgency=medium

  * [3e274d8] d/rules: move disable debug option into configure step
    Adding the option '--disable-debug-symbols' to the file mozconfig.default
    in case the build is running on a 32bit architecture instead of expanding
    the variable 'CONFIGURE_FLAGS'. The configuration approach for this option
    taken from firefox-esr was not working for the thunderbird package.
  * [b3d82d3] d/rules: reorder LDFLAGS for better readability
    Make the used additional options for LDFLAGS better readable by reordering
    the various used options. Also adding the option '-Wl, --as-needed' to the
    list of used options here.
  * [62d11e3] d/rules: use 'compress-debug-sections' only on 64bit
    Do not set 'LDFLAGS += -Wl,--compress-debug-sections=zlib' globally, let's
    use this option only if we are on a 64bit architecture as otherwise the
    build is failing on 32bit architectures again. We don't want to build any
    debug information on 32bit anyway so we don't need this option on these
    platforms.
  * [6225c44] d/mozconfig.default: adding option for mipsel
    We haven't set up any options for the mipsel platform before, but the
    build needs some additional options too on this platform to succeed.
  * [4e348d9] d/mozconfig.default: disable ion on mips and mipsel
    The build will fail on mips{,el} if we have enabled ION, the JavaScript
    JIT compiler on these platforms will lose some performance by this.

 -- Carsten Schoenert <email address hidden>  Tue, 05 Feb 2019 17:11:25 +0100
Superseded in sid-release
thunderbird (1:60.5.0-2) unstable; urgency=medium

  * [aa2dbe3] d/changelog: update MFSA information for 60.5.0
    The MFSA got published shortly after the upload of the previous version.
    Adding the CVE numbers for MFSA 2019-03 to the changelog accordingly, as
    happened for 1:60.4.0-1 too.
  * [71807dc] rebuild patch queue from patch-queue branch
    Due to greater changes to the source the previous rebuild and refreshing of
    the patch queue was neither correct nor complete. Some more rework was needed
    and some patches got cherry-picked from firefox-esr.
    readded patches (not included upstream):
    porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
    porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
    cherry-picked from firefox-esr:
    fixes/Bug-1470701-Use-run-time-page-size-when-changing-map.patch
    fixes/Bug-1505608-Try-to-ensure-the-bss-section-of-the-elf.patch
    porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch
    removed patches (included upstream):
    porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch
  * [eaa065b] apparmor: update profile from upstream (commit 7ace41b1)
  * [c761425] d/rules: make dh_clean more robust
    Remove some regenerated files in dh_clean so the build will not fail in
    case the build needs to be started twice within the same build environment.
  * [aa7b033] d/gbp.conf: ignore configure script while importing
    The shipped scripts '*configure' in the toplevel folder and also in js/src
    aren't needed and we can filter them out while importing the tarballs.
    These scripts got (re)created by dh_auto_configure nevertheless.
  * [9f0acb2] d/rules: tweak LDFLAGS more to reduce RAM usage
    Reduce RAM usage while linking by using compressed sections.
    (picked from firefox-esr)
  * [62f195d] d/rules: Don't build debug symbols on non 64bit platforms
    Reduce RAM usage while linking even more by not building debugging symbols
    if we build on non 64bit architectures.
    (picked from firefox-esr)

 -- Carsten Schoenert <email address hidden>  Fri, 01 Feb 2019 09:24:30 +0100
Superseded in sid-release
thunderbird (1:60.5.0-1) unstable; urgency=medium

  * d/source.filter: update filter list
    Updating the list of files to filter out while repacking the upstream
    tarball based on recent work done in debian/experimental.
    Unfortunately a lot of semi minimized *.js files from the original
    upstream tarball are later needed within some integrated consoles like the
    AddOn debugger or the error console. Don't filter out such files for now.
    (Closes: #911198)
  * [edab34d] d/changelog: update MFSA information for 60.4.0
    While releasing and uploading the Debian version 1:60.4.0-1 no MFSA
    information was available, adding this information now into the changelog
    entry for 1:60.4.0-1.
  * [f3f44a3] New upstream version 60.5.0
    No dedicated MFSA announcement for this Thunderbird version provided.
  * [ccac089] rebuild patch queue from patch-queue branch
    removed patches (included upstream):
    porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
    porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
    removed patches (dropped by us):
    debian-hacks/Don-t-build-testing-suites-and-stuff.patch
    debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch
    refreshed patches:
    debian-hacks/Add-another-preferences-directory-for-applications-p.patch
    porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
    porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
    porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch
    porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch
    porting-m68k/Add-m68k-support-to-Thunderbird.patch
    porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch
    porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch
  * [43c28c2] d/s/lintian-overrides: more files to ignore
    Related to [4201f43] the override list for the source needs to be adjusted
    as we have now more files included there Lintian is complaining about
    missing source. These files are no 'real' minimized JS files, but they
    mostly have some long lines that trigger the Lintian check.

 -- Carsten Schoenert <email address hidden>  Tue, 29 Jan 2019 20:24:29 +0100
Superseded in experimental-release
thunderbird (1:65.0~b1-1) experimental; urgency=medium

  * [e5956ef] Merge tag 'debian/1%60.4.0-1' into debian/experimental
  * [389748b] d/source.filter: adjust files to filter while repack
    Rework of the file filter list due to the new upstream version but also to
    not filter out files we obviously need later, e.g. for the omni.jar archive.
  * [4b86a78] New upstream version 65.0~b1
  * [3db29ed] rebuild patch queue from patch-queue branch
    removed patches (fixed upstream):
    debian-hacks/icu-use-locale.h-instead-of-xlocale.h.patch
    debian-hacks/shellutil.py-ignore-tilde-as-special-character.patch
    fixes/Build-also-gdata-provider-as-xpi-file.patch
    fixes/Use-msse-2-fpmath-C-CXXFLAGS-only-on-x86_64-platforms.patch
    porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
    porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
    porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch

    removed patches (dropped for Debian specific build):
    debian-hacks/Don-t-build-testing-suites-and-stuff.patch
    debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch

    adjusted patches:
    debian-hacks/Add-another-preferences-directory-for-applications-p.patch
    debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
    patches/fixes/Fix-big-endian-build-for-SKIA.patch (but currently disabled)
    porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
    porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch
    porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch
    porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch
  * [e918c6c] d/control: increase versions in B-D
    New Thunderbird versions typically need other packages available with
    higher versions like NSS, NSPR, rust ...
    Also adding cbindgen and nodejs (!!).
  * [b6c63bf] d/mozconfig.default: remove dead options
    More old configure options are now not available anymore and we need to
    drop them.
  * [0f959ad] remove GCC specific options
    LLVM's clang is now widely used, and clang doesn't know the GCC options
    '-fno-schedule-insns2' and '-fno-lifetime-dse', removing these options
    from CFLAGS and CXXFLAGS.
  * [d0b1f4b] d/rules: work around about strong quotings in .mk files
    After the configuration of the source some Makefiles in the build folder
    'obj-thunderbird' have a strong quoting on some entries. This will
    later provoke a build failure if we don't remove the single quotes
    before in the Makefiles.
  * [093053e] copyright: update after upstream changes
  * [95eaacf] d/s/lintian-overrides: adjust overrides for needed files

 -- Carsten Schoenert <email address hidden>  Sun, 20 Jan 2019 15:48:06 +0100
Superseded in buster-release
Superseded in sid-release
thunderbird (1:60.4.0-1) unstable; urgency=medium

  * [2e5a9d0] d/control: don't hard code LLVM packages in B-D
    (Closes: #912797)
  * [3aaa4a6] New upstream version 60.4.0
    No MFSA published yet by Mozilla Security while packaging this version.
    (Closes: #913645)
  * [12d3be3] debian/control: increase Standards-Version to 4.3.0
    No further changes needed.

 -- Carsten Schoenert <email address hidden>  Mon, 24 Dec 2018 17:04:10 +0100
Superseded in buster-release
Superseded in sid-release
thunderbird (1:60.3.1-1) unstable; urgency=medium

  * [e1b489a] New upstream version 60.3.1
  * [f376b38] lightning: use ${source:Version} in Breaks and Recommends
    (Closes: #914175)
  * [7e560b3] Revert "lintian: adding a semi automated lintian-override"
     The override about a misspelled word Synopsys isn't needed any more.
  * [893c0e6] rebuild patch queue from patch-queue branch
    modified patches:
    debian-hacks/Don-t-build-testing-suites-and-stuff.patch
    debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch
  * [20d8827] d/source.filter: update the filter sequences

 -- Carsten Schoenert <email address hidden>  Sun, 25 Nov 2018 10:02:50 +0100
Superseded in sid-release
Superseded in stretch-release
thunderbird (1:60.2.1-2~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security
    Resync binary packages to build against the version in unstable/testing:
    Upstream isn't shipping localization for bn-bd and ta-lk for Thunderbird
    60.x. Thus the packages {icedove,thunderbird}-l10n-bn-bd,
    {icedove,thunderbird}-l10n-ta-lk got dropped. The localization for pa-in
    was removed for Thunderbird earlier but the transitional packages
    {icedove,iceowl}-l10n-pa-in aren't until now.
    icedove-dev got dropped as we don't have also the referring package
    thunderbird-dev since version 59.
    Besides this localization for cy was added by upstream, reflecting this in
    a new package thunderbird-l10n-cy.
    (Closes: #911292, #911504)

 -- Carsten Schoenert <email address hidden>  Sun, 21 Oct 2018 09:42:27 +0200
Superseded in sid-release
Superseded in stretch-release
thunderbird (1:60.0-2~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security
  * [fd4e834] d/mozconfig.default: use internal libraries
  * [29621ed] d/control: remove no longer needed Build-Depends

 -- Carsten Schoenert <email address hidden>  Tue, 04 Sep 2018 20:14:34 +0200
Published in stretch-release
thunderbird (1:52.9.1-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

 -- Carsten Schoenert <email address hidden>  Thu, 12 Jul 2018 19:09:41 +0200
Superseded in buster-release
Superseded in sid-release
thunderbird (1:60.3.0-1) unstable; urgency=medium

  [ intrigeri ]
  * [7949b31] AppArmor: update profile from upstream at commit f3d9a8b
    (Closes: #903898)
  * [e31dc14] AppArmor: update profile from upstream at commit 81c9457
    (Closes: #908206)

  [ Carsten Schoenert ]
  * [0dcbe22] d/control: add xul-ext-gnome-keyring to Breaks for thunderbird
    (Closes: #907979)
  * [65db00d] armel: adding extra LDFLAGS so rust compiler isn't confused
    The settings that are builtin within rust are conflicting with the GCC.
  * [9c65884] New upstream version 60.3.0
    Fixed CVE issues in upstream version 60.3.0 (MFSA 2018-28)
    CVE-2018-12392: Crash with nested event loops
    CVE-2018-12393: Integer overflow during Unicode conversion while loading
                    JavaScript
    CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3 and
                    Thunderbird 60.3
    CVE-2018-12390: Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3,
                    and Thunderbird 60.3
  * [8726bb1] rebuild patch queue from patch-queue branch
    removed patches (included upstream)
    fixes/Bug-1479540-Accept-triplet-strings-with-only-two-parts-in.patch
    fixes/Bug-1492064-Disable-baseline-JIT-when-SSE2-is-not-support.patch
    fixes/Bug-1492065-Use-Swizzle-fallback-when-SSE2-is-not-support.patch
    porting-mips/Add-struct-ucred-for-Linux-on-MIPS.patch

 -- Carsten Schoenert <email address hidden>  Thu, 01 Nov 2018 12:19:34 +0100
Superseded in sid-release
thunderbird (1:60.2.1-1) unstable; urgency=medium

  * [ba75ca3] logo: move old TB graphics into dedicated folder
  * [ba47234] logo: adding new TB icon *.png graphics
     Like Firefox Thunderbird has also got a reworked logo. As we use some own
     icon created from a SVG graphic this commit adds the new icons in the
     various sizes. The source of the SVG graphic is taken from
     https://demo.identihub.co/thunderbird#/view/icon/element/612
    (Closes: #909108)
  * [0b16a87] d/source.filter: don't remove react files from source
    (Closes: #909046)
  * [d01dfd6] rebuild patch queue from patch-queue branch
    added patches:
    fixes/Bug-1479540-Accept-triplet-strings-with-only-two-parts-in.patch
    fixes/Bug-1482248-don-t-crash-on-empty-file-name-in-nsMsgLocalS.patch
    fixes/Bug-1492064-Disable-baseline-JIT-when-SSE2-is-not-support.patch
    fixes/Bug-1492065-Use-Swizzle-fallback-when-SSE2-is-not-support.patch
    (Closes: #909628, #909039, #906816)
  * [bf64065] New upstream version 60.2.1
    Fixed CVE issues in upstream version 60.2.1 (MFSA 2018-25)
    CVE-2018-12377: Use-after-free in refresh driver timers
    CVE-2018-12378: Use-after-free in IndexedDB
    CVE-2018-12379: Out-of-bounds write with malicious MAR file
    CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
    CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
    CVE-2018-12383: Setting a master password post-Firefox 58 does not delete
                    unencrypted previously stored passwords
  * [b4712af] rebuild patch queue from patch-queue branch
    removed patches (fixed upstream):
    fixes/Bug-1482248-don-t-crash-on-empty-file-name-in-nsMsgLocalS.patch
  * [79057f6] d/control: make lightning-l10n packages transitional
     The l10n content for Lightning and a specific language is now much more
     related to the Thunderbird l10n content. By this the existing lightning
     l10n packages are not really useful any more as we move the Lightning
     l10n content into the respective Thunderbird l10n package and we need to
     turn the existing Lightning l10n packages into transitional packages.
  * [a0ac3b7] d/control: adding Replaces, Breaks, Provides to thunderbird-l10n-*
     Related to the previous commit the Thunderbird l10n packages need some
     more fields in the control file so the transition from lightning-l10n into
     thunderbird-l10n can work.
  * [c82ee7c] d/rules: install lightning l10n into thunderbird-l10n-* packages
     The content for the lightning l10n stuff needs now to be installed into
     thunderbird-l10n packages.
  * [72cd535] d/control: add thunderbird-l10n-cy
     Oops, seems like we never have introduced this language for Thunderbird
     before. Now required to provide the l10n content for Lightning.
  * [510bea6] d/thunderbird-wrapper.sh: improve GDB switch
     Since TB 60 upstream isn't installing the old wrapper script
     run-mozilla.sh any more. By this we need to adjust our starting wrapper
     so the call to start Thunderbird within the GDB debugger is working.

 -- Carsten Schoenert <email address hidden>  Fri, 05 Oct 2018 17:43:49 +0200
Superseded in sid-release
thunderbird (1:60.0-3) unstable; urgency=medium

  * [daa0dd7] locale: use 'intl.locale.requested' correctly
     Thanks to a hint from Sven Joachim we can use the preference setting
     'intl.locale.requested' in a way that users don't need to use this setting
     within their prefs.js to control the language of the Thunderbird UI.
     'intl.locale.requested' is somehow the successor of 'intl.locale.matchOS'.
    (Closes: #908034)
  * [f8ac1b2] debian/control: increase Standards-Version to 4.2.1
     No further changes needed.
  * [a001579] d/control: remove empty 'Replaces' in thunderbird-l10n-da
     We can remove that line of Replaces without any key.

 -- Carsten Schoenert <email address hidden>  Thu, 06 Sep 2018 18:46:31 +0200
Superseded in sid-release
thunderbird (1:60.0-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [71ac5e7] rebuild patch queue from patch-queue branch
    added patches:
    porting-mips/Add-struct-ucred-for-Linux-on-MIPS.patch
    porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
    porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
  * [d94e5dc] d/control: B-D on {lib}clang-6.0* and llvm-6.0-dev
    (Closes: #906707)

 -- Carsten Schoenert <email address hidden>  Mon, 20 Aug 2018 17:57:07 +0200
Superseded in sid-release
thunderbird (1:60.0-1) unstable; urgency=medium

  [ Cyril Brulebois ]
  * [4f1fcd4] Bump B-D libsqlite3-dev version
     Upstream requires a more recent version that is already available in
     unstable but not in Stretch later e.g.
  * [5a790c2] Add libicu-dev to Build-Depends (required for icu-i18n.pc)
     This package was pulled from some other package already but we need this
     explicit now again as we don't use the internal ICU version any more.
  * [8c86207] Bump libhunspell-dev version
     The same as for libsqlite3-dev, adding the correct B-D version.
    (Closes: #905465)

  [ Carsten Schoenert ]
  * [901f257] New upstream version 60.0
    Fixed CVE issues in upstream version 60.0 (MFSA 2018-19)
    CVE-2018-12359: Buffer overflow using computed size of canvas element
    CVE-2018-12360: Use-after-free when using focus()
    CVE-2018-12361: Integer overflow in SwizzleData
    CVE-2018-12362: Integer overflow in SSSE3 scaler
    CVE-2018-5156:  Media recorder segmentation fault when track type is
                    changed during capture
    CVE-2018-12363: Use-after-free when appending DOM nodes
    CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
    CVE-2018-12365: Compromised IPC child process can list local filenames
    CVE-2018-12371: Integer overflow in Skia library during edge builder
                    allocation
    CVE-2018-12366: Invalid data handling during QCMS transformations
    CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
    CVE-2018-5187:  Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1,
                    and Thunderbird 60
    CVE-2018-5188:  Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1,
                    Firefox ESR 52.9, and Thunderbird 60
  * [44ab834] rebuild patch queue from patch-queue branch
    removed patches (applied upstream):
    porting-arm64/Bug-1453892-Only-use-SkJumper-s-arm64-half-float-optimiza.patch
    porting-arm64/Bug-1463036-Use-HAVE_ARM_NEON-instead-of-BUILD_ARM_NEON-f.patch
    porting-armel/Bug-1463036-Add-mfloat-abi-softfp-to-NEON_FLAGS-when-it-m.patch
  * [3168b29] debian/control: increase Standards-Version to 4.2.0
     No further changes needed.
  * [f2f206e] d/rules: use MOZ_LANGPACK_ID instead of hard coding
  * [996352a] d/rules: ensure l10n MOZ_LANGPACK_ID matches variable from
                       makefile
     Previous beta versions for the thunderbird-l10n data have used
     '@firefox.mozilla.org' within their application.id setting. Thunderbird
     now expects '@thunderbird.mozilla.org' instead. Make the build more
     flexible so we can detect mismatches here.
    (Closes: #906176)

 -- Carsten Schoenert <email address hidden>  Sun, 19 Aug 2018 11:32:11 +0200
Superseded in sid-release
Superseded in stretch-release
thunderbird (1:52.8.0-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

  [ intrigeri ]
  * [703c9ec] Revert "apparmor: allow access to @{HOME}/.gnupg/tofu.db"
     (Cherry-picked from debian/sid to not differ the Apparmor settings
      between the Debian releases)

 -- Carsten Schoenert <email address hidden>  Mon, 21 May 2018 17:31:53 +0200
Deleted in experimental-release (Reason: None provided.)
thunderbird (1:60.0~b10-1) experimental; urgency=medium

  [ intrigeri ]
  * [596869d] AppArmor: update profile from upstream (at commit edc9487)
    (Closes: #901471)

  [ Carsten Schoenert ]
  * [57195ff] New upstream version 60.0~b10
  * [770c9a6] rebuild patch queue from patch-queue branch
    added patches:
    porting-arm64/Bug-1463036-Use-HAVE_ARM_NEON-instead-of-BUILD_ARM_NEON-f.patch
    porting-armel/Avoid-using-vmrs-vmsr-on-armel.patch
    porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
    porting-armel/Bug-1463036-Add-mfloat-abi-softfp-to-NEON_FLAGS-when-it-m.patch
  * [7fa6ebd] debian/control: increase Standards-Version to 4.1.5
     No further changes needed.
  * [22e701c] c-l-l10n-t.sh: adjust the path to the python helper
     Adjust the shell script helper to use the changed path to makeversion.py.
  * [90a1d9e] sticky prefs: use the new syntax in vendor.js
     The syntax for locked preferences has been changed a while ago, it's
     time to adjust the entry within vendor.js to disable automatic updates
     for AddOns.

 -- Carsten Schoenert <email address hidden>  Thu, 12 Jul 2018 17:52:27 +0200
Superseded in buster-release
Superseded in sid-release
thunderbird (1:52.9.1-1) unstable; urgency=high

  [ intrigeri ]
  * [1259eaa] AppArmor: update profile from upstream (at commit edc9487)
    (Closes: #901471)

  [ Carsten Schoenert ]
  * [d706f5b] debian/control: increase Standards-Version to 4.1.5
     No further changes needed.
  * [f5a3eb2] New upstream version 52.9.1
    (Closes: #903160)

 -- Carsten Schoenert <email address hidden>  Tue, 10 Jul 2018 19:40:41 +0200
Superseded in sid-release
thunderbird (1:52.9.0-1) unstable; urgency=high

  [ intrigeri ]
  * [c33dba2] Revert "apparmor: allow access to @{HOME}/.gnupg/tofu.db"
  * [cb64397] AppArmor: update profile from upstream (Closes: #900840)
  * [b5d6545] AppArmor: update profile from upstream (at commit 104da32)

  [ Carsten Schoenert ]
  * [099b525] d/source.filter: add some more files to filter
     There are some more files we want to filter out.
  * [376e5f3] New upstream version 52.9.0
    Fixed CVE issues in upstream version 52.9 (MFSA 2018-18)
    CVE-2018-12359: Buffer overflow using computed size of canvas element
    CVE-2018-12360: Use-after-free when using focus()
    CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML
                    emails
    CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward
    CVE-2018-12362: Integer overflow in SSSE3 scaler
    CVE-2018-12363: Use-after-free when appending DOM nodes
    CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
    CVE-2018-12365: Compromised IPC child process can list local filenames
    CVE-2018-12366: Invalid data handling during QCMS transformations
    CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing
                    enter in form field
    CVE-2018-5188:  Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1,
                    Firefox ESR 52.9, and Thunderbird 52.9
  * [83a9c9b] rebuild patch queue from patch-queue branch
     As we have filtered more files out from the source we need to modify the
     list of tests we don't want to build while building the source too, so a
     small adjustment on that.
     Also fixing some spelling issues which Lintian has found.
     modified patches:
     debian-hacks/Don-t-build-testing-suites-and-stuff.patch
     porting-alpha/fix-FTBFS-on-alpha.patch
     porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
     porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch
     renamed patches:
     Allow-to-override-ICU_DATA_FILE-from-the-environment.patch ->
     Allow-one-to-override-ICU_DATA_FILE-from-the-environment.patch
     fix-function-nsMsgComposeAndSend-to-to-respect-Replo.patch ->
     fix-function-nsMsgComposeAndSend-to-respect-ReploToSend.patch
  * [d5254e2] Removed unneeded lintian override about brace expansion

 -- Carsten Schoenert <email address hidden>  Wed, 04 Jul 2018 21:44:26 +0200
Superseded in experimental-release
thunderbird (1:60.0~b9-2) experimental; urgency=medium

  [ intrigeri ]
  * [eb7cb44] Revert "apparmor: allow access to @{HOME}/.gnupg/tofu.db"
  * [4cd8baf] AppArmor: update profile from upstream
    (Closes: #900840)
  * [807eb99] AppArmor: update profile from upstream (at commit 104da32)

  [ Carsten Schoenert ]
  * [c980546] rebuild patch queue from patch-queue branch
    added patch:
    porting-arm64/Bug-1453892-Only-use-SkJumper-s-arm64-half-float-optimiza.patch

 -- Carsten Schoenert <email address hidden>  Sun, 01 Jul 2018 19:15:00 +0200
Superseded in experimental-release
thunderbird (1:60.0~b9-1) experimental; urgency=medium

  * [be64a3e] d/source.filter: update due upstream changes
     Writing the import filter file source.filter mostly complete new from
     scratch. Needed because upstream has changed the structure of the source
     completely.
  * [c4b9113] New upstream version 60.0~b9
  * [3dc900a] rebuild patch queue from patch-queue branch
     Related to the changed source structure the patches for the patch queue
     needs to be adjusted to the new folders and their structure. Thanks to
     git this wasn't that painful as git did all of the job. Two new patches
     are needed to add.
     added patches:
     fixes/Build-also-gdata-provider-as-xpi-file.patch
     debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch
  * [e50ae04] d/rules: remove references to folder 'mozilla'
     To get the source built some targets in debian/rules are needed to be
     modified. All references to the old used folder 'mozilla/' are removed
     now.
  * [a650500] ICU: don't build the Paragraph Layout library
     Disable the build of the Paragraph Layout library, we don't need them if
     we need to built the ICU stuff. Cherry-picked from current ESR 52
     packaging.
  * [977b7fe] d/mozconfig.default: use the ICU package from system
     The Debian packages of icu are recent enough so we don't need to build
     own dedicated ICU binaries.
  * [0c7ed7e] adjust the configuration of the built
     Because of the modified source structure some more adjustments are needed
     while going through the built targets like different paths, and built
     calls of the Thunderbird source.
  * [1c09011] adjust the install temporary folder
     Upstream is now wrapping all internal make calls through a Python wrapper
     called 'mach'. This also involves a changed behavior for installing the
     Thunderbird files into the temporary folder we later use by the debhelper
     sequencer.
  * [bfbc9ca] d/s/lintian-overrides: update content due changed source.filter
     The modified file debian/source.filter make some adjustments needed in
     the lintian-overrides file for the source files related part.
  * [44a4c5a] d/thunderbird.lintian-overrides: update after config changes
     Like before some adjustments are needed for the lintian override rules
     for the source files.
  * [dd48091] d/copyright: adjust the content due folder changes
     And one more file that needs to be adjusted due the changed source files.

 -- Carsten Schoenert <email address hidden>  Sun, 01 Jul 2018 16:12:33 +0200
Published in jessie-release
thunderbird (1:52.8.0-1~deb8u1) jessie-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for jessie-security

  [ intrigeri ]
  * [acc3a6b] Revert "apparmor: allow access to @{HOME}/.gnupg/tofu.db"
     (Cherry-picked from debian/sid to not differ the Apparmor settings
      between the Debian releases)

 -- Carsten Schoenert <email address hidden>  Mon, 21 May 2018 20:37:55 +0200
Superseded in buster-release
Superseded in sid-release
thunderbird (1:52.8.0-1) unstable; urgency=high

  [ intrigeri ]
  * [4656ebf] AppArmor: update profile from upstream
    (Closes: #882048, #882122)

  [ Agustin Henze ]
  * [840cbc8] apparmor: allow access to @{HOME}/.gnupg/tofu.db
    (Closes: #894907)

  [ Carsten Schoenert ]
  * [514e9e8] New upstream version 52.8.0
    Fixed CVE issues in upstream version 52.8 (MFSA 2018-13)
    CVE-2018-5183: Backport critical security fixes in Skia
    CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext
                   attack (aka Efail)
    CVE-2018-5154: Use-after-free with SVG animations and clip paths
    CVE-2018-5155: Use-after-free with SVG animations and text paths
    CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
    CVE-2018-5161: Hang via malformed headers
    CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
                   (aka Efail)
    CVE-2018-5170: Filename spoofing for external attachments
    CVE-2018-5168: Lightweight themes can be installed without user
                   interaction
    CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
                   through legacy extension
    CVE-2018-5185: Leaking plaintext through HTML forms (aka Efail)
    CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8,
                   and Thunderbird 52.8
    (Closes: #898631)
  * [7845229] ICU: don't build the Paragraph Layout library
     Disable the build of the layout library in the internal ICU build as we
     don't need this and can cause build issues.
  * [e0a79fc] debian/control: increase Standards-Version to 4.1.4
     No further changes needed.

 -- Carsten Schoenert <email address hidden>  Thu, 17 May 2018 21:04:15 +0200
Superseded in experimental-release
thunderbird (1:60.0~b6-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [3d91710] create-lightning-l10n: adjust folder structure
     To build more easy lightning-l10n packages let's modify the helper script
     for building the additional tarball. Change the content structure so we
     can simple copy the needed l10n stuff into the l10n packages.
  * [f1d6031] New upstream version 60.0~b6
  * [6643c31] Revert the linking into /u/l/tb/d/extensions
     Thunderbird in Debian won't detect extensions which are placed in
     /usr/lib/thunderbird/distribution/extensions, going back to the old
     folder /usr/lib/thunderbird/extensions to link extensions into
     Thunderbird.
  * [26549a3] lightning: turning package into Architecture all
     Change the architecture for the lightning package from 'any' to 'all'.
     Lightning is only build by Javascript, CSS, JSM and other text based
     files and we don't need to build and install it as a architecture
     dependent package.
  * [86cd48f] mozconfig.default: disable webrtc build and inclusion
     Let's drop the build of support for WebRTC, Thunderbird isn't able to use
     this as there is no component which is depending on this. The chat
     component would be a potential use case but right now it lacks any
     functionality by webrtc features.

 -- Carsten Schoenert <email address hidden>  Sat, 05 May 2018 13:56:36 +0200
Superseded in experimental-release
thunderbird (1:60.0~b5-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [b8625ea] New upstream version 60.0~b5

 -- Carsten Schoenert <email address hidden>  Sat, 28 Apr 2018 19:15:07 +0200
Superseded in experimental-release
thunderbird (1:60.0~b4-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [62ae939] New upstream version 60.0~b4

 -- Carsten Schoenert <email address hidden>  Mon, 23 Apr 2018 18:19:11 +0200
Superseded in experimental-release
thunderbird (1:60.0~b3-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [94f8505] debian/control: increase Standards-Version to 4.1.4
     No further changes needed.
  * [3ba10c6] rebuild patch queue from patch-queue branch
     added patches:
      porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch
      fixes/Use-msse-2-fpmath-C-CXXFLAGS-only-on-x86_64-platforms.patch
      fixes/Fix-big-endian-build-for-SKIA.patch (re-added)
     Thanks Andreas Glaubitz for providing these patches!
  * [dabf294] New upstream version 60.0~b3
  * [24f8a38] re-enable usage of lib{nspr4,nss3}-dev while built
     The available versions of these libraries are now recent enough so we can
     drop the usage of the embedded code copies.

 -- Carsten Schoenert <email address hidden>  Sun, 15 Apr 2018 12:47:43 +0200
Superseded in experimental-release
thunderbird (1:60.0~b2-1) experimental; urgency=medium

  [ Agustin Henze ]
  * [3639717] apparmor: allow access to @{HOME}/.gnupg/tofu.db
   (Closes: #894907)

  [ intrigeri ]
  * [3895bba] AppArmor: fix empty black windows in Thunderbird 58+
    (Closes: #887973)
  * [353ca25] AppArmor: update profile from upstream
    (Closes: #882048, #882122)

  [ Carsten Schoenert ]
  * [37e0bbe] New upstream version 59.0~b1
  * [d75c4be] rebuild patch queue from patch-queue branch
     added patches:
      fixes/Fix-build-against-libcairo2-dev-1.15.10.patch
      patches/fixes/Fix-big-endian-build-for-SKIA.patch

     removed patches:
      debian-hacks/Allow-usage-of-libnspr4-dev-4.16.patch
      fixes/Bug-1418598-Make-cargo-linker-properly-handle-quoted-stri.patch
      thunderbird/Thunderbird-fix-installdir-for-icons.patch
  * [9615d6a] New upstream version 60.0~b1
  * [431006c] d/source.filter: update due upstream changes
     Update the list of files we filter out, Upstream added various new files
      mostly used for auto-testing we don't use.
  * [2cb4635] d/s/lintian-overrides: remove entries about brace expansion
     We can remove the override about brace expansion in dh sequencer files.
  * [4c9f185] debian/rules: using 'rm -f' because probably non existing files
     The file app.ini isn't existing in some l10n folders for lightning,
     simply use '-f' for convenience.
  * [ed00442] debian/rules: fix typo to grep app ID of calendar-g-p
  * [4a993c5] adding additional packages to Breaks with thunderbird
     The packages calendar-exchange-provider and enigmail
     xul-ext-sogo-connector aren't compatible to the webextension interface
     and we need to add a versioned Breaks.
  * [9bd8286] adjust Breaks for enigmail
     Also enigmail needs an adjusted version for Breaks.
  * [24382c2] Revert "Use gcc-6 and g++-6 due broken GUI with GCC-7"
    (Closes: #892404)
  * [f0ac8a5] rebuild patch queue from patch-queue branch
     removed patches:
      debian-hacks/Allow-to-override-ICU_DATA_FILE-from-the-environment.patch
      debian-hacks/remove-non-free-W3C-icon-valid.png.patch
      fixes/Allow-.js-preference-files-to-set-locked-prefs-with-lockP.patch
      fixes/Fix-build-against-libcairo2-dev-1.15.10.patch

     modified patches:
      debian-hacks/Build-against-system-libjsoncpp.patch
      debian-hacks/Don-t-build-testing-suites-and-stuff.patch
      porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
      porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch
  * [6ab35ad] d/mozconfig.default: don't use nspr and nss from system
     We need to switch back to the embedded source for NSS and NSPR, the
     versions in unstable aren't usable.
  * [055ed65] d/mozconfig.default: remove no longer alive option
     The option '--enable-system-cairo' is gone with TB 60.
  * [663d6f1] lightning-l10n-bn-bd: remove Bengali (Bangladesh) l10n package
  * [02b21cb] lightning-l10n-pa-in: remove Punjabi (India) l10n package
  * [0cc0b5d] lightning-l10n-ta-lk: remove Tamil (Sri Lanka) l10n package
  * [62f23a5] thunderbird-l10n-bn-bd: remove (Bangladesh) l10n package
  * [61bfdf4] thunderbird-l10n-pa-in: remove Punjabi (India) l10n package
  * [a361750] thunderbird-l10n-ta-lk: remove Tamil (Sri Lanka) l10n package
  * [8ba5b0d] debian/control: add new packages for *-kk language
  * [e4280ac] debian/control: add new packages for *-ms language
  * [aaef9fe] adjust Vcs fields to salsa.debian.org
  * [144c492, 009b145] debian/copyright: update after upstream changes
     Upstream removed some files/folders, which reflects in needed adjustments
     for the copyright file.
  * [3623f84] d/thunderbird.lintian-overrides: add libnspr4.so and libnss3.so
     We now need to ship (again) embedded libraries for NSPR and NSS.
  * [0d3de65] lightning: move linking into /u/l/tb/distribution/extensions
     Following upstream with the folder for the Lightning to not differ.
  * [4d6cefe] New upstream version 60.0~b2
  * [e1c40a7] rebuild patch queue from patch-queue branch
     removed patches:
      fixes/Fix-big-endian-build-for-SKIA.patch
  * [4834a1d] add entries to README and NEWS for thunderbird
     Adding notes about the current situation for the l10n packages and their
     integration into the UI of Thunderbird and Lightning.

 -- Carsten Schoenert <email address hidden>  Sat, 07 Apr 2018 11:12:37 +0200
Superseded in buster-release
Superseded in sid-release
thunderbird (1:52.7.0-1) unstable; urgency=medium

  * [9eb2692] New upstream version 52.7.0
    Fixed CVE issues in upstream version 52.7 (MFSA 2018-09)
    CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
    CVE-2018-5129: Out-of-bounds write with malformed IPC messages
    CVE-2018-5144: Integer overflow during Unicode conversion
    CVE-2018-5146: Out of bounds memory write in libvorbis
    CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7,
                   and Thunderbird 52.7
    CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and
                   Thunderbird 52.7
  * [a01cf4b] Revert "Use gcc-6 and g++-6 due broken GUI with GCC-7"
     Switching now back to GCC7 as we don't have any longer issues with
     broken visuals in the GUI.
     (Closes: #892404)

 -- Carsten Schoenert <email address hidden>  Mon, 26 Mar 2018 17:21:40 +0200
Superseded in stretch-release
Superseded in sid-release
thunderbird (1:52.6.0-1~deb9u1) stretch-security; urgency=medium

  [ Carsten Schoenert ]
  * Rebuild for stretch-security

 -- Carsten Schoenert <email address hidden>  Sun, 28 Jan 2018 08:05:28 +0100
Superseded in buster-release
Superseded in sid-release
thunderbird (1:52.6.0-1) unstable; urgency=high

  * [97e1cd7] New upstream version 52.6.0
    Fixed CVE issues in upstream version 52.6 (MFSA 2018-04)
    CVE-2018-5095: Integer overflow in Skia library during edge builder
                   allocation
    CVE-2018-5096: Use-after-free while editing form elements
    CVE-2018-5097: Use-after-free when source document is manipulated
                   during XSLT
    CVE-2018-5098: Use-after-free while manipulating form input elements
    CVE-2018-5099: Use-after-free with widget listener
    CVE-2018-5102: Use-after-free in HTML media elements
    CVE-2018-5103: Use-after-free during mouse event handling
    CVE-2018-5104: Use-after-free during font face manipulation
    CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
    CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
                   and Thunderbird 52.6
  * [0300242] rebuild patch queue from patch-queue branch
     Added patch debian-hacks/icu-use-locale.h-instead-of-xlocale.h.patch
     that fixes the build of the included ICU source against glibc 2.26.
     (Closes: #887766)
  * [4bf22e0] debian/control: increase Standards-Version to 4.1.3
     No further changes needed.
  * [3616443] adjust Vcs fields to salsa.debian.org
     The Vcs for Thunderbird packaging live now on Salsa as Alioth will be
     shutdown in the future.
  * [c2f3e14] lintian: ignore non multiarch install folder for thunderbird.pc
     Ignore a lintian warning about unavailable pkg-config file thunderbird.pc
      as the ESR versions 52.x are the last series which will have a
      thunderbird-dev. The next ESR version will be 60.x which uses
      webextension and makes thunderbird-dev obsolete.

 -- Carsten Schoenert <email address hidden>  Thu, 25 Jan 2018 20:21:10 +0100
Deleted in experimental-release (Reason: None provided.)
thunderbird (1:58.0~b3-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [d114338] d/source.filter: update due upstream changes
     Update the filtering list for excluding some unwanted source files as
     usual while preparing new major upstream versions.
  * [91d23a9] New upstream version 58.0~b3
  * [f34e555] rebuild patch queue from patch-queue branch
     added patches:
      debian-hacks/Allow-usage-of-libnspr4-dev-4.16.patch
      debian-hacks/icu-use-locale.h-instead-of-xlocale.h.patch
      debian-hacks/shellutil.py-ignore-tilde-as-special-character.patch
      fixes/Bug-1418598-Make-cargo-linker-properly-handle-quoted-stri.patch

     modified patches:
      debian-hacks/Build-against-system-libjsoncpp.patch
      debian-hacks/Don-t-build-testing-suites-and-stuff.patch
      porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
      porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch
      porting-m68k/Add-m68k-support-to-Thunderbird.patch
      porting-sh4/Add-sh4-support-to-Thunderbird.patch
      porting/Disable-optimization-on-alpha-for-the-url-classifier.patch
      prefs/Don-t-auto-disable-extensions-in-system-directories.patch
      prefs/Set-javascript.options.showInConsole.patch

     obsolete patches (included somehow or fixed upstream):
      debian-hacks/Force-use-the-i686-rust-target.patch
      porting-alpha/FTBFS-alpha-adjust-some-source-to-prevent-build-issues.patch
      patches/porting-alpha/fix-FTBFS-on-alpha.patch
      patches/porting-arm64/Bug-1257055-Use-jit-arm64-Architecture-arm64.h-on-non-JIT.patch
      patches/porting-hppa/FTBFS-hppa-xpcshell-segfaulting-during-make-install.patch
      porting-kfreebsd-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS-systems.patch
      porting-mips/FTBFS-mips-add-missing-char-variable.patch
      porting/ppc-fix-divide-page-size-in-jemalloc.patch
      thunderbird-l10n/thunderbird-l10n-disable-external-extension-update.patch
  * [bd45d47] debian/control: adding new Build-Depends
     Since this is the first version > 52 we need now cargo, clang, rustc and
     llvm development files.
  * [c63a03f] d/mozconfig.default: remove no longer alive options
     Some old options like --disable-gnomeui, --enable-gio, and
     --with-default-mozilla-five-home are history now.
  * [609dbbe] l10n lightning: modify script to work with recent version
     We still need to use the shellscript create-lightning-l10n-tarball.sh
     (and also *-thunderbird-l10n-*) to create the additional tarballs.
  * [2f276b7] thunderbird-l10n: change tb-l10n package installation
     Due the changed structure from upstream for the thunderbird l10n files
     the packaging needs also to be adopted.
  * [ee476f8] d/thunderbird.install: update install sequencer file
     Also small adjustments are needed for the installation of the thunderbird
     binary files. The old script run-mozilla.sh (which we didn't have used
     within the Debian packaging) isn't shipped now, and there is now a new
     folder gtk2 which includes the libmozgtk library linked against GTK2.
  * [ced9d18] thunderbird-dev: remove the package and adjustments on this
     The complete content that was packaged previously in thunderbird-dev
     isn't created and installed now. Thus makes the old package
     thunderbird-dev obsolete.
  * [484a142] autopkgtests: disable tests around thunderbird-dev
     Disable all autopkgtests which have used thunderbird-dev.
  * [0aa2546] switch to system libraries back
     We can now use the system libraries libnspr4, libnss3 and libsqlite3
     again, the version of libicu is still too old for usage within the
     package build.
  * [858ae82] d/control: thunderbird, remove variable ${gnome:Depends}
  * [7c3a258] d/control: lightning, remove variable ${shlibs:Depends}
  * [aabf0d4] debian/source/lintian-overrides: update entries
  * [94b00db] debian/control: increase Standards-Version to 4.1.3
     No further changes needed.
  * [245e8c2] debian/copyright: update after upstream changes
     Also almost needed with new major upstream versions reflect the
     changes from upstream in the copyright file.
  * [72507b2] d/control: enigmail < 1.9.9 isn't working with TB > 55
     Due to the new plugin interface some old plugins don't work with this
     thunderbird version anymore, or behave unexpectedly. Enigmail is one of
     these (known) plugins which needs to be installed at least in version
     2.0a2pre to work with Thunderbird.
  * [6cf0133] lightning-l10n: change l10n installation
     Related to [4abc7f2] the various thunderbird-l10n packages need to be
     installed differently to old package installations.
  * [6af7054] calendar-google-provider: tweak installation a bit
     More a hack but the Mozilla plugin installation by mozilla-devscripts
     isn't prepared for the new webextension logic by Mozilla. Symlinking the
     c-g-p plugin for now directly from the thunderbird extension folder.

 -- Carsten Schoenert <email address hidden>  Sun, 21 Jan 2018 14:03:39 +0100
Superseded in buster-release
Superseded in sid-release
thunderbird (1:52.5.2-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [f597157] Revert "d/thunderbird.postinst: reload AA profile on updates"
              The trigger automatics for apparmor already is handling the
              needed reload on profile updates for the applications.
              (Closes: #885158)
  * [8ebdb96] debian/control: increase Standards-Version to 4.1.2
              No further changes needed.
  * [81a8c00] use inverse logic on version for AA profile status check
              By this change we don't enforce the disabled profile from the
              previous version in some cases and can also handle possible
              version strings from -security and -backports.
              (Closes: #885157)

 -- Carsten Schoenert <email address hidden>  Tue, 26 Dec 2017 14:56:40 +0100
Superseded in sid-release
thunderbird (1:52.5.2-1) unstable; urgency=high

  [ intrigeri ]
  * [b791221] AppArmor: support new thunderbird executable path
    (Closes: #883561, #884217)

  [ Carsten Schoenert ]
  * [1f46308] New upstream version 52.5.2
    Fixed CVE issues in upstream version 52.5 (MFSA 2017-30)
    CVE-2017-7829: Mailsploit part 1: From address with encoded null character
                   is cut off in message header display
    CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
    CVE-2017-7847: Local path string can be leaked from RSS feed
    CVE-2017-7848: RSS Feed vulnerable to new line Injection
  * [0dd21b9] d/thunderbird.postinst: reload AA profile on updates
  * [8c57218] don't disable AA profile on package updates
              As people want to re-enable the AA profile an update of
              thunderbird doesn't have to disable this again.
              (Closes: #884191)

 -- Carsten Schoenert <email address hidden>  Sun, 24 Dec 2017 11:30:09 +0100