-
thunderbird (1:115.12.0-1) unstable; urgency=medium
* [3d303c4] d/c-u-t.py: Ignore one more version
* [2e7f143] New upstream version 115.12.0
Fixed CVE issues in upstream version 115.12 (MFSA 2024-28):
CVE-2024-5702: Use-after-free in networking
CVE-2024-5688: Use-after-free in JavaScript object transplant
CVE-2024-5690: External protocol handlers leaked by timing attack
CVE-2024-5691: Sandboxed iframes were able to bypass sandbox restrictions
to open a new window
CVE-2024-5692: Bypass of file name restrictions during saving
CVE-2024-5693: Cross-Origin Image leak via Offscreen Canvas
CVE-2024-5696: Memory Corruption in Text Fragments
CVE-2024-5700: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12,
and Thunderbird 115.12
* [9afc3a0] d/logo/thunderbird: Update PNG files from newer SVG
(Closes: #1071824)
* [a92c8d1] d/thunderbird.install: Install the newer correct SVG graphic
-- Carsten Schoenert <email address hidden> Fri, 14 Jun 2024 13:26:00 +0200
-
thunderbird (1:115.11.0-1) unstable; urgency=medium
* [47bb447] d/c-u-t.py: Ignore potentially non-ESR versions
* [f008566] New upstream version 115.11.0
Fixed CVE issues in upstream version 115.11 (MFSA 2024-23):
CVE-2024-4367: Arbitrary JavaScript execution in PDF.js
CVE-2024-4767: IndexedDB files retained in private browsing mode
CVE-2024-4768: Potential permissions request bypass via clickjacking
CVE-2024-4769: Cross-origin responses could be distinguished between
script and non-script content-types
CVE-2024-4770: Use-after-free could occur when printing to PDF
CVE-2024-4777: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
and Thunderbird 115.11
* [b029857] d/control: Re-add build and binary dep on rnp library
(Closes: #1070871)
-- Carsten Schoenert <email address hidden> Tue, 14 May 2024 21:28:37 +0200
-
thunderbird (1:115.10.1-1) unstable; urgency=medium
[ William Desportes ]
* [d0cbb66] Fix a typo in the wrapper file
[ Carsten Schoenert ]
* [47d140b] New upstream version 115.10.1
Fixed CVE issues in upstream version 115.10 (MFSA 2024-20):
CVE-2024-3852: GetBoundName in the JIT returned the wrong object
CVE-2024-3854: Out-of-bounds-read after mis-optimized switch statement
CVE-2024-3857: Incorrect JITting of arguments led to use-after-free
during garbage collection
CVE-2024-2609: Permission prompt input delay could expire when not in
focus
CVE-2024-3859: Integer-overflow led to out-of-bounds-read in the
OpenType sanitizer
CVE-2024-3861: Potential use-after-free due to AlignedBuffer self-move
CVE-2024-3302: Denial of Service using HTTP/2 CONTINUATION frames
CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10,
and Thunderbird 115.10
* [5612f7b] d/control: Move libotr5 to libotr5t64 for bin:thunderbird
(Closes: #1069337)
* [195482a] d/mozconfig.default: Use internal shipped librnp version
The Debian package has had an RC bug for a long time which would prevent the
migration of the thunderbird package to testing.
* [cd4de72] d/control: Drop dependencies on librnp{0,-dev}
* [761eb83] d/thunderbird.install: Install local built rnp tools
* [ce212a8] d/control: Increase Standards-Version to 4.7.0
No further changes needed.
-- Carsten Schoenert <email address hidden> Sat, 20 Apr 2024 19:35:18 +0200
-
thunderbird (1:115.9.0-1) unstable; urgency=medium
* [c122f7d] New upstream version 115.9.0
Fixed CVE issues in upstream version 115.9 (MFSA 2024-14):
CVE-2024-0743: Crash in NSS TLS method
CVE-2024-2607: JIT code failed to save return registers on Armv7-A
CVE-2024-2608: Integer overflow could have led to out of bounds write
CVE-2024-2616: Improve handling of out-of-memory conditions in ICU
CVE-2023-5388: NSS susceptible to timing attack against RSA decryption
CVE-2024-2610: Improper handling of html and body tags enabled CSP nonce
leakage
CVE-2024-2611: Clickjacking vulnerability could have led to a user
accidentally granting permissions
CVE-2024-2612: Self referencing object could have potentially led to a
use-after-free
CVE-2024-2614: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
and Thunderbird 115.9
-- Carsten Schoenert <email address hidden> Tue, 19 Mar 2024 16:55:17 +0100
-
thunderbird (1:115.8.1-1) unstable; urgency=medium
* [b9b4842] New upstream version 115.8.1
Fixed CVE issues in upstream version 115.8.1 (MFSA 2024-11):
CVE-2024-1936: Leaking of encrypted email subjects to other conversations
-- Carsten Schoenert <email address hidden> Mon, 04 Mar 2024 19:13:14 +0100
-
thunderbird (1:115.8.0-1) unstable; urgency=medium
* [68f2fbe] New upstream version 115.8.0
Fixed CVE issues in upstream version 115.8 (MFSA 2024-07):
CVE-2024-1546: Out-of-bounds memory read in networking channels
CVE-2024-1547: Alert dialog could have been spoofed on another site
CVE-2024-1548: Fullscreen Notification could have been hidden by select
element
CVE-2024-1549: Custom cursor could obscure the permission dialog
CVE-2024-1550: Mouse cursor re-positioned unexpectedly could have led to
unintended permission grants
CVE-2024-1551: Multipart HTTP Responses would accept the Set-Cookie
header in response parts
CVE-2024-1552: Incorrect code generation on 32-bit ARM devices
CVE-2024-1553: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8,
and Thunderbird 115.8
-- Carsten Schoenert <email address hidden> Tue, 21 Feb 2024 17:18:14 +0100
-
thunderbird (1:115.7.0-1) unstable; urgency=medium
* [6e0c26c] New upstream version 115.7.0
Fixed CVE issues in upstream version 115.7 (MFSA 2024-04):
CVE-2024-0741: Out of bounds write in ANGLE
CVE-2024-0742: Failure to update user input timestamp
CVE-2024-0746: Crash when listing printers on Linux
CVE-2024-0747: Bypass of Content Security Policy when directive
unsafe-inline was set
CVE-2024-0749: Phishing site popup could show local origin in address bar
CVE-2024-0750: Potential permissions request bypass via clickjacking
CVE-2024-0751: Privilege escalation through devtools
CVE-2024-0753: HSTS policy on subdomain could bypass policy of upper domain
CVE-2024-0755: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
and Thunderbird 115.7
-- Carsten Schoenert <email address hidden> Tue, 23 Jan 2024 16:56:31 +0100
-
thunderbird (1:115.6.0-1) unstable; urgency=medium
* [aea3623] New upstream version 115.6.0
Fixed CVE issues in upstream version 115.6 (MFSA 2023-55):
CVE-2023-50762: Truncated signed text was shown with a valid OpenPGP
signature
CVE-2023-50761: S/MIME signature accepted despite mismatching message
date
CVE-2023-6856: Heap-buffer-overflow affecting WebGL DrawElementsInstanced
method with Mesa VM driver
CVE-2023-6857: Symlinks may resolve to smaller than expected buffers
CVE-2023-6858: Heap buffer overflow in nsTextFragment
CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer
CVE-2023-6860: Potential sandbox escape due to VideoBridge lack
of texture validation
CVE-2023-6861: Heap buffer overflow affected nsWindow::PickerOpen(void)
in headless mode
CVE-2023-6862: Use-after-free in nsDNSService
CVE-2023-6863: Undefined behavior in ShutdownObserver()
CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6,
and Thunderbird 115.6
* [6ecaa01] d/control: Remove B-D on libiw-dev
(Closes: #1058737)
-- Carsten Schoenert <email address hidden> Tue, 19 Dec 2023 20:24:02 +0100
-
thunderbird (1:115.5.2-1) unstable; urgency=medium
* [34f6404] New upstream version 115.5.2
-- Carsten Schoenert <email address hidden> Fri, 08 Dec 2023 21:21:26 +0100
-
thunderbird (1:115.5.1-1) unstable; urgency=medium
* [eec913b] New upstream version 115.5.1
-- Carsten Schoenert <email address hidden> Wed, 29 Nov 2023 18:13:11 +0100
-
thunderbird (1:115.5.0-1) unstable; urgency=medium
[ intrigeri ]
* [a6be3ab] AppArmor: update profile from upstream at commit
9d3fa88cdab512e45f6fd80f067337f200d356bc
[ Carsten Schoenert ]
* [ed61fd6] New upstream version 115.5.0
Fixed CVE issues in upstream version 115.5 (MFSA 2023-52):
CVE-2023-6204: Out-of-bound memory access in WebGL2 blitFramebuffer
CVE-2023-6205: Use-after-free in MessagePort::Entangled
CVE-2023-6206: Clickjacking permission prompts using the fullscreen
transition
CVE-2023-6207: Use-after-free in ReadableByteStreamQueueEntry::Buffer
CVE-2023-6208: Using Selection API would copy contents into X11 primary
selection.
CVE-2023-6209: Incorrect parsing of relative URLs starting with "///"
CVE-2023-6212: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
and Thunderbird 115.5
-- Carsten Schoenert <email address hidden> Wed, 22 Nov 2023 21:50:16 +0000
-
thunderbird (1:115.5.0-1~deb12u1) bookworm-security; urgency=medium
* Rebuild for bookworm-security
-- Carsten Schoenert <email address hidden> Thu, 23 Nov 2023 14:33:32 +0000
-
thunderbird (1:115.4.1-1) unstable; urgency=medium
* [c51ab77] New upstream version 115.4.1
Fixed CVE issues in upstream version 115.4.1 (MFSA 2023-47):
CVE-2023-5721: Queued up rendering could have allowed websites to
clickjack
CVE-2023-5732: Address bar spoofing via bidirectional characters
CVE-2023-5724: Large WebGL draw could have led to a crash
CVE-2023-5725: WebExtensions could open arbitrary URLs
CVE-2023-5728: Improper object tracking during GC in the JavaScript
engine could have led to a crash.
CVE-2023-5730: Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4,
and Thunderbird 115.4.1
-- Carsten Schoenert <email address hidden> Wed, 25 Oct 2023 21:05:23 +0200
-
thunderbird (1:115.3.1-1) unstable; urgency=medium
* [276a53a] New upstream version 115.3.1
Fixed CVE issues in upstream version 115.3.1 (MFSA 2023-44):
CVE-2023-5217: Heap buffer overflow in libvpx
* [a360abf] d/control: Point VCS links to debian/sid
-- Carsten Schoenert <email address hidden> Fri, 29 Sep 2023 19:26:42 +0200
-
thunderbird (1:115.3.0-1) unstable; urgency=medium
* [2e67467] New upstream version 115.3.0
Fixed CVE issues in upstream version 115.3 (MFSA 2023-43):
CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1
CVE-2023-5169: Out-of-bounds write in PathOps
CVE-2023-5171: Use-after-free in Ion Compiler
CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox
ESR 115.3, and Thunderbird 115.3
-- Carsten Schoenert <email address hidden> Wed, 27 Sep 2023 19:07:47 +0200
-
thunderbird (1:115.2.2-1) unstable; urgency=medium
* [08bc8c9] d/thunderbird.desktop: Update data with upstream data
(Closes: #1042912, #1051261)
* [2fd665b] New upstream version 115.2.2
Fixed CVE issues in upstream version 115.2.2 (MFSA 2023-40):
CVE-2023-4863: Heap buffer overflow in libwebp
* [7b862be] d/copyright: Update content due to upstream changes
* [140b77d] d/s/lintian-overrides: Update data for overrides
-- Carsten Schoenert <email address hidden> Wed, 13 Sep 2023 22:59:59 +0530
-
thunderbird (1:115.2.0-1) unstable; urgency=medium
* [1415d01] New upstream version 115.2.0
Fixed CVE issues in upstream version 115.2 (MFSA 2023-36):
CVE-2023-4573: Memory corruption in IPC CanvasTranslator
CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback
CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback
CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation
CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics
CVE-2023-4051: Full screen notification obscured by file open dialog
CVE-2023-4578: Error reporting methods in SpiderMonkey could have
triggered an Out of Memory Exception
CVE-2023-4053: Full screen notification obscured by external program
CVE-2023-4580: Push notifications saved to disk unencrypted
CVE-2023-4581: XLL file extensions were downloadable without warnings
CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv
CVE-2023-4583: Browsing Context potentially not cleared when closing
Private Window
CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR
102.15, Firefox ESR 115.2, Thunderbird 102.15, and
Thunderbird 115.2
CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2,
and Thunderbird 115.2
-- Christoph Goehre <email address hidden> Wed, 30 Aug 2023 17:41:36 +0200
-
thunderbird (1:115.1.1-1) unstable; urgency=medium
[ Christoph Goehre ]
* [880cabe] ship glxtest and vaapitest binaries
(Closes: #1043057)
[ Carsten Schoenert ]
* [8474b9b] d/thunderbird.install: Use upstream graphics for icons
* [85f99a2] d/c-u-t.py: Use Version() from python3-packaging
* [86e3335] d/thunderbird.desktop: Sort MimeType entries alphabetically
* [2bc5f47] New upstream version 115.1.1
* [ddec51f] Revert "d/mozconfig.default: Use internal shipped librnp
version"
* [3ef27e2] Revert "d/control: Drop librnp0 package from Depends"
* [9011502] Revert "d/thunderbird.install: Install rnp tools too"
* [d5eef62] d/control: Bump version of librnp{0,-dev}
(Closes: #1041409)
[ Max Nikulin ]
* [0e04b0e] d/thunderbird.desktop: Add IANA MIME type for .vcf vcard
* [ce01092] d/thunderbird.desktop: Add mid: URI to MIME types
(Closes: #1008159)
* [c11a22f] d/thunderbird.desktop: Add news: URI to MIME types
* [bf5586f] d/thunderbird.desktop: Add webcal: URI to MIME types
-- Carsten Schoenert <email address hidden> Wed, 16 Aug 2023 17:18:04 +0200
-
thunderbird (1:115.1.0-1) unstable; urgency=medium
* [8c11865] d/gbp.conf: Adjust upstream branch to new ESR cycle
* [fb76340] New upstream version 115.1.0
Fixed CVE issues in upstream version 115.1 (MFSA 2023-33):
CVE-2023-4045: Offscreen Canvas could have bypassed cross-origin
restrictions
CVE-2023-4046: Incorrect value used during WASM compilation
CVE-2023-4047: Potential permissions request bypass via clickjacking
CVE-2023-4048: Crash in DOMParser due to out-of-memory conditions
CVE-2023-4049: Fix potential race conditions when releasing platform
objects
CVE-2023-4050: Stack buffer overflow in StorageManager
CVE-2023-4055: Cookie jar overflow caused unexpected cookie jar state
CVE-2023-4056: Memory safety bugs fixed in Firefox 116,
Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1,
and Thunderbird 102.14
CVE-2023-4057: Memory safety bugs fixed in Firefox 116,
Firefox ESR 115.1, and Thunderbird 115.1
* [b562827] Rebuild patch queue from patch-queue branch
Removed patches (included upstream):
fixes/Bug-1840931-More-properly-handle-files-4GB-in-elfhack.-r-.patch
fixes/Bug-1842933-Use-NEON_FLAGS-instead-of-VPX_ASFLAGS-for-lib.patch
porting-mips/Bug-1841197-Undefine-the-mips-builtin-macro-on-mips-in-sk.patch
porting-mips64el/Bug-1841201-Work-around-tail-call-optimization-not-happen.patch
porting-ppc64el/Work-around-bz-1775202-to-fix-FTBFS-on-ppc64el.patch
-- Carsten Schoenert <email address hidden> Tue, 01 Aug 2023 19:19:27 +0200
-
thunderbird (1:102.13.1-1) unstable; urgency=medium
* [e803b54] New upstream version 102.13.1
Fixed CVE issues in upstream version 102.13.1 (MFSA 2023-28):
CVE-2023-3417: File Extension Spoofing using the Text Direction
Override Character
* [456ce20] Rebuild patch queue from patch-queue branch
Added patches:
fixes/gfx-Fix-inclusion-of-C-header.patch
fixes/toolkit-Fix-inclusion-of-C-header.patch
(Closes: #1037872)
-- Carsten Schoenert <email address hidden> Wed, 26 Jul 2023 19:48:59 +0200
-
thunderbird (1:102.13.0-1) unstable; urgency=medium
* [7168011] New upstream version 102.13.0
Fixed CVE issues in upstream version 102.12 (MFSA 2023-24):
CVE-2023-37201: Use-after-free in WebRTC certificate generation
CVE-2023-37202: Potential use-after-free from compartment mismatch in
SpiderMonkey
CVE-2023-37207: Fullscreen notification obscured
CVE-2023-37208: Lack of warning when opening Diagcab files
CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR
102.13, and Thunderbird 102.13
(Closes: #971790, #1006432)
-- Carsten Schoenert <email address hidden> Sat, 08 Jul 2023 06:15:04 +0200
-
thunderbird (1:102.12.0-1) unstable; urgency=medium
* [a285966] New upstream version 102.12.0
(Upstream has published an MFSA yet.)
* [73c48d4] d/control: Add libotr5 to Depends
-- Carsten Schoenert <email address hidden> Mon, 05 Jun 2023 18:51:11 +0200
-
thunderbird (1:102.11.0-1) unstable; urgency=medium
[ intrigeri ]
* [f3e5479] AppArmor: update profile from upstream at
commit a03a894c6c30b7a566aa74645802de1cea580bca
[ Carsten Schoenert ]
* [0626d72] New upstream version 102.11.0
Fixed CVE issues in upstream version 102.11 (MFSA 2023-18):
CVE-2023-32205: Browser prompts could have been obscured by popups
CVE-2023-32206: Crash in RLBox Expat driver
CVE-2023-32207: Potential permissions request bypass via clickjacking
CVE-2023-32211: Content process crash due to invalid wasm code
CVE-2023-32212: Potential spoof due to obscured address bar
CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()
CVE-2023-32215: Memory safety bugs fixed in Thunderbird 102.11
-- Carsten Schoenert <email address hidden> Fri, 12 May 2023 17:11:29 +0200
-
thunderbird (1:102.10.0-1) unstable; urgency=medium
* [8afefce] New upstream version 102.10.0
Fixed CVE issues in upstream version 102.10 (MFSA 2023-15):
CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass
CVE-2023-29533: Fullscreen notification obscured
CVE-2023-1999: Double-free in libwebp
CVE-2023-29535: Potential Memory Corruption following Garbage Collector
compaction
CVE-2023-29536: Invalid free from JavaScript code
CVE-2023-0547: Revocation status of S/Mime recipient certificates was
not checked
CVE-2023-29479: Hang when processing certain OpenPGP messages
CVE-2023-29539: Content-Disposition filename truncation leads to
Reflected File Download
CVE-2023-29541: Files with malicious extensions could have been
downloaded unsafely on Linux
CVE-2023-29542: Bypass of file download extension restrictions
CVE-2023-1945: Memory Corruption in Safe Browsing Code
CVE-2023-29548: Incorrect optimization result on ARM64
CVE-2023-29550: Memory safety bugs fixed in Thunderbird 102.10
-- Carsten Schoenert <email address hidden> Mon, 17 Apr 2023 21:32:45 +0200
-
thunderbird (1:102.9.1-1) unstable; urgency=medium
[ Timothy Pearson ]
* [de7c4f8] Explicitly set SQLite endianness on ppc64el
(Closes: #1033534)
[ Carsten Schoenert ]
* [06059fb] New upstream version 102.9.1
Fixed CVE issues in upstream version 102.9.1 (MFSA 2023-12):
CVE-2023-28427: Matrix SDK bundled with Thunderbird vulnerable to
denial-of-service attack
-- Carsten Schoenert <email address hidden> Wed, 29 Mar 2023 17:34:39 +0200
-
thunderbird (1:102.9.0-1) unstable; urgency=medium
* [ad8cc7c] New upstream version 102.9.0
Fixed CVE issues in upstream version 102.9 (MFSA 2023-11):
CVE-2023-25751: Incorrect code generation during JIT compilation
CVE-2023-28164: URL being dragged from a removed cross-origin iframe
into the same tab triggered navigation
CVE-2023-28162: Invalid downcast in Worklets
CVE-2023-25752: Potential out-of-bounds when accessing throttled streams
CVE-2023-28176: Memory safety bugs fixed in Thunderbird 102.9
* [b0a22c0] d/control: Increase Standards-Version to 4.6.2
No further changes needed.
-- Carsten Schoenert <email address hidden> Wed, 15 Mar 2023 19:54:53 +0100
-
thunderbird (1:102.8.0-1) unstable; urgency=medium
* [b130936] New upstream version 102.8.0
Fixed CVE issues in upstream version 102.8.0 (MFSA 2023-07):
CVE-2023-0616: User Interface lockup with messages combining S/MIME and
OpenPGP
CVE-2023-25728: Content security policy leak in violation reports using
iframes
CVE-2023-25730: Screen hijack via browser fullscreen mode
CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS
CVE-2023-25735: Potential use-after-free from compartment mismatch in
SpiderMonkey
CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry
CVE-2023-25739: Use-after-free in
mozilla::dom::ScriptLoadContext::~ScriptLoadContext
CVE-2023-25729: Extensions could have opened external schemes without
user knowledge
CVE-2023-25732: Out of bounds memory write from EncodeInputStream
CVE-2023-25742: Web Crypto ImportKey crashes tab
CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8
* [66e2335] Rebuild patch queue from patch-queue branch
Removed patch (included upstream):
debian-hacks/Python-3.11-Don-t-use-mode-rU-any-more.patch
-- Carsten Schoenert <email address hidden> Fri, 17 Feb 2023 20:17:32 +0100
-
thunderbird (1:102.7.2-1) unstable; urgency=medium
* [468e468] New upstream version 102.7.2
-- Carsten Schoenert <email address hidden> Wed, 08 Feb 2023 18:34:59 +0100
-
thunderbird (1:102.7.1+1-1) unstable; urgency=medium
* [5ce0e7d] New upstream version 102.7.1+1
Fixed CVE issues in upstream version 102.7.1 (MFSA 2023-04):
CVE-2023-0430: Revocation status of S/Mime signature certificates was
not checked
Note: The previous version 1:102.7.1-1 was built on top of a release
candidate which did not fix CVE-2023-0430 fully.
(Closes: #1029594, #1029606)
* [c7c81a5] apparmor: Expand profile folder about .mozilla-thunderbird
(Closes: #1030532)
-- Carsten Schoenert <email address hidden> Sun, 05 Feb 2023 17:27:40 +0100
-
thunderbird (1:102.7.1-1) unstable; urgency=medium
* [dbc3385] New upstream version 102.7.1
Fixed CVE issues in upstream version 102.7 (MFSA 2023-03):
CVE-2022-46871: libusrsctp library out of date
CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
CVE-2023-23601: URL being dragged from cross-origin iframe into same
tab triggers navigation
CVE-2023-23602: Content Security Policy wasn't being correctly applied
to WebSockets in WebWorkers
CVE-2022-46877: Fullscreen notification bypass
CVE-2023-23603: Calls to console.log allowed bypassing
Content Security Policy via format directive
CVE-2023-23605: Memory safety bugs fixed in Thunderbird 102.7
Fixed CVE issues in upstream version 102.7.1 (MFSA not yet released):
CVE-2023-0430: Revocation status of S/Mime signature certificates was
not checked
* [af92a36] Rebuild patch queue from patch-queue branch
Added patch:
debian-hacks/Python-3.11-Don-t-use-mode-rU-any-more.patch
(Closes: #1028885)
-- Carsten Schoenert <email address hidden> Tue, 24 Jan 2023 16:32:06 +0100
-
thunderbird (1:102.6.0-1) unstable; urgency=medium
[ Paul Gevers ]
* [6bbbd94] tests: thunderbird no longer builds on armel and armhf, so
let's not fail while trying to test there
* [d9e09a0] tests: help.sh is really a very superficial test, so let's
mark it as such
[ Carsten Schoenert ]
* [43b90d6] New upstream version 102.6.0
Fixed CVE issues in upstream version 102.6 (MFSA 2022-53):
CVE-2022-46880: Use-after-free in WebGL
CVE-2022-46872: Arbitrary file read from a compromised content process
CVE-2022-46881: Memory corruption in WebGL
CVE-2022-46874: Drag and Dropped Filenames could have been truncated to
malicious extensions
CVE-2022-46882: Use-after-free in WebGL
CVE-2022-46878: Memory safety bugs fixed in Thunderbird 102.6
* [745c1a3] Rebuild patch queue from patch-queue branch
Removed patches (included upstream):
fixes/Bug-1773070-Rename-remove-some-eventState-s-variables.-r-.patch
fixes/Bug-1782988-Avoid-build-bustage-when-building-against-gli.patch
fixes/Bug-1782988-Fix-use-of-arc4random_buf-use-in-ping.cpp.-r-.patch
* [1e74214] d/control: Increase build dep on libnss3-dev to 3.79.2
-- Carsten Schoenert <email address hidden> Tue, 13 Dec 2022 19:40:57 +0100
-
thunderbird (1:102.5.1-1) unstable; urgency=medium
* [ae4d1ff] New upstream version 102.5.1
Fixed CVE issues in upstream version 102.5.1 (MFSA 2022-50):
CVE-2022-45414: Quoting from an HTML email with certain tags will trigger
network requests and load remote content, regardless of
a configuration to block remote content
-- Carsten Schoenert <email address hidden> Wed, 30 Nov 2022 12:27:38 +0100
-
thunderbird (1:102.5.0-1) unstable; urgency=medium
* [2f04265] New upstream version 102.5.0
Fixed CVE issues in upstream version 102.5 (MFSA 2022-49):
CVE-2022-45403: Service Workers might have learned size of cross-origin
media files
CVE-2022-45404: Fullscreen notification bypass
CVE-2022-45405: Use-after-free in InputStream implementation
CVE-2022-45406: Use-after-free of a JavaScript Realm
CVE-2022-45408: Fullscreen notification bypass via windowName
CVE-2022-45409: Use-after-free in Garbage Collection
CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite
cookie policy
CVE-2022-45411: Cross-Site Tracing was possible via non-standard
override headers
CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers
CVE-2022-45416: Keystroke Side-Channel Leakage
CVE-2022-45418: Custom mouse cursor could have been drawn over
browser UI
CVE-2022-45420: Iframe contents could be rendered outside the iframe
CVE-2022-45421: Memory safety bugs fixed in Thunderbird 102.5
* [57e94ac] Rebuild patch queue from patch-queue branch
Added patches:
fixes/Bug-1782988-Avoid-build-bustage-when-building-against-gli.patch
fixes/Bug-1782988-Fix-use-of-arc4random_buf-use-in-ping.cpp.-r-.patch
(Closes: #1023789)
-- Carsten Schoenert <email address hidden> Sat, 15 Nov 2022 19:34:55 +0100
-
thunderbird (1:102.4.1-1) unstable; urgency=medium
[ intrigeri ]
* [37c5b01] AppArmor: update profile from upstream at commit
09fa2669dc95cb336d133a6b96cac227e3aa73dc
This allows running Thunderbird as a native Wayland application.
[ Carsten Schoenert ]
* [031c4a2] New upstream version 102.4.1
-- Carsten Schoenert <email address hidden> Mon, 31 Oct 2022 18:50:44 +0100
-
thunderbird (1:102.4.0-1) unstable; urgency=medium
* [6bfe8cd] New upstream version 102.4.0
Fixed CVE issues in upstream version 102.4 (MFSA 2022-46):
CVE-2022-42927: Same-origin policy violation could have leaked
cross-origin URLs
CVE-2022-42928: Memory Corruption in JS Engine
CVE-2022-42929: Denial of Service via window.print
CVE-2022-42932: Memory safety bugs fixed in Thunderbird 102.4
-- Carsten Schoenert <email address hidden> Mon, 24 Oct 2022 22:33:05 +0200
-
thunderbird (1:102.3.3-1) unstable; urgency=medium
* [6729f5d] New upstream version 102.3.3
-- Carsten Schoenert <email address hidden> Thu, 13 Oct 2022 16:09:50 +0200
-
thunderbird (1:102.3.2-1) unstable; urgency=medium
* [db7a24f] New upstream version 102.3.2
-- Carsten Schoenert <email address hidden> Thu, 06 Oct 2022 20:34:42 +0200
-
thunderbird (1:102.3.1-1) unstable; urgency=medium
* [f845126] New upstream version 102.3.1
* [4555808] Rebuild patch queue from patch-queue branch
debian-hacks/Use-remoting-name-for-call-to-gdk_set_program_class.patch
fixes/Properly-launch-applications-set-in-HOME-.mailcap.patch
* [344dbfa] d/copyright: Add info about code from Matrix
-- Carsten Schoenert <email address hidden> Thu, 29 Sep 2022 19:09:02 +0200
-
thunderbird (1:102.3.0-1) unstable; urgency=medium
* [0e841a7] New upstream version 102.3.0
Fixed CVE issues in upstream version 102.3 (MFSA 2022-42):
CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages
CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads
CVE-2022-40958: Bypassing Secure Context restriction for cookies with
__Host and __Secure prefix
CVE-2022-40956: Content-Security-Policy base-uri bypass
CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64
CVE-2022-40962: Memory safety bugs fixed in Thunderbird 102.3
-- Carsten Schoenert <email address hidden> Fri, 16 Sep 2022 16:56:20 +0200
-
thunderbird (1:102.2.2-1) unstable; urgency=medium
* [f1dc81f] New upstream version 102.2.2
-- Carsten Schoenert <email address hidden> Thu, 08 Sep 2022 17:25:57 +0200
-
thunderbird (1:102.2.1-1) unstable; urgency=medium
* [e1d0f74] New upstream version 102.2.1
Fixed CVE issues in upstream version 102.2.1 (MFSA 2022-38):
CVE-2022-3033: Leaking of sensitive information when composing a response
to an HTML email with a META refresh tag
CVE-2022-3032: Remote content specified in an HTML document that was
nested inside an iframe's srcdoc attribute was not blocked
CVE-2022-3034: An iframe element in an HTML email could trigger a
network request
CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to
denial-of-service attack
-- Carsten Schoenert <email address hidden> Thu, 01 Sep 2022 07:52:16 +0200
-
thunderbird (1:102.2.0-1) unstable; urgency=medium
[ Amr Ibrahim ]
* [02a3990] thunderbird.desktop: Update StartupWMClass
(Closes: #1017420, #1014748)
[ Carsten Schoenert ]
* [f7b62a8] d-create-upstream-tarballs.py: Use correct variable
* [7194457] New upstream version 102.2.0
Fixed CVE issues in upstream version 102.2 (MFSA 2022-36):
CVE-2022-38472: Address bar spoofing via XSLT error handling
CVE-2022-38473: Cross-origin XSLT Documents would have inherited the
parent's permissions
CVE-2022-38476: Data race and potential use-after-free in PK11_ChangePW
CVE-2022-38477: Memory safety bugs fixed in Thunderbird 102.2
CVE-2022-38478: Memory safety bugs fixed in Thunderbird 102.2, and
Thunderbird 91.13
-- Carsten Schoenert <email address hidden> Sun, 28 Aug 2022 17:23:50 +0200
-
thunderbird (1:102.1.2-1) unstable; urgency=medium
* [78f2899] d/copyright: Update content due to upstream changes
* [55dba1d] d/source.filter: Update content to filter out
* [3e19497] Lintian: Adjust overrides for thunderbird package
* [567e0c4] Lintian: Adjust overrides for source package
* [c201484] New upstream version 102.1.2
(Closes: #1016944)
-- Carsten Schoenert <email address hidden> Thu, 11 Aug 2022 16:37:07 +0200
-
thunderbird (1:102.1.1-1) unstable; urgency=medium
* [2c1b12f] d/create-upstream-tarballs.py: Adding new helper script
* [a9633b9] d/README.source: Update information on importing data
* [1d2cdc0] d/source.filter: Relax filter rule for old-configure
* [f1afe9b] d/repack.py: Don't exit(1) if unused filter items exist
* [165593a] d/create-thunderbird-l10n-tarball.sh: Drop old helper
* [b4d73ee] d/gbp.conf: Drop 'import-orig' section
* [d186832] d/source.filter: Add files named *.orig and *.rej
* [933b099] New upstream version 102.1.1
(Closes: #1014675)
-- Carsten Schoenert <email address hidden> Sat, 06 Aug 2022 11:26:44 +0200
-
thunderbird (1:102.1.0-1) unstable; urgency=medium
* [3b7bb0d] New upstream version 102.1.0
Fixed CVE issues in upstream version 102.1 (MFSA 2022-32):
CVE-2022-36319: Mouse Position spoofing with CSS transforms
CVE-2022-36318: Directory indexes for bundled resources reflected URL
parameters
CVE-2022-2505: Memory safety bugs fixed in Thunderbird 102.1
(Closes: #1016083, #1014745, #1014675, #1014638)
-- Carsten Schoenert <email address hidden> Fri, 29 Jul 2022 17:00:53 +0200
-
thunderbird (1:102.0.2-1) unstable; urgency=medium
* [079e135] d/repack.py: Small rework and adjustments
* [fc2518e] d/control: Readjust Vcs links to unstable
* [a7b09b3] d/gbp.conf: Sign tags automatically
* [faf115d] New upstream version 102.0.2
-- Carsten Schoenert <email address hidden> Tue, 12 Jul 2022 18:41:04 +0200
-
thunderbird (1:102.0.1-1) unstable; urgency=medium
* [68c9410] d/gbp.conf: Adjust upstream branch to new ESR cycle
* [45eca79] New upstream version 102.0.1
Fixed CVE issues in upstream version 102.0 (MFSA 2022-26):
CVE-2022-34479: A popup window could be resized in a way to overlay the
address bar with web content
CVE-2022-34470: Use-after-free in nsSHistory
CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
CVE-2022-2226: An email with a mismatching OpenPGP signature date was
accepted as valid
CVE-2022-34481: Potential integer overflow in ReplaceElementsAt
CVE-2022-31744: CSP bypass enabling stylesheet injection
CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being
blocked
CVE-2022-2200: Undesired attributes could be set as part of prototype
pollution
CVE-2022-34484: Memory safety bugs fixed in Thunderbird 91.11 and
Thunderbird 102
* [1842425] d/watch: Look now for versions starting with 3 digits
* [0a32bb3] d/control: Add package thunderbird-l10n-es-mx
-- Carsten Schoenert <email address hidden> Fri, 08 Jul 2022 17:47:21 +0200
-
thunderbird (1:91.11.0-1) unstable; urgency=medium
* [05a947d] New upstream version 91.11.0
Fixed CVE issues in upstream version 91.11 (MFSA 2022-26):
CVE-2022-34479: A popup window could be resized in a way to overlay the
address bar with web content
CVE-2022-34470: Use-after-free in nsSHistory
CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
CVE-2022-2226: An email with a mismatching OpenPGP signature date was
accepted as valid
CVE-2022-34481: Potential integer overflow in ReplaceElementsAt
CVE-2022-31744: CSP bypass enabling stylesheet injection
CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being
blocked
CVE-2022-2200: Undesired attributes could be set as part of prototype
pollution
CVE-2022-34484: Memory safety bugs fixed in Thunderbird 91.11 and
Thunderbird 102
(Closes: #1014004)
* [4c4944d] Rebuild patch queue from patch-queue branch
Added patch:
fixes/Bug-1773070-Rename-remove-some-eventState-s-variables.-r-.patch
-- Carsten Schoenert <email address hidden> Fri, 01 Jul 2022 20:12:40 +0200
-
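The two entries above list the same MFSA 2022-26 CVEs under two package versions (1:102.0.1-1 and 1:91.11.0-1), which is the usual question a practitioner brings to a changelog like this one: is a given CVE fixed in the version I have installed? The following is an added example, not code from the Debian thunderbird packaging or from Mozilla. It parses Debian changelog entries for CVE and MFSA identifiers, implements the dpkg version-comparison algorithm (epoch, upstream, revision, with `~` sorting before everything) so that 1:91.11.0-1 compares correctly against 1:102.0.1-1, and treats a CVE as fixed when the installed version is at or above the oldest version whose entry lists it. The sample changelog is constructed and abbreviated from the entries above, with the maintainer address replaced by a placeholder; the "oldest listing version" rule is this example's assumption, and MOZ-* placeholders (as in the 91.3.0 entry below) are deliberately not treated as CVE identifiers.

```python
import functools
import re

# Constructed sample, abbreviated from the Debian thunderbird changelog above;
# CVE titles shortened, maintainer address replaced by a placeholder.
SAMPLE_CHANGELOG = """\
thunderbird (1:102.0.1-1) unstable; urgency=medium
  * [45eca79] New upstream version 102.0.1
    Fixed CVE issues in upstream version 102.0 (MFSA 2022-26):
    CVE-2022-34479: A popup window could overlay the address bar
    CVE-2022-34470: Use-after-free in nsSHistory
 -- Carsten Schoenert <maintainer@example.invalid>  Fri, 08 Jul 2022 17:47:21 +0200

thunderbird (1:91.11.0-1) unstable; urgency=medium
  * [05a947d] New upstream version 91.11.0
    Fixed CVE issues in upstream version 91.11 (MFSA 2022-26):
    CVE-2022-34479: A popup window could overlay the address bar
    CVE-2022-34470: Use-after-free in nsSHistory
 -- Carsten Schoenert <maintainer@example.invalid>  Fri, 01 Jul 2022 20:12:40 +0200

thunderbird (1:91.10.0-1) unstable; urgency=medium
  * [969960a] New upstream version 91.10.0
    Fixed CVE issues in upstream version 91.10 (MFSA 2022-22):
    CVE-2022-31736: Cross-Origin resource's length leaked
 -- Carsten Schoenert <maintainer@example.invalid>  Mon, 30 May 2022 19:36:06 +0200
"""

HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=(\S+)")
CVE_RE = re.compile(r"\b(CVE-\d{4}-\d{4,7})\b")   # MOZ-* placeholders are not CVEs
MFSA_RE = re.compile(r"\b(MFSA \d{4}-\d{2,3})\b")


def parse_changelog(text):
    """Return entries (newest first, as in the file) with version, CVE and MFSA ids."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"source": m.group(1), "version": m.group(2), "cves": [], "mfsa": []}
            entries.append(current)
            continue
        if current is None:
            continue
        for cve in CVE_RE.findall(line):
            if cve not in current["cves"]:
                current["cves"].append(cve)
        for mfsa in MFSA_RE.findall(line):
            if mfsa not in current["mfsa"]:
                current["mfsa"].append(mfsa)
    return entries


def _order(c):
    # dpkg's character ordering: '~' < end-of-string < digits(0) < letters < other
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp: alternate non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":      # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():       # longer number wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like 'dpkg --compare-versions' would order a and b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def fixed_in(entries, cve):
    """Package versions whose changelog entry lists `cve`, in file order."""
    return [e["version"] for e in entries if cve in e["cves"]]


def is_fixed(entries, cve, installed_version):
    """Assumption: a fix listed in version X is present in every version >= X."""
    versions = fixed_in(entries, cve)
    if not versions:
        return False
    oldest = min(versions, key=functools.cmp_to_key(compare_versions))
    return compare_versions(installed_version, oldest) >= 0


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    for installed in ("1:91.10.0-1", "1:91.11.0-1", "1:102.0.2-1"):
        print(installed, "CVE-2022-34470 fixed:", is_fixed(entries, "CVE-2022-34470", installed))
```

Run it against `/usr/share/doc/thunderbird/changelog.Debian.gz` (gunzipped) and the output of `dpkg-query -W -f '${Version}' thunderbird` to check a real installation. Two caveats follow from the entries on this page: a changelog is edited history (the 91.4.1 entry notes that MOZ-* placeholders were later replaced with assigned CVEs, so an older copy of the file may name the same bug differently), and a fix listed under an old upstream branch is only "present" in a newer package if that newer package actually tracks a later upstream release, which holds for a single distribution's changelog but not across backports from another suite.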
thunderbird (1:91.10.0-1) unstable; urgency=medium
* [969960a] New upstream version 91.10.0
Fixed CVE issues in upstream version 91.9.1 (MFSA 2022-19):
CVE-2022-1802: Prototype pollution in Top-Level Await implementation
CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading
to prototype pollution
Fixed CVE issues in upstream version 91.10 (MFSA 2022-22):
CVE-2022-31736: Cross-Origin resource's length leaked
CVE-2022-31737: Heap buffer overflow in WebGL
CVE-2022-31738: Browser window spoof using fullscreen mode
CVE-2022-31739: Attacker-influenced path traversal when saving downloaded
files
CVE-2022-31740: Register allocation problem in WASM on arm64
CVE-2022-31741: Uninitialized variable leads to invalid memory read
CVE-2022-1834: Braille space character caused incorrect sender email to be
shown for a digitally signed email
CVE-2022-31742: Querying a WebAuthn token with a large number of
allowCredential entries may have leaked cross-origin
information
CVE-2022-31747: Memory safety bugs fixed in Thunderbird 91.10
* [4b55e16] d/control: Increase Standards-Version to 4.6.0
No further changes needed.
-- Carsten Schoenert <email address hidden> Mon, 30 May 2022 19:36:06 +0200
-
thunderbird (1:91.9.0-1) unstable; urgency=medium
* [88b99d1] New upstream version 91.9.0
Fixed CVE issues in upstream version 91.9 (MFSA 2022-18):
CVE-2022-1520: Incorrect security status shown after viewing an attached
email
CVE-2022-29914: Fullscreen notification bypass using popups
CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
CVE-2022-29916: Leaking browser history with CSS variables
CVE-2022-29911: iframe sandbox bypass
CVE-2022-29912: Reader mode bypassed SameSite cookies
CVE-2022-29913: Speech Synthesis feature not properly disabled
CVE-2022-29917: Memory safety bugs fixed in Thunderbird 91.9
-- Carsten Schoenert <email address hidden> Mon, 16 May 2022 13:51:59 +0200
-
thunderbird (1:91.8.1-1) unstable; urgency=medium
* [b57406c] New upstream version 91.8.1
(Closes: #1009321)
-- Carsten Schoenert <email address hidden> Tue, 19 Apr 2022 20:27:13 +0200
-
thunderbird (1:91.8.0-1) unstable; urgency=medium
* [06619c5] New upstream version 91.8.0
Fixed CVE issues in upstream version 91.8 (MFSA 2022-15):
CVE-2022-1097: Use-after-free in NSSToken objects
CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions
CVE-2022-1197: OpenPGP revocation information was ignored
CVE-2022-1196: Use-after-free after VR Process destruction
CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument
CVE-2022-28285: Incorrect AliasSet used in JIT Codegen
CVE-2022-28286: iframe contents could be rendered outside the border
CVE-2022-24713: Denial of Service via complex regular expressions
CVE-2022-28289: Memory safety bugs fixed in Thunderbird 91.8
-- Carsten Schoenert <email address hidden> Wed, 06 Apr 2022 20:08:25 +0200
-
thunderbird (1:91.7.0-2) unstable; urgency=medium
* [c348b62] Rebuild patch-queue from patch queue branch
Added patch:
fixes/Bug-1494436-Unset-MOZ_APP_LAUNCHER-for-external-MIME-hand.patch
(Closes: #948691)
Thanks go out to Simon McVittie for preparing this patch!
-- Carsten Schoenert <email address hidden> Wed, 16 Mar 2022 06:55:46 +0100
-
thunderbird (1:91.7.0-1) unstable; urgency=medium
* [952f6d0] New upstream version 91.7.0
Fixed CVE issues in upstream version 91.7 (MFSA 2022-12):
CVE-2022-26383: Browser window spoof using fullscreen mode
CVE-2022-26384: iframe allow-scripts sandbox bypass
CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on
signatures
CVE-2022-26381: Use-after-free in text reflows
CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other
local users
-- Carsten Schoenert <email address hidden> Tue, 15 Mar 2022 17:54:46 +0100
-
thunderbird (1:91.6.2-1) unstable; urgency=medium
* [2f95b97] New upstream version 91.6.2
Fixed CVE issues in upstream version 91.6.2 (MFSA 2022-09):
CVE-2022-26485: Use-after-free in XSLT parameter processing
CVE-2022-26486: Use-after-free in WebGPU IPC Framework
-- Carsten Schoenert <email address hidden> Tue, 08 Mar 2022 08:40:12 +0100
-
thunderbird (1:91.6.1-1) unstable; urgency=medium
* [3edb855] New upstream version 91.6.1
Fixed CVE issues in upstream version 91.6.1 (MFSA 2022-07):
CVE-2022-0566: Crafted email could trigger an out-of-bounds write
-- Carsten Schoenert <email address hidden> Sat, 19 Feb 2022 11:01:46 +0100
-
thunderbird (1:91.6.0-1) unstable; urgency=medium
* [884ccb6] New upstream version 91.6.0
Fixed CVE issues in upstream version 91.6 (MFSA 2022-06):
CVE-2022-22754: Extensions could have bypassed permission confirmation
during update
CVE-2022-22756: Drag and dropping an image could have resulted in the
dropped object being an executable
CVE-2022-22759: Sandboxed iframes could have executed script if the parent
appended elements
CVE-2022-22760: Cross-Origin responses could be distinguished between
script and non-script content-types
CVE-2022-22761: frame-ancestors Content Security Policy directive was not
enforced for framed extension pages
CVE-2022-22763: Script Execution during invalid object state
CVE-2022-22764: Memory safety bugs fixed in Thunderbird 91.6
(Closes: #1004951)
-- Carsten Schoenert <email address hidden> Fri, 11 Feb 2022 18:50:23 +0100
-
thunderbird (1:91.5.1-1) unstable; urgency=medium
* [130bab2] New upstream version 91.5.1
-- Carsten Schoenert <email address hidden> Sun, 23 Jan 2022 18:41:12 +0100
-
thunderbird (1:91.5.0-2) unstable; urgency=medium
* [fd07163] autopkgtest: Run check-global-config-path.py only on Intel
-- Carsten Schoenert <email address hidden> Wed, 12 Jan 2022 20:46:54 +0100
-
thunderbird (1:91.5.0-1) unstable; urgency=medium
[ Carsten Schoenert ]
* [8d4e5f8] New upstream version 91.5.0
Fixed CVE issues in upstream version 91.5 (MFSA 2022-03):
CVE-2022-22743: Browser window spoof using fullscreen mode
CVE-2022-22742: Out-of-bounds memory access when inserting text in edit
mode
CVE-2022-22741: Browser window spoof using fullscreen mode
CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
CVE-2022-22737: Race condition when playing audio files
CVE-2021-4140: Iframe sandbox bypass with XSLT
CVE-2022-22748: Spoofed origin on external protocol launch dialog
CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation
event
CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully
escape website-controlled data, potentially leading to
command injection
CVE-2022-22747: Crash when handling empty pkcs7 sequence
CVE-2022-22739: Missing throttling on external protocol launch dialog
CVE-2022-22751: Memory safety bugs fixed in Thunderbird 91.5
* [a86c0b4] Rebuild patch queue from patch-queue branch
Modified patch:
debian-hacks/Add-another-preferences-directory-for-applications-p.patch
Reworking the patch so LoadDirIntoArray works again, which adds an
additional syspref folder for global settings to use.
(Closes: #997841, #1003280)
* [442988b] autopkgtest: Adding check for accessing syspref folder
[ Jochen Sprickerhof ]
* [5b5d508] d/thunderbird-wrapper.sh: Use 'command -v'
(Closes: #1002570)
-- Carsten Schoenert <email address hidden> Tue, 11 Jan 2022 19:12:50 +0100
-
thunderbird (1:91.4.1-1) unstable; urgency=medium
* [c5b36d3] New upstream version 91.4.1
Fixed CVE issues in upstream version 91.4.1 (MFSA 2021-55):
CVE-2021-4126: OpenPGP signature status doesn't consider additional
message content
CVE-2021-44538: Matrix chat library libolm bundled with Thunderbird
vulnerable to a buffer overflow
* [b66bebb] d/changelog: Update some MOZ-* entries with assigned CVEs
-- Carsten Schoenert <email address hidden> Mon, 20 Dec 2021 16:05:02 +0100
-
thunderbird (1:91.4.0-1) unstable; urgency=medium
* [7752be0] d/source.filter: Small updates to filtering list
* [0899850] New upstream version 91.4.0
Fixed CVE issues in upstream version 91.4 (MFSA 2021-54):
CVE-2021-43536: URL leakage when navigating while executing asynchronous
function
CVE-2021-43537: Heap buffer overflow when using structured clone
CVE-2021-43538: Missing fullscreen and pointer lock notification when
requesting both
CVE-2021-43539: GC rooting failure when calling wasm instance methods
CVE-2021-43541: External protocol handler parameters were unescaped
CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence
of an external protocol handler
CVE-2021-43543: Bypass of CSP sandbox directive when embedding
CVE-2021-43545: Denial of Service when using the Location API in a loop
CVE-2021-43546: Cursor spoofing could overlay user interface when native
cursor is zoomed
CVE-2021-43528: JavaScript unexpectedly enabled for the composition area
MOZ-2021-0009: Memory safety bugs fixed in Thunderbird 91.4.0
* [afd7750] d/t.lintian-overrides: Update entries due renamed tags
Some Lintian tags were renamed, thus requiring an adjustment of the existing
overrides.
* [30a387c] d/s/lintian-overrides: Adjust most of the existing entries
Same as before but for the source package.
-- Carsten Schoenert <email address hidden> Tue, 07 Dec 2021 18:26:44 +0100
-
thunderbird (1:91.3.2-1) unstable; urgency=medium
* [7fd56f0] New upstream version 91.3.2
* [4fccecb] Rebuild patch queue from patch-queue branch
Added patch:
debian-hacks/Fix-Floating-Point-Normalization-breakage-on-32bit-Linux.patch
-- Carsten Schoenert <email address hidden> Sun, 21 Nov 2021 18:29:42 +0100
-
thunderbird (1:91.3.0-1) unstable; urgency=medium
* [1d3e0b1] Revert "Rebuild patch queue from patch-queue branch"
The patch for fixing the broken build on i386 breaks other architectures,
so reverting for now.
* [66755b4] New upstream version 91.3.0
Fixed CVE issues in upstream version 91.3 (MFSA 2021-50):
CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
CVE-2021-38504: Use-after-free in file picker dialog
CVE-2021-38506: Thunderbird could be coaxed into going into fullscreen
mode without notification or warning
CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass
the Same-Origin-Policy on services hosted on other ports
MOZ-2021-0008: Use-after-free in HTTP2 Session object (no CVE assigned yet)
CVE-2021-38508: Permission Prompt could be overlaid, resulting in user
confusion and potential spoofing
CVE-2021-38509: Javascript alert box could have been spoofed onto an
arbitrary domain
MOZ-2021-0007: Memory safety bugs fixed in Thunderbird ESR 91.3 (no CVE
assigned yet)
-- Carsten Schoenert <email address hidden> Wed, 03 Nov 2021 18:14:09 +0100
-
thunderbird (1:91.2.1-1) unstable; urgency=medium
[ Carsten Schoenert ]
* [bcb5677] d/gbp.conf: Adjust to upstream-91.x
* [12a433a] New upstream version 91.2.1
* [f935b52] Rebuild patch queue from patch-queue branch
Added patch:
debian-hacks/Fix-Floating-Point-Normalization-breakage-on-32bit-Linux.patch
* [3faba71] Disable usage of system icu package
The system packages of libicu-dev are too old for Thunderbird, we need to
use the internal pre-shipped ICU sources.
-- Carsten Schoenert <email address hidden> Sat, 23 Oct 2021 08:59:32 +0200
-
thunderbird (1:78.14.0-1) unstable; urgency=medium
* [6dc6817] d/changelog: Correct TB version for referenced MFSA
* [38f01f4] d/rules: Don't run dh_autoreconf
(Closes: #993494)
* [09c4cde] New upstream version 78.14.0
Fixed CVE issues in upstream version 78.14.0 (MFSA 2021-42):
CVE-2021-38493: Memory safety bugs fixed in Thunderbird 78.14 and
Thunderbird 91.1
-- Carsten Schoenert <email address hidden> Wed, 08 Sep 2021 19:57:22 +0200
-
thunderbird (1:78.13.0-1) unstable; urgency=medium
* [b4498b0] New upstream version 78.13.0
Fixed CVE issues in upstream version 78.12 (MFSA 2021-35):
CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
CVE-2021-29988: Memory corruption as a result of incorrect style treatment
CVE-2021-29984: Incorrect instruction reordering during JIT optimization
CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
CVE-2021-29985: Use-after-free media channels
CVE-2021-29989: Memory safety bugs fixed in Thunderbird 78.13
-- Carsten Schoenert <email address hidden> Thu, 12 Aug 2021 16:13:25 +0200
-
thunderbird (1:78.12.0-1) unstable; urgency=medium
* [74d3cdb] New upstream version 78.12.0
Fixed CVE issues in upstream version 78.12 (MFSA 2021-30):
CVE-2021-29969: IMAP server responses sent by a MITM prior to STARTTLS
could be processed
CVE-2021-29970: Use-after-free in accessibility features of a document
CVE-2021-30547: Out of bounds write in ANGLE
CVE-2021-29976: Memory safety bugs fixed in Thunderbird 78.12
-- Carsten Schoenert <email address hidden> Sat, 17 Jul 2021 09:33:28 +0200
-
thunderbird (1:78.11.0-2) unstable; urgency=medium
[ Carsten Schoenert ]
* [241e539] d/thunderbird.1: Correct debugger option
Remove parts that are no longer valid, especially as there is no dedicated
shell script any more that the user has to start; calling 'thunderbird -g' is
enough to start a GDB session.
* [66deb37] thunderbird: Use internal NSS source while package built
(Closes: #989839, #989843, #989979, #989983, #989922, #990012)
* [07fb6ef] d/thunderbird-wrapper.sh: Use '${}' syntax for variables
[ Kevin Locke ]
* [d003e26] d/thunderbird-wrapper.sh: Make gdb call more fail safe
(Closes: #942799)
-- Carsten Schoenert <email address hidden> Sun, 20 Jun 2021 07:20:41 +0200
-
thunderbird (1:78.11.0-1) unstable; urgency=medium
* [42c4a87] New upstream version 78.11.0
Fixed CVE issues in upstream version 78.11 (MFSA 2021-26):
CVE-2021-29967: Memory safety bugs fixed in Thunderbird 78.11
-- Carsten Schoenert <email address hidden> Thu, 03 Jun 2021 17:22:34 +0200
-
thunderbird (1:78.10.2-1) unstable; urgency=medium
* [69552d8] New upstream version 78.10.2
Fixed CVE issues in upstream version 78.10.2 (MFSA 2021-22):
CVE-2021-29957: Partial protection of inline OpenPGP message not indicated
CVE-2021-29956: Thunderbird stored OpenPGP secret keys without master
password protection
-- Carsten Schoenert <email address hidden> Wed, 19 May 2021 21:57:11 +0200
-
thunderbird (1:78.10.0-1) unstable; urgency=medium
* [f38d78f] New upstream version 78.10.0
Fixed CVE issues in upstream version 78.10 (MFSA 2021-15):
CVE-2021-23994: Out of bound write due to lazy initialization
CVE-2021-23995: Use-after-free in Responsive Design Mode
CVE-2021-23998: Secure Lock icon could have been spoofed
CVE-2021-23961: More internal network hosts could have been probed by a
malicious webpage
CVE-2021-23999: Blob URLs may have been granted additional privileges
CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
encoded URL
CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead
to null-reads (This issue only affected x86-32 platforms.)
CVE-2021-29946: Port blocking could be bypassed
CVE-2021-29948: Race condition when reading from disk while verifying
signatures
-- Carsten Schoenert <email address hidden> Mon, 19 Apr 2021 20:00:32 +0200
-
thunderbird (1:78.9.0-1) unstable; urgency=medium
[ Colomban Wendling ]
* [7d454de] d/thunderbird.desktop: Switch StartupWMClass
(Closes: #985366)
[ Carsten Schoenert ]
* [23fe9ce] d/source.filter: small update to filtering list
* [828b9d7] New upstream version 78.9.0
Fixed CVE issues in upstream version 78.9 (MFSA 2021-12):
CVE-2021-23981: Texture upload into an unbound backing buffer resulted in
an out-of-bound read
CVE-2021-23982: Internal network hosts could have been probed by a
malicious webpage
CVE-2021-23984: Malicious extensions could have spoofed popup information
CVE-2021-23987: Memory safety bugs fixed in Thunderbird 78.9
* [cf4fbde] rebuild patch queue from patch-queue branch
Removed patch (included upstream):
porting-s390x/Explicitly-instantiate-TIntermTraverser-traverse-TIntermN.patch
-- Carsten Schoenert <email address hidden> Tue, 23 Mar 2021 15:55:43 +0100
-
thunderbird (1:78.8.0-1) unstable; urgency=medium
[ Pino Toscano ]
* [f2f1f3f] thunderbird: Stop shipping /u/s/p/thunderbird.png symlink
[ Carsten Schoenert ]
* [f5707a7] New upstream version 78.8.0
Fixed CVE issues in upstream version 78.8 (MFSA 2021-09):
CVE-2021-23969: Content Security Policy violation report could have
contained the destination of a redirect
CVE-2021-23968: Content Security Policy violation report could have
contained the destination of a redirect
CVE-2021-23973: MediaError message property could have leaked information
about cross-origin resources
CVE-2021-23978: Memory safety bugs fixed in Thunderbird 78.8
-- Carsten Schoenert <email address hidden> Sun, 21 Feb 2021 14:58:05 +0100
-
thunderbird (1:78.7.1-1) unstable; urgency=medium
* [406f9d7] New upstream version 78.7.1
-- Carsten Schoenert <email address hidden> Fri, 05 Feb 2021 20:12:59 +0100
-
thunderbird (1:78.7.0-1) unstable; urgency=medium
* [8751354] New upstream version 78.7.0
Fixed CVE issues in upstream version 78.7 (MFSA 2021-05):
CVE-2021-23953: Cross-origin information leakage via redirected PDF
requests
CVE-2021-23954: Type confusion when using logical assignment operators in
JavaScript switch statements
CVE-2020-15685: IMAP Response Injection when using STARTTLS
CVE-2020-26976: HTTPS pages could have been intercepted by a registered
service worker when they should not have been
CVE-2021-23960: Use-after-poison for incorrectly redeclared JavaScript
variables during GC
CVE-2021-23964: Memory safety bugs fixed in Thunderbird 78.7
* [4b0c0a7] rebuild patch queue from patch-queue branch
removed patch (included upstream):
porting-mips/Bug-1642265-MIPS64-Add-branchTestSymbol-and-fallibleUnbox.patch
-- Carsten Schoenert <email address hidden> Fri, 29 Jan 2021 20:45:49 +0100
-
thunderbird (1:78.6.1-1) unstable; urgency=medium
[ Carsten Schoenert ]
* [67f6117] Add Apache2 notice for third_party/python/coverage
* [38b9ff7] lintian: adding override for false positive in SVG file
[ Carles Pina i Estany ]
* [529d53a] d/thunderbird-wrapper.sh: Unset DEBUG/DEBUGGER variables
(Closes: #960230)
* [6d48708] d/thunderbird-wrapper-helper.sh: Adjust help text
[ Carsten Schoenert ]
* [5309e91] d/thunderbird-wrapper*.sh: Prefixing some local variables
* [07b4733] New upstream version 78.6.1
Fixed CVE issues in upstream version 78.6.1 (MFSA 2021-02):
CVE-2020-16044: Use-after-free write when handling a malicious
COOKIE-ECHO SCTP chunk
-- Carsten Schoenert <email address hidden> Sat, 16 Jan 2021 14:59:02 +0100
-
thunderbird (1:78.6.0-1) unstable; urgency=medium
* [1410f1e] d/watch: update to version 4
* [a8303b7] d/rules: use python3 explicitly while calling mach
* [f3f535e] New upstream version 78.6.0
Fixed CVE issues in upstream version 78.6 (MFSA 2020-56):
CVE-2020-16042: Operations on a BigInt could have caused uninitialized
memory to be exposed
CVE-2020-26971: Heap buffer overflow in WebGL
CVE-2020-26973: CSS Sanitizer performed incorrect sanitization
CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
CVE-2020-26978: Internal network hosts could have been probed by a
malicious webpage
CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs
CVE-2020-35112: Opening an extension-less download may have inadvertently
launched an executable instead
CVE-2020-35113: Memory safety bugs fixed in Thunderbird 78.6
(Closes: #972072, #973697)
* [16a7ab7] /u/l/thunderbird: Correct escape sequencing for gdb calling
We need to do better escaping of the values of the '-ex' option, otherwise
the shell refuses the concatenated string we want to use as the call.
(Closes: #976979)
-- Carsten Schoenert <email address hidden> Tue, 15 Dec 2020 10:12:34 +0100
-
thunderbird (1:78.5.1-1) unstable; urgency=medium
* [08556c2] New upstream version 78.5.1
Fixed CVE issues in upstream version 78.5.1 (MFSA 2020-53):
CVE-2020-26970: Stack overflow due to incorrect parsing of SMTP server
response codes
* [7047340] rebuild patch queue from patch-queue branch
removed patch (included upstream):
fixes/fix-function-nsMsgComposeAndSend-to-respect-Replo.patch
* [40663bb] debian/control: increase Standards-Version to 4.5.1
No further changes needed.
-- Carsten Schoenert <email address hidden> Thu, 03 Dec 2020 05:35:04 +0100
-
thunderbird (1:78.5.0-1) unstable; urgency=medium
* [7842f02] New upstream version 78.5.0
Fixed CVE issues in upstream version 78.5 (MFSA 2020-51):
CVE-2020-26951: Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
CVE-2020-16012: Variable time processing of cross-origin images during
drawImage calls
CVE-2020-26953: Fullscreen could be enabled without displaying the
security UI
CVE-2020-26956: XSS through paste (manual and clipboard API)
CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME
type restrictions
CVE-2020-26959: Use-after-free in WebRequestService
CVE-2020-26960: Potential use-after-free in uses of nsTArray
CVE-2020-15999: Heap buffer overflow in freetype
CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
CVE-2020-26965: Software keyboards may have remembered typed passwords
CVE-2020-26966: Single-word search queries were also broadcast to local
network
CVE-2020-26968: Memory safety bugs fixed in Thunderbird 78.5
* [e19743e] rebuild patch queue from patch-queue branch
removed patch (included upstream):
fixes/Bug-1663715-Update-syn-and-proc-macro2-so-that-Firefox-ca.patch
-- Carsten Schoenert <email address hidden> Wed, 18 Nov 2020 20:06:09 +0100
-
thunderbird (1:78.4.2-1) unstable; urgency=medium
* [c7f4ed2] New upstream version 78.4.2
Fixed CVE issues in upstream version 78.4 (MFSA 2020-49):
CVE-2020-26950: Write side effects in MCallGetProperty opcode not
accounted for
* [c3a617d] rebuild patch queue from patch-queue branch
added patch:
fixes/Bug-1663715-Update-syn-and-proc-macro2-so-that-Firefox-ca.patch
* [8e4e7ad] thunderbird-l10n-all: add thunderbird-l10n-cy
(Closes: #974127)
-- Carsten Schoenert <email address hidden> Tue, 10 Nov 2020 21:19:15 +0100
-
thunderbird (1:78.4.1-1) unstable; urgency=medium
* [cf8bf1e] New upstream version 78.4.1
* [529000c] rebuild patch queue from patch-queue branch
added patches:
fixes/Bug-1650299-Unify-the-inclusion-of-the-ICU-data-file.-r-f.patch
fixes/Don-t-build-ICU-in-parallel.patch
Patches are picked from Firefox and fixing FTBFS on s390x within buster.
-- Carsten Schoenert <email address hidden> Fri, 06 Nov 2020 21:53:24 +0100
-
thunderbird (1:78.4.0-1) unstable; urgency=medium
[ Emilio Pozuelo Monfort ]
* [652f8de] install the apparmor profile in thunderbird.install
[ Carsten Schoenert ]
* [5240d53] Revert "thunderbird.install: adjust.desktop renamed file name"
(Closes: #972601)
* [861b21a] Revert "Rename .desktop file for AppStream compliance"
(Closes: #972578)
* [ffc5818] New upstream version 78.4.0
Fixed CVE issues in upstream version 78.4 (MFSA 2020-47):
CVE-2020-15969: Use-after-free in usersctp
CVE-2020-15683: Memory safety bugs fixed in Thunderbird 78.4
* [81396e3] rebuild patch queue from patch-queue branch
removed patches (fixed upstream):
porting-mips/Bug-1649655-MIPS-Add-CodeGenerator-visitWasmRegisterResul.patch
porting/Bug-1666646-Bump-CodeAlignment-to-8-in-MacroAssembler-non.patch
modified patches:
fixes/Appdata-Adding-some-German-translations.patch
fixes/Appdata-Fix-up-AppStream-error-by-adding-missing-field.patch
Minor fine tuning to the AppStream specific parts, but also revert some
translation entries as they are not intended to be translatable.
These modifications are also in correlation with the bug reports mentioned
above, which are closed by the other adjustments.
-- Carsten Schoenert <email address hidden> Thu, 22 Oct 2020 18:48:25 +0200
-
thunderbird (1:78.3.3-1) unstable; urgency=medium
[ Emilio Pozuelo Monfort ]
* [6f18974] Remove duplicated --disable-debug-symbols flag
* [1119d50] Print a verbose build log by not calling the mach wrapper
* [fcf7c11] Exclude -g from CXXFLAGS as well
[ Carsten Schoenert ]
* [9eb159f] New upstream version 78.3.3
* [47171dc] rebuild patch queue from patch-queue branch
added patches:
fixes/Appdata-Adding-some-German-translations.patch
fixes/Appdata-Fix-up-AppStream-error-by-adding-missing-field.patch
* [1474d91] Rename .desktop file for AppStream compliance
* [10e49a9] thunderbird.install: adjust.desktop renamed file name
* [018bbc1] thunderbird.pc: remove left over cruft
-- Carsten Schoenert <email address hidden> Sun, 18 Oct 2020 08:49:20 +0200
-
thunderbird (1:78.3.2-1) unstable; urgency=medium
* [0b2f19f] d/rules: remove hand crafted icu build
Cherry-picked from debian/buster branch.
The possibly required build of ICU, if an external ICU library is not used,
is now handled by the upstream build system.
* [1583517] d/rules: rewrite dpkg_buildflags to remove option '-g'
Cherry-picked from debian/buster branch.
We need to remove the option '-g' from the dpkg_buildflags variable for
real if we want a build without debugging information (e.g. on 32bit
architectures).
* [fb4c9c4] New upstream version 78.3.2
* [9d5e2b9] d/rules: install the language Add-ons into /u/l/t/e
Do not install the thunderbird-l10n packages into /usr/share/thunderbird
any more, install them directly into /usr/lib/thunderbird/extensions.
This simplifies the package structures as there is no real need to install
the packages into /usr/share/thunderbird and linking them back.
-- Carsten Schoenert <email address hidden> Fri, 09 Oct 2020 19:49:45 +0200
-
thunderbird (1:78.3.1-2) unstable; urgency=medium
* [649f664] rebuild patch queue from patch-queue branch
added patches:
fixes/reduce-the-rust-debuginfo-level-on-selected-architectures.patch
porting-s390x/Explicitly-instantiate-TIntermTraverser-traverse-TIntermN.patch
-- Carsten Schoenert <email address hidden> Wed, 30 Sep 2020 19:10:27 +0200
-
thunderbird (1:78.3.1-1) unstable; urgency=medium
[ Carsten Schoenert ]
* [6bd965f] New upstream version 78.3.1
Fixed CVE issues in upstream version 78.3.1 (MFSA 2020-44):
CVE-2020-15677: Download origin spoofing via redirect
CVE-2020-15676: XSS when pasting attacker-controlled data into a
contenteditable element
CVE-2020-15678: When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential
use-after-free scenario
CVE-2020-15673: Memory safety bugs fixed in Thunderbird 78.3
* [8ba13c5] rebuild patch queue from patch-queue branch
added patches (picked from firefox packaging):
fixes/Add-missing-bindings-for-mips-in-the-authenticator-crate.patch
porting-mips/Bug-1642265-MIPS64-Add-branchTestSymbol-and-fallibleUnbox.patch
porting-mips/Bug-1649655-MIPS-Add-CodeGenerator-visitWasmRegisterResul.patch
porting/Bug-1666646-Bump-CodeAlignment-to-8-in-MacroAssembler-non.patch
removed patch (fixed upstream):
fixes/Bug-1664607-Don-t-try-to-load-what-s-new-page-when-built-.patch
* [c6d282d] calendar-google-provider*: removing left over cruft
There are two left over sequencer files from the calendar-google-provider package,
not needed any more since 1:68.2.2-1
* [cf37615] d/README.Debian: Update and adding new information
Some updated information regarding the now included OpenPGP support, also
updating some grammar for 'Add-on'.
* [faf225b] thunderbird.NEWS: Add hint about integration of OpenPGP support
Giving the user information about the OpenPGP status within Thunderbird
since version 78.0.
* [d6f4f0e] Revert "d/tb.lintian-overrides: ignore warning about none
versioned breaks"
* [9e6cbec] d/copyright: update content
-- Carsten Schoenert <email address hidden> Sun, 27 Sep 2020 09:08:29 +0200
-
thunderbird (1:68.12.0-1) unstable; urgency=medium
* [103cab7] New upstream version 68.12.0
Fixed CVE issues in upstream version 68.11.0 (MFSA 2020-35):
CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
CVE-2020-15664: Attacker-induced prompt for extension installation
CVE-2020-15669: Use-After-Free when aborting an operation
-- Carsten Schoenert <email address hidden> Thu, 27 Aug 2020 21:23:55 +0200
-
thunderbird (1:68.11.0-3) unstable; urgency=medium
* [28707fd] d/xpi-pack.sh: adding xpi-pack shell script
As we can't depend on mozilla-devscripts any more, we pick up the shell
script from that package, as this builds the XPI files we need.
* [037212e] Drop mozilla-devscripts as B-D
mozilla-devscripts isn't ported to Python3 yet and so depends on Python2.
We don't need that package as a B-D as we picked the main shell script from
it, so we can drop that package from the build dependencies.
* [31eda41] Drop python-{minimal,ply} from B-D
These packages are removed from the archive and we don't need them for
building Thunderbird as long as we have python2 available as a package.
(Closes: #967223)
-- Carsten Schoenert <email address hidden> Tue, 04 Aug 2020 19:06:20 +0200
-
thunderbird (1:68.11.0-2) unstable; urgency=medium
* [110a375] d/control: increase B-D for libnss3
* [73fa23e] d/control: tb manually set dep on libnss3 to 2:3.55
(Closes: #966806)
-- Carsten Schoenert <email address hidden> Sun, 02 Aug 2020 20:12:49 +0200
-
thunderbird (1:68.11.0-1) unstable; urgency=medium
* [093b080] New upstream version 68.11.0
Fixed CVE issues in upstream version 68.11.0 (MFSA 2020-35):
CVE-2020-15652: Potential leak of redirect targets when loading scripts
in a worker
CVE-2020-6514: WebRTC data channel leaks internal address to peer
CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
CVE-2020-15659: Memory safety bugs fixed in Thunderbird 68.11
-- Carsten Schoenert <email address hidden> Wed, 29 Jul 2020 22:26:14 +0200
-
thunderbird (1:68.10.0-1) unstable; urgency=medium
* [7537684] New upstream version 68.10.0
Fixed CVE issues in upstream version 68.10.0 (MFSA 2020-26):
CVE-2020-12417: Memory corruption due to missing sign-extension for
ValueTags on ARM64
CVE-2020-12418: Information disclosure due to manipulated URL object
CVE-2020-12419: Use-after-free in nsGlobalWindowInner
CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
MFSA-2020-0001: Automatic account setup leaks Microsoft Exchange login
credentials
CVE-2020-12421: Add-On updates did not respect the same certificate trust
rules as software updates
-- Carsten Schoenert <email address hidden> Sat, 04 Jul 2020 10:55:31 +0200
-
thunderbird (1:68.9.0-1) unstable; urgency=medium
[ intrigeri ]
* [fd13825] AppArmor: update profile from upstream at commit 860d2d9
(Closes: #960465)
[ Carsten Schoenert ]
* [c310c40] New upstream version 68.9.0
Fixed CVE issues in upstream version 68.9.0 (MFSA 2020-22):
CVE-2020-12399: Timing attack on DSA signatures in NSS library
CVE-2020-12405: Use-after-free in SharedWorkerService
CVE-2020-12406: JavaScript Type confusion with NativeTypes
CVE-2020-12410: Memory safety bugs fixed in Thunderbird 68.9.0
CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to
information leakage
-- Carsten Schoenert <email address hidden> Fri, 05 Jun 2020 20:29:35 +0200
-
thunderbird (1:68.8.1-1) unstable; urgency=medium
* [7495e7a] New upstream version 68.8.1
-- Carsten Schoenert <email address hidden> Fri, 22 May 2020 19:04:20 +0200
-
thunderbird (1:68.8.0-1) unstable; urgency=medium
* [9b5ae46] New upstream version 68.8.0
Fixed CVE issues in upstream version 68.8.0 (MFSA 2020-18):
CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode
characters
CVE-2020-12387: Use-after-free during worker shutdown
CVE-2020-6831: Buffer overflow in SCTP chunk input validation
CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command
injection
CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0
-- Carsten Schoenert <email address hidden> Tue, 05 May 2020 20:47:29 +0200
-
thunderbird (1:68.7.0-1) unstable; urgency=medium
* [c0052af] New upstream version 68.7.0
Fixed CVE issues in upstream version 68.7.0 (MFSA 2020-14):
CVE-2020-6819: Use-after-free while running the nsDocShell destructor
CVE-2020-6820: Use-after-free when handling a ReadableStream
CVE-2020-6821: Uninitialized memory could be read when using the WebGL
copyTexSubImage method
CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large
images
CVE-2020-6825: Memory safety bugs fixed in Thunderbird 68.7
-- Carsten Schoenert <email address hidden> Sun, 12 Apr 2020 07:40:41 +0200
-
thunderbird (1:68.6.0-1) unstable; urgency=medium
* [5709774] New upstream version 68.6.0
Fixed CVE issues in upstream version 68.6.0 (MFSA 2020-10):
CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init
CVE-2020-6805: Use-after-free when removing data about origins
CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections
against state confusion
CVE-2020-6807: Use-after-free in cubeb during stream destruction
CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to
command injection
CVE-2020-6812: The names of AirPods with personally identifiable
information were exposed to websites with camera or
microphone permission
CVE-2020-6814: Memory safety bugs fixed in Thunderbird 68.6
-- Carsten Schoenert <email address hidden> Mon, 16 Mar 2020 20:01:29 +0100
-
thunderbird (1:68.5.0-1) unstable; urgency=medium
* [d79bf82] New upstream version 68.5.0
Fixed CVE issues in upstream version 68.5.0 (MFSA 2020-07):
CVE-2020-6793: Out-of-bounds read when processing certain email messages
CVE-2020-6794: Setting a master password post-Thunderbird 52 does not
delete unencrypted previously stored passwords
CVE-2020-6795: Crash processing S/MIME messages with multiple signatures
CVE-2020-6798: Incorrect parsing of template tag could result in
JavaScript injection
CVE-2020-6792: Message ID calculation was based on uninitialized data
CVE-2020-6800: Memory safety bugs fixed in Thunderbird 68.5
(Closes: #891848)
* [0884df6] d/control: increase Standards-Version to 4.5.0
No further changes needed.
-- Carsten Schoenert <email address hidden> Thu, 13 Feb 2020 17:58:44 +0100
-
thunderbird (1:68.4.2-1) unstable; urgency=medium
* [7ab7786] d/gbp.conf: add some more files we need to filter out
* [9c02c34] New upstream version 68.4.2
-- Carsten Schoenert <email address hidden> Sun, 26 Jan 2020 13:13:49 +0100
-
thunderbird (1:68.4.1-1) unstable; urgency=medium
* [a00f3e9] New upstream version 68.4.1
Fixed CVE issues in upstream version 68.4.1 (MFSA 2020-04):
CVE-2019-17026: IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
CVE-2019-17015: Memory corruption in parent process during new content
process initialization on Windows
CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
CVE-2019-17017: Type Confusion in XPCVariant.cpp
CVE-2019-17022: CSS sanitization does not escape HTML tags
CVE-2019-17024: Memory safety bugs fixed in Thunderbird 68.4.1
* [6b1fd82] rebuild patch queue from patch-queue branch
removed patch (included upstream)
fixes/Update-bindgen-in-ESR68.-r-glandium-a-RyanVM.patch
-- Carsten Schoenert <email address hidden> Fri, 10 Jan 2020 18:33:43 +0100
-
thunderbird (1:68.3.1-1) unstable; urgency=medium
[ Emilio Pozuelo Monfort ]
* [6f59313] Fix MOZ_BUILD_DATE to have the expected format
[ Carsten Schoenert ]
* [5d0f4b1] d/rules: don't use SOURCE_DATE_EPOCH for MOZ_BUILD_DATE
(Closes: #946588)
* [1467af5] New upstream version 68.3.1
-- Carsten Schoenert <email address hidden> Wed, 18 Dec 2019 15:54:44 +0100
-
thunderbird (1:68.3.0-2) unstable; urgency=medium
* [0625d30] rebuild patch queue from patch-queue branch
added patches:
fixes/Bug-1531309-Don-t-use-__PRETTY_FUNCTION__-or-__FUNCTION__.patch
fixes/Update-bindgen-in-ESR68.-r-glandium-a-RyanVM.patch
* [ea8d98c] Breaks: add versioned birdtray package
-- Carsten Schoenert <email address hidden> Mon, 09 Dec 2019 18:22:15 +0100
-
thunderbird (1:68.3.0-1) unstable; urgency=medium
* [fe289ec] /u/b/thunderbird: export variable DICPATH before start
(Closes: #944295)
* [a9a48c6] New upstream version 68.3.0
Fixed CVE issues in upstream version 68.3 (MFSA 2019-38):
CVE-2019-17008: Use-after-free in worker destruction
CVE-2019-13722: Stack corruption due to incorrect number of arguments in
WebRTC code
CVE-2019-11745: Out of bounds write in NSS when encrypting with a block
cipher
CVE-2019-17009: Updater temporary files accessible to unprivileged
processes
CVE-2019-17010: Use-after-free when performing device orientation checks
CVE-2019-17005: Buffer overflow in plain text serializer
CVE-2019-17011: Use-after-free when retrieving a document in
antitracking
CVE-2019-17012: Memory safety bugs fixed in Firefox 71, Firefox ESR
68.3, and Thunderbird 68.3
* [fb23473] d/control: increase B-D version on NSS to 3.44.3
* [6f59938] Breaks: adding more non compatible packaged AddOns
-- Carsten Schoenert <email address hidden> Thu, 05 Dec 2019 10:03:22 +0100
-
thunderbird (1:68.2.2-1) unstable; urgency=medium
* [198d539] xul-ext-compactheader: allow also version << 3.0.0
* [0e93753] d/control: add incompatibility with jsunit << 0.2.2
* [87c84cb] New upstream version 68.2.2
This upstream version has removed the source for calendar-google-provider,
thus we can't provide the related binary package any more.
* [a3cea2a] rebuild patch queue from patch-queue branch
rebuild patch queue from patch-queue branch
removed patches (included upstream):
debian/patches/fixes/Bug-1470701-Use-run-time-page-size-when-changing-map.patch
debian/patches/fixes/Bug-1505608-Try-to-ensure-the-bss-section-of-the-elf.patch
debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
debian/patches/fixes/Build-also-gdata-provider-as-xpi-file.patch
debian/patches/fixes/rust-ignore-not-available-documentation.patch
debian/patches/porting-kfreebsd-hurd/Fix-GNU-non-Linux-failure-to-build-because-of-ipc-ch.patch
debian/patches/porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
debian/patches/porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
debian/patches/porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch
debian/patches/porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch
* [1730f5f] d/control: remove references to calendar-google-provider
Don't build calendar-google-provider any more and remove any references
from other binary packages.
* [1b0bbb8] d/rules: remove any calendar-google-provider stuff
* [92f681c] thunderbird.NEWS: Adding hint about removal of gdata
Give out an announcement about the removal of a possible previously
installed package calendar-google-provider.
-- Carsten Schoenert <email address hidden> Sun, 10 Nov 2019 12:09:17 +0100
-
thunderbird (1:68.2.1-1) unstable; urgency=medium
[ intrigeri ]
* [c48e2cb] AppArmor: update profile from upstream at commit a27a1a5
(Closes: #941290)
[ Carsten Schoenert ]
* [98497ae] New upstream version 68.2.0
Fixed CVE issues in upstream version 68.2 (MFSA 2019-35):
CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
CVE-2019-11758: Potentially exploitable crash due to 360 Total Security
CVE-2019-11759: Stack buffer overflow in HKDF output
CVE-2019-11760: Stack buffer overflow in WebRTC networking
CVE-2019-11761: Unintended access to a privileged JSONView object
CVE-2019-11762: document.domain-based origin isolation has
same-origin-property violation
CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2
(Closes: #925841)
* [a104c51] d/control: increase Standards-Version to 4.4.1
* [6c9d012] xul-ext-dispmua: set current min usable version
* [b3bf16f] New upstream version 68.2.1
* [8f89b90] d/control: decrease build architecture list
Decreasing the current list of build architectures. Not meant to keep this
forever, removed RC architectures needing support and volunteering to get
them back.
(Closes: #921258)
-- Carsten Schoenert <email address hidden> Fri, 01 Nov 2019 20:36:59 +0100
-
thunderbird (1:60.9.0-1) unstable; urgency=medium
* [5f7ba31] New upstream version 60.9.0
Fixed CVE issues in upstream version 60.8.0 (MFSA 2019-29)
CVE-2019-11746: Use-after-free while manipulating video
CVE-2019-11744: XSS by breaking out of title and textarea elements using
innerHTML
CVE-2019-11742: Same-origin policy violation with SVG filters and canvas
to steal cross-origin images
CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
CVE-2019-11743: Cross-origin access to unload event attributes
CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1,
Firefox ESR 60.9, and Thunderbird 60.9
-- Carsten Schoenert <email address hidden> Wed, 11 Sep 2019 17:54:10 +0200
-
thunderbird (1:60.8.0-2) unstable; urgency=medium
* [41e9047] d/rules: work around cargo needing a HOME dir
* [c67707c] Use gcc-8 and g++-8 due to broken build with GCC-9
-- Carsten Schoenert <email address hidden> Fri, 23 Aug 2019 20:30:17 +0200
-
thunderbird (1:60.8.0-1) unstable; urgency=medium
* [49f4e91] New upstream version 60.8.0
Fixed CVE issues in upstream version 60.8.0 (MFSA 2019-23)
CVE-2019-9811: Sandbox escape via installation of malicious language pack
CVE-2019-11711: Script injection within domain through inner window reuse
CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins
by following 308 redirects
CVE-2019-11713: Use-after-free with HTTP/2 cached stream
CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a
segmentation fault
CVE-2019-11715: HTML parsing error can contribute to content XSS
CVE-2019-11717: Caret character improperly escaped in origins
CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
CVE-2019-11730: Same-origin policy treats all files in a directory as
having the same-origin
CVE-2019-11709: Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8,
and Thunderbird 60.8
-- Carsten Schoenert <email address hidden> Tue, 09 Jul 2019 22:09:04 +0200
-
thunderbird (1:60.7.2-1) unstable; urgency=medium
* [d6c79ed] New upstream version 60.7.2
Fixed CVE issues in upstream version 60.7.2 (MFSA 2019-20)
CVE-2019-11707: Type confusion in Array.pop
CVE-2019-11708: sandbox escape using Prompt:Open
-- Carsten Schoenert <email address hidden> Fri, 21 Jun 2019 18:48:43 +0200
-
thunderbird (1:60.7.1-1) unstable; urgency=high
* [f791dee] New upstream version 60.7.1
Fixed CVE issues in upstream version 60.7.1 (MFSA 2019-17)
CVE-2019-11703: Heap buffer overflow in icalparser.c
CVE-2019-11704: Heap buffer overflow in icalvalue.c
CVE-2019-11705: Stack buffer overflow in icalrecur.c
CVE-2019-11706: Type confusion in icalproperty.c
-- Carsten Schoenert <email address hidden> Fri, 14 Jun 2019 07:25:35 +0200
-
thunderbird (1:60.7.0-1) unstable; urgency=medium
* [f6dd130] New upstream version 60.7.0
Fixed CVE issues in upstream version 60.7.0 (MFSA 2019-15)
CVE-2019-9816: Type confusion with object groups and UnboxedObjects
CVE-2019-9817: Stealing of cross-domain images using canvas
CVE-2019-9819: Compartment mismatch with fetch API
CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
CVE-2019-11691: Use-after-free in XMLHttpRequest
CVE-2019-11692: Use-after-free removing listeners in the event listener
manager
CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
CVE-2019-7317: Use-after-free in png_image_free of libpng library
CVE-2019-9797: Cross-origin theft of images with createImageBitmap
CVE-2018-18511: Cross-origin theft of images with
ImageBitmapRenderingContext
CVE-2019-11698: Theft of user history data through drag and drop of
hyperlinks to and from bookmarks
CVE-2019-5798: Out-of-bounds read in Skia
CVE-2019-9800: Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7,
and Thunderbird 60.7
* [4106d54] rebuild patch queue from patch-queue branch
added patch:
fixes/rust-ignore-not-available-documentation.patch
-- Carsten Schoenert <email address hidden> Thu, 23 May 2019 17:03:27 +0200
-
thunderbird (1:60.6.1-1) unstable; urgency=medium
[ intrigeri ]
* [2013645] d/rules: drop useless usage of dpkg-parsechangelog
[ Carsten Schoenert ]
* [daf1252] New upstream version 60.6.1
Fixed CVE issues in upstream version 60.6.0 (MFSA 2019-11)
CVE-2019-9790: Use-after-free when removing in-use DOM elements
CVE-2019-9791: Type inference is incorrect for constructors entered
through on-stack replacement with IonMonkey
CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
CVE-2019-9794: Command line arguments not discarded during execution
CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
CVE-2019-9796: Use-after-free with SMIL animation controller
CVE-2018-18506: Proxy Auto-Configuration file can define localhost access
to be proxied
CVE-2019-9788: Memory safety bugs fixed in Firefox 66, Firefox ESR 60.6,
and Thunderbird 60.6
Fixed CVE issues in upstream version 60.6.1 (MFSA 2019-12)
CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information
CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations
* [f88a505] rebuild patch queue from patch-queue branch
added patch:
fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
-- Carsten Schoenert <email address hidden> Wed, 27 Mar 2019 18:22:51 +0100
-
thunderbird (1:60.5.1-1) unstable; urgency=medium
[ Alexander Nitsch ]
* [c9775d4] Make the logo SVG square
The original SVG source isn't completely square, modifying the SVG file
so all generated other files from the input are also exactly square.
* [6096812] Add script for generating PNGs from logo SVG
* [4e9e5cc] Update icon PNGs to be properly scaled
[ Carsten Schoenert ]
* [9e5527d] d/source.filter: add some configure scripts
Filter out some files that are named 'configure', they are rebuilt later
anyway. The filtering of these files is moved from gbp.conf to
source.filter.
* [b63f2a2] Revert "d/gbp.conf: ignore configure script while importing"
Reverting this commit as we need to move the files to filter to
source.filter as the behaviour wasn't the expected outcome.
* [4965c2a] New upstream version 60.5.1
Fixed CVE issues in upstream version 60.5.0 (MFSA 2019-06)
CVE-2018-18356: Use-after-free in Skia
CVE-2019-5785: Integer overflow in Skia
CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D
CVE-2018-18509: S/MIME signature spoofing
-- Carsten Schoenert <email address hidden> Thu, 14 Feb 2019 20:01:03 +0100
-
thunderbird (1:60.5.0-3) unstable; urgency=medium
* [3e274d8] d/rules: move disable debug option into configure step
Adding the option '--disable-debug-symbols' to the file mozconfig.default
in case the build is running on a 32bit architecture instead of expanding
the variable 'CONFIGURE_FLAGS'. The configuration approach for this option
taken from firefox-esr was not working for the thunderbird package.
* [b3d82d3] d/rules: reorder LDFLAGS for better readability
Make the used additional options for LDFLAGS more readable by reordering
the various used options. Also adding the option '-Wl, --as-needed' to the
list of used options here.
* [62d11e3] d/rules: use 'compress-debug-sections' only on 64bit
Do not set 'LDFLAGS += -Wl,--compress-debug-sections=zlib' globally, let's
use this option only if we are on a 64bit architecture as otherwise the
build is failing on 32bit architectures again. We don't want to build any
debug information on 32bit anyway so we don't need this option on these
platforms.
* [6225c44] d/mozconfig.default: adding option for mipsel
We haven't set up any options for the mipsel platform before, but the
build needs some additional options too on this platform to succeed.
* [4e348d9] d/mozconfig.default: disable ion on mips and mipsel
The build will fail on mips{,el} if we have enabled ION, the JavaScript
JIT compiler; these platforms will lose some performance by this.
-- Carsten Schoenert <email address hidden> Tue, 05 Feb 2019 17:11:25 +0100
-
thunderbird (1:60.5.0-2) unstable; urgency=medium
* [aa2dbe3] d/changelog: update MFSA information for 60.5.0
The MFSA got published shortly after the upload of the previous version.
Adding the CVE numbers for MFSA 2019-03 to the changelog accordingly, like
happened for 1:60.4.0-1 too.
* [71807dc] rebuild patch queue from patch-queue branch
Due to greater changes to the source the previous rebuild and refreshing of
the patch queue wasn't correct nor complete. Some more rework was needed
and some patches got cherry-picked from firefox-esr.
readded patches (not included upstream):
porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
cherry-picked from firefox-esr:
fixes/Bug-1470701-Use-run-time-page-size-when-changing-map.patch
fixes/Bug-1505608-Try-to-ensure-the-bss-section-of-the-elf.patch
porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch
removed patches (included upstream):
porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch
* [eaa065b] apparmor: update profile from upstream (commit 7ace41b1)
* [c761425] d/rules: make dh_clean more robust
Remove some regenerated files in dh_clean so the build will not fail in
case the build needs to be started twice within the same build environment.
* [aa7b033] d/gbp.conf: ignore configure script while importing
The shipped scripts '*configure' in the toplevel folder and also in js/src
aren't needed and we can filter them out while importing the tarballs.
These scripts get (re)created by dh_auto_configure nevertheless.
* [9f0acb2] d/rules: tweak LDFLAGS more to reduce RAM usage
Reduce RAM usage while linking by using compressed sections.
(picked from firefox-esr)
* [62f195d] d/rules: Don't build debug symbols on non 64bit platforms
Reduce even more RAM usage while linking by not building debugging symbols
if we build on non 64bit architectures.
(picked from firefox-esr)
-- Carsten Schoenert <email address hidden> Fri, 01 Feb 2019 09:24:30 +0100
-
thunderbird (1:60.5.0-1) unstable; urgency=medium
* d/source.filter: update filter list
Updating the list of files to filter out while repacking the upstream
tarball based on recent work done in debian/experimental.
Unfortunately a lot of semi minimized *.js files from the original
upstream tarball are later needed within some integrated consoles like the
AddOn debugger or the error console. Don't filter out such files for now.
(Closes: #911198)
* [edab34d] d/changelog: update MFSA information for 60.4.0
While releasing and uploading the Debian version 1:60.4.0-1 no MFSA
information was available, adding this information now into the changelog
entry for 1:60.4.0-1.
* [f3f44a3] New upstream version 60.5.0
No dedicated MFSA announcement for this Thunderbird version provided.
* [ccac089] rebuild patch queue from patch-queue branch
removed patches (included upstream):
porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
removed patches (dropped by us):
debian-hacks/Don-t-build-testing-suites-and-stuff.patch
debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch
refreshed patches:
debian-hacks/Add-another-preferences-directory-for-applications-p.patch
porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch
porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch
porting-m68k/Add-m68k-support-to-Thunderbird.patch
porting-s390x/FTBFS-s390x-Use-jit-none-AtomicOperations-sparc.h-on-s390.patch
porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch
* [43c28c2] d/s/lintian-overrides: more files to ignore
Related to [4201f43] the override list for the source needs to be adjusted
as we have now more files included there Lintian is complaining about
missing source. These files are no 'real' minimized JS files, but they have
mostly some long lines that trigger the Lintian check.
-- Carsten Schoenert <email address hidden> Tue, 29 Jan 2019 20:24:29 +0100
-
thunderbird (1:60.4.0-1) unstable; urgency=medium
* [2e5a9d0] d/control: don't hard code LLVM packages in B-D
(Closes: #912797)
* [3aaa4a6] New upstream version 60.4.0
No MFSA published yet by Mozilla Security while packaging this version.
(Closes: #913645)
* [12d3be3] debian/control: increase Standards-Version to 4.3.0
No further changes needed.
-- Carsten Schoenert <email address hidden> Mon, 24 Dec 2018 17:04:10 +0100
-
thunderbird (1:60.3.1-1) unstable; urgency=medium
* [e1b489a] New upstream version 60.3.1
* [f376b38] lightning: use ${source:Version} in Breaks and Recommends
(Closes: #914175)
* [7e560b3] Revert "lintian: adding a semi automated lintian-override"
The override about a misspelled word Synopsys isn't needed any more.
* [893c0e6] rebuild patch queue from patch-queue branch
modified patches:
debian-hacks/Don-t-build-testing-suites-and-stuff.patch
debian-hacks/Don-t-build-testing-suites-and-stuff-part-2.patch
* [20d8827] d/source.filter: update the filter sequences
-- Carsten Schoenert <email address hidden> Sun, 25 Nov 2018 10:02:50 +0100
-
thunderbird (1:60.3.0-1) unstable; urgency=medium
[ intrigeri ]
* [7949b31] AppArmor: update profile from upstream at commit f3d9a8b
(Closes: #903898)
* [e31dc14] AppArmor: update profile from upstream at commit 81c9457
(Closes: #908206)
[ Carsten Schoenert ]
* [0dcbe22] d/control: add xul-ext-gnome-keyring to Breaks for thunderbird
(Closes: #907979)
* [65db00d] armel: adding extra LDFLAGS so rust compiler isn't confused
The settings that are builtin within rust are conflicting with the GCC.
* [9c65884] New upstream version 60.3.0
Fixed CVE issues in upstream version 60.3.0 (MFSA 2018-28)
CVE-2018-12392: Crash with nested event loops
CVE-2018-12393: Integer overflow during Unicode conversion while loading
JavaScript
CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3 and
Thunderbird 60.3
CVE-2018-12390: Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3,
and Thunderbird 60.3
* [8726bb1] rebuild patch queue from patch-queue branch
removed patches (included upstream)
fixes/Bug-1479540-Accept-triplet-strings-with-only-two-parts-in.patch
fixes/Bug-1492064-Disable-baseline-JIT-when-SSE2-is-not-support.patch
fixes/Bug-1492065-Use-Swizzle-fallback-when-SSE2-is-not-support.patch
porting-mips/Add-struct-ucred-for-Linux-on-MIPS.patch
-- Carsten Schoenert <email address hidden> Thu, 01 Nov 2018 12:19:34 +0100
-
thunderbird (1:60.2.1-2~deb9u1) stretch-security; urgency=medium
[ Carsten Schoenert ]
* Rebuild for stretch-security
Resync binary packages to build against the version in unstable/testing:
Upstream isn't shipping localization for bn-bd and ta-lk for Thunderbird
60.x. Thus the packages {icedove,thunderbird}-l10n-bn-bd,
{icedove,thunderbird}-l10n-ta-lk got dropped. The localization for pa-in
was removed for Thunderbird earlier but the transitional packages
{icedove,iceowl}-l10n-pa-in weren't until now.
icedove-dev got dropped as we also don't have the referring package
thunderbird-dev since version 59.
Besides this localization for cy was added by upstream, reflecting this in
a new package thunderbird-l10n-cy.
(Closes: #911292, #911504)
-- Carsten Schoenert <email address hidden> Sun, 21 Oct 2018 09:42:27 +0200
-
thunderbird (1:60.2.1-1) unstable; urgency=medium
* [ba75ca3] logo: move old TB graphics into dedicated folder
* [ba47234] logo: adding new TB icon *.png graphics
Like Firefox, Thunderbird has also got a reworked logo. As we use our own
icon created from a SVG graphic, this commit adds the new icons in the
various sizes. The source of the SVG graphic is taken from
https://demo.identihub.co/thunderbird#/view/icon/element/612
(Closes: #909108)
* [0b16a87] d/source.filter: don't remove react files from source
(Closes: #909046)
* [d01dfd6] rebuild patch queue from patch-queue branch
added patches:
fixes/Bug-1479540-Accept-triplet-strings-with-only-two-parts-in.patch
fixes/Bug-1482248-don-t-crash-on-empty-file-name-in-nsMsgLocalS.patch
fixes/Bug-1492064-Disable-baseline-JIT-when-SSE2-is-not-support.patch
fixes/Bug-1492065-Use-Swizzle-fallback-when-SSE2-is-not-support.patch
(Closes: #909628, #909039, #906816)
* [bf64065] New upstream version 60.2.1
Fixed CVE issues in upstream version 60.2.1 (MFSA 2018-25)
CVE-2018-12377: Use-after-free in refresh driver timers
CVE-2018-12378: Use-after-free in IndexedDB
CVE-2018-12379: Out-of-bounds write with malicious MAR file
CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
CVE-2018-12383: Setting a master password post-Firefox 58 does not delete
unencrypted previously stored passwords
* [b4712af] rebuild patch queue from patch-queue branch
removed patches (fixed upstream):
fixes/Bug-1482248-don-t-crash-on-empty-file-name-in-nsMsgLocalS.patch
* [79057f6] d/control: make lightning-l10n packages transitional
The l10n content for Lightning and a specific language is now much more
related to the Thunderbird l10n content. By this the existing lightning
l10n packages are not really useful any more as we move the Lightning
l10n content into the respective Thunderbird l10n package, and we need to
turn the existing Lightning l10n packages into transitional packages.
* [a0ac3b7] d/control: adding Replaces, Breaks, Provides to thunderbird-l10n-*
Related to the previous commit the Thunderbird l10n packages need some
more fields in the control file so the transition from lightning-l10n into
thunderbird-l10n can work.
* [c82ee7c] d/rules: install lightning l10n into thunderbird-l10n-* packages
The content for the lightning l10n stuff needs now to be installed into
thunderbird-l10n packages.
* [72cd535] d/control: add thunderbird-l10n-cy
Oops, seems like we never have introduced this language for Thunderbird
before. Now required to provide the l10n content for Lightning.
* [510bea6] d/thunderbird-wrapper.sh: improve GDB switch
Since TB 60 upstream isn't installing the old wrapper script
run-mozilla.sh any more. By this we need to adjust our starting wrapper
so the call to start Thunderbird within the GDB debugger is working.
-- Carsten Schoenert <email address hidden> Fri, 05 Oct 2018 17:43:49 +0200
-
thunderbird (1:60.0-3) unstable; urgency=medium
* [daa0dd7] locale: use 'intl.locale.requested' correctly
Thanks to a hint from Sven Joachim we can use the preference setting
'intl.locale.requested' in a way that users don't need to use this setting
within their prefs.js to control the language of the Thunderbird UI.
'intl.locale.requested' is somehow the successor of 'intl.locale.matchOS'.
(Closes: #908034)
* [f8ac1b2] debian/control: increase Standards-Version to 4.2.1
No further changes needed.
* [a001579] d/control: remove empty 'Replaces' in thunderbird-l10n-da
We can remove that line of Replaces without any key.
-- Carsten Schoenert <email address hidden> Thu, 06 Sep 2018 18:46:31 +0200
-
thunderbird (1:60.0-2) unstable; urgency=medium
[ Carsten Schoenert ]
* [71ac5e7] rebuild patch queue from patch-queue branch
added patches:
porting-mips/Add-struct-ucred-for-Linux-on-MIPS.patch
porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
* [d94e5dc] d/control: B-D on {lib}clang-6.0* and llvm-6.0-dev
(Closes: #906707)
-- Carsten Schoenert <email address hidden> Mon, 20 Aug 2018 17:57:07 +0200
-
thunderbird (1:60.0-2~deb9u1) stretch-security; urgency=medium
[ Carsten Schoenert ]
* Rebuild for stretch-security
* [fd4e834] d/mozconfig.default: use internal libraries
* [29621ed] d/control: remove no longer needed Build-Depends
-- Carsten Schoenert <email address hidden> Tue, 04 Sep 2018 20:14:34 +0200
-
thunderbird (1:60.0-1) unstable; urgency=medium
[ Cyril Brulebois ]
* [4f1fcd4] Bump B-D libsqlite3-dev version
Upstream requires a more recent version that is already available in
unstable but not in Stretch later e.g.
* [5a790c2] Add libicu-dev to Build-Depends (required for icu-i18n.pc)
This package was pulled in by some other package already but we need this
explicitly now again as we don't use the internal ICU version any more.
* [8c86207] Bump libhunspell-dev version
The same as for libsqlite3-dev, adding the correct B-D version.
(Closes: #905465)
[ Carsten Schoenert ]
* [901f257] New upstream version 60.0
Fixed CVE issues in upstream version 60.0 (MFSA 2018-19)
CVE-2018-12359: Buffer overflow using computed size of canvas element
CVE-2018-12360: Use-after-free when using focus()
CVE-2018-12361: Integer overflow in SwizzleData
CVE-2018-12362: Integer overflow in SSSE3 scaler
CVE-2018-5156: Media recorder segmentation fault when track type is
changed during capture
CVE-2018-12363: Use-after-free when appending DOM nodes
CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
CVE-2018-12365: Compromised IPC child process can list local filenames
CVE-2018-12371: Integer overflow in Skia library during edge builder
allocation
CVE-2018-12366: Invalid data handling during QCMS transformations
CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1,
and Thunderbird 60
CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1,
Firefox ESR 52.9, and Thunderbird 60
* [44ab834] rebuild patch queue from patch-queue branch
removed patches (applied upstream):
porting-arm64/Bug-1453892-Only-use-SkJumper-s-arm64-half-float-optimiza.patch
porting-arm64/Bug-1463036-Use-HAVE_ARM_NEON-instead-of-BUILD_ARM_NEON-f.patch
porting-armel/Bug-1463036-Add-mfloat-abi-softfp-to-NEON_FLAGS-when-it-m.patch
* [3168b29] debian/control: increase Standards-Version to 4.2.0
No further changes needed.
* [f2f206e] d/rules: use MOZ_LANGPACK_ID instead of hard coding
* [996352a] d/rules: ensure l10n MOZ_LANGPACK_ID matches variable from
makefile
Previous beta versions for the thunderbird-l10n data have used
'@firefox.mozilla.org' within their application.id setting. Thunderbird
now expects '@thunderbird.mozilla.org' instead. Make the build more
flexible so we can detect mismatches here.
(Closes: #906176)
-- Carsten Schoenert <email address hidden> Sun, 19 Aug 2018 11:32:11 +0200
-
thunderbird (1:52.9.1-1) unstable; urgency=high
[ intrigeri ]
* [1259eaa] AppArmor: update profile from upstream (at commit edc9487)
(Closes: #901471)
[ Carsten Schoenert ]
* [d706f5b] debian/control: increase Standards-Version to 4.1.5
No further changes needed.
* [f5a3eb2] New upstream version 52.9.1
(Closes: #903160)
-- Carsten Schoenert <email address hidden> Tue, 10 Jul 2018 19:40:41 +0200
-
thunderbird (1:52.9.0-1) unstable; urgency=high
[ intrigeri ]
* [c33dba2] Revert "apparmor: allow access to @{HOME}/.gnupg/tofu.db"
* [cb64397] AppArmor: update profile from upstream (Closes: #900840)
* [b5d6545] AppArmor: update profile from upstream (at commit 104da32)
[ Carsten Schoenert ]
* [099b525] d/source.filter: add some more files to filter
There are some more files we want to filter out.
* [376e5f3] New upstream version 52.9.0
Fixed CVE issues in upstream version 52.9 (MFSA 2018-18)
CVE-2018-12359: Buffer overflow using computed size of canvas element
CVE-2018-12360: Use-after-free when using focus()
CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML
emails
CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward
CVE-2018-12362: Integer overflow in SSSE3 scaler
CVE-2018-12363: Use-after-free when appending DOM nodes
CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
CVE-2018-12365: Compromised IPC child process can list local filenames
CVE-2018-12366: Invalid data handling during QCMS transformations
CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing
enter in form field
CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1,
Firefox ESR 52.9, and Thunderbird 52.9
* [83a9c9b] rebuild patch queue from patch-queue branch
As we have filtered more files out of the source, we need to modify the
list of tests we won't build while building the source too, so a small
adjustment on that.
Also fixing some spelling issues which Lintian has found.
modified patches:
debian-hacks/Don-t-build-testing-suites-and-stuff.patch
porting-alpha/fix-FTBFS-on-alpha.patch
porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch
renamed patches:
Allow-to-override-ICU_DATA_FILE-from-the-environment.patch ->
Allow-one-to-override-ICU_DATA_FILE-from-the-environment.patch
fix-function-nsMsgComposeAndSend-to-to-respect-Replo.patch ->
fix-function-nsMsgComposeAndSend-to-respect-ReploToSend.patch
* [d5254e2] Removed unneeded lintian override about brace expansion
-- Carsten Schoenert <email address hidden> Wed, 04 Jul 2018 21:44:26 +0200
-
thunderbird (1:52.8.0-1) unstable; urgency=high
[ intrigeri ]
* [4656ebf] AppArmor: update profile from upstream
(Closes: #882048, #882122)
[ Agustin Henze ]
* [840cbc8] apparmor: allow access to @{HOME}/.gnupg/tofu.db
(Closes: #894907)
[ Carsten Schoenert ]
* [514e9e8] New upstream version 52.8.0
Fixed CVE issues in upstream version 52.8 (MFSA 2018-13)
CVE-2018-5183: Backport critical security fixes in Skia
CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext
attack (aka Efail)
CVE-2018-5154: Use-after-free with SVG animations and clip paths
CVE-2018-5155: Use-after-free with SVG animations and text paths
CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
CVE-2018-5161: Hang via malformed headers
CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
(aka Efail)
CVE-2018-5170: Filename spoofing for external attachments
CVE-2018-5168: Lightweight themes can be installed without user
interaction
CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
CVE-2018-5185: Leaking plaintext through HTML forms (aka Efail)
CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8,
and Thunderbird 52.8
(Closes: #898631)
* [7845229] ICU: don't build the Paragraph Layout library
Disable the build of the layout library in the internal ICU build as we
don't need it and it can cause build issues.
* [e0a79fc] debian/control: increase Standards-Version to 4.1.4
No further changes needed.
-- Carsten Schoenert <email address hidden> Thu, 17 May 2018 21:04:15 +0200
-
thunderbird (1:52.8.0-1~deb9u1) stretch-security; urgency=medium
[ Carsten Schoenert ]
* Rebuild for stretch-security
[ intrigeri ]
* [703c9ec] Revert "apparmor: allow access to @{HOME}/.gnupg/tofu.db"
(Cherry-picked from debian/sid to not differ the Apparmor settings
between the Debian releases)
-- Carsten Schoenert <email address hidden> Mon, 21 May 2018 17:31:53 +0200
-
thunderbird (1:52.7.0-1) unstable; urgency=medium
* [9eb2692] New upstream version 52.7.0
Fixed CVE issues in upstream version 52.7 (MFSA 2018-09)
CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
CVE-2018-5129: Out-of-bounds write with malformed IPC messages
CVE-2018-5144: Integer overflow during Unicode conversion
CVE-2018-5146: Out of bounds memory write in libvorbis
CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7,
and Thunderbird 52.7
CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and
Thunderbird 52.7
* [a01cf4b] Revert "Use gcc-6 and g++-6 due broken GUI with GCC-7"
Switching back to GCC7 now as we no longer have issues with
broken visuals in the GUI.
(Closes: #892404)
-- Carsten Schoenert <email address hidden> Mon, 26 Mar 2018 17:21:40 +0200
-
thunderbird (1:52.6.0-1) unstable; urgency=high
* [97e1cd7] New upstream version 52.6.0
Fixed CVE issues in upstream version 52.6 (MFSA 2018-04)
CVE-2018-5095: Integer overflow in Skia library during edge builder
allocation
CVE-2018-5096: Use-after-free while editing form elements
CVE-2018-5097: Use-after-free when source document is manipulated
during XSLT
CVE-2018-5098: Use-after-free while manipulating form input elements
CVE-2018-5099: Use-after-free with widget listener
CVE-2018-5102: Use-after-free in HTML media elements
CVE-2018-5103: Use-after-free during mouse event handling
CVE-2018-5104: Use-after-free during font face manipulation
CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
and Thunderbird 52.6
* [0300242] rebuild patch queue from patch-queue branch
Added patch debian-hacks/icu-use-locale.h-instead-of-xlocale.h.patch
that fixes the build of the included ICU source against glibc 2.26.
(Closes: #887766)
* [4bf22e0] debian/control: increase Standards-Version to 4.1.3
No further changes needed.
* [3616443] adjust Vcs fields to salsa.debian.org
The Vcs for Thunderbird packaging now lives on Salsa as Alioth will be
shut down in the future.
* [c2f3e14] lintian: ignore non multiarch install folder for thunderbird.pc
Ignore a lintian warning about unavailable pkg-config file thunderbird.pc
as the ESR versions 52.x are the last series which will have a
thunderbird-dev. The next ESR version will be 60.x which uses
webextension and makes thunderbird-dev obsolete.
-- Carsten Schoenert <email address hidden> Thu, 25 Jan 2018 20:21:10 +0100
-
thunderbird (1:52.6.0-1~deb9u1) stretch-security; urgency=medium
[ Carsten Schoenert ]
* Rebuild for stretch-security
-- Carsten Schoenert <email address hidden> Sun, 28 Jan 2018 08:05:28 +0100
-
thunderbird (1:52.5.2-2) unstable; urgency=medium
[ Carsten Schoenert ]
* [f597157] Revert "d/thunderbird.postinst: reload AA profile on updates"
The trigger automatics for apparmor already handle the
needed reload on profile updates for the applications.
(Closes: #885158)
* [8ebdb96] debian/control: increase Standards-Version to 4.1.2
No further changes needed.
* [81a8c00] use inverse logic on version for AA profile status check
By this change we don't enforce the disabled profile from the
previous version in some cases and can also handle possible
version strings from -security and -backports.
(Closes: #885157)
-- Carsten Schoenert <email address hidden> Tue, 26 Dec 2017 14:56:40 +0100
-
thunderbird (1:52.5.2-1) unstable; urgency=high
[ intrigeri ]
* [b791221] AppArmor: support new thunderbird executable path
(Closes: #883561, #884217)
[ Carsten Schoenert ]
* [1f46308] New upstream version 52.5.2
Fixed CVE issues in upstream version 52.5 (MFSA 2017-30)
CVE-2017-7829: Mailsploit part 1: From address with encoded null character
is cut off in message header display
CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
CVE-2017-7847: Local path string can be leaked from RSS feed
CVE-2017-7848: RSS Feed vulnerable to new line Injection
* [0dd21b9] d/thunderbird.postinst: reload AA profile on updates
* [8c57218] don't disable AA profile on package updates
As people want to re-enable the AA profile, an update of
thunderbird doesn't have to disable this again.
(Closes: #884191)
-- Carsten Schoenert <email address hidden> Sun, 24 Dec 2017 11:30:09 +0100
-
thunderbird (1:52.5.0-1) unstable; urgency=high
[ intrigeri ]
* [48e6b65] AppArmor: fix the Crash Reporter and avoid noisy denial logs
(Closes: #880953)
* [ad8b3b5] AppArmor: fix compatibility with NVIDIA hardware
(Closes: #880532)
* [d8ff6b6] Disable the AppArmor profile by default
Due to the various side effects of the enabled AppArmor profile in
Thunderbird, it's currently better for the user experience to
disable the AppArmor profile so people don't get mad about
too many broken things.
Users can always enable the profile by themselves again.
(Closes: #882672)
* [e50eac5] README.Debian: document how to opt-in for AppArmor confinement
* [860d325] README.Debian: document how one can debug the AppArmor profile
[ Guido Günther ]
* [50a8f60] Drop myself from maintainers
Thank you Guido for always helping out if we had some questions!
[ Carsten Schoenert ]
* [b64509b] New upstream version 52.5.0
Fixed CVE issues in upstream version 52.5 (MFSA 2017-26)
CVE-2017-7828: Use-after-free of PressShell while restyling layout
CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
* [3166018] thunderbird.links: let thunderbird point to thunderbird-bin
(Closes: #856492)
* [6fff70c] [buster] tb-wrapper: searching the correct dbgsym package
* [4763ca6] adding a NEWS file for thunderbird package
Giving a note about the now disabled AppArmor profile.
* [0b9d656] disabling crashreporter for now
Also don't build and ship the Crashreporter any more; it's useless
until we can collect all symbols correctly.
* [a285647] move AppArmor specific things into own README file
Put all AppArmor related information into one dedicated file.
* [5d56439] d/thunderbird.js: prepare a line for extra X-Debbugs-Cc
A really old bug report ... building a compromise and put the
requested extra header config into the configuration file but keep
it deactivated as default.
(Closes: #379304)
-- Carsten Schoenert <email address hidden> Sun, 03 Dec 2017 19:58:57 +0100
-
thunderbird (1:52.4.0-1) unstable; urgency=medium
[ Guido Günther ]
* [da3c5cc] Simplify endianness selection for ICU
Since we need to build ICU on the various Debian releases we
need to ensure the architecture detection isn't too strict.
Thanks Guido for helping out here!
[ Carsten Schoenert ]
* [47748ca] debian/control: be more relaxed on Breaks for enigmail
* [6a54666] thunderbird-wrapper: fix small typo in help output
There was a small typo in the example call with the JS console.
* [6d5266e] README.Debian: update info around tls fallback-limit
The default behavior on the TLS fallback changed some
versions ago; document this accordingly.
* [24ad883] debian/control: change maintainer
Thanks Christoph for the work over the past years!
* [c78200e] debian/control: move src pkg name to thunderbird
By this version we move the source package name also back to
thunderbird. This follows the changes that are already made to
the binary package names and we can call the source package now
also again thunderbird.
(Closes: #857075)
* [c26133d] debian/gbp.conf: rename components to real used names
Due to the changes of the source package, the names of the
sub-folders within the additional tarballs can also be changed
to be closer to the real upstream names.
* [a5ce4f7] New upstream version 52.4.0
(Closes: #878845, #878870)
Fixed CVE issues in upstream version 52.0 (MFSA 2017-23)
CVE-2017-7793: Use-after-free with Fetch API
CVE-2017-7818: Use-after-free during ARIA array manipulation
CVE-2017-7819: Use-after-free while resizing images in design mode
CVE-2017-7824: Buffer overflow when drawing and validating elements with
ANGLE
CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
CVE-2017-7814: Blob and data URLs bypass phishing and malware protection
warnings
CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters
as spaces
CVE-2017-7823: CSP sandbox directive did not create a unique origin
CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4,
and Thunderbird 52.4
* [104b4e5] rebuild patch queue from patch-queue branch
* [d63662a] lintian: move oldlibs/extra -> oldlibs/optional
By moving all transitional packages to oldlibs/optional we can
help deborphan detect unneeded packages better.
* [fb56001] d/rules: reflect changes from renamed component tarballs
The additional tarballs are stored in folders which reflect
the upstream names of those components. This also needs to be
respected for the build instructions of the package.
* [61288fb] debian/control: change Vcs* fields due to the src name change
Addressing the changed source package name in the Git Vcs urls.
* [ef95ab5] debian/control: increase Standards-Version to 4.1.1
No further changes needed.
* [45e8fe2] apparmor: update profile from upstream
Thanks to Simon Deziel and intrigeri we can simply use the
apparmor profile changes done for the Ubuntu releases.
* [6b1649c] lintian: adding a override for thunderbird-l10n-all
* [ceab93f] debian/README.source: reflect src package name change
-- Carsten Schoenert <email address hidden> Fri, 17 Oct 2017 18:20:29 +0200