Pkgsrc changes:
* Checksum changes.
* Minor adjustment to patches.
Upstream changes:
102.8.0:
New:
- Added option to build RNP library with OpenSSL backend (use
"--with-librnp-backend=openssl" configure option)
Changes:
- Thunderbird now warns user that OpenPGP is disabled if RNP
library is outdated or missing
Fixes:
- "Get Messages" did not retrieve messages from Gmail accounts
using a local folder as a deferred inbox
- Various visual and UX improvements
Security fixes:
CVE-2023-0616: User Interface lockup with messages combining S/MIME and OpenPGP
CVE-2023-25728: Content security policy leak in violation reports using iframes
CVE-2023-25730: Screen hijack via browser fullscreen mode
CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS
CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey
CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry
CVE-2023-25738: Printing on Windows could potentially crash Thunderbird with some device drivers
CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
CVE-2023-25729: Extensions could have opened external schemes without user knowledge
CVE-2023-25732: Out of bounds memory write from EncodeInputStream
CVE-2023-25734: Opening local.url files could cause unexpected network loads
CVE-2023-25742: Web Crypto ImportKey crashes tab
CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8
102.7.2:
Fixes:
- Various crash fixes
102.7.1:
Fixes:
- Microsoft Office 365 accounts were unable to authenticate
- Switching identities caused remote images in HTML signatures to
not be shown
- Thunderbird failed to import vCards that contained "\r\r\n" line endings
- Contribution button for add-ons opened Contribution page in a
Thunderbird tab, instead of the external browser
- XMPP did not respond to unrecognized IQ queries, causing some
servers to close the connection
- Window titlebar buttons (minimize/maximize/close) were not
displayed in Windows 10 "Dark" color mode
Security fixes:
CVE-2023-0430: Revocation status of S/Mime signature certificates was not checked
102.7.0:
New:
- Enterprise policies now support Thunderbird-specific preferences.
Fixes:
- Localized builds and langpacks now use "comm-l10n" repository;
downstream builds using official langpacks should not need to make
changes
- Having too many folders open at startup caused loss of MSF files
- Copying an email from one local folder to another local folder
sometimes caused "Another Operation is using the folder" error on
Windows 7
- Email address pill allowed for incorrectly formatted email addresses
- Creating security exceptions for messages sent using a self-signed
certificate failed if hostname contained uppercase letters
- S/MIME certificate verification was prohibitively slow
- OpenPGP key import failed for key blocks with comments that
contain Unicode characters
- Chat conversation sidebar was too wide under certain circumstances,
making scrollbar unusable
- On Mac, deleting events from Today Pane with "Backspace" key
deleted selected messages instead
Security fixes:
CVE-2022-46871: libusrsctp library out of date
CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
CVE-2023-23599: Malicious command could be hidden in devtools output on Windows
CVE-2023-23601: URL being dragged from cross-origin iframe into same tab triggers navigation
CVE-2023-23602: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
CVE-2022-46877: Fullscreen notification bypass
CVE-2023-23603: Calls to console.log allowed bypassing Content Security Policy via format directive
CVE-2023-23605: Memory safety bugs fixed in Thunderbird 102.7
Known issues:
- OAuth2 authentication not working for Microsoft 365 Enterprise
accounts. See the Blog post
(https://blog.thunderbird.net/2023/01/important-message-for-microsoft-office-365-enterprise-users/)
for additional information. Bug 1810760
6.9 (2023-02-10)
Differences between Mew 6.9 and Mew 6.8
* Mew now supports Emacs 26.1 or later only.
* Supporting coming Emacs 29.
* Supporting "stunnel" 5.15.
* Supporting native compilation.
* `mew-smtp-port` now supports Unix domain socket. If it is set to an
absolute pathname such as "/var/run/msp.sock", Mew will use it as a
Unix domain socket which supports SOCK_STREAM and understands SMTP.
The value of `mew-smtp-server` will be ignored. This feature requires
`make-network-process` introduced since Emacs 22.
* Some bug fixes.
This version does not build with newer versions of rust,
probably because rust has moved too far and this version
is too old. This is therefore a precursor to upgrading
the thunderbird package proper to a newer version.
1.6.1 (2022-01-23)
* Kill session if refreshing oauth token fails (#8734)
* Fix various PHP 8.1 warnings (#8628, #8644, #8667, #8656, #8647)
* Password: Remove references to %c variable that has been removed before
(#8633)
* Fix anchor links in HTML mail (#8632)
* Fix bug where config creation in Installer did ignore options in the form
(#8634)
* Fix bug where renamed options were removed from the config on installto.sh
(update.sh) run (#8643)
* Fix favicon rewrite rule in .htaccess (#8654)
* Fix various PHP 8.2 warnings
* Fix bug where it wasn't possible to create more than one response record
on SQLite and Postgres (#8664)
* Fix support for ManageSieve over implicit SSL (#8670)
* Fix bug where "about:blank" page could trigger "load error" (#8554)
* Fix bug where setting 'Clear Trash on Logout' to 'all messages' didn't
work (#8687)
* Fix bug where the attachment menu wouldn't disappear after an action is
selected (#8691)
* Fix bug where some dialogs in an eml attachment preview would not close on
mobile (#8627)
* Fix bug where multiline data:image URI's in emails were stripped from the
message on display (#8613)
* Fix fatal error on identity page if Enigma plugin is misconfigured (#8719)
* Fix so N property always exists in a vCard export (#8771)
* Fix authenticating to Courier IMAP with passwords containing a '~'
character (#8772)
* Fix handling of smtp/imap port options on configuration file update
(#8756)
* Fix bug where array values could not be saved in utils/save_pref action
(#8781)
* Add workaround for using Roundcube behind a reverse proxy with a subpath:
'request_path' option (#8738, #8770)
* Fix bug where "Invalid skin name" error was logged on preferences save if
there's only one skin (#8825)
* Fix SIGBUS raised in ImageMagick when more than one process tried to
generate a thumbnail of the same image attachment (#8511)
* Fix bug where updater does not update the vendor packages (#8642)
* Fix missing mail composing textarea on reply/draft with a long plain text
content (#8866)
Postfix 3.7.4 (2023-01-22)
* Workaround: with OpenSSL 3 and later always turn on
SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed
opportunities for TLS session reuse. This is safe because the SMTP
protocol implements application-level framing, and is therefore not
affected by TLS truncation attacks. Fix by Viktor Dukhovni.
* Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
lazily-bound handles for digest implementations. In sufficiently
hostile configurations, Postfix could mistakenly believe that a digest
algorithm is available, and fail when it is not. A similar workaround
may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni.
* Bugfix (bug introduced in Postfix 2.11): the checkok() macro in
tls/tls_fprint.c evaluated its argument unconditionally; it should
evaluate the argument only if there was no prior error. Found during
code review.
* Bugfix (bug introduced in Postfix 2.8): postscreen died with a
segmentation violation when postscreen_dnsbl_threshold < 1. It
should reject such input with a fatal error instead. Discovered by
Benny Pedersen.
* Bitrot: fixes for linker warnings from newer Darwin (MacOS)
versions. Viktor Dukhovni.
* Portability: Linux 6 support.
* Added missing documentation that cidr:, pcre: and regexp: tables
support inline specification only in Postfix 3.7 and later.
Upstream changes:
version 1.01: Fri 11 Feb 11:25:41 CET 2022
Fixes:
- Coercion from Mail::Address to Mail::Message::Full::Address is
too lazy. Mail::Message issue #4
Upstream changes:
1.24
Thu 15 Dec 2022 12:28:00 GMT released
- [145263] Make no reply to MTA from the abort callback.
Such replies seem to cause problems for Postfix.
Upstream changes:
version 2.24: Wed 28 Dec 13:06:23 CET 2022
Fixes:
- vnd.gentoo officially took 'tar' and 'tbz2', but 'application/x-tar'
resp 'x-gtar' prevails. [Andreas Koenig]
version 2.23: Thu 22 Dec 17:20:33 CET 2022
Changes:
- iana updates
Upstream changes:
2.218 2023-01-08 19:49:09-05:00 America/New_York
- update author contact info
- bump version required to v5.12.0 (it was already effectively that
after some upstream changes)
2.217 2020-11-02 19:13:16-05:00 America/New_York (TRIAL RELEASE)
- add ->header_rename to header object
- issue a warning on non-ASCII codepoints added to message (thanks,
Pali Rohar)
Upstream changes:
1.953 2023-01-08 19:02:24-05:00 America/New_York
- as promised, this release no longer works on v5.8; in fact, due to
some upstream libraries, it hasn't in some time
- documentation has been cleaned up to stop referencing long-dead other
libraries or methods
- some small code changes to benefit from v5.10 and v5.12 improvements
Upstream changes:
1.008 2023-01-13 21:44:14-05:00 America/New_York
- use the version of Time::Local that doesn't guess at whether a year
is 99 or 1999
- skip tests on Win32 that never pass
- modernize just a bit of code
1.007 2022-12-31 21:19:59-05:00 America/New_York
- update author info
Upstream changes:
1.913 2023-01-09 19:41:25-05:00 America/New_York
- as ever, you should probably use Email::Address::XS instead
- this version now requires Perl v5.12
- some small tweaks to the code to take advantage of v5.12 made
- update distribution metadata
3.1.0
* Switch to libidn2.
* Debian/Ubuntu: update lintian overrides
3.0.9
* Adjust deb packaging. Check /etc/lsb-release and include the
distribution release in the deb package version, to facilitate
updating to the same version of the package in an updated release.
Fix build dependencies.
* Update deliverquota man page.
3.0.8
* gcc 12 and autotools update. OpenSSL 3.0 update.
* Add scripts to create installable .deb packages, update
documentation.
3.0.7
* configure.ac: Fix configure check for pcre2
3.0.6
* Fix linking failure on some Linux distributions.
3.0.5
* Fix linking failure on some Linux distributions.
3.0.4
* maildrop: update to pcre2
* Minor code tweaks, make it compilable with -Wall -Werror.
3.0.3
* Add maildirwatch helper tool.
* Fully install the maildirwatch tool, its man page, as well as the
maildirkw man page and tool, which should be packaged with maildrop
too.
3.0.2
* spec file: add BuildRequires: %{__make} (will be required in F34).
3.0.1
* courier-authlib API update.
Rails 7.0.4.2 (2023-01-24)
* Fix `domain: :all` for two letter TLD
This fixes a compatibility issue introduced in our previous security
release when using `domain: :all` with a two letter but single level top
level domain (like `.ca`, rather than `.co.uk`).
Rails 6.1.7.2 (2023-01-24)
www/ruby-actionpack61
* Fix `domain: :all` for two letter TLD
This fixes a compatibility issue introduced in our previous security
release when using `domain: :all` with a two letter but single level top
level domain (like `.ca`, rather than `.co.uk`).
On 2023-01-04, fetchmail 6.4.35 has been released. It updates translations and
bumps SSL/TLS library version requirements.
OpenSSL 1.1.1s and 3.0.7 and wolfSSL 5.5.1 (or newer on the respective
compatible branches - note that OpenSSL 1.1.1q and 3.0.6 were withdrawn) remain
supported.
Changes:
Version 1.4.17:
- Added a new configuration command 'eval' to replace the current configuration
file line with the output of a command (similar to passwordeval, but more
general).
Version 1.4.16:
- No significant changes.
Version 1.4.15:
- Added mpopd, a minimal POP3 server that delivers mails from a local mailbox
in maildir format. It can be used by end users as a way to handle incoming
mail via mpop with mail clients that insist on using POP3.
Version 1.4.14:
- No significant changes.
Version 1.4.13:
- Added support for SCRAM-SHA-256 authentication via GNU SASL
Version 1.4.12:
- Added support for libtls as an alternative to GnuTLS
Version 1.4.11:
- Added support for XOAUTH2, the predecessor of OAUTHBEARER.
- The passwordeval command can now handle very long input, which can be
necessary for OAUTHBEARER and XOAUTH2.
- GnuTLS >= 3.4 is required
Rails 7.0.4.1 (2023-01-17)
devel/ruby-activesupport70
* Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
www/ruby-actionpack70
* Fix sec issue with _url_host_allowed?
Disallow certain strings from `_url_host_allowed?` to avoid a redirect
to malicious sites.
[CVE-2023-22797]
* Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
* Use string#split instead of regex for domain parts
[CVE-2023-22792]
databases/ruby-activerecord70
* Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
* Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
[CVE-2022-44566]
Rails 6.1.7.1 (2023-01-17)
devel/ruby-activesupport61
* Avoid regex backtracking in Inflector.underscore
[CVE-2023-22796]
www/ruby-actionpack61
* Avoid regex backtracking on If-None-Match header
[CVE-2023-22795]
* Use string#split instead of regex for domain parts
[CVE-2023-22792]
databases/ruby-activerecord61
* Make sanitize_as_sql_comment more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
* Added integer width check to PostgreSQL::Quoting
Given a value outside the range for a 64bit signed integer type
PostgreSQL will treat the column type as numeric. Comparing
integer values against numeric values can result in a slow
sequential scan.
This behavior is configurable via
ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.
[CVE-2022-44566]
Only databases/ruby-activerecord61 has updated.
Rails 6.0.6.1 (2023-01-17)
* Make `sanitize_as_sql_comment` more strict
Though this method was likely never meant to take user input, it was
attempting sanitization. That sanitization could be bypassed with
carefully crafted input.
This commit makes the sanitization more robust by replacing any
occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a
first pass to remove one surrounding comment to avoid compatibility
issues for users relying on the existing removal.
This also clarifies in the documentation of annotate that it should not
be provided user input.
[CVE-2023-22794]
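Added example, not ActiveRecord's own code: the two checks described in the Rails 7.0.4.1, 6.1.7.1 and 6.0.6.1 entries above, written from the changelog text alone. The function names (sanitize_as_sql_comment, annotate, quote_integer), the keyword option and the regexes used to strip one surrounding comment are assumptions, not the Rails API.

```ruby
# Added example (not Rails code): a sanitize_as_sql_comment in the shape the
# changelog describes, plus the 64-bit width check for PostgreSQL integers.
# Names and regexes are assumptions; only the behaviour follows the text.

# Step 1: remove at most one surrounding "/* ... */" so callers that relied on
# the old removal keep working. Step 2: defuse every remaining delimiter, so
# the returned text can neither close the comment it is placed in nor open a
# new one. "/*" is handled first; "*/" -> "* /" can then never re-create "/*",
# because every "/*" is already gone, and "/ *" never re-creates "*/".
def sanitize_as_sql_comment(value)
  comment = value.to_s
  comment = comment.sub(%r{\A\s*/\*\s?}, "").sub(%r{\s?\*/\s*\z}, "")
  comment.gsub("/*", "/ *").gsub("*/", "* /")
end

# Append a sanitized annotation to a query as a trailing SQL comment.
def annotate(sql, annotation)
  "#{sql} /* #{sanitize_as_sql_comment(annotation)} */"
end

# PostgreSQL treats an integer literal outside the signed 64-bit range as
# numeric, which can turn an indexed comparison into a sequential scan. The
# check rejects such values before they are quoted; the keyword mirrors
# ActiveRecord::Base.raise_int_wider_than_64bit and defaults to true.
INT64_RANGE = (-(2**63))..(2**63 - 1)

def quote_integer(value, raise_int_wider_than_64bit: true)
  if raise_int_wider_than_64bit && !INT64_RANGE.cover?(value)
    raise RangeError, "#{value} is out of range for a 64-bit signed integer"
  end
  value.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: an annotation that tries to leave the comment early.
  puts annotate("SELECT 1", "/* trace */ still */ inside /* here")
  puts quote_integer(2**63 - 1)
end
```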
The alpine's Makefile has source string substitution for panic( to Panic(.
However, both the file name search pattern and the replacement string search
pattern are no longer complete, causing some alpine_panic() to still exist,
while the definition has changed to alpine_Panic().
From kflu via github.
Closes NetBSD/pkgsrc#113