Change logs for thunderbird source package in Buster

  • thunderbird (1:91.12.0-1~deb10u1) buster-security; urgency=medium
    
      * Rebuild for buster-security
    
     -- Carsten Schoenert <email address hidden>  Sat, 30 Jul 2022 10:47:10 +0200
  • thunderbird (1:78.14.0-1~deb10u1) buster-security; urgency=medium
    
      * Rebuild for buster-security
    
     -- Carsten Schoenert <email address hidden>  Thu, 09 Sep 2021 19:34:41 +0200
  • thunderbird (1:78.8.0-1~deb10u1) stable-security; urgency=medium
    
      * Rebuild for buster-security
    
     -- Carsten Schoenert <email address hidden>  Sat, 27 Feb 2021 09:57:18 +0100
  • thunderbird (1:78.6.0-1~deb10u1) stable-security; urgency=medium
    
      * Rebuild for buster-security
    
     -- Carsten Schoenert <email address hidden>  Wed, 16 Dec 2020 08:37:39 +0100
  • thunderbird (1:78.5.0-1~deb10u1) stable-security; urgency=medium
    
      * Rebuild for buster-security
    
     -- Carsten Schoenert <email address hidden>  Fri, 20 Nov 2020 17:38:25 +0100
  • thunderbird (1:68.12.0-1~deb10u1) stable-security; urgency=medium
    
      * Rebuild for buster-security
      * [32b3711] Revert "d/xpi-pack.sh: adding xpi-pack shell script"
      * [b50609a] Revert "Drop mozilla-devscripts as B-D"
      * [fd054fc] Revert "Drop python-{minimal,ply} from B-D"
      * [5a2a88c] Revert "d/control: tb manually set dep on libnss3 to 2:3.55"
    
     -- Carsten Schoenert <email address hidden>  Sat, 29 Aug 2020 08:52:22 +0200
  • thunderbird (1:68.10.0-1~deb10u1) stable-security; urgency=medium
    
      * Rebuild for buster-security
    
     -- Carsten Schoenert <email address hidden>  Sat, 04 Jul 2020 15:29:15 +0200
  • thunderbird (1:68.7.0-1~deb10u1) stable-security; urgency=medium
    
      * Rebuild for buster-security
    
     -- Carsten Schoenert <email address hidden>  Sun, 12 Apr 2020 10:21:40 +0200
  • thunderbird (1:68.4.1-1~deb10u1) stable-security; urgency=medium
    
      * Rebuild for buster-security
    
     -- Carsten Schoenert <email address hidden>  Sat, 15 Jan 2020 17:48:09 +0100
  • thunderbird (1:60.9.0-1~deb10u1) buster-security; urgency=medium
    
      * Rebuild for buster-security
      * [9802e1d] Revert "Use gcc-8 and g++-8 due broken build with GCC-9"
    
     -- Carsten Schoenert <email address hidden>  Thu, 12 Sep 2019 16:52:34 +0200
  • thunderbird (1:60.8.0-1~deb10u1) buster-security; urgency=medium
    
      [ Carsten Schoenert ]
      * Rebuild for buster-security
    
     -- Carsten Schoenert <email address hidden>  Sat, 13 Jul 2019 08:27:42 +0200
  • thunderbird (1:60.7.2-1) unstable; urgency=medium
    
      * [d6c79ed] New upstream version 60.7.2
        Fixed CVE issues in upstream version 60.7.2 (MFSA 2019-20)
        CVE-2019-11707: Type confusion in Array.pop
        CVE-2019-11708: sandbox escape using Prompt:Open
    
     -- Carsten Schoenert <email address hidden>  Fri, 21 Jun 2019 18:48:43 +0200
  • thunderbird (1:60.7.1-1) unstable; urgency=high
    
      * [f791dee] New upstream version 60.7.1
        Fixed CVE issues in upstream version 60.7.1 (MFSA 2019-17)
        CVE-2019-11703: Heap buffer overflow in icalparser.c
        CVE-2019-11704: Heap buffer overflow in icalvalue.c
        CVE-2019-11705: Stack buffer overflow in icalrecur.c
        CVE-2019-11706: Type confusion in icalproperty.c
    
     -- Carsten Schoenert <email address hidden>  Fri, 14 Jun 2019 07:25:35 +0200
  • thunderbird (1:60.7.0-1) unstable; urgency=medium
    
      * [f6dd130] New upstream version 60.7.0
        Fixed CVE issues in upstream version 60.7.0 (MFSA 2019-15)
        CVE-2019-9816: Type confusion with object groups and UnboxedObjects
        CVE-2019-9817: Stealing of cross-domain images using canvas
        CVE-2019-9819: Compartment mismatch with fetch API
        CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
        CVE-2019-11691: Use-after-free in XMLHttpRequest
        CVE-2019-11692: Use-after-free removing listeners in the event listener
                        manager
        CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
        CVE-2019-7317: Use-after-free in png_image_free of libpng library
        CVE-2019-9797: Cross-origin theft of images with createImageBitmap
        CVE-2018-18511: Cross-origin theft of images with
                        ImageBitmapRenderingContext
        CVE-2019-11698: Theft of user history data through drag and drop of
                        hyperlinks to and from bookmarks
        CVE-2019-5798: Out-of-bounds read in Skia
        CVE-2019-9800: Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7,
                       and Thunderbird 60.7
      * [4106d54] rebuild patch queue from patch-queue branch
        added patch:
        fixes/rust-ignore-not-available-documentation.patch
    
     -- Carsten Schoenert <email address hidden>  Thu, 23 May 2019 17:03:27 +0200
  • thunderbird (1:60.6.1-1) unstable; urgency=medium
    
      [ intrigeri ]
      * [2013645] d/rules: drop useless usage of dpkg-parsechangelog
    
      [ Carsten Schoenert ]
      * [daf1252] New upstream version 60.6.1
        Fixed CVE issues in upstream version 60.6.0 (MFSA 2019-11)
        CVE-2019-9790: Use-after-free when removing in-use DOM elements
        CVE-2019-9791: Type inference is incorrect for constructors entered 
                       through on-stack replacement with IonMonkey
        CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
        CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
        CVE-2019-9794: Command line arguments not discarded during execution
        CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
        CVE-2019-9796: Use-after-free with SMIL animation controller
        CVE-2018-18506: Proxy Auto-Configuration file can define localhost access
                        to be proxied
        CVE-2019-9788: Memory safety bugs fixed in Firefox 66, Firefox ESR 60.6,
                       and Thunderbird 60.6
        Fixed CVE issues in upstream version 60.6.1 (MFSA 2019-12)
        CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information
        CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations
      * [f88a505] rebuild patch queue from patch-queue branch
        added patch:
        fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
    
     -- Carsten Schoenert <email address hidden>  Wed, 27 Mar 2019 18:22:51 +0100
  • thunderbird (1:60.5.1-1) unstable; urgency=medium
    
      [ Alexander Nitsch ]
      * [c9775d4] Make the logo SVG square
        The original SVG source isn't completely square, modifying the SVG file
        so all other files generated from the input are also exactly square.
      * [6096812] Add script for generating PNGs from logo SVG
      * [4e9e5cc] Update icon PNGs to be properly scaled
    
      [ Carsten Schoenert ]
      * [9e5527d] d/source.filter: add some configure scripts
        Filter out some files that are named 'configure', they are rebuilt later
        anyway. The filtering of these files is moved from gbp.conf to
        source.filter.
      * [b63f2a2] Revert "d/gbp.conf: ignore configure script while importing"
        Reverting this commit as we need to move the files to filter to
        source.filter as the behaviour wasn't the expected outcome.
      * [4965c2a] New upstream version 60.5.1
        Fixed CVE issues in upstream version 60.5.0 (MFSA 2019-06)
        CVE-2018-18356: Use-after-free in Skia
        CVE-2019-5785: Integer overflow in Skia
        CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D
        CVE-2018-18509: S/MIME signature spoofing
    
     -- Carsten Schoenert <email address hidden>  Thu, 14 Feb 2019 20:01:03 +0100
  • thunderbird (1:60.5.0-3) unstable; urgency=medium
    
      * [3e274d8] d/rules: move disable debug option into configure step
        Adding the option '--disable-debug-symbols' to the file mozconfig.default
        in case the build is running on a 32bit architecture instead of expanding
        the variable 'CONFIGURE_FLAGS'. The configuration approach for this option
        taken from firefox-esr was not working for the thunderbird package.
      * [b3d82d3] d/rules: reorder LDFLAGS for better readability
        Make the used additional options for LDFLAGS better readable by reordering
        the various used options. Also adding the option '-Wl, --as-needed' to the
        list of used options here.
      * [62d11e3] d/rules: use 'compress-debug-sections' only on 64bit
        Do not set 'LDFLAGS += -Wl,--compress-debug-sections=zlib' globally, let's
        use this option only if we are on a 64bit architecture as otherwise the
        build is failing on 32bit architectures again. We don't want to build any
        debug information on 32bit anyway so we don't need this option on these
        platforms.
      * [6225c44] d/mozconfig.default: adding option for mipsel
        We don't have set up any options for the mipsel platform before, but the
        build needs some additional options too on this platform to succeed.
      * [4e348d9] d/mozconfig.default: disable ion on mips and mipsel
        The build will fail on mips{,el} if we have enabled ION, the JavaScript
        JIT compiler on these platforms will lose some performance by this.
    
     -- Carsten Schoenert <email address hidden>  Tue, 05 Feb 2019 17:11:25 +0100
  • thunderbird (1:60.4.0-1) unstable; urgency=medium
    
      * [2e5a9d0] d/control: don't hard code LLVM packages in B-D
        (Closes: #912797)
      * [3aaa4a6] New upstream version 60.4.0
        No MFSA published yet by Mozilla Security while packaging this version.
        (Closes: #913645)
      * [12d3be3] debian/control: increase Standards-Version to 4.3.0
        No further changes needed.
    
     -- Carsten Schoenert <email address hidden>  Mon, 24 Dec 2018 17:04:10 +0100
  • thunderbird (1:60.3.1-1) unstable; urgency=medium
    
      * [e1b489a] New upstream version 60.3.1
      * [f376b38] lightning: use ${source:Version} in Breaks and Recommends
        (Closes: #914175)
      * [7e560b3] Revert "lintian: adding a semi automated lintian-override"
         The override about a misspelled word Synopsys isn't needed any more.
      * [893c0e6] rebuild patch queue from patch-queue branch
        modified patches:
        debian-hacks/Don-t-build-testing-suites-and-stuff.patch
        debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch
      * [20d8827] d/source.filter: update the filter sequences
    
     -- Carsten Schoenert <email address hidden>  Sun, 25 Nov 2018 10:02:50 +0100
  • thunderbird (1:60.3.0-1) unstable; urgency=medium
    
      [ intrigeri ]
      * [7949b31] AppArmor: update profile from upstream at commit f3d9a8b
        (Closes: #903898)
      * [e31dc14] AppArmor: update profile from upstream at commit 81c9457
        (Closes: #908206)
    
      [ Carsten Schoenert ]
      * [0dcbe22] d/control: add xul-ext-gnome-keyring to Breaks for thunderbird
        (Closes: #907979)
      * [65db00d] armel: adding extra LDFLAGS so rust compiler isn't confused
        The settings that are builtin within rust are conflicting with the GCC.
      * [9c65884] New upstream version 60.3.0
        Fixed CVE issues in upstream version 60.3.0 (MFSA 2018-28)
        CVE-2018-12392: Crash with nested event loops
        CVE-2018-12393: Integer overflow during Unicode conversion while loading
                        JavaScript
        CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3 and
                        Thunderbird 60.3
        CVE-2018-12390: Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3,
                        and Thunderbird 60.3
      * [8726bb1] rebuild patch queue from patch-queue branch
        removed patches (included upstream)
        fixes/Bug-1479540-Accept-triplet-strings-with-only-two-parts-in.patch
        fixes/Bug-1492064-Disable-baseline-JIT-when-SSE2-is-not-support.patch
        fixes/Bug-1492065-Use-Swizzle-fallback-when-SSE2-is-not-support.patch
        porting-mips/Add-struct-ucred-for-Linux-on-MIPS.patch
    
     -- Carsten Schoenert <email address hidden>  Thu, 01 Nov 2018 12:19:34 +0100
  • thunderbird (1:52.9.1-1) unstable; urgency=high
    
      [ intrigeri ]
      * [1259eaa] AppArmor: update profile from upstream (at commit edc9487)
        (Closes: #901471)
    
      [ Carsten Schoenert ]
      * [d706f5b] debian/control: increase Standards-Version to 4.1.5
         No further changes needed.
      * [f5a3eb2] New upstream version 52.9.1
        (Closes: #903160)
    
     -- Carsten Schoenert <email address hidden>  Tue, 10 Jul 2018 19:40:41 +0200
  • thunderbird (1:52.8.0-1) unstable; urgency=high
    
      [ intrigeri ]
      * [4656ebf] AppArmor: update profile from upstream
        (Closes: #882048, #882122)
    
      [ Agustin Henze ]
      * [840cbc8] apparmor: allow access to @{HOME}/.gnupg/tofu.db
        (Closes: #894907)
    
      [ Carsten Schoenert ]
      * [514e9e8] New upstream version 52.8.0
        Fixed CVE issues in upstream version 52.8 (MFSA 2018-13)
        CVE-2018-5183: Backport critical security fixes in Skia
        CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext
                       attack (aka Efail)
        CVE-2018-5154: Use-after-free with SVG animations and clip paths
        CVE-2018-5155: Use-after-free with SVG animations and text paths
        CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
        CVE-2018-5161: Hang via malformed headers
        CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
                       (aka Efail)
        CVE-2018-5170: Filename spoofing for external attachments
        CVE-2018-5168: Lightweight themes can be installed without user
                       interaction
        CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
                       through legacy extension
        CVE-2018-5185: Leaking plaintext through HTML forms (aka Efail)
        CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8,
                       and Thunderbird 52.8
        (Closes: #898631)
      * [7845229] ICU: don't build the Paragraph Layout library
         Disable the build of the layout library in the internal ICU build as we
         don't need this and can cause build issues.
      * [e0a79fc] debian/control: increase Standards-Version to 4.1.4
         No further changes needed.
    
     -- Carsten Schoenert <email address hidden>  Thu, 17 May 2018 21:04:15 +0200
  • thunderbird (1:52.7.0-1) unstable; urgency=medium
    
      * [9eb2692] New upstream version 52.7.0
        Fixed CVE issues in upstream version 52.7 (MFSA 2018-09)
        CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
        CVE-2018-5129: Out-of-bounds write with malformed IPC messages
        CVE-2018-5144: Integer overflow during Unicode conversion
        CVE-2018-5146: Out of bounds memory write in libvorbis
        CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7,
                       and Thunderbird 52.7
        CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and
                       Thunderbird 52.7
      * [a01cf4b] Revert "Use gcc-6 and g++-6 due broken GUI with GCC-7"
         Switching now back to GCC7 as we don't have any longer issues with
         broken visuals in the GUI.
         (Closes: #892404)
    
     -- Carsten Schoenert <email address hidden>  Mon, 26 Mar 2018 17:21:40 +0200
  • thunderbird (1:52.6.0-1) unstable; urgency=high
    
      * [97e1cd7] New upstream version 52.6.0
        Fixed CVE issues in upstream version 52.6 (MFSA 2018-04)
        CVE-2018-5095: Integer overflow in Skia library during edge builder
                       allocation
        CVE-2018-5096: Use-after-free while editing form elements
        CVE-2018-5097: Use-after-free when source document is manipulated
                       during XSLT
        CVE-2018-5098: Use-after-free while manipulating form input elements
        CVE-2018-5099: Use-after-free with widget listener
        CVE-2018-5102: Use-after-free in HTML media elements
        CVE-2018-5103: Use-after-free during mouse event handling
        CVE-2018-5104: Use-after-free during font face manipulation
        CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
        CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
                       and Thunderbird 52.6
      * [0300242] rebuild patch queue from patch-queue branch
         Added patch debian-hacks/icu-use-locale.h-instead-of-xlocale.h.patch
         that fixes the build of the included ICU source against glibc 2.26.
         (Closes: #887766)
      * [4bf22e0] debian/control: increase Standards-Version to 4.1.3
         No further changes needed.
      * [3616443] adjust Vcs fields to salsa.debian.org
         The Vcs for Thunderbird packaging lives now on Salsa as Alioth will be
         shut down in the future.
      * [c2f3e14] lintian: ignore non multiarch install folder for thunderbird.pc
         Ignore a lintian warning about unavailable pkg-config file thunderbird.pc
          as the ESR versions 52.x are the last series which will have a
          thunderbird-dev. The next ESR version will be 60.x which uses
          webextension and makes thunderbird-dev obsolete.
    
     -- Carsten Schoenert <email address hidden>  Thu, 25 Jan 2018 20:21:10 +0100
  • thunderbird (1:52.5.2-2) unstable; urgency=medium
    
      [ Carsten Schoenert ]
      * [f597157] Revert "d/thunderbird.postinst: reload AA profile on updates"
                  The trigger automatics for apparmor already is handling the
                  needed reload on profile updates for the applications.
                  (Closes: #885158)
      * [8ebdb96] debian/control: increase Standards-Version to 4.1.2
                  No further changes needed.
      * [81a8c00] use inverse logic on version for AA profile status check
                  By this change we don't enforce the disabled profile from the
                  previous version in some cases and can also handle possible
                  version strings from -security and -backports.
                  (Closes: #885157)
    
     -- Carsten Schoenert <email address hidden>  Tue, 26 Dec 2017 14:56:40 +0100
  • thunderbird (1:52.4.0-1) unstable; urgency=medium
    
      [ Guido Günther ]
      * [da3c5cc] Simplify endianness selection for ICU
                  Since we need to build ICU on the various Debian releases we
                  need to ensure the architecture detection isn't too strict.
                  Thanks Guido for helping out here!
    
      [ Carsten Schoenert ]
      * [47748ca] debian/control: be more relaxed on Breaks for enigmail
      * [6a54666] thunderbird-wrapper: fix small typo in help output
                  A small typo happened in the example call with the JS console.
      * [6d5266e] README.Debian: update info around tls fallback-limit
                  The default behavior on the TLS fallback has changed some
                  versions ago, document this accordingly.
      * [24ad883] debian/control: change maintainer
                  Thanks Christoph for the work over the past years!
      * [c78200e] debian/control: move src pkg name to thunderbird
                  By this version we move the source package name also back to
                  thunderbird. This follows the changes that are already made to
                  the binary package names and we can call the source package now
                  also again thunderbird.
                  (Closes: #857075)
      * [c26133d] debian/gbp.conf: rename components to real used names
                  Due the changes of the source package the names for the
                  sub-folders within the additional tarballs can also be changed
                  to be closer on the real upstream used names.
      * [a5ce4f7] New upstream version 52.4.0
        (Closes: #878845, #878870)
        Fixed CVE issues in upstream version 52.0 (MFSA 2017-23)
        CVE-2017-7793: Use-after-free with Fetch API
        CVE-2017-7818: Use-after-free during ARIA array manipulation
        CVE-2017-7819: Use-after-free while resizing images in design mode
        CVE-2017-7824: Buffer overflow when drawing and validating elements with
                       ANGLE
        CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
        CVE-2017-7814: Blob and data URLs bypass phishing and malware protection
                       warnings
        CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters
                       as spaces
        CVE-2017-7823: CSP sandbox directive did not create a unique origin
        CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4,
                       and Thunderbird 52.4
      * [104b4e5] rebuild patch queue from patch-queue branch
      * [d63662a] lintian: move oldlibs/extra -> oldlibs/optional
                  By moving all transitional package to oldlibs/optional we can
                  help deborphan to detect better not needed packages.
      * [fb56001] d/rules: reflect changes from renamed component tarballs
                  The additional tarballs are stored in folders which reflect
                  the upstream names of those components. This also needs to be
                  respected for the build instructions of the package.
      * [61288fb] debian/control: change Vcs* fields due the src name change
                  Addressing the changed source package name in the Git Vcs urls.
      * [ef95ab5] debian/control: increase Standards-Version to 4.1.1
                  No further changes needed.
      * [45e8fe2] apparmor: update profile from upstream
                  Thanks to Simon Deziel and intrigeri we can simply use the
                  apparmor profile changes done for the Ubuntu releases.
      * [6b1649c] lintian: adding a override for thunderbird-l10n-all
      * [ceab93f] debian/README.source: reflect src package name change
    
     -- Carsten Schoenert <email address hidden>  Fri, 17 Oct 2017 18:20:29 +0200