Change log for thunderbird package in Debian

76150 of 229 results
Superseded in sid-release
thunderbird (1:91.11.0-1) unstable; urgency=medium

  * [05a947d] New upstream version 91.11.0
    Fixed CVE issues in upstream version 91.11 (MFSA 2022-26:
    CVE-2022-34479: A popup window could be resized in a way to overlay the
                    address bar with web content
    CVE-2022-34470: Use-after-free in nsSHistory
    CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed
                    via retargeted javascript: URI
    CVE-2022-2226: An email with a mismatching OpenPGP signature date was
                   accepted as valid
    CVE-2022-34481: Potential integer overflow in ReplaceElementsAt
    CVE-2022-31744: CSP bypass enabling stylesheet injection
    CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being
                    blocked
    CVE-2022-2200: Undesired attributes could be set as part of prototype
                   pollution
    CVE-2022-34484: Memory safety bugs fixed in Thunderbird 91.11 and
                    Thunderbird 102
    (Closes: #1014004)
  * [4c4944d] Rebuild patch queue from patch-queue branch
    Added patch:
    fixes/Bug-1773070-Rename-remove-some-eventState-s-variables.-r-.patch

 -- Carsten Schoenert <email address hidden>  Fri, 01 Jul 2022 20:12:40 +0200
Deleted in experimental-release (Reason: None provided.)
thunderbird (1:102.0~b7-1) experimental; urgency=medium

  * [edf32aa] New upstream version 102.0~b7
  * [c9dd3e0] d/control: Remove not required B-D
  * [ac2ec70] d/mozconfig.default: Remove commented out options

 -- Carsten Schoenert <email address hidden>  Tue, 21 Jun 2022 19:06:58 +0200
Superseded in experimental-release
thunderbird (1:102.0~b4-1) experimental; urgency=medium

  * [8f34a01] d/source.filter: Small updates to filtering list
  * [e1d4c7c] New upstream version 102.0~b4
  * [c97416b] Rebuild patch-queue from patch queue branch
    Removed patch (needs update):
    fixes/Bug-1494436-Unset-MOZ_APP_LAUNCHER-for-external-MIME-hand.patch
    Removed patch (fixed upstream):
    porting-armhf/Don-t-use-LLVM-internal-assembler-on-armhf.patch
  * [68712eb] d/mozconfig.default: Disable wasm sandboxing
  * [a1df764] d/mozconfig.default: Remove openpgp option
    Supporting OpenPGP functionality is now set on by default.
  * [607c321] d/mozconfig.default: Add/Update some configure options
  * [efc728e] d/rules: Add new needed variable MOZBUILD_STATE_PATH
  * [7b0d743] d/rules: Ensure python is used from the environment
  * [26053f1] Build against system librnp library
    Unfortunately using librnp-dev requires the usage of the internal
    versions of botan, bz2 and jsonc.
    (Closes: #998848)
  * [5e904d8] d/control: Bump various build dependencies
  * [94ee0da] d/thunderbird.docs: Update content to install
  * [477f949] d/control: Increase Standards-Version to 4.6.1
    No further changes needed.

 -- Carsten Schoenert <email address hidden>  Wed, 15 Jun 2022 16:47:29 +0200
Superseded in sid-release
thunderbird (1:91.10.0-1) unstable; urgency=medium

  * [969960a] New upstream version 91.10.0
    Fixed CVE issues in upstream version 91.9.1 (MFSA 2022-19):
    CVE-2022-1802: Prototype pollution in Top-Level Await implementation
    CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading
                   to prototype pollution

    Fixed CVE issues in upstream version 91.10 (MFSA 2022-22):
    CVE-2022-31736: Cross-Origin resource's length leaked
    CVE-2022-31737: Heap buffer overflow in WebGL
    CVE-2022-31738: Browser window spoof using fullscreen mode
    CVE-2022-31739: Attacker-influenced path traversal when saving downloaded
                    files
    CVE-2022-31740: Register allocation problem in WASM on arm64
    CVE-2022-31741: Uninitialized variable leads to invalid memory read
    CVE-2022-1834: Braille space character caused incorrect sender email to be
                   shown for a digitally signed email
    CVE-2022-31742: Querying a WebAuthn token with a large number of
                    allowCredential entries may have leaked cross-origin
                    information
    CVE-2022-31747: Memory safety bugs fixed in Thunderbird 91.10
  * [4b55e16] d/control: Increase Standards-Version to 4.6.0
    No further changes needed.

 -- Carsten Schoenert <email address hidden>  Mon, 30 May 2022 19:36:06 +0200
Superseded in sid-release
thunderbird (1:91.9.0-1) unstable; urgency=medium

  * [88b99d1] New upstream version 91.9.0
    Fixed CVE issues in upstream version 91.9 (MFSA 2022-18):
    CVE-2022-1520: Incorrect security status shown after viewing an attached
                   email
    CVE-2022-29914: Fullscreen notification bypass using popups
    CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
    CVE-2022-29916: Leaking browser history with CSS variables
    CVE-2022-29911: iframe sandbox bypass
    CVE-2022-29912: Reader mode bypassed SameSite cookies
    CVE-2022-29913: Speech Synthesis feature not properly disabled
    CVE-2022-29917: Memory safety bugs fixed in Thunderbird 91.9

 -- Carsten Schoenert <email address hidden>  Mon, 16 May 2022 13:51:59 +0200
Superseded in sid-release
thunderbird (1:91.8.1-1) unstable; urgency=medium

  * [b57406c] New upstream version 91.8.1
    (Closes: #1009321)

 -- Carsten Schoenert <email address hidden>  Tue, 19 Apr 2022 20:27:13 +0200
Superseded in sid-release
thunderbird (1:91.8.0-1) unstable; urgency=medium

  * [06619c5] New upstream version 91.8.0
    Fixed CVE issues in upstream version 91.8 (MFSA 2022-15):
    CVE-2022-1097: Use-after-free in NSSToken objects
    CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions
    CVE-2022-1197: OpenPGP revocation information was ignored
    CVE-2022-1196: Use-after-free after VR Process destruction
    CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument
    CVE-2022-28285: Incorrect AliasSet used in JIT Codegen
    CVE-2022-28286: iframe contents could be rendered outside the border
    CVE-2022-24713: Denial of Service via complex regular expressions
    CVE-2022-28289: Memory safety bugs fixed in Thunderbird 91.8

 -- Carsten Schoenert <email address hidden>  Wed, 06 Apr 2022 20:08:25 +0200
Superseded in sid-release
thunderbird (1:91.7.0-2) unstable; urgency=medium

  * [c348b62] Rebuild patch-queue from patch queue branch
    Added patch:
    fixes/Bug-1494436-Unset-MOZ_APP_LAUNCHER-for-external-MIME-hand.patch
    (Closes: #948691)
    Thanks go out to Simon McVittie for preparing this patch!

 -- Carsten Schoenert <email address hidden>  Wed, 16 Mar 2022 06:55:46 +0100
Superseded in sid-release
thunderbird (1:91.7.0-1) unstable; urgency=medium

  * [952f6d0] New upstream version 91.7.0
    Fixed CVE issues in upstream version 91.7 (MFSA 2022-12):
    CVE-2022-26383: Browser window spoof using fullscreen mode
    CVE-2022-26384: iframe allow-scripts sandbox bypass
    CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on
                    signatures
    CVE-2022-26381: Use-after-free in text reflows
    CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other
                    local users

 -- Carsten Schoenert <email address hidden>  Tue, 15 Mar 2022 17:54:46 +0100
Superseded in sid-release
thunderbird (1:91.6.2-1) unstable; urgency=medium

  * [2f95b97] New upstream version 91.6.2
    Fixed CVE issues in upstream version 91.6.2 (MFSA 2022-09):
    CVE-2022-26485: Use-after-free in XSLT parameter processing
    CVE-2022-26486: Use-after-free in WebGPU IPC Framework

 -- Carsten Schoenert <email address hidden>  Tue, 08 Mar 2022 08:40:12 +0100
Superseded in sid-release
thunderbird (1:91.6.1-1) unstable; urgency=medium

  * [3edb855] New upstream version 91.6.1
    Fixed CVE issues in upstream version 91.6.1 (MFSA 2022-07):
    CVE-2022-0566: Crafted email could trigger an out-of-bounds write

 -- Carsten Schoenert <email address hidden>  Sat, 19 Feb 2022 11:01:46 +0100
Superseded in sid-release
thunderbird (1:91.6.0-1) unstable; urgency=medium

  * [884ccb6] New upstream version 91.6.0
    Fixed CVE issues in upstream version 91.6 (MFSA 2022-06):
    CVE-2022-22754: Extensions could have bypassed permission confirmation
                    during update
    CVE-2022-22756: Drag and dropping an image could have resulted in the
                    dropped object being an executable
    CVE-2022-22759: Sandboxed iframes could have executed script if the parent
                    appended elements
    CVE-2022-22760: Cross-Origin responses could be distinguished between
                    script and non-script content-types
    CVE-2022-22761: frame-ancestors Content Security Policy directive was not
                    enforced for framed extension pages
    CVE-2022-22763: Script Execution during invalid object state
    CVE-2022-22764: Memory safety bugs fixed in Thunderbird 91.6
    (Closes: #1004951)

 -- Carsten Schoenert <email address hidden>  Fri, 11 Feb 2022 18:50:23 +0100
Superseded in sid-release
thunderbird (1:91.5.1-1) unstable; urgency=medium

  * [130bab2] New upstream version 91.5.1

 -- Carsten Schoenert <email address hidden>  Sun, 23 Jan 2022 18:41:12 +0100
Superseded in sid-release
thunderbird (1:91.5.0-2) unstable; urgency=medium

  * [fd07163] autopkgtest: Run check-global-config-path.py only on Intel

 -- Carsten Schoenert <email address hidden>  Wed, 12 Jan 2022 20:46:54 +0100
Superseded in sid-release
thunderbird (1:91.5.0-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [8d4e5f8] New upstream version 91.5.0
    Fixed CVE issues in upstream version 91.5 (MFSA 2022-03):
    CVE-2022-22743: Browser window spoof using fullscreen mode
    CVE-2022-22742: Out-of-bounds memory access when inserting text in edit
                    mode
    CVE-2022-22741: Browser window spoof using fullscreen mode
    CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
    CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
    CVE-2022-22737: Race condition when playing audio files
    CVE-2021-4140: Iframe sandbox bypass with XSLT
    CVE-2022-22748: Spoofed origin on external protocol launch dialog
    CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation
                    event
    CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully
                    escape website-controlled data, potentially leading to
                    command injection
    CVE-2022-22747: Crash when handling empty pkcs7 sequence
    CVE-2022-22739: Missing throttling on external protocol launch dialog
    CVE-2022-22751: Memory safety bugs fixed in Thunderbird 91.5
  * [a86c0b4] Rebuild patch queue from patch-queue branch
    Modified patch:
    debian-hacks/Add-another-preferences-directory-for-applications-p.patch
    Reworking the patch so LoadDirIntoArray is working again that is adding
    an additional syspref folder for global settings to use.
    (Closes: #997841, #1003280)
  * [442988b] autopkgtest: Adding check for accessing syspref folder

  [ Jochen Sprickerhof ]
  * [5b5d508] d/thunderbird-wrapper.sh: Use 'command -v'
    (Closes:#1002570 )

 -- Carsten Schoenert <email address hidden>  Tue, 11 Jan 2022 19:12:50 +0100
Superseded in sid-release
thunderbird (1:91.4.1-1) unstable; urgency=medium

  * [c5b36d3] New upstream version 91.4.1
    Fixed CVE issues in upstream version 91.4.1 (MFSA 2021-55):
    CVE-2021-4126: OpenPGP signature status doesn't consider additional
                   message content
    CVE-2021-44538: Matrix chat library libolm bundled with Thunderbird
                    vulnerable to a buffer overflow
  * [b66bebb] d/changelog: Update some MOZ-* entries with assigned CVEs

 -- Carsten Schoenert <email address hidden>  Mon, 20 Dec 2021 16:05:02 +0100
Superseded in sid-release
thunderbird (1:91.4.0-1) unstable; urgency=medium

  * [7752be0] d/source.filter: Small updates to filtering list
  * [0899850] New upstream version 91.4.0
    Fixed CVE issues in upstream version 91.4 (MFSA 2021-54):
    CVE-2021-43536: URL leakage when navigating while executing asynchronous
                    function
    CVE-2021-43537: Heap buffer overflow when using structured clone
    CVE-2021-43538: Missing fullscreen and pointer lock notification when
                    requesting both
    CVE-2021-43539: GC rooting failure when calling wasm instance methods
    CVE-2021-43541: External protocol handler parameters were unescaped
    CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence
                    of an external protocol handler
    CVE-2021-43543: Bypass of CSP sandbox directive when embedding
    CVE-2021-43545: Denial of Service when using the Location API in a loop
    CVE-2021-43546: Cursor spoofing could overlay user interface when native
                    cursor is zoomed
    CVE-2021-43528: JavaScript unexpectedly enabled for the composition area
    MOZ-2021-0009: Memory safety bugs fixed in Thunderbird 91.4.0
  * [afd7750] d/t.lintian-overrides: Update entries due renamed tags
    Some Lintan tags were renamed, thus requires am adjustment of the existing
    overrides.
  * [30a387c] d/s/lintian-overrides: Adjust most of the existing entries
    Same as before but for the source package.

 -- Carsten Schoenert <email address hidden>  Tue, 07 Dec 2021 18:26:44 +0100
Superseded in sid-release
thunderbird (1:91.3.2-1) unstable; urgency=medium

  * [7fd56f0] New upstream version 91.3.2
  * [4fccecb] Rebuild patch queue from patch-queue branch
    Added patch:
    debian-hacks/Fix-Floating-Point-Normalization-breakage-on-32bit-Linux.patch

 -- Carsten Schoenert <email address hidden>  Sun, 21 Nov 2021 18:29:42 +0100
Superseded in sid-release
thunderbird (1:91.3.0-1) unstable; urgency=medium

  * [1d3e0b1] Revert "Rebuild patch queue from patch-queue branch"
    The patch for fixing the broken build on i386 breaks other architectures,
    so reverting for now.
  * [66755b4] New upstream version 91.3.0
    Fixed CVE issues in upstream version 91.3 (MFSA 2021-50):
    CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
    CVE-2021-38504: Use-after-free in file picker dialog
    CVE-2021-38506: Thunderbird could be coaxed into going into fullscreen
                    mode without notification or warning
    CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass
                    the Same-Origin-Policy on services hosted on other ports
    MOZ-2021-0008: Use-after-free in HTTP2 Session object (no CVE assigned yet)
    CVE-2021-38508: Permission Prompt could be overlaid, resulting in user
                    confusion and potential spoofing
    CVE-2021-38509: Javascript alert box could have been spoofed onto an
                    arbitrary domain
    MOZ-2021-0007: Memory safety bugs fixed in Thunderbird ESR 91.3 (no CVE
                   assigned yet)

 -- Carsten Schoenert <email address hidden>  Wed, 03 Nov 2021 18:14:09 +0100
Superseded in sid-release
thunderbird (1:91.2.1-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [bcb5677] d/gbp.conf: Adjust to upstream-91.x
  * [12a433a] New upstream version 91.2.1
  * [f935b52] Rebuild patch queue from patch-queue branch
    Added patch:
    debian-hacks/Fix-Floating-Point-Normalization-breakage-on-32bit-Linux.patch
  * [3faba71] Disable usage of system icu package
    The system packages of libicu-dev are to old for Thunderbird, we need to
    use the internel pre-shipped ICU sources.

 -- Carsten Schoenert <email address hidden>  Sat, 23 Oct 2021 08:59:32 +0200
Deleted in experimental-release (Reason: None provided.)
thunderbird (1:91.2.0-1) experimental; urgency=medium

  * [3c88844] New upstream version 91.2.0
    Fixed CVE issues in upstream version 91.2 (MFSA 2021-47):
    CVE-2021-38502: Downgrade attack on SMTP STARTTLS connections
    CVE-2021-38496: Use-after-free in MessageTask
    CVE-2021-38497: Validation message could have been overlaid on another
                    origin
    CVE-2021-38498: Use-after-free of nsLanguageAtomService object
    CVE-2021-32810: Data race in crossbeam-deque
    CVE-2021-38500: Memory safety bugs fixed in Thunderbird 91.2
    CVE-2021-38501: Memory safety bugs fixed in Thunderbird 91.2
    (Closes: #973042)

 -- Carsten Schoenert <email address hidden>  Sat, 16 Oct 2021 08:27:55 +0200
Published in buster-release
thunderbird (1:78.14.0-1~deb10u1) buster-security; urgency=medium

  * Rebuild for buster-security

 -- Carsten Schoenert <email address hidden>  Thu, 09 Sep 2021 19:34:41 +0200
Published in buster-release
thunderbird (1:78.8.0-1~deb10u1) stable-security; urgency=medium

  * Rebuild for buster-security

 -- Carsten Schoenert <email address hidden>  Sat, 27 Feb 2021 09:57:18 +0100
Superseded in bullseye-release
thunderbird (1:78.14.0-1~deb11u1) bullseye-security; urgency=medium

  * Rebuild for bullseye-security

 -- Carsten Schoenert <email address hidden>  Thu, 09 Sep 2021 16:34:19 +0200
Superseded in experimental-release
thunderbird (1:91.1.1-1) experimental; urgency=medium

  * [73e3b75] New upstream version 91.1.1
  * [3413d35] Rebuild patch queue from patch-queue branch
    Removed patch:
    fixes/Bug-1727113-Never-require-that-addons-are-signed-for-Thun.patch

 -- Carsten Schoenert <email address hidden>  Mon, 20 Sep 2021 20:43:25 +0200
Superseded in sid-release
thunderbird (1:78.14.0-1) unstable; urgency=medium

  * [6dc6817] d/changelog: Correct TB version for referenced MFSA
  * [38f01f4] d/rules: Don't run dh_autoreconf
    (Closes: #993494)
  * [09c4cde] New upstream version 78.14.0
    Fixed CVE issues in upstream version 78.14.0 (MFSA 2021-42):
    CVE-2021-38493: Memory safety bugs fixed in Thunderbird 78.14 and
                    Thunderbird 91.1

 -- Carsten Schoenert <email address hidden>  Wed, 08 Sep 2021 19:57:22 +0200
Superseded in experimental-release
thunderbird (1:91.1.0-1) experimental; urgency=medium

  * [0b1d9f9] New upstream version 91.1.0
    Fixed CVE issues in upstream version 91.1 (MFSA 2021-41):
    CVE-2021-38495: Memory safety bugs fixed in Thunderbird 91.1
  * [4313e64] Rebuild patch queue from patch-queue branch
    Added patch:
    fixes/Bug-1727113-Never-require-that-addons-are-signed-for-Thun.patch
    (Closes: #993594)
    Modified patch:
    porting-armhf/Bug-1526653-Include-struct-definitions-for-user_vfp-and-u.patch
  * [234c566] d/rules: Don't run dh_autoreconf
    (Closes: #993494)
  * [bce15d7] thunderbird: Set package x11-utils as fallback
    Install x11-utils only if kdialog or zenity aren't present on the system.

 -- Carsten Schoenert <email address hidden>  Sun, 05 Sep 2021 07:36:10 +0200
Superseded in experimental-release
thunderbird (1:91.0.2-1) experimental; urgency=medium

  * [a5efefd] New upstream version 91.0.2
    Fixed CVE issues in upstream version 91.0.1 (MFSA 2021-37):
    CVE-2021-29991: Header Splitting possible with HTTP/3 Responses
  * [b21a07b] d/control: increase Standards-Version to 4.6.0
    No further changes needed.

 -- Carsten Schoenert <email address hidden>  Mon, 23 Aug 2021 20:05:01 +0200
Superseded in sid-release
thunderbird (1:78.13.0-1) unstable; urgency=medium

  * [b4498b0] New upstream version 78.13.0
    Fixed CVE issues in upstream version 78.12 (MFSA 2021-35):
    CVE-2021-29986: Race condition when resolving DNS names could have led to
                    memory corruption
    CVE-2021-29988: Memory corruption as a result of incorrect style treatment
    CVE-2021-29984: Incorrect instruction reordering during JIT optimization
    CVE-2021-29980: Uninitialized memory in a canvas object could have led to
                    memory corruption
    CVE-2021-29985: Use-after-free media channels
    CVE-2021-29989: Memory safety bugs fixed in Thunderbird 78.13

 -- Carsten Schoenert <email address hidden>  Thu, 12 Aug 2021 16:13:25 +0200
Deleted in experimental-release (Reason: None provided.)
thunderbird (1:91.0~b5-1) experimental; urgency=medium

  * [8a9083f] d/control: Adjust VCS links to branch debian/experimental
  * [acf4b3c] d/source.filter: some updates to filtering list
  * [84d1b87] New upstream version 91.0~b5

 -- Carsten Schoenert <email address hidden>  Sat, 31 Jul 2021 11:25:47 +0200
Superseded in experimental-release
thunderbird (1:91.0~b3-1) experimental; urgency=medium

  * [90a153b] New upstream version 91.0~b3
  * [ada2cf0] d/control: Remove transitional package lightning
  * [3e5087f] d/control: Remove obsolete lightning-l10-* packages
  * [6eac520] d/control: Remove Suggests on libgtk2.0-0 fur thunderbird
    (Closes: #967771)

 -- Carsten Schoenert <email address hidden>  Sat, 24 Jul 2021 10:37:52 +0200
Deleted in experimental-release (Reason: None provided.)
thunderbird (1:91.0~b1-1) experimental; urgency=medium

  * [78f0ddb] d/source.filter: some updates to filtering list
  * [3d29fcf] New upstream version 91.0~b1
    (Closes: #990631)
  * [daa7fab] d/control: Increase some Build-Depends
  * [f4bfd22] d/control: Remove libgtk2.0-dev from Build-Depends
  * [ad4e281] d/s/lintian-overrides: Adding one more file to ignore

 -- Carsten Schoenert <email address hidden>  Mon, 19 Jul 2021 22:04:15 +0200
Superseded in bullseye-release
Superseded in sid-release
thunderbird (1:78.12.0-1) unstable; urgency=medium

  * [74d3cdb] New upstream version 78.12.0
    Fixed CVE issues in upstream version 78.12 (MFSA 2021-30):
    CVE-2021-29969: IMAP server responses sent by a MITM prior to STARTTLS
                    could be processed
    CVE-2021-29970: Use-after-free in accessibility features of a document
    CVE-2021-30547: Out of bounds write in ANGLE
    CVE-2021-29976: Memory safety bugs fixed in Thunderbird 78.12

 -- Carsten Schoenert <email address hidden>  Sat, 17 Jul 2021 09:33:28 +0200
Superseded in experimental-release
thunderbird (1:90.0~b2-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [3cc0d66] d/source.filter: some updates to filtering list
  * [3c76a94] New upstream version 90.0~b2
  * [46718fe] rebuild patch queue from patch-queue branch
    removed patches:
    fixes/reduce-the-rust-debuginfo-level-on-selected-architectures.patch
    debian-hacks/Work-around-Debian-bug-844357.patch
  * [156d3c9] d/thunderbird.1: Correct debugger option
  * [ca7daca] /u/l/thunderbird: Correct escape sequencing for gdb calling
    (Closes: #976979)
  * [f310330] d/thunderbird-wrapper.sh: Use '${}' syntax for variables
  * [0ef3788] d/thunderbird.install: Remove gtk2 cruft
  * [17b0510] d/copyright: Update due removed content
  * [feca305] d/s/lintian-override: Remove two no longer existing entries

  [ Kevin Locke ]
  * [dbe3c3e] d/thunderbird-wrapper.sh: Make gdb call more fail safe
    (Closes:#942799)

 -- Carsten Schoenert <email address hidden>  Sun, 20 Jun 2021 14:51:49 +0200
Superseded in sid-release
thunderbird (1:78.11.0-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [241e539] d/thunderbird.1: Correct debugger option
    Remove parts that are no longer valid, especially there is no dedicated
    shell script any more the user has to start, calling 'thunderbird -g' is
    enough to start a GDB call.
  * [66deb37] thunderbird: Use internal NSS source while package built
    (Closes: #989839, #989843, #989979, #989983, #989922, #990012)
  * [07fb6ef] d/thunderbird-wrapper.sh: Use '${}' syntax for variables

  [ Kevin Locke ]
  * [d003e26] d/thunderbird-wrapper.sh: Make gdb call more fail safe
    (Closes: #942799)

 -- Carsten Schoenert <email address hidden>  Sun, 20 Jun 2021 07:20:41 +0200
Superseded in sid-release
thunderbird (1:78.11.0-1) unstable; urgency=medium

  * [42c4a87] New upstream version 78.11.0
    Fixed CVE issues in upstream version 78.11 (MFSA 2021-26):
    CVE-2021-29967: Memory safety bugs fixed in Thunderbird 78.11

 -- Carsten Schoenert <email address hidden>  Thu, 03 Jun 2021 17:22:34 +0200
Superseded in experimental-release
thunderbird (1:89.0~b2-1) experimental; urgency=medium

  * [74911c7] New upstream version 89.0~b2
  * [b4fef2a] rebuild patch queue from patch-queue branch
    modified patches:
    debian-hacks/Don-t-register-plugins-if-the-MOZILLA_DISABLE_PLUGIN.patch
    porting-armhf/Don-t-use-LLVM-internal-assembler-on-armhf.patch
    porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
    removed patches:
    debian-hacks/Don-t-register-plugins-if-the-MOZILLA_DISABLE_PLUGIN.patch
  * [ea6a29e] d/control: Increase B-D for cbindgen and libnss3-dev

 -- Carsten Schoenert <email address hidden>  Thu, 03 Jun 2021 19:40:08 +0200
Superseded in sid-release
thunderbird (1:78.10.2-1) unstable; urgency=medium

  * [69552d8] New upstream version 78.10.2
    Fixed CVE issues in upstream version 78.10.2 (MFSA 2021-22):
    CVE-2021-29957: Partial protection of inline OpenPGP message not indicated
    CVE-2021-29956: Thunderbird stored OpenPGP secret keys without master
                    password protection

 -- Carsten Schoenert <email address hidden>  Wed, 19 May 2021 21:57:11 +0200
Superseded in sid-release
thunderbird (1:78.10.0-1) unstable; urgency=medium

  * [f38d78f] New upstream version 78.10.0
    Fixed CVE issues in upstream version 78.10 (MFSA 2021-15):
    CVE-2021-23994: Out of bound write due to lazy initialization
    CVE-2021-23995: Use-after-free in Responsive Design Mode
    CVE-2021-23998: Secure Lock icon could have been spoofed
    CVE-2021-23961: More internal network hosts could have been probed by a
                    malicious webpage
    CVE-2021-23999: Blob URLs may have been granted additional privileges
    CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
                    encoded URL
    CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead
                    to null-reads (This issue only affected x86-32 platforms.)
    CVE-2021-29946: Port blocking could be bypassed
    CVE-2021-29948: Race condition when reading from disk while verifying
                    signatures

 -- Carsten Schoenert <email address hidden>  Mon, 19 Apr 2021 20:00:32 +0200
Superseded in experimental-release
thunderbird (1:88.0~b2-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [7af1a0b] New upstream version 88.0~b2
  * [30d1d48] rebuild patch queue from patch-queue branch
    modified patch:
    debian-hacks/Add-another-preferences-directory-for-applications-p.patch
    porting-armhf/Don-t-use-LLVM-internal-assembler-on-armhf.patch
    removed patches (included upstream):
    porting-arm/Reduce-memory-usage-while-linking-on-arm-el-hf-platforms.patch
    porting-s390x/Explicitly-instantiate-TIntermTraverser-traverse-TIntermN.patch
    renamed patch:
    fixes/Load-dependent-libraries-with-their-real-path-to-avo.patch ->
    fixes/Load-dependent-libraries-with-their-real-path.patch
  * [f45da92] d/control: Increase B-D for libnss3-dev

  [ Colomban Wendling ]
  * [bbf78cb] d/thunderbird.desktop: Switch StartupWMClass (Closes: #985366)

  [ Carsten Schoenert ]
  * [a2cc9e0] d/control: Adding nasm to Build-Depends
  * [41fad62] d/copyright: update due removed content

 -- Carsten Schoenert <email address hidden>  Sun, 11 Apr 2021 13:50:27 +0200
Superseded in sid-release
thunderbird (1:78.9.0-1) unstable; urgency=medium

  [ Colomban Wendling ]
  * [7d454de] d/thunderbird.desktop: Switch StartupWMClass
    (Closes: #985366)

  [ Carsten Schoenert ]
  * [23fe9ce] d/source.filter: small update to filtering list
  * [828b9d7] New upstream version 78.9.0
    Fixed CVE issues in upstream version 78.9 (MFSA 2021-12):
    CVE-2021-23981: Texture upload into an unbound backing buffer resulted in
                    an out-of-bound read
    CVE-2021-23982: Internal network hosts could have been probed by a
                    malicious webpage
    CVE-2021-23984: Malicious extensions could have spoofed popup information
    CVE-2021-23987: Memory safety bugs fixed in Thunderbird 78.9
  * [cf4fbde] rebuild patch queue from patch-queue branch
    Removed patch (included upstream):
    porting-s390x/Explicitly-instantiate-TIntermTraverser-traverse-TIntermN.patch

 -- Carsten Schoenert <email address hidden>  Tue, 23 Mar 2021 15:55:43 +0100
Superseded in sid-release
thunderbird (1:78.8.0-1) unstable; urgency=medium

  [ Pino Toscano ]
  * [f2f1f3f] thunderbird: Stop shipping /u/s/p/thunderbird.png symlink

  [ Carsten Schoenert ]
  * [f5707a7] New upstream version 78.8.0
    Fixed CVE issues in upstream version 78.8 (MFSA 2021-09):
    CVE-2021-23969: Content Security Policy violation report could have
                    contained the destination of a redirect
    CVE-2021-23968: Content Security Policy violation report could have
                    contained the destination of a redirect
    CVE-2021-23973: MediaError message property could have leaked information
                    about cross-origin resources
    CVE-2021-23978: Memory safety bugs fixed in Thunderbird 78.8

 -- Carsten Schoenert <email address hidden>  Sun, 21 Feb 2021 14:58:05 +0100
Superseded in experimental-release
thunderbird (1:86.0~b3-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [002f597,fe0515b] d/source.filter: updating the filtering list
  * [dfafc89,35d050f] d/copyright: updates due upstream changes
    Add Apache2 notice for third_party/python/coverage
  * [24c009c] lintian: adding override for false positive in SVG file
  * [d316a1c] New upstream version 86.0~b3
  * [20dc687] rebuild patch queue from patch-queue branch
    modified patch:
    debian/patches/porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch
  * [21b86f0] d/copyright: update due removed content
  * [7fc9755] d/s/lintian-override: path for TeXZilla.js has changed
  * [33c5d5a] d/s/lintian-override: remove JS file
  * [825a440] d/control: Increase B-D for cbindgen

  [ Pino Toscano ]
  * [35c3c3b] thunderbird: Stop shipping /u/s/p/thunderbird.png symlink

 -- Carsten Schoenert <email address hidden>  Sat, 13 Feb 2021 13:41:36 +0100
Superseded in buster-release
thunderbird (1:78.6.0-1~deb10u1) stable-security; urgency=medium

  * Rebuild for buster-security

 -- Carsten Schoenert <email address hidden>  Wed, 16 Dec 2020 08:37:39 +0100
Superseded in sid-release
thunderbird (1:78.7.1-1) unstable; urgency=medium

  * [406f9d7] New upstream version 78.7.1

 -- Carsten Schoenert <email address hidden>  Fri, 05 Feb 2021 20:12:59 +0100
Superseded in sid-release
thunderbird (1:78.7.0-1) unstable; urgency=medium

  * [8751354] New upstream version 78.7.0
    Fixed CVE issues in upstream version 78.7 (MFSA 2021-05):
    CVE-2021-23953: Cross-origin information leakage via redirected PDF
                    requests
    CVE-2021-23954: Type confusion when using logical assignment operators in
                    JavaScript switch statements
    CVE-2020-15685: IMAP Response Injection when using STARTTLS
    CVE-2020-26976: HTTPS pages could have been intercepted by a registered
                    service worker when they should not have been
    CVE-2021-23960: Use-after-poison for incorrectly redeclared JavaScript
                    variables during GC
    CVE-2021-23964: Memory safety bugs fixed in Thunderbird 78.7
  * [4b0c0a7] rebuild patch queue from patch-queue branch
    removed patch (included upstream):
    porting-mips/Bug-1642265-MIPS64-Add-branchTestSymbol-and-fallibleUnbox.patch

 -- Carsten Schoenert <email address hidden>  Fri, 29 Jan 2021 20:45:49 +0100
Superseded in sid-release
thunderbird (1:78.6.1-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [67f6117] Add Apache2 notice for third_party/python/coverage
  * [38b9ff7] lintian: adding override for false positive in SVG file

  [ Carles Pina i Estany ]
  * [529d53a] d/thunderbird-wrapper.sh: Unset DEBUG/DEBUGGER variables
    (Closes: #960230)
  * [6d48708] d/thunderbird-wrapper-helper.sh: Adjust help text

  [ Carsten Schoenert ]
  * [5309e91] d/thunderbird-wrapper*.sh: Prefixing some local variables
  * [07b4733] New upstream version 78.6.1
    Fixed CVE issues in upstream version 78.6.1 (MFSA 2021-02):
    CVE-2020-16044: Use-after-free write when handling a malicious
                    COOKIE-ECHO SCTP chunk

 -- Carsten Schoenert <email address hidden>  Sat, 16 Jan 2021 14:59:02 +0100
Superseded in experimental-release
thunderbird (1:85.0~b3-1) experimental; urgency=medium

  * [b142ac6] New upstream version 85.0~b3
  * [0d2221a] d/control: Increase various B-D versions
  * [e4eb52e] rebuild patch queue from patch-queue branch
    added patch:
    debian-hacks/Decrease-Cargo-minimal-version-to-1.46.0.patch
    updated patches:
    debian-hacks/Use-remoting-name-for-call-to-gdk_set_program_class.patch
    fixes/reduce-the-rust-debuginfo-level-on-selected-architectures.patch

 -- Carsten Schoenert <email address hidden>  Thu, 31 Dec 2020 20:39:53 +0100
Superseded in sid-release
thunderbird (1:78.6.0-1) unstable; urgency=medium

  * [1410f1e] d/watch: update to version 4
  * [a8303b7] d/rules: use python3 explicitly while calling mach
  * [f3f535e] New upstream version 78.6.0
    Fixed CVE issues in upstream version 78.6 (MFSA 2020-56):
    CVE-2020-16042: Operations on a BigInt could have caused uninitialized
                    memory to be exposed
    CVE-2020-26971: Heap buffer overflow in WebGL
    CVE-2020-26973: CSS Sanitizer performed incorrect sanitization
    CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap
                    use-after-free
    CVE-2020-26978: Internal network hosts could have been probed by a
                    malicious webpage
    CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs
    CVE-2020-35112: Opening an extension-less download may have inadvertently
                    launched an executable instead
    CVE-2020-35113: Memory safety bugs fixed in Thunderbird 78.6
    (Closes: #972072, #973697)
  * [16a7ab7] /u/l/thunderbird: Correct escape sequencing for gdb calling
    We need to do a better escaping of values of the '-ex' option otherwise
    the shell is refusing the concatenated string we want to use as call.
    (Closes: #976979)

 -- Carsten Schoenert <email address hidden>  Tue, 15 Dec 2020 10:12:34 +0100
Superseded in experimental-release
thunderbird (1:84.0~b3-1) experimental; urgency=medium

  * [fad5103] calendar-google-provider*: removing left over cruft
  * [b095d8e] thunderbird.NEWS: Add hint about integration of OpenPGP support
  * [0f6bdf3] Revert "d/tb.lintian-overrides: ignore warning about none
    versioned breaks"
  * [f10f80c] d/copyright: update content
  * [9c3fb20] d/source.filter: some updates to filtering list
  * [c9b8274] New upstream version 84.0~b3
  * [adf3835] rebuild patch queue from patch-queue branch
    removed patches:
    fixes/Add-missing-bindings-for-mips-in-the-authenticator-crate.patch
    fixes/fix-function-nsMsgComposeAndSend-to-respect-Replo.patch
    porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
    porting-mips/Bug-1642265-MIPS64-Add-branchTestSymbol-and-fallibleUnbox.patch
    porting-s390x/Use-more-recent-embedded-version-of-sqlite3.patch
    porting-m68k/Add-m68k-support-to-Thunderbird.patch
    porting-sh4/Add-sh4-support-to-Thunderbird.patch
  * [3ff9c9d] thunderbird-l10n-all: add thunderbird-l10n-cy
    (Closes: #974127)
  * [393490c] d/control: remove l10n package for Sinhala
  * [1f4e966] d/control: increase Standards-Version to 4.5.1
    No further changes needed.
  * [288afdd] d/rules: use python3 explicitly while calling mach
    Using the Python 3 interpreter is needed otherwise the Mozilla magic tries
    to use a non existing virtualenv environment.
  * [a509bdf] d/watch: update to version 4
    No further changes needed.
  * [fc6b358] d/copyright: update some more content
    Updating the copyright information due upstream modifications.
  * [3bd5713] d/s/lintian-overrides: Adding more file to ignore

 -- Carsten Schoenert <email address hidden>  Mon, 14 Dec 2020 15:24:59 +0100
Superseded in buster-release
thunderbird (1:78.5.0-1~deb10u1) stable-security; urgency=medium

  * Rebuild for buster-security

 -- Carsten Schoenert <email address hidden>  Fri, 20 Nov 2020 17:38:25 +0100
Superseded in sid-release
thunderbird (1:78.5.1-1) unstable; urgency=medium

  * [08556c2] New upstream version 78.5.1
    Fixed CVE issues in upstream version 78.5.1 (MFSA 2020-53):
    CVE-2020-26970: Stack overflow due to incorrect parsing of SMTP server
                    response codes
  * [7047340] rebuild patch queue from patch-queue branch
    removed patch (included upstream):
    fixes/fix-function-nsMsgComposeAndSend-to-respect-Replo.patch
  * [40663bb] debian/control: increase Standards-Version to 4.5.1
    No further changes needed.

 -- Carsten Schoenert <email address hidden>  Thu, 03 Dec 2020 05:35:04 +0100
Superseded in sid-release
thunderbird (1:78.5.0-1) unstable; urgency=medium

  * [7842f02] New upstream version 78.5.0
    Fixed CVE issues in upstream version 78.5 (MFSA 2020-51):
    CVE-2020-26951: Parsing mismatches could confuse and bypass security
                    sanitizer for chrome privileged code
    CVE-2020-16012: Variable time processing of cross-origin images during
                    drawImage calls
    CVE-2020-26953: Fullscreen could be enabled without displaying the
                    security UI
    CVE-2020-26956: XSS through paste (manual and clipboard API)
    CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME
                    type restrictions
    CVE-2020-26959: Use-after-free in WebRequestService
    CVE-2020-26960: Potential use-after-free in uses of nsTArray
    CVE-2020-15999: Heap buffer overflow in freetype
    CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
    CVE-2020-26965: Software keyboards may have remembered typed passwords
    CVE-2020-26966: Single-word search queries were also broadcast to local
                    network
    CVE-2020-26968: Memory safety bugs fixed in Thunderbird 78.5
  * [e19743e] rebuild patch queue from patch-queue branch
    removed patch (included upstream):
    fixes/Bug-1663715-Update-syn-and-proc-macro2-so-that-Firefox-ca.patch

 -- Carsten Schoenert <email address hidden>  Wed, 18 Nov 2020 20:06:09 +0100
Superseded in sid-release
thunderbird (1:78.4.2-1) unstable; urgency=medium

  * [c7f4ed2] New upstream version 78.4.2
    Fixed CVE issues in upstream version 78.4 (MFSA 2020-49):
    CVE-2020-26950: Write side effects in MCallGetProperty opcode not
                    accounted for
  * [c3a617d] rebuild patch queue from patch-queue branch
    added patch:
    fixes/Bug-1663715-Update-syn-and-proc-macro2-so-that-Firefox-ca.patch
  * [8e4e7ad] thunderbird-l10n-all: add thunderbird-l10n-cy
    (Closes: #974127)

 -- Carsten Schoenert <email address hidden>  Tue, 10 Nov 2020 21:19:15 +0100
Superseded in sid-release
thunderbird (1:78.4.1-1) unstable; urgency=medium

  * [cf8bf1e] New upstream version 78.4.1
  * [529000c] rebuild patch queue from patch-queue branch
    added patches:
    fixes/Bug-1650299-Unify-the-inclusion-of-the-ICU-data-file.-r-f.patch
    fixes/Don-t-build-ICU-in-parallel.patch
    Patches are picked from Firefox and fixing FTBFS on s390x within buster.

 -- Carsten Schoenert <email address hidden>  Fri, 06 Nov 2020 21:53:24 +0100
Superseded in sid-release
thunderbird (1:78.4.0-1) unstable; urgency=medium

  [ Emilio Pozuelo Monfort ]
  * [652f8de] install the apparmor profile in thunderbird.install

  [ Carsten Schoenert ]
  * [5240d53] Revert "thunderbird.install: adjust.desktop renamed file name"
    (Closes: #972601)
  * [861b21a] Revert "Rename .desktop file for AppStream compliance"
    (Closes: #972578)
  * [ffc5818] New upstream version 78.4.0
    Fixed CVE issues in upstream version 78.4 (MFSA 2020-47):
    CVE-2020-15969: Use-after-free in usersctp
    CVE-2020-15683: Memory safety bugs fixed in Thunderbird 78.4
  * [81396e3] rebuild patch queue from patch-queue branch
    removed patches (fixed upstream):
    porting-mips/Bug-1649655-MIPS-Add-CodeGenerator-visitWasmRegisterResul.patch
    porting/Bug-1666646-Bump-CodeAlignment-to-8-in-MacroAssembler-non.patch

    modified patches:
    fixes/Appdata-Adding-some-German-translations.patch
    fixes/Appdata-Fix-up-AppStream-error-by-adding-missing-field.patch

    Minor fine tuning to the AppStream specific parts but also revert some
    translation entries as they are not intend to be translatable.
    These modification also in correlation with the mentioned bug reports above
    which are closed by the other adjustments.

 -- Carsten Schoenert <email address hidden>  Thu, 22 Oct 2020 18:48:25 +0200
Superseded in sid-release
thunderbird (1:78.3.3-1) unstable; urgency=medium

  [ Emilio Pozuelo Monfort ]
  * [6f18974] Remove duplicated --disable-debug-symbols flag
  * [1119d50] Print a verbose build log by not calling the mach wrapper
  * [fcf7c11] Exclude -g from CXXFLAGS as well

  [ Carsten Schoenert ]
  * [9eb159f] New upstream version 78.3.3
  * [47171dc] rebuild patch queue from patch-queue branch
    added patches:
    fixes/Appdata-Adding-some-German-translations.patch
    fixes/Appdata-Fix-up-AppStream-error-by-adding-missing-field.patch
  * [1474d91] Rename .desktop file for AppStream compliance
  * [10e49a9] thunderbird.install: adjust.desktop renamed file name
  * [018bbc1] thunderbird.pc: remove left over cruft

 -- Carsten Schoenert <email address hidden>  Sun, 18 Oct 2020 08:49:20 +0200
Superseded in sid-release
thunderbird (1:78.3.2-1) unstable; urgency=medium

  * [0b2f19f] d/rules: remove hand crafted icu build
    Cherry-picked from debian/buster branch.
    The possible required build of the ICU if the usage of an external ICU
    library is now handled by the upstream build system.
  * [1583517] d/rules: rewrite dpkg_buildflags to remove option '-g'
    Cherry-picked from debian/buster branch.
    We need to remove the option '-g' from the dpkg_buildflags variable for
    real if we want a build without debugging information (e.g. on 32bit
    architectures).
  * [fb4c9c4] New upstream version 78.3.2
  * [9d5e2b9] d/rules: install the language Add-ons into /u/l/t/e
    Do not install the thunderbird-l10n packages into /usr/share/thunderbird
    any more, install them directly into /usr/libt/thunderbird/extensions.
    This simplifies the package structures as there is no real need to install
    the packages into /usr/share/thunderbird and linking them back.

 -- Carsten Schoenert <email address hidden>  Fri, 09 Oct 2020 19:49:45 +0200
Superseded in sid-release
thunderbird (1:78.3.1-2) unstable; urgency=medium

  * [649f664] rebuild patch queue from patch-queue branch
    added patches:
    fixes/reduce-the-rust-debuginfo-level-on-selected-architectures.patch
    porting-s390x/Explicitly-instantiate-TIntermTraverser-traverse-TIntermN.patch

 -- Carsten Schoenert <email address hidden>  Wed, 30 Sep 2020 19:10:27 +0200
Superseded in sid-release
thunderbird (1:78.3.1-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [6bd965f] New upstream version 78.3.1
    Fixed CVE issues in upstream version 78.3.1 (MFSA 2020-44):
    CVE-2020-15677: Download origin spoofing via redirect
    CVE-2020-15676: XSS when pasting attacker-controlled data into a
                    contenteditable element
    CVE-2020-15678: When recursing through layers while scrolling, an iterator
                    may have become invalid, resulting in a potential
                    use-after-free scenario
    CVE-2020-15673: Memory safety bugs fixed in Thunderbird 78.3
  * [8ba13c5] rebuild patch queue from patch-queue branch
    added patches(picked from firefox packaging):
    fixes/Add-missing-bindings-for-mips-in-the-authenticator-crate.patch
    porting-mips/Bug-1642265-MIPS64-Add-branchTestSymbol-and-fallibleUnbox.patch
    porting-mips/Bug-1649655-MIPS-Add-CodeGenerator-visitWasmRegisterResul.patch
    porting/Bug-1666646-Bump-CodeAlignment-to-8-in-MacroAssembler-non.patch
    removed patch(fixed upstream):
    fixes/Bug-1664607-Don-t-try-to-load-what-s-new-page-when-built-.patch
  * [c6d282d] calendar-google-provider*: removing left over cruft
    There are two left over sequencer files from the calendar-google-package,
    not need any more since 1:68.2.2-1
  * [cf37615] d/README.Debian: Update and adding new information
    Some updated information regarding the now included OpenPGP support, also
    updating some grammar for 'Add-on'.
  * [faf225b] thunderbird.NEWS: Add hint about integration of OpenPGP support
    Giving the user a information about the OpenPGP status within Thunderbird
    since the version 78.0.
  * [d6f4f0e] Revert "d/tb.lintian-overrides: ignore warning about none
              versioned breaks"
  * [9e6cbec] d/copyright: update content

 -- Carsten Schoenert <email address hidden>  Sun, 27 Sep 2020 09:08:29 +0200
Superseded in buster-release
thunderbird (1:68.12.0-1~deb10u1) stable-security; urgency=medium

  * Rebuild for buster-security
  * [32b3711] Revert "d/xpi-pack.sh: adding xpi-pack shell script"
  * [b50609a] Revert "Drop mozilla-devscripts as B-D"
  * [fd054fc] Revert "Drop python-{minimal,ply} from B-D"
  * [5a2a88c] Revert "d/control: tb manually set dep on libnss3 to 2:3.55"

 -- Carsten Schoenert <email address hidden>  Sat, 29 Aug 2020 08:52:22 +0200
Deleted in experimental-release (Reason: None provided.)
thunderbird (1:78.2.2-1) experimental; urgency=medium

  * [c6592e8] New upstream version 78.2.2
  * [28f5fce] rebuild patch queue from patch-queue branch
    added patches:
    fixes/Bug-1664607-Don-t-try-to-load-what-s-new-page-when-built-.patch
    porting-s390x/Use-more-recent-embedded-version-of-sqlite3.patch
  * [4866c06] d/mozconfig.default: add extra config options for ppc64el

 -- Carsten Schoenert <email address hidden>  Sun, 13 Sep 2020 08:58:44 +0200
Superseded in experimental-release
thunderbird (1:78.2.1-1) experimental; urgency=medium

  * [1f3f76b] d/rules: drop C{,XX}FLAGS originally intended for GCC6
  * [4490e37] d/mozconfig.default: add options for mips64el
  * [17b4e5c] d/rules: Don't build debug symbols on 32Bit arch
  * [6dff7e0] d/rules: addind -Wl,--as-needed to linker flags
  * [a213a7f] New upstream version 78.2.1

 -- Carsten Schoenert <email address hidden>  Sun, 30 Aug 2020 14:38:17 +0200
Superseded in experimental-release
thunderbird (1:78.2.0-1) experimental; urgency=medium

  [ intrigeri ]
  * [f6fcafd] d/control: drop hard dependency on libgtk2.0-0
    (Closes: #908654)
  * [85b7a2e] autopkgtests: fix typo in comment
  * [4bd70ae] d/mozconfig.default: fix typos in comments
  * [d986a6d] d/control: allow Enigmail 2.2.0 and newer
    (Closes: #968707)

  [ Carsten Schoenert ]
  * [52b4006] d/control: increase B-D for libnss3
    (Closes: #966805)
  * [7794563] New upstream version 78.2.0
    Fixed CVE issues in upstream version 78.2.0 (MFSA 2020-41):
    CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could
                    have resulted in escalation of privilege
    CVE-2020-15664: Attacker-induced prompt for extension installation
    CVE-2020-15670: Memory safety bugs fixed in Thunderbird 78.2
  * [623f853] rebuild patch queue from patch-queue branch
    No modifications made, just updating the index.

 -- Carsten Schoenert <email address hidden>  Wed, 26 Aug 2020 20:41:28 +0200
Superseded in sid-release
thunderbird (1:68.12.0-1) unstable; urgency=medium

  * [103cab7] New upstream version 68.12.0
    Fixed CVE issues in upstream version 68.11.0 (MFSA 2020-35):
    CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could
                    have resulted in escalation of privilege
    CVE-2020-15664: Attacker-induced prompt for extension installation
    CVE-2020-15669: Use-After-Free when aborting an operation

 -- Carsten Schoenert <email address hidden>  Thu, 27 Aug 2020 21:23:55 +0200
Superseded in experimental-release
thunderbird (1:78.1.1-1) experimental; urgency=medium

  * [5fb842b] d/mozconfig.default: adding new option regarding Add-Ons
    Adding additional options --allow-addon-sideload and
    --with-unsigned-addon-scopes=app,system. These option are adopted and
    taken from the firefox package.
  * [8de0b35] New upstream version 78.1.1
  * [4abe5ed] d/copyright: update content
    Some small updates to the copyright information.
  * [3caa541] d/control: adding new B-D for botan and json-c
    The upstream source now offers the possibility to use the system
    libraries for botan and json-c, for this we need to have both libraries
    installed for building Thunderbird.
  * [251d524] d/mozconfig.default: use botan and json-c system libraries
    Turn on the configuration flags for botan and also for json-c that let
    the build use the installed provided system libraries instead of using
    internal versions.
  * [a32a163] rebuild patch queue from patch-queue branch
    removed patch:
    debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
    Upstream has now (again) a configure option for using a installed system
    bzip2 library that makes our added patch for this not needed anymore.
  * [16c91c0] lintian: remove override for embedded bzip2 in librnp.so

 -- Carsten Schoenert <email address hidden>  Sat, 08 Aug 2020 19:16:08 +0200
Superseded in sid-release
thunderbird (1:68.11.0-3) unstable; urgency=medium

  * [28707fd] d/xpi-pack.sh: adding xpi-pack shell script
    As we can't depend on mozilla-devscripts anymore we pick up the shell
    script from that package as this builds XPI files we need.
  * [037212e] Drop mozilla-devscripts as B-D
    mozilla-devscripts isn't ported to Python3 yet and depends on Python2 so.
    We don't need that package as B-D as we picked the main shell script from
    that and we can drop that package from the build dependencies.
  * [31eda41] Drop python-{minimal,ply} from B-D
    These packages are removed from teh archive and we don't need them for
    building Thunderbird as long we have python2 as package available.
  (Closes: #967223)

 -- Carsten Schoenert <email address hidden>  Tue, 04 Aug 2020 19:06:20 +0200
Superseded in sid-release
thunderbird (1:68.11.0-2) unstable; urgency=medium

  * [110a375] d/control: increase B-D for libnss3
  * [73fa23e] d/control: tb manually set dep on libnss3 to 2:3.55
  (Closes: #966806)

 -- Carsten Schoenert <email address hidden>  Sun, 02 Aug 2020 20:12:49 +0200
Superseded in buster-release
thunderbird (1:68.10.0-1~deb10u1) stable-security; urgency=medium

  * Rebuild for buster-security

 -- Carsten Schoenert <email address hidden>  Sat, 04 Jul 2020 15:29:15 +0200
Deleted in experimental-release (Reason: None provided.)
thunderbird (1:78.1.0-1) experimental; urgency=medium

  * [c4099cd] New upstream version 78.1.0
    Fixed CVE issues in upstream version 78.1.0 (MFSA 2020-33):
    CVE-2020-15652: Potential leak of redirect targets when loading scripts in
                    a worker
    CVE-2020-6514: WebRTC data channel leaks internal address to peer
    CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
    CVE-2020-15653: Bypassing iframe sandbox when allowing popups
    CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
    CVE-2020-15656: Type confusion for special arguments in IonMonkey
    CVE-2020-15658: Overriding file type when saving to disk
    CVE-2020-15657: DLL hijacking due to incorrect loading path
    CVE-2020-15654: Custom cursor can overlay user interface
    CVE-2020-15659: Memory safety bugs fixed in Thunderbird 78.1

 -- Carsten Schoenert <email address hidden>  Fri, 31 Jul 2020 19:35:57 +0200
Superseded in sid-release
thunderbird (1:68.11.0-1) unstable; urgency=medium

  * [093b080] New upstream version 68.11.0
    Fixed CVE issues in upstream version 68.11.0 (MFSA 2020-35):
    CVE-2020-15652: Potential leak of redirect targets when loading scripts
                    in a worker
    CVE-2020-6514: WebRTC data channel leaks internal address to peer
    CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
    CVE-2020-15659: Memory safety bugs fixed in Thunderbird 68.11

 -- Carsten Schoenert <email address hidden>  Wed, 29 Jul 2020 22:26:14 +0200
Superseded in experimental-release
thunderbird (1:78.0.1-1) experimental; urgency=medium

  * [5450d8d] d/control: increase B-D for libnss3
  * [9749d1d] d/control: drop B-D on python2 and move over to python3
  * [b31360b] d/xpi-pack.sh: adding xpi-pack shell script
  * [89ede80] Drop mozilla-devscripts as B-D
  * [f3b2ced] New upstream version 78.0.1
  * [1847202] d/tb.lintian-overrides: ignore warning about none versioned
              breaks
  * [d56c922] d/lightning.links: removing left over sequencer file

 -- Carsten Schoenert <email address hidden>  Wed, 22 Jul 2020 20:11:25 +0200
Published in stretch-release
thunderbird (1:68.10.0-1~deb9u1) stretch-security; urgency=medium

  * Rebuild for stretch-security

 -- Carsten Schoenert <email address hidden>  Sat, 04 Jul 2020 19:01:37 +0200
Superseded in experimental-release
thunderbird (1:78.0-1) experimental; urgency=medium

  * [1016cc5] New upstream version 78.0
    Fixed CVE issues in upstream version 78.0 (MFSA 2020-29):
    CVE-2020-12415: AppCache manifest poisoning due to url encoded character
                    processing
    CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster
    CVE-2020-12417: Memory corruption due to missing sign-extension for
                    ValueTags on ARM64
    CVE-2020-12418: Information disclosure due to manipulated URL object
    CVE-2020-12419: Use-after-free in nsGlobalWindowInner
    CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
    CVE-2020-15648: X-Frame-Options bypass using object or embed tags
    CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack
    CVE-2020-12421: Add-On updates did not respect the same certificate trust
                    rules as software updates
    CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer
    CVE-2020-12424: WebRTC permission prompt could have been bypassed by a
                    compromised content process
    CVE-2020-12425: Out of bound read in Date.parse()
    CVE-2020-12426: Memory safety bugs fixed in Thunderbird 78
  * [ad66b04] rebuild patch queue from patch-queue branch
    reworked patch:
    porting-kfreebsd-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch
  * [4a2039c] d/mozconfig.default: enable OpenPGP feature build

 -- Carsten Schoenert <email address hidden>  Thu, 16 Jul 2020 19:15:25 +0200
Superseded in sid-release
thunderbird (1:68.10.0-1) unstable; urgency=medium

  * [7537684] New upstream version 68.10.0
    Fixed CVE issues in upstream version 68.10.0 (MFSA 2020-26):
    CVE-2020-12417: Memory corruption due to missing sign-extension for
                    ValueTags on ARM64
    CVE-2020-12418: Information disclosure due to manipulated URL object
    CVE-2020-12419: Use-after-free in nsGlobalWindowInner
    CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
    MFSA-2020-0001: Automatic account setup leaks Microsoft Exchange login
                    credentials
    CVE-2020-12421: Add-On updates did not respect the same certificate trust
                    rules as software updates

 -- Carsten Schoenert <email address hidden>  Sat, 04 Jul 2020 10:55:31 +0200
76150 of 229 results