thunderbird (1:115.12.0-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 14 Jun 2024 17:18:31 +0200

thunderbird (1:115.12.0-1) unstable; urgency=medium

  * [3d303c4] d/c-u-t.py: Ignore one more version
  * [2e7f143] New upstream version 115.12.0
    Fixed CVE issues in upstream version 115.12 (MFSA 2024-28):
    CVE-2024-5702: Use-after-free in networking
    CVE-2024-5688: Use-after-free in JavaScript object transplant
    CVE-2024-5690: External protocol handlers leaked by timing attack
    CVE-2024-5691: Sandboxed iframes were able to bypass sandbox restrictions
                   to open a new window
    CVE-2024-5692: Bypass of file name restrictions during saving
    CVE-2024-5693: Cross-Origin Image leak via Offscreen Canvas
    CVE-2024-5696: Memory Corruption in Text Fragments
    CVE-2024-5700: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12,
                   and Thunderbird 115.12
  * [9afc3a0] d/logo/thunderbird: Update PNG files from newer SVG
    (Closes: #1071824)
  * [a92c8d1] d/thunderbird.install: Install the newer correct SVG graphic

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 14 Jun 2024 13:26:00 +0200

thunderbird (1:115.11.0-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 15 May 2024 17:49:39 +0200

thunderbird (1:115.11.0-1) unstable; urgency=medium

  * [47bb447] d/c-u-t.py: Ignore potentially non ESR versions
  * [f008566] New upstream version 115.11.0
    Fixed CVE issues in upstream version 115.11 (MFSA 2024-23):
    CVE-2024-4367: Arbitrary JavaScript execution in PDF.js
    CVE-2024-4767: IndexedDB files retained in private browsing mode
    CVE-2024-4768: Potential permissions request bypass via clickjacking
    CVE-2024-4769: Cross-origin responses could be distinguished between
                   script and non-script content-types
    CVE-2024-4770: Use-after-free could occur when printing to PDF
    CVE-2024-4777: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
                   and Thunderbird 115.11
  * [b029857] d/control: Re-add build and binary dep on rnp library
    (Closes: #1070871)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 14 May 2024 21:28:37 +0200

thunderbird (1:115.10.1-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 21 Apr 2024 10:16:07 +0200

thunderbird (1:115.10.1-1) unstable; urgency=medium

  [ William Desportes ]
  * [d0cbb66] Fix a typo in the wrapper file

  [ Carsten Schoenert ]
  * [47d140b] New upstream version 115.10.1
    Fixed CVE issues in upstream version 115.10 (MFSA 2024-20):
    CVE-2024-3852: GetBoundName in the JIT returned the wrong object
    CVE-2024-3854: Out-of-bounds-read after mis-optimized switch statement
    CVE-2024-3857: Incorrect JITting of arguments led to use-after-free
                   during garbage collection
    CVE-2024-2609: Permission prompt input delay could expire when not in
                   focus
    CVE-2024-3859: Integer-overflow led to out-of-bounds-read in the
                   OpenType sanitizer
    CVE-2024-3861: Potential use-after-free due to AlignedBuffer self-move
    CVE-2024-3302: Denial of Service using HTTP/2 CONTINUATION frames
    CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10,
                   and Thunderbird 115.10
  * [5612f7b] d/control: Move libotr5 to libotr5t64 for bin:thunderbird
    (Closes: #1069337)
  * [195482a] d/mozconfig.default: Use internal shipped librnp version
    The Debian package has had an RC bug for a longer time which would prevent
    the migration of the thunderbird package to testing.
  * [cd4de72] d/control: Drop dependencies on librnp{0,-dev}
  * [761eb83] d/thunderbird.install: Install local built rnp tools
  * [ce212a8] d/control: Increase Standards-Version to 4.7.0
    No further changes needed.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 20 Apr 2024 19:35:18 +0200

thunderbird (1:115.9.0-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 19 Mar 2024 18:40:55 +0100

thunderbird (1:115.9.0-1) unstable; urgency=medium

  * [c122f7d] New upstream version 115.9.0
    Fixed CVE issues in upstream version 115.9 (MFSA 2024-14):
    CVE-2024-0743: Crash in NSS TLS method
    CVE-2024-2607: JIT code failed to save return registers on Armv7-A
    CVE-2024-2608: Integer overflow could have led to out of bounds write
    CVE-2024-2616: Improve handling of out-of-memory conditions in ICU
    CVE-2023-5388: NSS susceptible to timing attack against RSA decryption
    CVE-2024-2610: Improper handling of html and body tags enabled CSP nonce
                   leakage
    CVE-2024-2611: Clickjacking vulnerability could have led to a user
                   accidentally granting permissions
    CVE-2024-2612: Self referencing object could have potentially led to a
                   use-after-free
    CVE-2024-2614: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
                   and Thunderbird 115.9

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 19 Mar 2024 16:55:17 +0100

thunderbird (1:115.8.1-1) unstable; urgency=medium

  * [b9b4842] New upstream version 115.8.1
    Fixed CVE issues in upstream version 115.8.1 (MFSA 2024-11):
    CVE-2024-1936: Leaking of encrypted email subjects to other conversations

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 04 Mar 2024 19:13:14 +0100

thunderbird (1:115.8.0-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 21 Feb 2024 18:33:54 +0100

thunderbird (1:115.8.0-1) unstable; urgency=medium

  * [68f2fbe] New upstream version 115.8.0
    Fixed CVE issues in upstream version 115.8 (MFSA 2024-07):
    CVE-2024-1546: Out-of-bounds memory read in networking channels
    CVE-2024-1547: Alert dialog could have been spoofed on another site
    CVE-2024-1548: Fullscreen Notification could have been hidden by select
                   element
    CVE-2024-1549: Custom cursor could obscure the permission dialog
    CVE-2024-1550: Mouse cursor re-positioned unexpectedly could have led to
                   unintended permission grants
    CVE-2024-1551: Multipart HTTP Responses would accept the Set-Cookie
                   header in response parts
    CVE-2024-1552: Incorrect code generation on 32-bit ARM devices
    CVE-2024-1553: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8,
                   and Thunderbird 115.8

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 21 Feb 2024 17:18:14 +0100

thunderbird (1:115.7.0-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 23 Jan 2024 17:40:44 +0100

thunderbird (1:115.7.0-1) unstable; urgency=medium

  * [6e0c26c] New upstream version 115.7.0
    Fixed CVE issues in upstream version 115.7 (MFSA 2024-04):
    CVE-2024-0741: Out of bounds write in ANGLE
    CVE-2024-0742: Failure to update user input timestamp
    CVE-2024-0746: Crash when listing printers on Linux
    CVE-2024-0747: Bypass of Content Security Policy when directive
                   unsafe-inline was set
    CVE-2024-0749: Phishing site popup could show local origin in address bar
    CVE-2024-0750: Potential permissions request bypass via clickjacking
    CVE-2024-0751: Privilege escalation through devtools
    CVE-2024-0753: HSTS policy on subdomain could bypass policy of upper domain
    CVE-2024-0755: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
                   and Thunderbird 115.7

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 23 Jan 2024 16:56:31 +0100

thunderbird (1:115.6.0-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild patch queue from patch-queue branch
    Added patch:
    debian-hacks/Allow-to-build-oxilangtag-ffi-with-rustc-1.65.patch
  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 19 Dec 2023 21:23:24 +0100

thunderbird (1:115.6.0-1) unstable; urgency=medium

  * [aea3623] New upstream version 115.6.0
    Fixed CVE issues in upstream version 115.6 (MFSA 2023-55):
    CVE-2023-50762: Truncated signed text was shown with a valid OpenPGP
                    signature
    CVE-2023-50761: S/MIME signature accepted despite mismatching message
                    date
    CVE-2023-6856: Heap-buffer-overflow affecting WebGL DrawElementsInstanced
                   method with Mesa VM driver
    CVE-2023-6857: Symlinks may resolve to smaller than expected buffers
    CVE-2023-6858: Heap buffer overflow in nsTextFragment
    CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer
    CVE-2023-6860: Potential sandbox escape due to VideoBridge lack
                   of texture validation
    CVE-2023-6861: Heap buffer overflow affected nsWindow::PickerOpen(void)
                   in headless mode
    CVE-2023-6862: Use-after-free in nsDNSService
    CVE-2023-6863: Undefined behavior in ShutdownObserver()
    CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6,
                   and Thunderbird 115.6
  * [6ecaa01] d/control: Remove B-D on libiw-dev
    (Closes: #1058737)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 19 Dec 2023 20:24:02 +0100

thunderbird (1:115.5.2-1) unstable; urgency=medium

  * [34f6404] New upstream version 115.5.2

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 08 Dec 2023 21:21:26 +0100

thunderbird (1:115.5.1-1) unstable; urgency=medium

  * [eec913b] New upstream version 115.5.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 29 Nov 2023 18:13:11 +0100

thunderbird (1:115.5.0-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 23 Nov 2023 14:33:32 +0000

thunderbird (1:115.5.0-1) unstable; urgency=medium

  [ intrigeri ]
  * [a6be3ab] AppArmor: update profile from upstream at commit
              9d3fa88cdab512e45f6fd80f067337f200d356bc

  [ Carsten Schoenert ]
  * [ed61fd6] New upstream version 115.5.0
    Fixed CVE issues in upstream version 115.5 (MFSA 2023-52):
    CVE-2023-6204: Out-of-bound memory access in WebGL2 blitFramebuffer
    CVE-2023-6205: Use-after-free in MessagePort::Entangled
    CVE-2023-6206: Clickjacking permission prompts using the fullscreen
                   transition
    CVE-2023-6207: Use-after-free in ReadableByteStreamQueueEntry::Buffer
    CVE-2023-6208: Using Selection API would copy contents into X11 primary
                   selection.
    CVE-2023-6209: Incorrect parsing of relative URLs starting with "///"
    CVE-2023-6212: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
                   and Thunderbird 115.5

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 22 Nov 2023 21:50:16 +0000

thunderbird (1:115.4.1-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 26 Oct 2023 19:15:36 +0200

thunderbird (1:115.4.1-1) unstable; urgency=medium

  * [c51ab77] New upstream version 115.4.1
    Fixed CVE issues in upstream version 115.4.1 (MFSA 2023-47):
    CVE-2023-5721: Queued up rendering could have allowed websites to
                   clickjack
    CVE-2023-5732: Address bar spoofing via bidirectional characters
    CVE-2023-5724: Large WebGL draw could have led to a crash
    CVE-2023-5725: WebExtensions could open arbitrary URLs
    CVE-2023-5728: Improper object tracking during GC in the JavaScript
                   engine could have led to a crash.
    CVE-2023-5730: Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4,
                   and Thunderbird 115.4.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 25 Oct 2023 21:05:23 +0200

thunderbird (1:115.3.1-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security
  * [6d72841] d/mozconfig.default: Use internal shipped librnp version
  * [fb349c5] d/control: Drop librnp0 package from Depends
  * [0a8206b] d/thunderbird.install: Install local build rnp tools
  * [e556e49] d/mozconfig.default: Use internal shipped nss version
  * [73412b7] d/control: Adjust the Build-Depends packages

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 29 Sep 2023 22:24:58 +0200

thunderbird (1:115.3.1-1) unstable; urgency=medium

  * [276a53a] New upstream version 115.3.1
    Fixed CVE issues in upstream version 115.3.1 (MFSA 2023-44):
    CVE-2023-5217: Heap buffer overflow in libvpx
  * [a360abf] d/control: Point VCS links to debian/sid

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 29 Sep 2023 19:26:42 +0200

thunderbird (1:115.3.0-1) unstable; urgency=medium

  * [2e67467] New upstream version 115.3.0
    Fixed CVE issues in upstream version 115.3 (MFSA 2023-43):
    CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1
    CVE-2023-5169: Out-of-bounds write in PathOps
    CVE-2023-5171: Use-after-free in Ion Compiler
    CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox
                   ESR 115.3, and Thunderbird 115.3

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 27 Sep 2023 19:07:47 +0200

thunderbird (1:115.2.2-1) unstable; urgency=medium

  * [08bc8c9] d/thunderbird.desktop: Update data with upstream data
    (Closes: #1042912, #1051261)
  * [2fd665b] New upstream version 115.2.2
    Fixed CVE issues in upstream version 115.2.2 (MFSA 2023-40):
    CVE-2023-4863: Heap buffer overflow in libwebp
  * [7b862be] d/copyright: Update content due to upstream changes
  * [140b77d] d/s/lintian-overrides: Update data for overrides

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 13 Sep 2023 22:59:59 +0530

thunderbird (1:115.2.0-1) unstable; urgency=medium

  * [1415d01] New upstream version 115.2.0
    Fixed CVE issues in upstream version 115.2 (MFSA 2023-36):
    CVE-2023-4573: Memory corruption in IPC CanvasTranslator
    CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback
    CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback
    CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation
    CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics
    CVE-2023-4051: Full screen notification obscured by file open dialog
    CVE-2023-4578: Error reporting methods in SpiderMonkey could have
                   triggered an Out of Memory Exception
    CVE-2023-4053: Full screen notification obscured by external program
    CVE-2023-4580: Push notifications saved to disk unencrypted
    CVE-2023-4581: XLL file extensions were downloadable without warnings
    CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv
    CVE-2023-4583: Browsing Context potentially not cleared when closing
                   Private Window
    CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR
                   102.15, Firefox ESR 115.2, Thunderbird 102.15, and
                   Thunderbird 115.2
    CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2,
                   and Thunderbird 115.2

 -- Christoph Goehre <chris@sigxcpu.org>  Wed, 30 Aug 2023 17:41:36 +0200

thunderbird (1:115.1.1-1) unstable; urgency=medium

  [ Christoph Goehre ]
  * [880cabe] ship glxtest and vaapitest binaries
    (Closes: #1043057)

  [ Carsten Schoenert ]
  * [8474b9b] d/thunderbird.install: Use upstream graphics for icons
  * [85f99a2] d/c-u-t.py: Use Version() from python3-packaging
  * [86e3335] d/thunderbird.desktop: Sort MimeType entries alphabetically
  * [2bc5f47] New upstream version 115.1.1
  * [ddec51f] Revert "d/mozconfig.default: Use internal shipped librnp
              version"
  * [3ef27e2] Revert "d/control: Drop librnp0 package from Depends"
  * [9011502] Revert "d/thunderbird.install: Install rnp tools too"
  * [d5eef62] d/control: Bump version of librnp{0,-dev}
    (Closes: #1041409)

  [ Max Nikulin ]
  * [0e04b0e] d/thunderbird.desktop: Add IANA MIME type for .vcf vcard
  * [ce01092] d/thunderbird.desktop: Add mid: URI to MIME types
    (Closes: #1008159)
  * [c11a22f] d/thunderbird.desktop: Add news: URI to MIME types
  * [bf5586f] d/thunderbird.desktop: Add webcal: URI to MIME types

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 16 Aug 2023 17:18:04 +0200

thunderbird (1:115.1.0-1) unstable; urgency=medium

  * [8c11865] d/gbp.conf: Adjust upstream branch to new ESR cycle
  * [fb76340] New upstream version 115.1.0
    Fixed CVE issues in upstream version 115.1 (MFSA 2023-33):
    CVE-2023-4045: Offscreen Canvas could have bypassed cross-origin
                   restrictions
    CVE-2023-4046: Incorrect value used during WASM compilation
    CVE-2023-4047: Potential permissions request bypass via clickjacking
    CVE-2023-4048: Crash in DOMParser due to out-of-memory conditions
    CVE-2023-4049: Fix potential race conditions when releasing platform
                   objects
    CVE-2023-4050: Stack buffer overflow in StorageManager
    CVE-2023-4055: Cookie jar overflow caused unexpected cookie jar state
    CVE-2023-4056: Memory safety bugs fixed in Firefox 116,
                   Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1,
                   and Thunderbird 102.14
    CVE-2023-4057: Memory safety bugs fixed in Firefox 116,
                   Firefox ESR 115.1, and Thunderbird 115.1
  * [b562827] Rebuild patch queue from patch-queue branch
    Removed patches (included upstream):
    fixes/Bug-1840931-More-properly-handle-files-4GB-in-elfhack.-r-.patch
    fixes/Bug-1842933-Use-NEON_FLAGS-instead-of-VPX_ASFLAGS-for-lib.patch
    porting-mips/Bug-1841197-Undefine-the-mips-builtin-macro-on-mips-in-sk.patch
    porting-mips64el/Bug-1841201-Work-around-tail-call-optimization-not-happen.patch
    porting-ppc64el/Work-around-bz-1775202-to-fix-FTBFS-on-ppc64el.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 01 Aug 2023 19:19:27 +0200

thunderbird (1:115.0.1-2) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [39b1576] d/create-upstream-tarballs.py: Catch non existing versions
  * [f663f6a] d/create-upstream-tarballs.py: Running black formatter
  * [8e6d7fe] d/create-upstream-tarballs.py: Use speaking variable name

  [ Christoph Goehre ]
  * [cdab989] Rebuild patch queue from patch-queue branch
    Added patch:
    porting-mips64el/Bug-1841201-Work-around-tail-call-optimization-not-happen.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 29 Jul 2023 09:22:57 +0200

thunderbird (1:115.0.1-1) experimental; urgency=medium

  * [30f2fcc] New upstream version 115.0.1
    Fixed CVE issues in upstream version 115.0.1 (MFSA 2023-27):
    CVE-2023-3600: Use-after-free in workers
    CVE-2023-3417: File Extension Spoofing using the Text Direction
                   Override Character
  * [efbb370] Rebuild patch queue from patch-queue branch
    Added patches:
    debian-hacks/rnp-Fix-include-for-format-specifiers-for-uint32_t.patch
    fixes/skia-Cast-SkEndian_SwapBE32-n-to-uint32_t-on-big-endian.patch
    porting-mips64el/skia-Disable-musttail-on-mips64.patch
    porting-ppc64el/skia-Disable-musttail-on-ppc64el.patch
  * [f78b777] d/mozconfig.default: Use internal shipped librnp version
  * [a606cdb] d/control: Drop librnp0 package from Depends
  * [104bf35] d/thunderbird.install: Install rnp tools too

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 23 Jul 2023 09:07:08 +0200

thunderbird (1:115.0-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [3a6b0eb] New upstream version 115.0
  * [1c11a15] Rebuild patch queue from patch-queue branch
    Dropped patches:
    debian-hacks/Decrease-Cargo-minimal-version-to-1.46.0.patch
    debian-hacks/Fix-Floating-Point-Normalization-breakage-on-32bit-Linux.patch
    debian-hacks/Use-remoting-name-for-call-to-gdk_set_program_class.patch
    fixes/Bug-1556197-amend-Bug-1544631-for-fixing-mips32.patch
    fixes/Bug-628252-os2.cc-fails-to-compile-against-GCC-4.6-m.patch
    porting-armhf/Bug-1526653-Include-struct-definitions-for-user_vfp-and-u.patch
    porting-kfreebsd-hurd/Allow-ipc-code-to-build-on-GNU-hurd.patch
    porting-kfreebsd-hurd/Allow-ipc-code-to-build-on-GNU-kfreebsd.patch
    porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
    porting-kfreebsd-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch
    porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch
    porting-kfreebsd-hurd/ipc-chromium-fix-if-define-for-kFreeBSD-and-Hurd.patch
    porting-ppc64el/work-around-a-build-failure-with-clang-on-ppc64el.patch
    porting/Work-around-GCC-ICE-on-mips-i386-and-s390x.patch
    Added patches:
    fixes/Bug-1840931-More-properly-handle-files-4GB-in-elfhack.-r-.patch
    fixes/Bug-1842933-Use-NEON_FLAGS-instead-of-VPX_ASFLAGS-for-lib.patch
    fixes/Fix-math_private.h-for-i386-FTBFS.patch
    porting-mips/Bug-1841197-Undefine-the-mips-builtin-macro-on-mips-in-sk.patch
    porting-ppc64el/Work-around-GCC-ICE-on-ppc64el.patch
    porting-ppc64el/Work-around-bz-1775202-to-fix-FTBFS-on-ppc64el.patch
  * [8d1d0e0] d/source.filter: Add build/android to list

  [ Bo YU ]
  * [ddf55dc] riscv64: Add build support for Riscv64 (Closes: #1026118)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 16 Jul 2023 12:22:50 +0200

thunderbird (1:115.0~b6-1) experimental; urgency=medium

  * [1d7c51d] New upstream version 115.0~b6

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 29 Jun 2023 20:13:46 +0200

thunderbird (1:115.0~b4-1) experimental; urgency=medium

  * [5685662] New upstream version 115.0~b4
  * [0ff4fd0] Rebuild patch queue from patch-queue branch
    Updated patches:
    porting-kfreebsd-hurd/Allow-ipc-code-to-build-on-GNU-hurd.patch
    porting-kfreebsd-hurd/Allow-ipc-code-to-build-on-GNU-kfreebsd.patch
  * [67def1f] d/control: Add libotr5 to Depends

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 23 Jun 2023 16:03:31 +0200

thunderbird (1:114.0~b2-1) experimental; urgency=medium

  * [1f5bec1] New upstream version 114.0~b2
  * [df5220a] Rebuild patch queue from patch-queue branch
    Updated patches:
    porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
    porting/Work-around-GCC-ICE-on-mips-i386-and-s390x.patch
  * [71e654b] d/rules: Add 2 files to dh_missing

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 16 May 2023 21:38:11 +0200

thunderbird (1:113.0~b3-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [569da29] apparmor: Expand profile folder about .mozilla-thunderbird
    (Closes: #1030532)
  * [777be0a] New upstream version 113.0~b3
  * [ae90792] Rebuild patch queue from patch-queue branch
    Dropped patch (included upstream):
    debian-hacks/Make-Thunderbird-build-reproducible.patch

  [ Timothy Pearson ]
  * [5dff12c] Explicitly set SQLite endianness on ppc64el

  [ intrigeri ]
  * [c0ea3f9] AppArmor: update profile from upstream at
    commit a03a894c6c30b7a566aa74645802de1cea580bca

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 21 Apr 2023 19:11:41 +0200

thunderbird (1:112.0~b1-1) experimental; urgency=medium

  * [c89a60d] d/source.filter: Update content to filter out
  * [12cd2c8] New upstream version 112.0~b1
  * [6655d37] Rebuild patch queue from patch-queue branch
    Removed patch:
    debian-hacks/Relax-minimum-supporter-rust-version-to-1.63.patch
  * [c4744df] d/control: Increase B-D on rustc to >= 1.65
  * [ad73ef1] d/thunderbird.docs: Readd Apache-2 related Notice file
  * [ebf44e8] d/control: Adjust B-D to libfontconfig-dev
  * [6cea088] d/control: Increase Standards-Version to 4.6.2
  * [2d0d8ee] d/copyright: Update content due to upstream changes
  * [268ee53] Lintian: Update overrides for source package
  * [28ffd63] Lintian: Update overrides for thunderbird package
  * [200f86d] Lintian: Update override for thunderbird-l10n-all

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 18 Mar 2023 19:31:18 +0100

thunderbird (1:110.0~b4-1) experimental; urgency=medium

  [ Amr Ibrahim ]
  * [22b9eb7] thunderbird.desktop: Update StartupWMClass

  [ Carsten Schoenert ]
  * [afe6c6a] d/copyright: Update content due to upstream changes
  * [7b31b9d] d/source.filter: Update content to filter out
  * [03b50b4] Lintian: Adjust overrides for thunderbird package
  * [d3510d8] Lintian: Adjust overrides for source package
  * [57839a2] d/control: Increase version in B-D for libnss-dev
  * [958648e] d-create-upstream-tarballs.py: Use correct variable
  * [208f93e] New upstream version 110.0~b4
    (Closes: #1031541)
  * [ba87378] Rebuild patch queue from patch-queue branch
    Added patch:
    debian-hacks/Relax-minimum-supporter-rust-version-to-1.63.patch
    Adjusted patch:
    debian-hacks/Fix-Floating-Point-Normalization-breakage-on-32bit-Linux.patch
    porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
  * [3104ede] Drop usage of autoconf calls
  * [42a2545] d/control: Increase some versions in B-D
  * [551a17f] d/rules: Don't remove configure on dh_clean
  * [3b7b408] d/source.filter: Don't filter configure from upstream data
  * [48913d3] d/thunderbird.docs: Drop install of NOTICE file
  * [44589db] d/mozconfig.default: Use internal version of ICU
  * [3eba559] d/control: Drop libicu-dev from B-D for now

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 07 Mar 2023 16:41:43 +0100

thunderbird (1:104.0~b2-1) experimental; urgency=medium

  * [92670b2] d/repack.py: Small rework and adjustments
  * [06fb656] d/create-upstream-tarballs.py: Adding new helper script
  * [331247d] d/README.source: Update information on importing data
  * [57a6dd7] d/source.filter: Relax filter rule for old-configure
  * [36696b6] d/repack.py: Don't exit(1) if unused filter items exist
  * [3b14d11] d/create-thunderbird-l10n-tarball.sh: Drop old helper
  * [5468bb8] d/gbp.conf: Drop 'import-orig' section
  * [fd4d5c1] d/source.filter: Add files named *.orig and *.rej
  * [5035e50] New upstream version 104.0~b2
  * [cc89049] Rebuild patch queue from patch-queue branch
    Removed patch:
    debian-hacks/Lower-down-required-NSS-version.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 06 Aug 2022 09:13:35 +0200

thunderbird (1:103.0~b5-1) experimental; urgency=medium

  * [a060ea2] d/gbp.conf: Sign tags automatically
    (cherry-picked from debian/sid)
  * [ac331c8] New upstream version 103.0~b5
  * [00dd354] Rebuild patch queue from patch-queue branch
    Added patch:
    debian-hacks/Lower-down-required-NSS-version.patch
  * [5c35afb] d/watch: Look now for versions starting with 3 digits
    (cherry-picked from debian/sid)
  * [a897f48] d/control: Add package thunderbird-l10n-es-mx
    (cherry-picked from debian/sid)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 13 Jul 2022 18:08:16 +0200

thunderbird (1:102.15.1-1~deb12u1) bookworm-security; urgency=medium

  * [59acecf] New upstream version 102.15.1
    Fixed CVE issues in upstream version 102.15.1 (MFSA 2023-40):
    CVE-2023-4863: Heap buffer overflow in libwebp

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 14 Sep 2023 09:12:52 +0530

thunderbird (1:102.15.0-1~deb12u1) bookworm-security; urgency=medium

  * [6c701df] New upstream version 102.15.0
    Fixed CVE issues in upstream version 102.15 (MFSA 2023-35):
    CVE-2023-4573: Memory corruption in IPC CanvasTranslator
    CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback
    CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback
    CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation
    CVE-2023-4581: XLL file extensions were downloadable without warnings
    CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR
                   102.15, Firefox ESR 115.2, Thunderbird 102.15, and
                   Thunderbird 115.2

 -- Christoph Goehre <chris@sigxcpu.org>  Thu, 31 Aug 2023 17:15:52 +0200

thunderbird (1:102.14.0-1~deb12u1) bookworm-security; urgency=medium

  * [bcc7c87] New upstream version 102.14.0
    Fixed CVE issues in upstream version 102.14 (MFSA 2023-32):
    CVE-2023-4045: Offscreen Canvas could have bypassed cross-origin restrictions
    CVE-2023-4046: Incorrect value used during WASM compilation
    CVE-2023-4047: Potential permissions request bypass via clickjacking
    CVE-2023-4048: Crash in DOMParser due to out-of-memory conditions
    CVE-2023-4049: Fix potential race conditions when releasing platform objects
    CVE-2023-4050: Stack buffer overflow in StorageManager
    CVE-2023-4055: Cookie jar overflow caused unexpected cookie jar state
    CVE-2023-4056: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
                   Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 04 Aug 2023 19:48:57 +0200

thunderbird (1:102.13.1-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 28 Jul 2023 16:02:28 +0200

thunderbird (1:102.13.1-1) unstable; urgency=medium

  * [e803b54] New upstream version 102.13.1
    Fixed CVE issues in upstream version 102.13.1 (MFSA 2023-28):
    CVE-2023-3417: File Extension Spoofing using the Text Direction
                   Override Character
  * [456ce20] Rebuild patch queue from patch-queue branch
    Added patch:
    fixes/gfx-Fix-inclusion-of-C-header.patch
    fixes/toolkit-Fix-inclusion-of-C-header.patch
    (Closes: #1037872)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 26 Jul 2023 19:48:59 +0200

thunderbird (1:102.13.0-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security
    (Closes: #971790, #1006432)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 08 Jul 2023 08:15:29 +0200

thunderbird (1:102.13.0-1) unstable; urgency=medium

  * [7168011] New upstream version 102.13.0
    Fixed CVE issues in upstream version 102.13 (MFSA 2023-24):
    CVE-2023-37201: Use-after-free in WebRTC certificate generation
    CVE-2023-37202: Potential use-after-free from compartment mismatch in
                    SpiderMonkey
    CVE-2023-37207: Fullscreen notification obscured
    CVE-2023-37208: Lack of warning when opening Diagcab files
    CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR
                    102.13, and Thunderbird 102.13
    (Closes: #971790, #1006432)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 08 Jul 2023 06:15:04 +0200

thunderbird (1:102.12.0-1~deb12u1) bookworm-security; urgency=medium

  * Rebuild for bookworm-security

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 10 Jun 2023 08:23:12 +0200

thunderbird (1:102.12.0-1) unstable; urgency=medium

  * [a285966] New upstream version 102.12.0
    Fixed CVE issues in upstream version 102.12 (MFSA 2023-21):
    CVE-2023-34414: Click-jacking certificate exceptions through rendering lag
    CVE-2023-34416: Memory safety bugs fixed in Thunderbird 102.12
  * [73c48d4] d/control: Add libotr5 to Depends

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 05 Jun 2023 18:51:11 +0200

thunderbird (1:102.11.0-1) unstable; urgency=medium

  [ intrigeri ]
  * [f3e5479] AppArmor: update profile from upstream at
    commit a03a894c6c30b7a566aa74645802de1cea580bca

  [ Carsten Schoenert ]
  * [0626d72] New upstream version 102.11.0
    Fixed CVE issues in upstream version 102.11 (MFSA 2023-18):
    CVE-2023-32205: Browser prompts could have been obscured by popups
    CVE-2023-32206: Crash in RLBox Expat driver
    CVE-2023-32207: Potential permissions request bypass via clickjacking
    CVE-2023-32211: Content process crash due to invalid wasm code
    CVE-2023-32212: Potential spoof due to obscured address bar
    CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()
    CVE-2023-32215: Memory safety bugs fixed in Thunderbird 102.11

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 12 May 2023 17:11:29 +0200

thunderbird (1:102.10.0-1) unstable; urgency=medium

  * [8afefce] New upstream version 102.10.0
    Fixed CVE issues in upstream version 102.10 (MFSA 2023-15):
    CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass
    CVE-2023-29533: Fullscreen notification obscured
    CVE-2023-1999: Double-free in libwebp
    CVE-2023-29535: Potential Memory Corruption following Garbage Collector
                    compaction
    CVE-2023-29536: Invalid free from JavaScript code
    CVE-2023-0547: Revocation status of S/Mime recipient certificates was
                   not checked
    CVE-2023-29479: Hang when processing certain OpenPGP messages
    CVE-2023-29539: Content-Disposition filename truncation leads to
                    Reflected File Download
    CVE-2023-29541: Files with malicious extensions could have been
                    downloaded unsafely on Linux
    CVE-2023-29542: Bypass of file download extension restrictions
    CVE-2023-1945: Memory Corruption in Safe Browsing Code
    CVE-2023-29548: Incorrect optimization result on ARM64
    CVE-2023-29550: Memory safety bugs fixed in Thunderbird 102.10

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 17 Apr 2023 21:32:45 +0200

thunderbird (1:102.9.1-1) unstable; urgency=medium

  [ Timothy Pearson ]
  * [de7c4f8] Explicitly set SQLite endianness on ppc64el
    (Closes: #1033534)

  [ Carsten Schoenert ]
  * [06059fb] New upstream version 102.9.1
    Fixed CVE issues in upstream version 102.9.1 (MFSA 2023-12):
    CVE-2023-28427: Matrix SDK bundled with Thunderbird vulnerable to
                    denial-of-service attack

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 29 Mar 2023 17:34:39 +0200

thunderbird (1:102.9.0-1) unstable; urgency=medium

  * [ad8cc7c] New upstream version 102.9.0
    Fixed CVE issues in upstream version 102.9 (MFSA 2023-11):
    CVE-2023-25751: Incorrect code generation during JIT compilation
    CVE-2023-28164: URL being dragged from a removed cross-origin iframe
                    into the same tab triggered navigation
    CVE-2023-28162: Invalid downcast in Worklets
    CVE-2023-25752: Potential out-of-bounds when accessing throttled streams
    CVE-2023-28176: Memory safety bugs fixed in Thunderbird 102.9
  * [b0a22c0] d/control: Increase Standards-Version to 4.6.2
    No further changes needed.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 15 Mar 2023 19:54:53 +0100

thunderbird (1:102.8.0-1) unstable; urgency=medium

  * [b130936] New upstream version 102.8.0
    Fixed CVE issues in upstream version 102.8.0 (MFSA 2023-07):
    CVE-2023-0616: User Interface lockup with messages combining S/MIME and
                   OpenPGP
    CVE-2023-25728: Content security policy leak in violation reports using
                    iframes
    CVE-2023-25730: Screen hijack via browser fullscreen mode
    CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS
    CVE-2023-25735: Potential use-after-free from compartment mismatch in
                    SpiderMonkey
    CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry
    CVE-2023-25739: Use-after-free in
                    mozilla::dom::ScriptLoadContext::~ScriptLoadContext
    CVE-2023-25729: Extensions could have opened external schemes without
                    user knowledge
    CVE-2023-25732: Out of bounds memory write from EncodeInputStream
    CVE-2023-25742: Web Crypto ImportKey crashes tab
    CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8
  * [66e2335] Rebuild patch queue from patch-queue branch
    Removed patch (included upstream):
    debian-hacks/Python-3.11-Don-t-use-mode-rU-any-more.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 17 Feb 2023 20:17:32 +0100

thunderbird (1:102.7.2-1) unstable; urgency=medium

  * [468e468] New upstream version 102.7.2

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 08 Feb 2023 18:34:59 +0100

thunderbird (1:102.7.1+1-1) unstable; urgency=medium

  * [5ce0e7d] New upstream version 102.7.1+1
    Fixed CVE issues in upstream version 102.7.1 (MFSA 2023-04):
    CVE-2023-0430: Revocation status of S/Mime signature certificates was
                   not checked
    Note: The previous version 1:102.7.1-1 was built on top of a release
    candidate which does not fix CVE-2023-0430 fully.
    (Closes: #1029594, #1029606)
  * [c7c81a5] apparmor: Expand profile folder about .mozilla-thunderbird
    (Closes: #1030532)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 05 Feb 2023 17:27:40 +0100

thunderbird (1:102.7.1-1) unstable; urgency=medium

  * [dbc3385] New upstream version 102.7.1
    Fixed CVE issues in upstream version 102.7 (MFSA 2023-03):
    CVE-2022-46871: libusrsctp library out of date
    CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
    CVE-2023-23601: URL being dragged from cross-origin iframe into same
                    tab triggers navigation
    CVE-2023-23602: Content Security Policy wasn't being correctly applied
                    to WebSockets in WebWorkers
    CVE-2022-46877: Fullscreen notification bypass
    CVE-2023-23603: Calls to console.log allowed bypassing
                    Content Security Policy via format directive
    CVE-2023-23605: Memory safety bugs fixed in Thunderbird 102.7
  * [af92a36] Rebuild patch queue from patch-queue branch
    Added patch:
    debian-hacks/Python-3.11-Don-t-use-mode-rU-any-more.patch
    (Closes: #1028885)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 24 Jan 2023 16:32:06 +0100

thunderbird (1:102.6.0-1) unstable; urgency=medium

  [ Paul Gevers ]
  * [6bbbd94] tests: thunderbird no longer builds on armel and armhf, so
    let's not fail while trying to test there
  * [d9e09a0] tests: help.sh is really a very superficial test, so let's
    mark it as such

  [ Carsten Schoenert ]
  * [43b90d6] New upstream version 102.6.0
    Fixed CVE issues in upstream version 102.6 (MFSA 2022-53):
    CVE-2022-46880: Use-after-free in WebGL
    CVE-2022-46872: Arbitrary file read from a compromised content process
    CVE-2022-46881: Memory corruption in WebGL
    CVE-2022-46874: Drag and Dropped Filenames could have been truncated to
                    malicious extensions
    CVE-2022-46882: Use-after-free in WebGL
    CVE-2022-46878: Memory safety bugs fixed in Thunderbird 102.6
  * [745c1a3] Rebuild patch queue from patch-queue branch
    Removed patches (included upstream):
    fixes/Bug-1773070-Rename-remove-some-eventState-s-variables.-r-.patch
    fixes/Bug-1782988-Avoid-build-bustage-when-building-against-gli.patch
    fixes/Bug-1782988-Fix-use-of-arc4random_buf-use-in-ping.cpp.-r-.patch
  * [1e74214] d/control: Increase build dep on libnss3-dev to 3.79.2

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 13 Dec 2022 19:40:57 +0100

thunderbird (1:102.5.1-1) unstable; urgency=medium

  * [ae4d1ff] New upstream version 102.5.1
    Fixed CVE issues in upstream version 102.5.1 (MFSA 2022-50):
    CVE-2022-45414: Quoting from an HTML email with certain tags will trigger
                    network requests and load remote content, regardless of
                    a configuration to block remote content

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 30 Nov 2022 12:27:38 +0100

thunderbird (1:102.5.0-1) unstable; urgency=medium

  * [2f04265] New upstream version 102.5.0
    Fixed CVE issues in upstream version 102.5 (MFSA 2022-49):
    CVE-2022-45403: Service Workers might have learned size of cross-origin
                    media files
    CVE-2022-45404: Fullscreen notification bypass
    CVE-2022-45405: Use-after-free in InputStream implementation
    CVE-2022-45406: Use-after-free of a JavaScript Realm
    CVE-2022-45408: Fullscreen notification bypass via windowName
    CVE-2022-45409: Use-after-free in Garbage Collection
    CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite
                    cookie policy
    CVE-2022-45411: Cross-Site Tracing was possible via non-standard
                    override headers
    CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers
    CVE-2022-45416: Keystroke Side-Channel Leakage
    CVE-2022-45418: Custom mouse cursor could have been drawn over
                    browser UI
    CVE-2022-45420: Iframe contents could be rendered outside the iframe
    CVE-2022-45421: Memory safety bugs fixed in Thunderbird 102.5
  * [57e94ac] Rebuild patch queue from patch-queue branch
    Added patches:
    fixes/Bug-1782988-Avoid-build-bustage-when-building-against-gli.patch
    fixes/Bug-1782988-Fix-use-of-arc4random_buf-use-in-ping.cpp.-r-.patch
    (Closes: #1023789)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 15 Nov 2022 19:34:55 +0100

thunderbird (1:102.4.1-1) unstable; urgency=medium

  [ intrigeri ]
  * [37c5b01] AppArmor: update profile from upstream at commit
    09fa2669dc95cb336d133a6b96cac227e3aa73dc
    This allows running Thunderbird as a native Wayland application.

  [ Carsten Schoenert ]
  * [031c4a2] New upstream version 102.4.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 31 Oct 2022 18:50:44 +0100

thunderbird (1:102.4.0-1) unstable; urgency=medium

  * [6bfe8cd] New upstream version 102.4.0
    Fixed CVE issues in upstream version 102.4 (MFSA 2022-46):
    CVE-2022-42927: Same-origin policy violation could have leaked
                    cross-origin URLs
    CVE-2022-42928: Memory Corruption in JS Engine
    CVE-2022-42929: Denial of Service via window.print
    CVE-2022-42932: Memory safety bugs fixed in Thunderbird 102.4

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 24 Oct 2022 22:33:05 +0200

thunderbird (1:102.3.3-1) unstable; urgency=medium

  * [6729f5d] New upstream version 102.3.3

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 13 Oct 2022 16:09:50 +0200

thunderbird (1:102.3.2-1) unstable; urgency=medium

  * [db7a24f] New upstream version 102.3.2

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 06 Oct 2022 20:34:42 +0200

thunderbird (1:102.3.1-1) unstable; urgency=medium

  * [f845126] New upstream version 102.3.1
    Fixed CVE issues in upstream version 102.3.1 (MFSA 2022-43):
    CVE-2022-39249: Matrix SDK bundled with Thunderbird vulnerable to an
                    impersonation attack by malicious server administrators
    CVE-2022-39250: Matrix SDK bundled with Thunderbird vulnerable to a device
                    verification attack
    CVE-2022-39251: Matrix SDK bundled with Thunderbird vulnerable to an
                    impersonation attack
    CVE-2022-39236: Matrix SDK bundled with Thunderbird vulnerable to a data
                    corruption issue
  * [4555808] Rebuild patch queue from patch-queue branch
    debian-hacks/Use-remoting-name-for-call-to-gdk_set_program_class.patch
    fixes/Properly-launch-applications-set-in-HOME-.mailcap.patch
  * [344dbfa] d/copyright: Add info about code from Matrix

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 29 Sep 2022 19:09:02 +0200

thunderbird (1:102.3.0-1) unstable; urgency=medium

  * [0e841a7] New upstream version 102.3.0
    Fixed CVE issues in upstream version 102.3 (MFSA 2022-42):
    CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages
    CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads
    CVE-2022-40958: Bypassing Secure Context restriction for cookies with
                    __Host and __Secure prefix
    CVE-2022-40956: Content-Security-Policy base-uri bypass
    CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64
    CVE-2022-40962: Memory safety bugs fixed in Thunderbird 102.3

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 16 Sep 2022 16:56:20 +0200

thunderbird (1:102.2.2-1) unstable; urgency=medium

  * [f1dc81f] New upstream version 102.2.2

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 08 Sep 2022 17:25:57 +0200

thunderbird (1:102.2.1-1) unstable; urgency=medium

  * [e1d0f74] New upstream version 102.2.1
    Fixed CVE issues in upstream version 102.2.1 (MFSA 2022-38):
    CVE-2022-3033: Leaking of sensitive information when composing a response
                   to an HTML email with a META refresh tag
    CVE-2022-3032: Remote content specified in an HTML document that was
                   nested inside an iframe's srcdoc attribute was not blocked
    CVE-2022-3034: An iframe element in an HTML email could trigger a
                   network request
    CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to
                    denial-of-service attack

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 01 Sep 2022 07:52:16 +0200

thunderbird (1:102.2.0-1) unstable; urgency=medium

  [ Amr Ibrahim ]
  * [02a3990] thunderbird.desktop: Update StartupWMClass
    (Closes: #1017420, #1014748)

  [ Carsten Schoenert ]
  * [f7b62a8] d-create-upstream-tarballs.py: Use correct variable
  * [7194457] New upstream version 102.2.0
    Fixed CVE issues in upstream version 102.2 (MFSA 2022-36):
    CVE-2022-38472: Address bar spoofing via XSLT error handling
    CVE-2022-38473: Cross-origin XSLT Documents would have inherited the
                    parent's permissions
    CVE-2022-38476: Data race and potential use-after-free in PK11_ChangePW
    CVE-2022-38477: Memory safety bugs fixed in Thunderbird 102.2
    CVE-2022-38478: Memory safety bugs fixed in Thunderbird 102.2, and
                    Thunderbird 91.13

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 28 Aug 2022 17:23:50 +0200

thunderbird (1:102.1.2-1) unstable; urgency=medium

  * [78f2899] d/copyright: Update content due to upstream changes
  * [55dba1d] d/source.filter: Update content to filter out
  * [3e19497] Lintian: Adjust overrides for thunderbird package
  * [567e0c4] Lintian: Adjust overrides for source package
  * [c201484] New upstream version 102.1.2
    (Closes: #1016944)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 11 Aug 2022 16:37:07 +0200

thunderbird (1:102.1.1-1) unstable; urgency=medium

  * [2c1b12f] d/create-upstream-tarballs.py: Adding new helper script
  * [a9633b9] d/README.source: Update information on importing data
  * [1d2cdc0] d/source.filter: Relax filter rule for old-configure
  * [f1afe9b] d/repack.py: Don't exit(1) if unused filter items exist
  * [165593a] d/create-thunderbird-l10n-tarball.sh: Drop old helper
  * [b4d73ee] d/gbp.conf: Drop 'import-orig' section
  * [d186832] d/source.filter: Add files named *.orig and *.rej
  * [933b099] New upstream version 102.1.1
    (Closes: #1014675)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 06 Aug 2022 11:26:44 +0200

thunderbird (1:102.1.0-1) unstable; urgency=medium

  * [3b7bb0d] New upstream version 102.1.0
    Fixed CVE issues in upstream version 102.1 (MFSA 2022-32):
    CVE-2022-36319: Mouse Position spoofing with CSS transforms
    CVE-2022-36318: Directory indexes for bundled resources reflected URL
                    parameters
    CVE-2022-2505: Memory safety bugs fixed in Thunderbird 102.1
    (Closes: #1016083, #1014745, #1014675, #1014638)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 29 Jul 2022 17:00:53 +0200

thunderbird (1:102.0.2-1) unstable; urgency=medium

  * [079e135] d/repack.py: Small rework and adjustments
  * [fc2518e] d/control: Readjust Vcs links to unstable
  * [a7b09b3] d/gbp.conf: Sign tags automatically
  * [faf115d] New upstream version 102.0.2

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 12 Jul 2022 18:41:04 +0200

thunderbird (1:102.0.1-1) unstable; urgency=medium

  * [68c9410] d/gbp.conf: Adjust upstream branch to new ESR cycle
  * [45eca79] New upstream version 102.0.1
    Fixed CVE issues in upstream version 102.0 (MFSA 2022-26):
    CVE-2022-34479: A popup window could be resized in a way to overlay the
                    address bar with web content
    CVE-2022-34470: Use-after-free in nsSHistory
    CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed
                    via retargeted javascript: URI
    CVE-2022-2226: An email with a mismatching OpenPGP signature date was
                   accepted as valid
    CVE-2022-34481: Potential integer overflow in ReplaceElementsAt
    CVE-2022-31744: CSP bypass enabling stylesheet injection
    CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being
                    blocked
    CVE-2022-2200: Undesired attributes could be set as part of prototype
                   pollution
    CVE-2022-34484: Memory safety bugs fixed in Thunderbird 91.11 and
                    Thunderbird 102
  * [1842425] d/watch: Look now for versions starting with 3 digits
  * [0a32bb3] d/control: Add package thunderbird-l10n-es-mx

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 08 Jul 2022 17:47:21 +0200

thunderbird (1:102.0~b7-1) experimental; urgency=medium

  * [edf32aa] New upstream version 102.0~b7
  * [c9dd3e0] d/control: Remove not required B-D
  * [ac2ec70] d/mozconfig.default: Remove commented out options

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 21 Jun 2022 19:06:58 +0200

thunderbird (1:102.0~b4-1) experimental; urgency=medium

  * [8f34a01] d/source.filter: Small updates to filtering list
  * [e1d4c7c] New upstream version 102.0~b4
  * [c97416b] Rebuild patch-queue from patch queue branch
    Removed patch (needs update):
    fixes/Bug-1494436-Unset-MOZ_APP_LAUNCHER-for-external-MIME-hand.patch
    Removed patch (fixed upstream):
    porting-armhf/Don-t-use-LLVM-internal-assembler-on-armhf.patch
  * [68712eb] d/mozconfig.default: Disable wasm sandboxing
  * [a1df764] d/mozconfig.default: Remove openpgp option
    Supporting OpenPGP functionality is now set on by default.
  * [607c321] d/mozconfig.default: Add/Update some configure options
  * [efc728e] d/rules: Add new needed variable MOZBUILD_STATE_PATH
  * [7b0d743] d/rules: Ensure python is used from the environment
  * [26053f1] Build against system librnp library
    Unfortunately using librnp-dev requires the usage of the internal
    versions of botan, bz2 and jsonc.
    (Closes: #998848)
  * [5e904d8] d/control: Bump various build dependencies
  * [94ee0da] d/thunderbird.docs: Update content to install
  * [477f949] d/control: Increase Standards-Version to 4.6.1
    No further changes needed.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 15 Jun 2022 16:47:29 +0200

thunderbird (1:91.11.0-1) unstable; urgency=medium

  * [05a947d] New upstream version 91.11.0
    Fixed CVE issues in upstream version 91.11 (MFSA 2022-26):
    CVE-2022-34479: A popup window could be resized in a way to overlay the
                    address bar with web content
    CVE-2022-34470: Use-after-free in nsSHistory
    CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed
                    via retargeted javascript: URI
    CVE-2022-2226: An email with a mismatching OpenPGP signature date was
                   accepted as valid
    CVE-2022-34481: Potential integer overflow in ReplaceElementsAt
    CVE-2022-31744: CSP bypass enabling stylesheet injection
    CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being
                    blocked
    CVE-2022-2200: Undesired attributes could be set as part of prototype
                   pollution
    CVE-2022-34484: Memory safety bugs fixed in Thunderbird 91.11 and
                    Thunderbird 102
    (Closes: #1014004)
  * [4c4944d] Rebuild patch queue from patch-queue branch
    Added patch:
    fixes/Bug-1773070-Rename-remove-some-eventState-s-variables.-r-.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 01 Jul 2022 20:12:40 +0200

thunderbird (1:91.10.0-1) unstable; urgency=medium

  * [969960a] New upstream version 91.10.0
    Fixed CVE issues in upstream version 91.9.1 (MFSA 2022-19):
    CVE-2022-1802: Prototype pollution in Top-Level Await implementation
    CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading
                   to prototype pollution

    Fixed CVE issues in upstream version 91.10 (MFSA 2022-22):
    CVE-2022-31736: Cross-Origin resource's length leaked
    CVE-2022-31737: Heap buffer overflow in WebGL
    CVE-2022-31738: Browser window spoof using fullscreen mode
    CVE-2022-31739: Attacker-influenced path traversal when saving downloaded
                    files
    CVE-2022-31740: Register allocation problem in WASM on arm64
    CVE-2022-31741: Uninitialized variable leads to invalid memory read
    CVE-2022-1834: Braille space character caused incorrect sender email to be
                   shown for a digitally signed email
    CVE-2022-31742: Querying a WebAuthn token with a large number of
                    allowCredential entries may have leaked cross-origin
                    information
    CVE-2022-31747: Memory safety bugs fixed in Thunderbird 91.10
  * [4b55e16] d/control: Increase Standards-Version to 4.6.0
    No further changes needed.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 30 May 2022 19:36:06 +0200

thunderbird (1:91.9.0-1) unstable; urgency=medium

  * [88b99d1] New upstream version 91.9.0
    Fixed CVE issues in upstream version 91.9 (MFSA 2022-18):
    CVE-2022-1520: Incorrect security status shown after viewing an attached
                   email
    CVE-2022-29914: Fullscreen notification bypass using popups
    CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
    CVE-2022-29916: Leaking browser history with CSS variables
    CVE-2022-29911: iframe sandbox bypass
    CVE-2022-29912: Reader mode bypassed SameSite cookies
    CVE-2022-29913: Speech Synthesis feature not properly disabled
    CVE-2022-29917: Memory safety bugs fixed in Thunderbird 91.9

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 16 May 2022 13:51:59 +0200

thunderbird (1:91.8.1-1) unstable; urgency=medium

  * [b57406c] New upstream version 91.8.1
    (Closes: #1009321)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 19 Apr 2022 20:27:13 +0200

thunderbird (1:91.8.0-1) unstable; urgency=medium

  * [06619c5] New upstream version 91.8.0
    Fixed CVE issues in upstream version 91.8 (MFSA 2022-15):
    CVE-2022-1097: Use-after-free in NSSToken objects
    CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions
    CVE-2022-1197: OpenPGP revocation information was ignored
    CVE-2022-1196: Use-after-free after VR Process destruction
    CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument
    CVE-2022-28285: Incorrect AliasSet used in JIT Codegen
    CVE-2022-28286: iframe contents could be rendered outside the border
    CVE-2022-24713: Denial of Service via complex regular expressions
    CVE-2022-28289: Memory safety bugs fixed in Thunderbird 91.8

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 06 Apr 2022 20:08:25 +0200

thunderbird (1:91.7.0-2) unstable; urgency=medium

  * [c348b62] Rebuild patch-queue from patch queue branch
    Added patch:
    fixes/Bug-1494436-Unset-MOZ_APP_LAUNCHER-for-external-MIME-hand.patch
    (Closes: #948691)
    Thanks go out to Simon McVittie for preparing this patch!

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 16 Mar 2022 06:55:46 +0100

thunderbird (1:91.7.0-1) unstable; urgency=medium

  * [952f6d0] New upstream version 91.7.0
    Fixed CVE issues in upstream version 91.7 (MFSA 2022-12):
    CVE-2022-26383: Browser window spoof using fullscreen mode
    CVE-2022-26384: iframe allow-scripts sandbox bypass
    CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on
                    signatures
    CVE-2022-26381: Use-after-free in text reflows
    CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other
                    local users

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 15 Mar 2022 17:54:46 +0100

thunderbird (1:91.6.2-1) unstable; urgency=medium

  * [2f95b97] New upstream version 91.6.2
    Fixed CVE issues in upstream version 91.6.2 (MFSA 2022-09):
    CVE-2022-26485: Use-after-free in XSLT parameter processing
    CVE-2022-26486: Use-after-free in WebGPU IPC Framework

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 08 Mar 2022 08:40:12 +0100

thunderbird (1:91.6.1-1) unstable; urgency=medium

  * [3edb855] New upstream version 91.6.1
    Fixed CVE issues in upstream version 91.6.1 (MFSA 2022-07):
    CVE-2022-0566: Crafted email could trigger an out-of-bounds write

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 19 Feb 2022 11:01:46 +0100

thunderbird (1:91.6.0-1) unstable; urgency=medium

  * [884ccb6] New upstream version 91.6.0
    Fixed CVE issues in upstream version 91.6 (MFSA 2022-06):
    CVE-2022-22754: Extensions could have bypassed permission confirmation
                    during update
    CVE-2022-22756: Drag and dropping an image could have resulted in the
                    dropped object being an executable
    CVE-2022-22759: Sandboxed iframes could have executed script if the parent
                    appended elements
    CVE-2022-22760: Cross-Origin responses could be distinguished between
                    script and non-script content-types
    CVE-2022-22761: frame-ancestors Content Security Policy directive was not
                    enforced for framed extension pages
    CVE-2022-22763: Script Execution during invalid object state
    CVE-2022-22764: Memory safety bugs fixed in Thunderbird 91.6
    (Closes: #1004951)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 11 Feb 2022 18:50:23 +0100

thunderbird (1:91.5.1-1) unstable; urgency=medium

  * [130bab2] New upstream version 91.5.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 23 Jan 2022 18:41:12 +0100

thunderbird (1:91.5.0-2) unstable; urgency=medium

  * [fd07163] autopkgtest: Run check-global-config-path.py only on Intel

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 12 Jan 2022 20:46:54 +0100

thunderbird (1:91.5.0-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [8d4e5f8] New upstream version 91.5.0
    Fixed CVE issues in upstream version 91.5 (MFSA 2022-03):
    CVE-2022-22743: Browser window spoof using fullscreen mode
    CVE-2022-22742: Out-of-bounds memory access when inserting text in edit
                    mode
    CVE-2022-22741: Browser window spoof using fullscreen mode
    CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
    CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
    CVE-2022-22737: Race condition when playing audio files
    CVE-2021-4140: Iframe sandbox bypass with XSLT
    CVE-2022-22748: Spoofed origin on external protocol launch dialog
    CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation
                    event
    CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully
                    escape website-controlled data, potentially leading to
                    command injection
    CVE-2022-22747: Crash when handling empty pkcs7 sequence
    CVE-2022-22739: Missing throttling on external protocol launch dialog
    CVE-2022-22751: Memory safety bugs fixed in Thunderbird 91.5
  * [a86c0b4] Rebuild patch queue from patch-queue branch
    Modified patch:
    debian-hacks/Add-another-preferences-directory-for-applications-p.patch
    Reworking the patch so LoadDirIntoArray is working again that is adding
    an additional syspref folder for global settings to use.
    (Closes: #997841, #1003280)
  * [442988b] autopkgtest: Adding check for accessing syspref folder

  [ Jochen Sprickerhof ]
  * [5b5d508] d/thunderbird-wrapper.sh: Use 'command -v'
    (Closes: #1002570)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 11 Jan 2022 19:12:50 +0100

thunderbird (1:91.4.1-1) unstable; urgency=medium

  * [c5b36d3] New upstream version 91.4.1
    Fixed CVE issues in upstream version 91.4.1 (MFSA 2021-55):
    CVE-2021-4126: OpenPGP signature status doesn't consider additional
                   message content
    CVE-2021-44538: Matrix chat library libolm bundled with Thunderbird
                    vulnerable to a buffer overflow
  * [b66bebb] d/changelog: Update some MOZ-* entries with assigned CVEs

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 20 Dec 2021 16:05:02 +0100

thunderbird (1:91.4.0-1) unstable; urgency=medium

  * [7752be0] d/source.filter: Small updates to filtering list
  * [0899850] New upstream version 91.4.0
    Fixed CVE issues in upstream version 91.4 (MFSA 2021-54):
    CVE-2021-43536: URL leakage when navigating while executing asynchronous
                    function
    CVE-2021-43537: Heap buffer overflow when using structured clone
    CVE-2021-43538: Missing fullscreen and pointer lock notification when
                    requesting both
    CVE-2021-43539: GC rooting failure when calling wasm instance methods
    CVE-2021-43541: External protocol handler parameters were unescaped
    CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence
                    of an external protocol handler
    CVE-2021-43543: Bypass of CSP sandbox directive when embedding
    CVE-2021-43545: Denial of Service when using the Location API in a loop
    CVE-2021-43546: Cursor spoofing could overlay user interface when native
                    cursor is zoomed
    CVE-2021-43528: JavaScript unexpectedly enabled for the composition area
    CVE-2021-4129: Memory safety bugs fixed in Thunderbird 91.4.0
  * [afd7750] d/t.lintian-overrides: Update entries due to renamed tags
    Some Lintian tags were renamed, thus requiring an adjustment of the existing
    overrides.
  * [30a387c] d/s/lintian-overrides: Adjust most of the existing entries
    Same as before but for the source package.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 07 Dec 2021 18:26:44 +0100

thunderbird (1:91.3.2-1) unstable; urgency=medium

  * [7fd56f0] New upstream version 91.3.2
  * [4fccecb] Rebuild patch queue from patch-queue branch
    Added patch:
    debian-hacks/Fix-Floating-Point-Normalization-breakage-on-32bit-Linux.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 21 Nov 2021 18:29:42 +0100

thunderbird (1:91.3.0-1) unstable; urgency=medium

  * [1d3e0b1] Revert "Rebuild patch queue from patch-queue branch"
    The patch for fixing the broken build on i386 breaks other architectures,
    so reverting for now.
  * [66755b4] New upstream version 91.3.0
    Fixed CVE issues in upstream version 91.3 (MFSA 2021-50):
    CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
    CVE-2021-38504: Use-after-free in file picker dialog
    CVE-2021-38506: Thunderbird could be coaxed into going into fullscreen
                    mode without notification or warning
    CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass
                    the Same-Origin-Policy on services hosted on other ports
    CVE-2021-43535: Use-after-free in HTTP2 Session object
    CVE-2021-38508: Permission Prompt could be overlaid, resulting in user
                    confusion and potential spoofing
    CVE-2021-38509: Javascript alert box could have been spoofed onto an
                    arbitrary domain
    CVE-2021-43534: Memory safety bugs fixed in Thunderbird ESR 91.3

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 03 Nov 2021 18:14:09 +0100

thunderbird (1:91.2.1-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [bcb5677] d/gbp.conf: Adjust to upstream-91.x
  * [12a433a] New upstream version 91.2.1
  * [f935b52] Rebuild patch queue from patch-queue branch
    Added patch:
    debian-hacks/Fix-Floating-Point-Normalization-breakage-on-32bit-Linux.patch
  * [3faba71] Disable usage of system icu package
    The system packages of libicu-dev are too old for Thunderbird, we need to
    use the internal pre-shipped ICU sources.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 23 Oct 2021 08:59:32 +0200

thunderbird (1:91.2.0-1) experimental; urgency=medium

  * [3c88844] New upstream version 91.2.0
    Fixed CVE issues in upstream version 91.2 (MFSA 2021-47):
    CVE-2021-38502: Downgrade attack on SMTP STARTTLS connections
    CVE-2021-38496: Use-after-free in MessageTask
    CVE-2021-38497: Validation message could have been overlaid on another
                    origin
    CVE-2021-38498: Use-after-free of nsLanguageAtomService object
    CVE-2021-32810: Data race in crossbeam-deque
    CVE-2021-38500: Memory safety bugs fixed in Thunderbird 91.2
    CVE-2021-38501: Memory safety bugs fixed in Thunderbird 91.2
    (Closes: #973042)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 16 Oct 2021 08:27:55 +0200

thunderbird (1:91.1.1-1) experimental; urgency=medium

  * [73e3b75] New upstream version 91.1.1
  * [3413d35] Rebuild patch queue from patch-queue branch
    Removed patch:
    fixes/Bug-1727113-Never-require-that-addons-are-signed-for-Thun.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 20 Sep 2021 20:43:25 +0200

thunderbird (1:91.1.0-1) experimental; urgency=medium

  * [0b1d9f9] New upstream version 91.1.0
    Fixed CVE issues in upstream version 91.1 (MFSA 2021-41):
    CVE-2021-38495: Memory safety bugs fixed in Thunderbird 91.1
  * [4313e64] Rebuild patch queue from patch-queue branch
    Added patch:
    fixes/Bug-1727113-Never-require-that-addons-are-signed-for-Thun.patch
    (Closes: #993594)
    Modified patch:
    porting-armhf/Bug-1526653-Include-struct-definitions-for-user_vfp-and-u.patch
  * [234c566] d/rules: Don't run dh_autoreconf
    (Closes: #993494)
  * [bce15d7] thunderbird: Set package x11-utils as fallback
    Install x11-utils only if kdialog or zenity aren't present on the system.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 05 Sep 2021 07:36:10 +0200

thunderbird (1:91.0.2-1) experimental; urgency=medium

  * [a5efefd] New upstream version 91.0.2
    Fixed CVE issues in upstream version 91.0.1 (MFSA 2021-37):
    CVE-2021-29991: Header Splitting possible with HTTP/3 Responses
  * [b21a07b] d/control: increase Standards-Version to 4.6.0
    No further changes needed.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 23 Aug 2021 20:05:01 +0200

thunderbird (1:91.0-1) experimental; urgency=medium

  * [3be73b6] d/source.filter: some updates to filtering list
  * [5c87a00] New upstream version 91.0
    Fixed CVE issues in upstream version 91.0 (MFSA 2021-36):
    CVE-2021-29986: Race condition when resolving DNS names could have led to
                    memory corruption
    CVE-2021-29981: Live range splitting could have led to conflicting
                    assignments in the JIT
    CVE-2021-29988: Memory corruption as a result of incorrect style treatment
    CVE-2021-29984: Incorrect instruction reordering during JIT optimization
    CVE-2021-29980: Uninitialized memory in a canvas object could have led to
                    memory corruption
    CVE-2021-29987: Users could have been tricked into accepting unwanted
                    permissions on Linux
    CVE-2021-29985: Use-after-free media channels
    CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
                    type confusion
    CVE-2021-29989: Memory safety bugs fixed in Thunderbird 91
    (Closes: #640927, #944208, #958433, #952853, #971722, #982670)
  * [0157fe4] d/control: Add new package thunderbird-l10n-af
    Upstream ships localizations for Afrikaans.
  * [f23e9e0] d/control: Add new package thunderbird-l10n-en-ca
    Upstream ships localizations for English (Canada).
  * [8b3cee9] d/control: Add new package thunderbird-l10n-lv
    Upstream ships localizations for Latvian.
  * [cad58ea] d/control: Add new package thunderbird-l10n-pa-in
    Upstream ships localizations for Punjabi (Gurmukhi).
  * [aecc2da] d/control: Add new package thunderbird-l10n-th
    Upstream ships localizations for Thai.
  * [9707e8a] Moving over to debhelper-compat
    Switch over to recent debhelper-compat 13.
  * [2934049] d/rules: Customize dh_missing call
    Due to debhelper-compat dh_missing needs some additional tweaking as we need
    to ignore some files which are built and installed into the temporary
    install folder but not installed into the package(s).
  * [7df72c6] d/rules: Don't use dwz
    Running and using dwz is bringing no gain and produces issues too, can be
    ignored for now.
  * [1709f28] d/control: Remove non existing packages from Breaks
    xul-ext-firetray and xul-ext-quotecolors are gone from the supported
    releases.
  * [f160918] d/control: Adding Rules-Requires-Root: no
    No specific root access required so far during package build.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 14 Aug 2021 18:27:21 +0200

thunderbird (1:91.0~b5-1) experimental; urgency=medium

  * [119a49f] d/control: Adjust VCS links to branch debian/experimental
  * [7ae6acc] d/source.filter: some updates to filtering list
  * [e28b2f9] New upstream version 91.0~b5

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 01 Aug 2021 09:21:27 +0200

thunderbird (1:91.0~b3-1) experimental; urgency=medium

  * [90a153b] New upstream version 91.0~b3
  * [ada2cf0] d/control: Remove transitional package lightning
  * [3e5087f] d/control: Remove obsolete lightning-l10-* packages
  * [6eac520] d/control: Remove Suggests on libgtk2.0-0 for thunderbird
    (Closes: #967771)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 24 Jul 2021 10:37:52 +0200

thunderbird (1:91.0~b1-1) experimental; urgency=medium

  * [78f0ddb] d/source.filter: some updates to filtering list
  * [3d29fcf] New upstream version 91.0~b1
    (Closes: #990631)
  * [daa7fab] d/control: Increase some Build-Depends
  * [f4bfd22] d/control: Remove libgtk2.0-dev from Build-Depends
  * [ad4e281] d/s/lintian-overrides: Adding one more file to ignore

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 19 Jul 2021 22:04:15 +0200

thunderbird (1:90.0~b2-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [3cc0d66] d/source.filter: some updates to filtering list
  * [3c76a94] New upstream version 90.0~b2
  * [46718fe] rebuild patch queue from patch-queue branch
    removed patches:
    fixes/reduce-the-rust-debuginfo-level-on-selected-architectures.patch
    debian-hacks/Work-around-Debian-bug-844357.patch
  * [156d3c9] d/thunderbird.1: Correct debugger option
  * [ca7daca] /u/l/thunderbird: Correct escape sequencing for gdb calling
    (Closes: #976979)
  * [f310330] d/thunderbird-wrapper.sh: Use '${}' syntax for variables
  * [0ef3788] d/thunderbird.install: Remove gtk2 cruft
  * [17b0510] d/copyright: Update due removed content
  * [feca305] d/s/lintian-override: Remove two no longer existing entries

  [ Kevin Locke ]
  * [dbe3c3e] d/thunderbird-wrapper.sh: Make gdb call more fail safe
    (Closes: #942799)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 20 Jun 2021 14:51:49 +0200

thunderbird (1:89.0~b2-1) experimental; urgency=medium

  * [74911c7] New upstream version 89.0~b2
  * [b4fef2a] rebuild patch queue from patch-queue branch
    modified patches:
    debian-hacks/Don-t-register-plugins-if-the-MOZILLA_DISABLE_PLUGIN.patch
    porting-armhf/Don-t-use-LLVM-internal-assembler-on-armhf.patch
    porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
    removed patches:
    debian-hacks/Don-t-register-plugins-if-the-MOZILLA_DISABLE_PLUGIN.patch
  * [ea6a29e] d/control: Increase B-D for cbindgen and libnss3-dev

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 03 Jun 2021 19:40:08 +0200

thunderbird (1:88.0~b2-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [7af1a0b] New upstream version 88.0~b2
  * [30d1d48] rebuild patch queue from patch-queue branch
    modified patch:
    debian-hacks/Add-another-preferences-directory-for-applications-p.patch
    porting-armhf/Don-t-use-LLVM-internal-assembler-on-armhf.patch
    removed patches (included upstream):
    porting-arm/Reduce-memory-usage-while-linking-on-arm-el-hf-platforms.patch
    porting-s390x/Explicitly-instantiate-TIntermTraverser-traverse-TIntermN.patch
    renamed patch:
    fixes/Load-dependent-libraries-with-their-real-path-to-avo.patch ->
    fixes/Load-dependent-libraries-with-their-real-path.patch
  * [f45da92] d/control: Increase B-D for libnss3-dev

  [ Colomban Wendling ]
  * [bbf78cb] d/thunderbird.desktop: Switch StartupWMClass (Closes: #985366)

  [ Carsten Schoenert ]
  * [a2cc9e0] d/control: Adding nasm to Build-Depends
  * [41fad62] d/copyright: update due removed content

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 11 Apr 2021 13:50:27 +0200

thunderbird (1:86.0~b3-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [002f597,fe0515b] d/source.filter: updating the filtering list
  * [dfafc89,35d050f] d/copyright: updates due upstream changes
    Add Apache2 notice for third_party/python/coverage
  * [24c009c] lintian: adding override for false positive in SVG file
  * [d316a1c] New upstream version 86.0~b3
  * [20dc687] rebuild patch queue from patch-queue branch
    modified patch:
    debian/patches/porting-kfreebsd-hurd/adding-missed-HURD-adoptions.patch
  * [21b86f0] d/copyright: update due removed content
  * [7fc9755] d/s/lintian-override: path for TeXZilla.js has changed
  * [33c5d5a] d/s/lintian-override: remove JS file
  * [825a440] d/control: Increase B-D for cbindgen

  [ Pino Toscano ]
  * [35c3c3b] thunderbird: Stop shipping /u/s/p/thunderbird.png symlink

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 13 Feb 2021 13:41:36 +0100

thunderbird (1:85.0~b3-1) experimental; urgency=medium

  * [b142ac6] New upstream version 85.0~b3
  * [0d2221a] d/control: Increase various B-D versions
  * [e4eb52e] rebuild patch queue from patch-queue branch
    added patch:
    debian-hacks/Decrease-Cargo-minimal-version-to-1.46.0.patch
    updated patches:
    debian-hacks/Use-remoting-name-for-call-to-gdk_set_program_class.patch
    fixes/reduce-the-rust-debuginfo-level-on-selected-architectures.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 31 Dec 2020 20:39:53 +0100

thunderbird (1:84.0~b3-1) experimental; urgency=medium

  * [fad5103] calendar-google-provider*: removing left over cruft
  * [b095d8e] thunderbird.NEWS: Add hint about integration of OpenPGP support
  * [0f6bdf3] Revert "d/tb.lintian-overrides: ignore warning about none
    versioned breaks"
  * [f10f80c] d/copyright: update content
  * [9c3fb20] d/source.filter: some updates to filtering list
  * [c9b8274] New upstream version 84.0~b3
  * [adf3835] rebuild patch queue from patch-queue branch
    removed patches:
    fixes/Add-missing-bindings-for-mips-in-the-authenticator-crate.patch
    fixes/fix-function-nsMsgComposeAndSend-to-respect-Replo.patch
    porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
    porting-mips/Bug-1642265-MIPS64-Add-branchTestSymbol-and-fallibleUnbox.patch
    porting-s390x/Use-more-recent-embedded-version-of-sqlite3.patch
    porting-m68k/Add-m68k-support-to-Thunderbird.patch
    porting-sh4/Add-sh4-support-to-Thunderbird.patch
  * [3ff9c9d] thunderbird-l10n-all: add thunderbird-l10n-cy
    (Closes: #974127)
  * [393490c] d/control: remove l10n package for Sinhala
  * [1f4e966] d/control: increase Standards-Version to 4.5.1
    No further changes needed.
  * [288afdd] d/rules: use python3 explicitly while calling mach
    Using the Python 3 interpreter is needed otherwise the Mozilla magic tries
    to use a non existing virtualenv environment.
  * [a509bdf] d/watch: update to version 4
    No further changes needed.
  * [fc6b358] d/copyright: update some more content
    Updating the copyright information due upstream modifications.
  * [3bd5713] d/s/lintian-overrides: Adding more file to ignore

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 14 Dec 2020 15:24:59 +0100

thunderbird (1:78.14.0-1) unstable; urgency=medium

  * [6dc6817] d/changelog: Correct TB version for referenced MFSA
  * [38f01f4] d/rules: Don't run dh_autoreconf
    (Closes: #993494)
  * [09c4cde] New upstream version 78.14.0
    Fixed CVE issues in upstream version 78.14.0 (MFSA 2021-42):
    CVE-2021-38493: Memory safety bugs fixed in Thunderbird 78.14 and
                    Thunderbird 91.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 08 Sep 2021 19:57:22 +0200

thunderbird (1:78.13.0-1) unstable; urgency=medium

  * [b4498b0] New upstream version 78.13.0
    Fixed CVE issues in upstream version 78.13.0 (MFSA 2021-35):
    CVE-2021-29986: Race condition when resolving DNS names could have led to
                    memory corruption
    CVE-2021-29988: Memory corruption as a result of incorrect style treatment
    CVE-2021-29984: Incorrect instruction reordering during JIT optimization
    CVE-2021-29980: Uninitialized memory in a canvas object could have led to
                    memory corruption
    CVE-2021-29985: Use-after-free media channels
    CVE-2021-29989: Memory safety bugs fixed in Thunderbird 78.13

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 12 Aug 2021 16:13:25 +0200

thunderbird (1:78.12.0-1) unstable; urgency=medium

  * [74d3cdb] New upstream version 78.12.0
    Fixed CVE issues in upstream version 78.12 (MFSA 2021-30):
    CVE-2021-29969: IMAP server responses sent by a MITM prior to STARTTLS
                    could be processed
    CVE-2021-29970: Use-after-free in accessibility features of a document
    CVE-2021-30547: Out of bounds write in ANGLE
    CVE-2021-29976: Memory safety bugs fixed in Thunderbird 78.12

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 17 Jul 2021 09:33:28 +0200

thunderbird (1:78.11.0-2) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [241e539] d/thunderbird.1: Correct debugger option
    Remove parts that are no longer valid, especially there is no dedicated
    shell script any more the user has to start, calling 'thunderbird -g' is
    enough to start a GDB call.
  * [66deb37] thunderbird: Use internal NSS source while package built
    (Closes: #989839, #989843, #989979, #989983, #989922, #990012)
  * [07fb6ef] d/thunderbird-wrapper.sh: Use '${}' syntax for variables

  [ Kevin Locke ]
  * [d003e26] d/thunderbird-wrapper.sh: Make gdb call more fail safe
    (Closes: #942799)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 20 Jun 2021 07:20:41 +0200

thunderbird (1:78.11.0-1) unstable; urgency=medium

  * [42c4a87] New upstream version 78.11.0
    Fixed CVE issues in upstream version 78.11 (MFSA 2021-26):
    CVE-2021-29967: Memory safety bugs fixed in Thunderbird 78.11

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 03 Jun 2021 17:22:34 +0200

thunderbird (1:78.10.2-1) unstable; urgency=medium

  * [69552d8] New upstream version 78.10.2
    Fixed CVE issues in upstream version 78.10.2 (MFSA 2021-22):
    CVE-2021-29957: Partial protection of inline OpenPGP message not indicated
    CVE-2021-29956: Thunderbird stored OpenPGP secret keys without master
                    password protection

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 19 May 2021 21:57:11 +0200

thunderbird (1:78.10.0-1) unstable; urgency=medium

  * [f38d78f] New upstream version 78.10.0
    Fixed CVE issues in upstream version 78.10 (MFSA 2021-15):
    CVE-2021-23994: Out of bound write due to lazy initialization
    CVE-2021-23995: Use-after-free in Responsive Design Mode
    CVE-2021-23998: Secure Lock icon could have been spoofed
    CVE-2021-23961: More internal network hosts could have been probed by a
                    malicious webpage
    CVE-2021-23999: Blob URLs may have been granted additional privileges
    CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
                    encoded URL
    CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead
                    to null-reads (This issue only affected x86-32 platforms.)
    CVE-2021-29946: Port blocking could be bypassed
    CVE-2021-29948: Race condition when reading from disk while verifying
                    signatures

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 19 Apr 2021 20:00:32 +0200

thunderbird (1:78.9.0-1) unstable; urgency=medium

  [ Colomban Wendling ]
  * [7d454de] d/thunderbird.desktop: Switch StartupWMClass
    (Closes: #985366)

  [ Carsten Schoenert ]
  * [23fe9ce] d/source.filter: small update to filtering list
  * [828b9d7] New upstream version 78.9.0
    Fixed CVE issues in upstream version 78.9 (MFSA 2021-12):
    CVE-2021-23981: Texture upload into an unbound backing buffer resulted in
                    an out-of-bound read
    CVE-2021-23982: Internal network hosts could have been probed by a
                    malicious webpage
    CVE-2021-23984: Malicious extensions could have spoofed popup information
    CVE-2021-23987: Memory safety bugs fixed in Thunderbird 78.9
  * [cf4fbde] rebuild patch queue from patch-queue branch
    Removed patch (included upstream):
    porting-s390x/Explicitly-instantiate-TIntermTraverser-traverse-TIntermN.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 23 Mar 2021 15:55:43 +0100

thunderbird (1:78.8.0-1) unstable; urgency=medium

  [ Pino Toscano ]
  * [f2f1f3f] thunderbird: Stop shipping /u/s/p/thunderbird.png symlink

  [ Carsten Schoenert ]
  * [f5707a7] New upstream version 78.8.0
    Fixed CVE issues in upstream version 78.8 (MFSA 2021-09):
    CVE-2021-23969: Content Security Policy violation report could have
                    contained the destination of a redirect
    CVE-2021-23968: Content Security Policy violation report could have
                    contained the destination of a redirect
    CVE-2021-23973: MediaError message property could have leaked information
                    about cross-origin resources
    CVE-2021-23978: Memory safety bugs fixed in Thunderbird 78.8

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 21 Feb 2021 14:58:05 +0100

thunderbird (1:78.7.1-1) unstable; urgency=medium

  * [406f9d7] New upstream version 78.7.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 05 Feb 2021 20:12:59 +0100

thunderbird (1:78.7.0-1) unstable; urgency=medium

  * [8751354] New upstream version 78.7.0
    Fixed CVE issues in upstream version 78.7 (MFSA 2021-05):
    CVE-2021-23953: Cross-origin information leakage via redirected PDF
                    requests
    CVE-2021-23954: Type confusion when using logical assignment operators in
                    JavaScript switch statements
    CVE-2020-15685: IMAP Response Injection when using STARTTLS
    CVE-2020-26976: HTTPS pages could have been intercepted by a registered
                    service worker when they should not have been
    CVE-2021-23960: Use-after-poison for incorrectly redeclared JavaScript
                    variables during GC
    CVE-2021-23964: Memory safety bugs fixed in Thunderbird 78.7
  * [4b0c0a7] rebuild patch queue from patch-queue branch
    removed patch (included upstream):
    porting-mips/Bug-1642265-MIPS64-Add-branchTestSymbol-and-fallibleUnbox.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 29 Jan 2021 20:45:49 +0100

thunderbird (1:78.6.1-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [67f6117] Add Apache2 notice for third_party/python/coverage
  * [38b9ff7] lintian: adding override for false positive in SVG file

  [ Carles Pina i Estany ]
  * [529d53a] d/thunderbird-wrapper.sh: Unset DEBUG/DEBUGGER variables
    (Closes: #960230)
  * [6d48708] d/thunderbird-wrapper-helper.sh: Adjust help text

  [ Carsten Schoenert ]
  * [5309e91] d/thunderbird-wrapper*.sh: Prefixing some local variables
  * [07b4733] New upstream version 78.6.1
    Fixed CVE issues in upstream version 78.6.1 (MFSA 2021-02):
    CVE-2020-16044: Use-after-free write when handling a malicious
                    COOKIE-ECHO SCTP chunk

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 16 Jan 2021 14:59:02 +0100

thunderbird (1:78.6.0-1) unstable; urgency=medium

  * [1410f1e] d/watch: update to version 4
  * [a8303b7] d/rules: use python3 explicitly while calling mach
  * [f3f535e] New upstream version 78.6.0
    Fixed CVE issues in upstream version 78.6 (MFSA 2020-56):
    CVE-2020-16042: Operations on a BigInt could have caused uninitialized
                    memory to be exposed
    CVE-2020-26971: Heap buffer overflow in WebGL
    CVE-2020-26973: CSS Sanitizer performed incorrect sanitization
    CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap
                    use-after-free
    CVE-2020-26978: Internal network hosts could have been probed by a
                    malicious webpage
    CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs
    CVE-2020-35112: Opening an extension-less download may have inadvertently
                    launched an executable instead
    CVE-2020-35113: Memory safety bugs fixed in Thunderbird 78.6
    (Closes: #972072, #973697)
  * [16a7ab7] /u/l/thunderbird: Correct escape sequencing for gdb calling
    We need to do a better escaping of values of the '-ex' option otherwise
    the shell is refusing the concatenated string we want to use as call.
    (Closes: #976979)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 15 Dec 2020 10:12:34 +0100

thunderbird (1:78.5.1-1) unstable; urgency=medium

  * [08556c2] New upstream version 78.5.1
    Fixed CVE issues in upstream version 78.5.1 (MFSA 2020-53):
    CVE-2020-26970: Stack overflow due to incorrect parsing of SMTP server
                    response codes
  * [7047340] rebuild patch queue from patch-queue branch
    removed patch (included upstream):
    fixes/fix-function-nsMsgComposeAndSend-to-respect-Replo.patch
  * [40663bb] debian/control: increase Standards-Version to 4.5.1
    No further changes needed.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 03 Dec 2020 05:35:04 +0100

thunderbird (1:78.5.0-1) unstable; urgency=medium

  * [7842f02] New upstream version 78.5.0
    Fixed CVE issues in upstream version 78.5 (MFSA 2020-51):
    CVE-2020-26951: Parsing mismatches could confuse and bypass security
                    sanitizer for chrome privileged code
    CVE-2020-16012: Variable time processing of cross-origin images during
                    drawImage calls
    CVE-2020-26953: Fullscreen could be enabled without displaying the
                    security UI
    CVE-2020-26956: XSS through paste (manual and clipboard API)
    CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME
                    type restrictions
    CVE-2020-26959: Use-after-free in WebRequestService
    CVE-2020-26960: Potential use-after-free in uses of nsTArray
    CVE-2020-15999: Heap buffer overflow in freetype
    CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
    CVE-2020-26965: Software keyboards may have remembered typed passwords
    CVE-2020-26966: Single-word search queries were also broadcast to local
                    network
    CVE-2020-26968: Memory safety bugs fixed in Thunderbird 78.5
  * [e19743e] rebuild patch queue from patch-queue branch
    removed patch (included upstream):
    fixes/Bug-1663715-Update-syn-and-proc-macro2-so-that-Firefox-ca.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 18 Nov 2020 20:06:09 +0100

thunderbird (1:78.4.2-1) unstable; urgency=medium

  * [c7f4ed2] New upstream version 78.4.2
    Fixed CVE issues in upstream version 78.4 (MFSA 2020-49):
    CVE-2020-26950: Write side effects in MCallGetProperty opcode not
                    accounted for
  * [c3a617d] rebuild patch queue from patch-queue branch
    added patch:
    fixes/Bug-1663715-Update-syn-and-proc-macro2-so-that-Firefox-ca.patch
  * [8e4e7ad] thunderbird-l10n-all: add thunderbird-l10n-cy
    (Closes: #974127)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 10 Nov 2020 21:19:15 +0100

thunderbird (1:78.4.1-1) unstable; urgency=medium

  * [cf8bf1e] New upstream version 78.4.1
  * [529000c] rebuild patch queue from patch-queue branch
    added patches:
    fixes/Bug-1650299-Unify-the-inclusion-of-the-ICU-data-file.-r-f.patch
    fixes/Don-t-build-ICU-in-parallel.patch
    Patches are picked from Firefox and fixing FTBFS on s390x within buster.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 06 Nov 2020 21:53:24 +0100

thunderbird (1:78.4.0-1) unstable; urgency=medium

  [ Emilio Pozuelo Monfort ]
  * [652f8de] install the apparmor profile in thunderbird.install

  [ Carsten Schoenert ]
  * [5240d53] Revert "thunderbird.install: adjust .desktop renamed file name"
    (Closes: #972601)
  * [861b21a] Revert "Rename .desktop file for AppStream compliance"
    (Closes: #972578)
  * [ffc5818] New upstream version 78.4.0
    Fixed CVE issues in upstream version 78.4 (MFSA 2020-47):
    CVE-2020-15969: Use-after-free in usersctp
    CVE-2020-15683: Memory safety bugs fixed in Thunderbird 78.4
  * [81396e3] rebuild patch queue from patch-queue branch
    removed patches (fixed upstream):
    porting-mips/Bug-1649655-MIPS-Add-CodeGenerator-visitWasmRegisterResul.patch
    porting/Bug-1666646-Bump-CodeAlignment-to-8-in-MacroAssembler-non.patch

    modified patches:
    fixes/Appdata-Adding-some-German-translations.patch
    fixes/Appdata-Fix-up-AppStream-error-by-adding-missing-field.patch

    Minor fine tuning to the AppStream specific parts but also revert some
    translation entries as they are not intended to be translatable.
    These modifications are also in correlation with the mentioned bug reports above
    which are closed by the other adjustments.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 22 Oct 2020 18:48:25 +0200

thunderbird (1:78.3.3-1) unstable; urgency=medium

  [ Emilio Pozuelo Monfort ]
  * [6f18974] Remove duplicated --disable-debug-symbols flag
  * [1119d50] Print a verbose build log by not calling the mach wrapper
  * [fcf7c11] Exclude -g from CXXFLAGS as well

  [ Carsten Schoenert ]
  * [9eb159f] New upstream version 78.3.3
  * [47171dc] rebuild patch queue from patch-queue branch
    added patches:
    fixes/Appdata-Adding-some-German-translations.patch
    fixes/Appdata-Fix-up-AppStream-error-by-adding-missing-field.patch
  * [1474d91] Rename .desktop file for AppStream compliance
  * [10e49a9] thunderbird.install: adjust .desktop renamed file name
  * [018bbc1] thunderbird.pc: remove left over cruft

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 18 Oct 2020 08:49:20 +0200

thunderbird (1:78.3.2-1) unstable; urgency=medium

  * [0b2f19f] d/rules: remove hand crafted icu build
    Cherry-picked from debian/buster branch.
    The possible required build of the ICU if the usage of an external ICU
    library is now handled by the upstream build system.
  * [1583517] d/rules: rewrite dpkg_buildflags to remove option '-g'
    Cherry-picked from debian/buster branch.
    We need to remove the option '-g' from the dpkg_buildflags variable for
    real if we want a build without debugging information (e.g. on 32bit
    architectures).
  * [fb4c9c4] New upstream version 78.3.2
  * [9d5e2b9] d/rules: install the language Add-ons into /u/l/t/e
    Do not install the thunderbird-l10n packages into /usr/share/thunderbird
    any more, install them directly into /usr/lib/thunderbird/extensions.
    This simplifies the package structures as there is no real need to install
    the packages into /usr/share/thunderbird and linking them back.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 09 Oct 2020 19:49:45 +0200

thunderbird (1:78.3.1-2) unstable; urgency=medium

  * [649f664] rebuild patch queue from patch-queue branch
    added patches:
    fixes/reduce-the-rust-debuginfo-level-on-selected-architectures.patch
    porting-s390x/Explicitly-instantiate-TIntermTraverser-traverse-TIntermN.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 30 Sep 2020 19:10:27 +0200

thunderbird (1:78.3.1-1) unstable; urgency=medium

  [ Carsten Schoenert ]
  * [6bd965f] New upstream version 78.3.1
    Fixed CVE issues in upstream version 78.3.1 (MFSA 2020-44):
    CVE-2020-15677: Download origin spoofing via redirect
    CVE-2020-15676: XSS when pasting attacker-controlled data into a
                    contenteditable element
    CVE-2020-15678: When recursing through layers while scrolling, an iterator
                    may have become invalid, resulting in a potential
                    use-after-free scenario
    CVE-2020-15673: Memory safety bugs fixed in Thunderbird 78.3
  * [8ba13c5] rebuild patch queue from patch-queue branch
    added patches (picked from firefox packaging):
    fixes/Add-missing-bindings-for-mips-in-the-authenticator-crate.patch
    porting-mips/Bug-1642265-MIPS64-Add-branchTestSymbol-and-fallibleUnbox.patch
    porting-mips/Bug-1649655-MIPS-Add-CodeGenerator-visitWasmRegisterResul.patch
    porting/Bug-1666646-Bump-CodeAlignment-to-8-in-MacroAssembler-non.patch
    removed patch (fixed upstream):
    fixes/Bug-1664607-Don-t-try-to-load-what-s-new-page-when-built-.patch
  * [c6d282d] calendar-google-provider*: removing left over cruft
    There are two left over sequencer files from the calendar-google-package,
    not needed any more since 1:68.2.2-1
  * [cf37615] d/README.Debian: Update and adding new information
    Some updated information regarding the now included OpenPGP support, also
    updating some grammar for 'Add-on'.
  * [faf225b] thunderbird.NEWS: Add hint about integration of OpenPGP support
    Giving the user information about the OpenPGP status within Thunderbird
    since the version 78.0.
  * [d6f4f0e] Revert "d/tb.lintian-overrides: ignore warning about none
              versioned breaks"
  * [9e6cbec] d/copyright: update content

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 27 Sep 2020 09:08:29 +0200

thunderbird (1:78.2.2-1) experimental; urgency=medium

  * [c6592e8] New upstream version 78.2.2
  * [28f5fce] rebuild patch queue from patch-queue branch
    added patches:
    fixes/Bug-1664607-Don-t-try-to-load-what-s-new-page-when-built-.patch
    porting-s390x/Use-more-recent-embedded-version-of-sqlite3.patch
  * [4866c06] d/mozconfig.default: add extra config options for ppc64el

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 13 Sep 2020 08:58:44 +0200

thunderbird (1:78.2.1-1) experimental; urgency=medium

  * [1f3f76b] d/rules: drop C{,XX}FLAGS originally intended for GCC6
  * [4490e37] d/mozconfig.default: add options for mips64el
  * [17b4e5c] d/rules: Don't build debug symbols on 32Bit arch
  * [6dff7e0] d/rules: adding -Wl,--as-needed to linker flags
  * [a213a7f] New upstream version 78.2.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 30 Aug 2020 14:38:17 +0200

thunderbird (1:78.2.0-1) experimental; urgency=medium

  [ intrigeri ]
  * [f6fcafd] d/control: drop hard dependency on libgtk2.0-0
    (Closes: #908654)
  * [85b7a2e] autopkgtests: fix typo in comment
  * [4bd70ae] d/mozconfig.default: fix typos in comments
  * [d986a6d] d/control: allow Enigmail 2.2.0 and newer
    (Closes: #968707)

  [ Carsten Schoenert ]
  * [52b4006] d/control: increase B-D for libnss3
    (Closes: #966805)
  * [7794563] New upstream version 78.2.0
    Fixed CVE issues in upstream version 78.2.0 (MFSA 2020-41):
    CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could
                    have resulted in escalation of privilege
    CVE-2020-15664: Attacker-induced prompt for extension installation
    CVE-2020-15670: Memory safety bugs fixed in Thunderbird 78.2
  * [623f853] rebuild patch queue from patch-queue branch
    No modifications made, just updating the index.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 26 Aug 2020 20:41:28 +0200

thunderbird (1:78.1.1-1) experimental; urgency=medium

  * [5fb842b] d/mozconfig.default: adding new option regarding Add-Ons
    Adding additional options --allow-addon-sideload and
    --with-unsigned-addon-scopes=app,system. These options are adopted and
    taken from the firefox package.
  * [8de0b35] New upstream version 78.1.1
  * [4abe5ed] d/copyright: update content
    Some small updates to the copyright information.
  * [3caa541] d/control: adding new B-D for botan and json-c
    The upstream source now offers the possibility to use the system
    libraries for botan and json-c, for this we need to have both libraries
    installed for building Thunderbird.
  * [251d524] d/mozconfig.default: use botan and json-c system libraries
    Turn on the configuration flags for botan and also for json-c that let
    the build use the installed provided system libraries instead of using
    internal versions.
  * [a32a163] rebuild patch queue from patch-queue branch
    removed patch:
    debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
    Upstream has now (again) a configure option for using an installed system
    bzip2 library that makes our added patch for this not needed anymore.
  * [16c91c0] lintian: remove override for embedded bzip2 in librnp.so

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 08 Aug 2020 19:16:08 +0200

thunderbird (1:78.1.0-1) experimental; urgency=medium

  * [c4099cd] New upstream version 78.1.0
    Fixed CVE issues in upstream version 78.1.0 (MFSA 2020-33):
    CVE-2020-15652: Potential leak of redirect targets when loading scripts in
                    a worker
    CVE-2020-6514: WebRTC data channel leaks internal address to peer
    CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
    CVE-2020-15653: Bypassing iframe sandbox when allowing popups
    CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
    CVE-2020-15656: Type confusion for special arguments in IonMonkey
    CVE-2020-15658: Overriding file type when saving to disk
    CVE-2020-15657: DLL hijacking due to incorrect loading path
    CVE-2020-15654: Custom cursor can overlay user interface
    CVE-2020-15659: Memory safety bugs fixed in Thunderbird 78.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 31 Jul 2020 19:35:57 +0200

thunderbird (1:78.0.1-1) experimental; urgency=medium

  * [5450d8d] d/control: increase B-D for libnss3
  * [9749d1d] d/control: drop B-D on python2 and move over to python3
  * [b31360b] d/xpi-pack.sh: adding xpi-pack shell script
  * [89ede80] Drop mozilla-devscripts as B-D
  * [f3b2ced] New upstream version 78.0.1
  * [1847202] d/tb.lintian-overrides: ignore warning about non-versioned
              breaks
  * [d56c922] d/lightning.links: removing left over sequencer file

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 22 Jul 2020 20:11:25 +0200

thunderbird (1:78.0-1) experimental; urgency=medium

  * [1016cc5] New upstream version 78.0
    Fixed CVE issues in upstream version 78.0 (MFSA 2020-29):
    CVE-2020-12415: AppCache manifest poisoning due to url encoded character
                    processing
    CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster
    CVE-2020-12417: Memory corruption due to missing sign-extension for
                    ValueTags on ARM64
    CVE-2020-12418: Information disclosure due to manipulated URL object
    CVE-2020-12419: Use-after-free in nsGlobalWindowInner
    CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
    CVE-2020-15648: X-Frame-Options bypass using object or embed tags
    CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack
    CVE-2020-12421: Add-On updates did not respect the same certificate trust
                    rules as software updates
    CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer
    CVE-2020-12424: WebRTC permission prompt could have been bypassed by a
                    compromised content process
    CVE-2020-12425: Out of bound read in Date.parse()
    CVE-2020-12426: Memory safety bugs fixed in Thunderbird 78
  * [ad66b04] rebuild patch queue from patch-queue branch
    reworked patch:
    porting-kfreebsd-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch
  * [4a2039c] d/mozconfig.default: enable OpenPGP feature build

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 16 Jul 2020 19:15:25 +0200

thunderbird (1:78.0~b2-1) experimental; urgency=medium

  * [c8da927] d/source.filter: fix obvious typo
  * [c513a96] New upstream version 78.0~b2
  * [6e9104e] d/control: tb, adding binary version to lightning provides
    Make the Provides for Lightning a versioned provide.
  * [8adec8f] enigmail: let any version of Enigmail break
    We now can break on any Enigmail version, the Enigmail functions are now
    included in Thunderbird and we don't want to have an Enigmail package get
    installed in parallel.
  * [696b1fc] xul-ext-*/webext-*: adding more extensions to break
    Nearly all of the currently packaged Thunderbird extensions will not work
    for now with Thunderbird 78.*, adding/renaming the currently known packages
    with recent versions to Breaks for thunderbird.
  * [e488d0c] thunderbird: remove some non-existing packages from Breaks
    The listed packages
     xul-ext-foxyproxy-standard
     xul-ext-gnome-keyring
     xul-ext-nostalgy
    aren't in any supported release so we don't need them any more within a
    Breaks for thunderbird.
  * [039ee90] thunderbird: remove outdated myspell packages from Breaks
    All previously listed myspell packages in Breaks for thunderbird aren't
    reachable with the given version any more. We can remove them safely.
  * [08ea0ba] thunderbird: remove outdated hunspell packages from Breaks
    The same is true for the hunspell packages that were listed in the Breaks
    field for thunderbird.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 20 Jun 2020 18:04:59 +0200

thunderbird (1:78.0~b1-1) experimental; urgency=medium

  [ Carsten Schoenert ]
  * [625efa9] d/source.filter: some updates to filtering list
    Recent modifications of the shipped files in the upstream tarball
    require small updates of the filter list we use to repack the tarball.
  * [967ee19] New upstream version 78.0~b1
  * [240991e] rebuild patch queue from patch-queue branch
    removed patch:
    debian-hacks/use-icudt-b-l-.dat-depending-on-architecture.patch
    This will require some additional adjustment later for the stable-security
    uploads as this patch was required to get a recent ICU version build
    before the build of the thunderbird sources did start.
    reworked patch:
    debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
  * [07cab53] d/mozconfig.default: remove no longer existing options
    By this release a lot of old configure options are kicked out, some of
    them we have used until now. We need to remove these from the config.
  * [df2e99b] d/copyright: update content
    As usual some required update of the copyright file, more files are not
    shipped anymore.

  [ intrigeri ]
  * [82a4b03] AppArmor: update profile from upstream at commit 860d2d9
    (cherry-picked from unstable)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 13 Jun 2020 20:01:39 +0200

thunderbird (1:77.0~b3-1) experimental; urgency=medium

  * [82de2f6] New upstream version 77.0~b3
  * [8beaf6f] rebuild patch queue from patch-queue branch
    removed patch (included upstream):
    fixes/Bug-1634994-fix-disable-av1-r-tnikkel.patch
  * [ab2d7a2] d/copyright: Add license for appstream xml file
  * [1533187] d/source.filter: Remove some *.wasm files as well
  * [7cdfe03] d/thunderbird.lintian-overrides: Some more needed overrides
    We need currently the included bzip library. Also add a false positive
    about the misread postinst script.
  * [9385fd4b] d/control: Remove doubly listed package libglib2.0-dev
    Drop a doubly listed package libglib2.0-dev within B-D.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 20 May 2020 20:58:09 +0200

thunderbird (1:77.0~b2-1) experimental; urgency=medium

  * [185d4f7] New upstream version 77.0~b2
  * [e918036] rebuild patch queue from patch-queue branch
    removed patch:
    fixes/Bug-1635671-Upgrade-typename-to-1.12.0.-r-emilio.patch
  * [c1979ce] d/mozconfig.default: Remove obsolete options
    Drop the options '--with-distribution-id' and '--with-user-appdir'.
    The former is basically only supporting the given default 'org.mozilla'
    and the latter was set to the default '.mozilla' anyway.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 16 May 2020 14:04:02 +0200

thunderbird (1:77.0~b1-1) experimental; urgency=medium

  * [ee06e6e] New upstream version 77.0~b1
  * [a21b649] rebuild patch queue from patch-queue branch
    removed patches (not needed any more):
    lower-down-required-version-on-NSS3.patch

    added patches:
    fixes/Bug-1634994-fix-disable-av1-r-tnikkel.patch
    fixes/Bug-1635671-Upgrade-typename-to-1.12.0.-r-emilio.patch
  * [295cc4d] d/control: increase B-D for libnss3
    The build requires now libnss3-dev >= 2:3.52.
  * [f998baf] lintian-overrides: remove overrides for kinto-http-client.js
    No override needed for this file, it's not included any more.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 08 May 2020 15:18:44 +0200

thunderbird (1:76.0~b2-1) experimental; urgency=medium

  * [87988db] d/control: increase B-D for cargo to 0.42
  * [b9b0dfd] rebuild patch queue from patch-queue branch
    removed patch:
    debian-hacks/Ignore-version-check-for-cargo.patch
  * [8386db0] d/control: Remove B-D on libjson-dev and libsqlite3-dev
    The build uses internal copies of libjson and libsqlite as modifications
    have been made to them. For now we can decrease the list of build
    dependencies by removing these two packages.
  * [6324222] New upstream version 76.0~b2
  * [629b3bb] d/rules: Remove default compiler flag
    No need for '-Wl,--as-needed' any more, it's default now.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 27 Apr 2020 09:55:43 +0200

thunderbird (1:76.0~b1-1) experimental; urgency=medium

  * [b52cd52] d/c-thunderbird-l10n-tarball.sh: change upstream resource
    Upstream has changed the folder where we can find the language providing
    XPI packages. They simply moved over from linux-i686 to linux-x86_64.
  * [22e697a] d/rules: drop set up of LIGHTNING_VERSION variable
    We don't need this variable any more for building the packages (like all
    the lightning-foo named stuff), there is no dedicated Lightning named stuff
    around.
  * [4ad871b] d/gbp.conf: Remove additional tarball for lightning-l10n
    git-buildpackage won't find this additional tarball as it's not needed
    starting by the import of the next upstream version (this is 76.0b1).
  * [25d8d42] d/c-l-l10n-t.sh: Remove helper script
    We also don't need to build the l10n specific additional tarball for
    Lightning related parts any more. Dropping this helper script.
  * [9d33d06] d/README.source: Remove part of lightning-l10n
  * [b063d7f] New upstream version 76.0~b1
  * [e7a23ec] rebuild patch queue from patch-queue branch
    removed patches (not needed or included upstream):
    debian-hacks/Build-against-system-libjsoncpp.patch
    debian-hacks/Downgrade-SQlite-version-to-3.27.2.patch
    fixes/Bug-1531309-Don-t-use-__PRETTY_FUNCTION__-or-__FUNCTION__.patch
    fixes/Bug-1560340-Only-add-confvars.sh-as-a-dependency-to-confi.patch

    added patches:
    debian-hacks/Ignore-version-check-for-cargo.patch
    lower-down-required-version-on-NSS3.patch
  * [94d8593] d/control: adding new packages thunderbird-l10n-{cak,kab,uz}
    After the final release of Thunderbird 68.0 new l10n support for the
    languages Kaqchikel, Georgian and Uzbek was added. Reflect this by adding
    new binary packages for those languages.
  * [5397182] d/mozconfig.default: remove option for system-sqlite
    Upstream is using their own version of a modified SQLite now and has
    dropped the additional configure option about this.
  * [abb0ded] d/control: increase various versions in B-D
    The current source requires some more recent versions of the helping tools
    for building the sources as usual.
  * [abfc8b2] d/rules: remove any action related to old lightning stuff
    As the sources don't have any Lightning specific parts any more we need
    to adjust the build process within debian/rules a bit. Thus dropping all
    the rules around Lightning things.
  * [f95b3ad] d/control: Turn lightning into transitional package
    For now switch the behaviour of the lightning package into a transitional
    one. We might be able to drop the whole package rather soon.
  * [c3062cb] d/thunderbird.install: Remove blocklist.xml
    Don't install the file blocklist.xml any more, it's now not shipped by
    upstream any more.
  * [856e99e] d/mozconfig.thunderbird: Remove --enable-calendar
    Previously the build of the Lightning extension needed to be enabled
    to build it as an extension. Now that it's fully integrated into the core
    this configure option isn't needed any longer.
  * [5551a8a] d/copyright: update content
    As usual there is some moving within the source code between the major
    versions, reflect this by adjusting the content of the copyright file.
  * [21e9b7f] lintian-overrides: adjust overrides for needed files
    Also the override file for the source is needing some adjustments.
  * [f25ddc4] d/source.filter: update the filter sequences
    The control for filtering unneeded stuff from the upstream tarball must
    also get adjusted due to changed versions, moved folders etc.
  * [e4a81ba] d/thunderbird.install: Install also appdata.xml
    Upstream is providing an AppStream data file which we want to install now
    also.
  * [80385c9] d/source.filter: Sorting entries alphabetically
    No functional modifications, just sorting entries to find stuff more easily.
  * [585cf0a] d/thunderbird.lintian-overrides: update after config changes
    We also need to modify the content for Lintian overrides for the
    thunderbird package a bit. Thunderbird comes now (again) with own versions
    of the libraries libtheora and libjsoncpp. Mostly because Mozilla has made
    some own modifications within these libraries.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 18 Apr 2020 08:28:25 +0200

thunderbird (1:68.12.0-1) unstable; urgency=medium

  * [103cab7] New upstream version 68.12.0
    Fixed CVE issues in upstream version 68.11.0 (MFSA 2020-35):
    CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could
                    have resulted in escalation of privilege
    CVE-2020-15664: Attacker-induced prompt for extension installation
    CVE-2020-15669: Use-After-Free when aborting an operation

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 27 Aug 2020 21:23:55 +0200

thunderbird (1:68.11.0-3) unstable; urgency=medium

  * [28707fd] d/xpi-pack.sh: adding xpi-pack shell script
    As we can't depend on mozilla-devscripts anymore we pick up the shell
    script from that package as this builds XPI files we need.
  * [037212e] Drop mozilla-devscripts as B-D
    mozilla-devscripts isn't ported to Python3 yet and so depends on Python2.
    We don't need that package as B-D as we picked the main shell script from
    that and we can drop that package from the build dependencies.
  * [31eda41] Drop python-{minimal,ply} from B-D
    These packages are removed from the archive and we don't need them for
    building Thunderbird as long as we have python2 as package available.
    (Closes: #967223)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 04 Aug 2020 19:06:20 +0200

thunderbird (1:68.11.0-2) unstable; urgency=medium

  * [110a375] d/control: increase B-D for libnss3
  * [73fa23e] d/control: tb manually set dep on libnss3 to 2:3.55
    (Closes: #966806)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 02 Aug 2020 20:12:49 +0200

thunderbird (1:68.11.0-1) unstable; urgency=medium

  * [093b080] New upstream version 68.11.0
    Fixed CVE issues in upstream version 68.11.0 (MFSA 2020-35):
    CVE-2020-15652: Potential leak of redirect targets when loading scripts
                    in a worker
    CVE-2020-6514: WebRTC data channel leaks internal address to peer
    CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
    CVE-2020-15659: Memory safety bugs fixed in Thunderbird 68.11

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 29 Jul 2020 22:26:14 +0200

thunderbird (1:68.10.0-1) unstable; urgency=medium

  * [7537684] New upstream version 68.10.0
    Fixed CVE issues in upstream version 68.10.0 (MFSA 2020-26):
    CVE-2020-12417: Memory corruption due to missing sign-extension for
                    ValueTags on ARM64
    CVE-2020-12418: Information disclosure due to manipulated URL object
    CVE-2020-12419: Use-after-free in nsGlobalWindowInner
    CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
    MFSA-2020-0001: Automatic account setup leaks Microsoft Exchange login
                    credentials
    CVE-2020-12421: Add-On updates did not respect the same certificate trust
                    rules as software updates

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 04 Jul 2020 10:55:31 +0200

thunderbird (1:68.9.0-1) unstable; urgency=medium

  [ intrigeri ]
  * [fd13825] AppArmor: update profile from upstream at commit 860d2d9
    (Closes: #960465)

  [ Carsten Schoenert ]
  * [c310c40] New upstream version 68.9.0
    Fixed CVE issues in upstream version 68.9.0 (MFSA 2020-22):
    CVE-2020-12399: Timing attack on DSA signatures in NSS library
    CVE-2020-12405: Use-after-free in SharedWorkerService
    CVE-2020-12406: JavaScript Type confusion with NativeTypes
    CVE-2020-12410: Memory safety bugs fixed in Thunderbird 68.9.0
    CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to
                    information leakage

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 05 Jun 2020 20:29:35 +0200

thunderbird (1:68.8.1-1) unstable; urgency=medium

  * [7495e7a] New upstream version 68.8.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 22 May 2020 19:04:20 +0200

thunderbird (1:68.8.0-1) unstable; urgency=medium

  * [9b5ae46] New upstream version 68.8.0
    Fixed CVE issues in upstream version 68.8.0 (MFSA 2020-18):
    CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode
                    characters
    CVE-2020-12387: Use-after-free during worker shutdown
    CVE-2020-6831: Buffer overflow in SCTP chunk input validation
    CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
    CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape
                    website-controlled data, potentially leading to command
                    injection
    CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 05 May 2020 20:47:29 +0200

thunderbird (1:68.7.0-1) unstable; urgency=medium

  * [c0052af] New upstream version 68.7.0
    Fixed CVE issues in upstream version 68.7.0 (MFSA 2020-14):
    CVE-2020-6819: Use-after-free while running the nsDocShell destructor
    CVE-2020-6820: Use-after-free when handling a ReadableStream
    CVE-2020-6821: Uninitialized memory could be read when using the WebGL
                   copyTexSubImage method
    CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large
                   images
    CVE-2020-6825: Memory safety bugs fixed in Thunderbird 68.7

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 12 Apr 2020 07:40:41 +0200

thunderbird (1:68.6.0-1) unstable; urgency=medium

  * [5709774] New upstream version 68.6.0
    Fixed CVE issues in upstream version 68.6.0 (MFSA 2020-10):
    CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init
    CVE-2020-6805: Use-after-free when removing data about origins
    CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections
                   against state confusion
    CVE-2020-6807: Use-after-free in cubeb during stream destruction
    CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape
                   website-controlled data, potentially leading to
                   command injection
    CVE-2020-6812: The names of AirPods with personally identifiable
                   information were exposed to websites with camera or
                   microphone permission
    CVE-2020-6814: Memory safety bugs fixed in Thunderbird 68.6

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 16 Mar 2020 20:01:29 +0100

thunderbird (1:68.5.0-1) unstable; urgency=medium

  * [d79bf82] New upstream version 68.5.0
    Fixed CVE issues in upstream version 68.5.0 (MFSA 2020-07):
    CVE-2020-6793: Out-of-bounds read when processing certain email messages
    CVE-2020-6794: Setting a master password post-Thunderbird 52 does not
                   delete unencrypted previously stored passwords
    CVE-2020-6795: Crash processing S/MIME messages with multiple signatures
    CVE-2020-6798: Incorrect parsing of template tag could result in
                   JavaScript injection
    CVE-2020-6792: Message ID calculation was based on uninitialized data
    CVE-2020-6800: Memory safety bugs fixed in Thunderbird 68.5
    (Closes: #891848)
  * [0884df6] d/control: increase Standards-Version to 4.5.0
    No further changes needed.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 13 Feb 2020 17:58:44 +0100

thunderbird (1:68.4.2-1) unstable; urgency=medium

  * [7ab7786] d/gbp.conf: add some more files we need to filter out
  * [9c02c34] New upstream version 68.4.2

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 26 Jan 2020 13:13:49 +0100

thunderbird (1:68.4.1-1) unstable; urgency=medium

  * [a00f3e9] New upstream version 68.4.1
    Fixed CVE issues in upstream version 68.4.1 (MFSA 2020-04):
    CVE-2019-17026: IonMonkey type confusion with StoreElementHole and
                    FallibleStoreElement
    CVE-2019-17015: Memory corruption in parent process during new content
                    process initialization on Windows
    CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
    CVE-2019-17017: Type Confusion in XPCVariant.cpp
    CVE-2019-17022: CSS sanitization does not escape HTML tags
    CVE-2019-17024: Memory safety bugs fixed in Thunderbird 68.4.1
  * [6b1fd82] rebuild patch queue from patch-queue branch
    removed patch (included upstream)
    fixes/Update-bindgen-in-ESR68.-r-glandium-a-RyanVM.patch

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 10 Jan 2020 18:33:43 +0100

thunderbird (1:68.3.1-1) unstable; urgency=medium

  [ Emilio Pozuelo Monfort ]
  * [6f59313] Fix MOZ_BUILD_DATE to have the expected format

  [ Carsten Schoenert ]
  * [5d0f4b1] d/rules: don't use SOURCE_DATE_EPOCH for MOZ_BUILD_DATE
    (Closes: #946588)
  * [1467af5] New upstream version 68.3.1

 -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 18 Dec 2019 15:54:44 +0100

thunderbird (1:68.3.0-2) unstable; urgency=medium

  * [0625d30] rebuild patch queue from patch-queue branch
    added patches:
    fixes/Bug-1531309-Don-t-use-__PRETTY_FUNCTION__-or-__FUNCTION__.patch
    fixes/Update-bindgen-in-ESR68.-r-glandium-a-RyanVM.patch
  * [ea8d98c] Breaks: add versioned birdtray package

 -- Carsten Schoenert <c.schoenert@t-online.de>  Mon, 09 Dec 2019 18:22:15 +0100

thunderbird (1:68.3.0-1) unstable; urgency=medium

  * [fe289ec] /u/b/thunderbird: export variable DICPATH before start
    (Closes: #944295)
  * [a9a48c6] New upstream version 68.3.0
    Fixed CVE issues in upstream version 68.3 (MFSA 2019-38):
    CVE-2019-17008: Use-after-free in worker destruction
    CVE-2019-13722: Stack corruption due to incorrect number of arguments in
                    WebRTC code
    CVE-2019-11745: Out of bounds write in NSS when encrypting with a block
                    cipher
    CVE-2019-17009: Updater temporary files accessible to unprivileged
                    processes
    CVE-2019-17010: Use-after-free when performing device orientation checks
    CVE-2019-17005: Buffer overflow in plain text serializer
    CVE-2019-17011: Use-after-free when retrieving a document in
                    antitracking
    CVE-2019-17012: Memory safety bugs fixed in Firefox 71, Firefox ESR
                    68.3, and Thunderbird 68.3
  * [fb23473] d/control: increase B-D version on NSS to 3.44.3
  * [6f59938] Breaks: adding more non compatible packaged AddOns

 -- Carsten Schoenert <c.schoenert@t-online.de>  Thu, 05 Dec 2019 10:03:22 +0100

thunderbird (1:68.2.2-1) unstable; urgency=medium

  * [198d539] xul-ext-compactheader: allow also version << 3.0.0
  * [0e93753] d/control: add incompatibility with jsunit << 0.2.2
  * [87c84cb] New upstream version 68.2.2
    This upstream version has removed the source for calendar-google-provider,
    thus we can't provide the related binary package any more.
  * [a3cea2a] rebuild patch queue from patch-queue branch
    rebuild patch queue from patch-queue branch

    removed patches (included upstream):
    debian/patches/fixes/Bug-1470701-Use-run-time-page-size-when-changing-map.patch
    debian/patches/fixes/Bug-1505608-Try-to-ensure-the-bss-section-of-the-elf.patch
    debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
    debian/patches/fixes/Build-also-gdata-provider-as-xpi-file.patch
    debian/patches/fixes/rust-ignore-not-available-documentation.patch
    debian/patches/porting-kfreebsd-hurd/Fix-GNU-non-Linux-failure-to-build-because-of-ipc-ch.patch
    debian/patches/porting-mips/Bug-1444303-MIPS-Fix-build-failures-after-Bug-1425580-par.patch
    debian/patches/porting-mips/Bug-1444834-MIPS-Stubout-MacroAssembler-speculationBarrie.patch
    debian/patches/porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch
    debian/patches/porting-sparc64/Bug-1434726-Early-startup-crash-on-Linux-sparc64-in-HashI.patch
  * [1730f5f] d/control: remove references to calendar-google-provider
    Don't build calendar-google-provider any more and remove any references
    from other binary packages.
  * [1b0bbb8] d/rules: remove any calendar-google-provider stuff
  * [92f681c] thunderbird.NEWS: Adding hint about removal of gdata
    Give out an announcement about the removal of a possible previously
    installed package calendar-google-provider.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 10 Nov 2019 12:09:17 +0100

thunderbird (1:68.2.1-1) unstable; urgency=medium

  [ intrigeri ]
  * [c48e2cb] AppArmor: update profile from upstream at commit a27a1a5
    (Closes: #941290)

  [ Carsten Schoenert ]
  * [98497ae] New upstream version 68.2.0
    Fixed CVE issues in upstream version 68.2 (MFSA 2019-35):
    CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
    CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
    CVE-2019-11758: Potentially exploitable crash due to 360 Total Security
    CVE-2019-11759: Stack buffer overflow in HKDF output
    CVE-2019-11760: Stack buffer overflow in WebRTC networking
    CVE-2019-11761: Unintended access to a privileged JSONView object
    CVE-2019-11762: document.domain-based origin isolation has
                    same-origin-property violation
    CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
    CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2
    (Closes: #925841)
  * [a104c51] d/control: increase Standards-Version to 4.4.1
  * [6c9d012] xul-ext-dispmua: set current min usable version
  * [b3bf16f] New upstream version 68.2.1
  * [8f89b90] d/control: decrease build architecture list
    Decreasing the current list of build architectures. Not meant to keep this
    forever, removed RC architectures needing support and volunteering to get
    them back.
    (Closes: #921258)

 -- Carsten Schoenert <c.schoenert@t-online.de>  Fri, 01 Nov 2019 20:36:59 +0100

thunderbird (1:68.1.2-1~exp1) experimental; urgency=medium

  * [81f4144] xul-ext-compactheader: increase minimal usable version
  * [a815589] Update the global information about TB in Debian
  * [bb5f5f7] rebuild patch queue from patch-queue branch
  * [6fe7d3f] xul-ext-sogo-connector: increase minimal usable version
  * [2e29af5] New upstream version 68.1.2

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 26 Oct 2019 08:41:50 +0200

thunderbird (1:68.1.1-1~exp1) experimental; urgency=medium

  [ intrigeri ]
  * [3f49653] AppArmor: update profile from upstream at commit ed52e4a

  [ Carsten Schoenert ]
  * [348f476] New upstream version 68.0~b5
  * [2a2f101] New upstream version 68.1.1
    Fixed CVE issues in upstream version 68.1 (MFSA 2019-20):
    CVE-2019-11711: Script injection within domain through inner window reuse
    CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins
                    by following 308 redirects
    CVE-2019-11713: Use-after-free with HTTP/2 cached stream
    CVE-2019-11714: NeckoChild can trigger crash when accessed off of main
                    thread
    CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a
                    segmentation fault
    CVE-2019-11715: HTML parsing error can contribute to content XSS
    CVE-2019-11716: globalThis not enumerable until accessed
    CVE-2019-11717: Caret character improperly escaped in origins
    CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
    CVE-2019-11720: Character encoding XSS vulnerability
    CVE-2019-11721: Domain spoofing through unicode latin 'kra' character
    CVE-2019-11730: Same-origin policy treats all files in a directory as
                    having the same-origin
    CVE-2019-11723: Cookie leakage during add-on fetching across private
                    browsing boundaries
    CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting
                    permissions
    CVE-2019-11725: Websocket resources bypass safebrowsing protections
    CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3
    CVE-2019-11728: Port scanning through Alt-Svc header
    CVE-2019-11710: Memory safety bugs fixed in Firefox 68 and Thunderbird 68
    CVE-2019-11709: Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8,
                    and Thunderbird 68

    Fixed CVE issues in upstream version 68.1 (MFSA 2019-20):
    CVE-2019-11739: Covert Content Attack on S/MIME encryption using a crafted
                    multipart/alternative message
    CVE-2019-11746: Use-after-free while manipulating video
    CVE-2019-11744: XSS by breaking out of title and textarea elements using
                    innerHTML
    CVE-2019-11742: Same-origin policy violation with SVG filters and canvas
                    to steal cross-origin images
    CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
    CVE-2019-11743: Cross-origin access to unload event attributes
    CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1,
                    Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9

    Fixed CVE issues in upstream version 68.1.1 (MFSA 2019-32):
    CVE-2019-11755: Spoofing a message author via a crafted S/MIME message

  * [9342624] rebuild patch queue from patch-queue branch
    added patches:
    debian-hacks/Set-program-name-from-the-remoting-name.patch
    debian-hacks/Use-remoting-name-for-call-to-gdk_set_program_class.patch
    debian-hacks/Work-around-Debian-bug-844357.patch
    fixes/Allow-.js-preference-files-to-set-locked-prefs-with-lockP.patch
    fixes/Bug-1556197-amend-Bug-1544631-for-fixing-mips32.patch
    fixes/Bug-1560340-Only-add-confvars.sh-as-a-dependency-to-confi.patch
    porting-armhf/Bug-1526653-Include-struct-definitions-for-user_vfp-and-u.patch

    removed patch (fixed upstream):
    porting-mips/Fix-CPU_ARCH-test-for-libjpeg-on-mips.patch
    porting/Work-around-GCC-ICE-on-mips-i386-and-s390x.patch

  * [25cb500] d/control: increase various versions in B-D
  * [ee5b713] d/control: remove B-D on librust-cbindgen-dev
    Use librust-toml-dev instead, we only need some files from this package,
    librust-cbindgen-dev is a metapackage which is broken while packaging.
  * [442a6b1] d/rules: work around cargo needs a HOME dir
  * [4894a4c] d/control: increase Standards-Version to 4.4.0
    No further changes needed.
  * [bb47b68] d/control: update upstream homepage for Thunderbird
    For some time Mozilla Thunderbird has had a new homepage placed on URI
    https://www.thunderbird.net/
  * [a3b680e] d/source.filter: update the filter sequences
    New Thunderbird upstream versions bring some new unwanted files within
    the source.
  * [7290ff4] d/control: remove transitional lightning l10n packages
    The Lightning l10n packages moved into transitional packages before Buster
    was released, now after the Buster release removing these transitional
    packages. All required l10n files are available in the packages
    thunderbird-$(locale) even for Lightning.
  * [3d1d27d] enigmail: increase minimal usable version
    Thunderbird 68.x needs at least Enigmail in version 2.1, but increase the
    version on Enigmail to the most recent version which is released while
    packaging.
  * [66069d9] calendar-exchange-provider: removed from Breaks
    This package isn't alive in unstable and testing.
  * [3b9f936] d/control: remove Xb-Xul-AppId field
    Thunderbird doesn't have any Xul based AddOns since version 68.0
  * [7d8cd7d] lintian-overrides: remove not needed overrides

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 28 Sep 2019 15:38:28 +0200

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog thunderbird`.

Generated by dwww version 1.15 on Thu Jun 27 22:45:20 CEST 2024.