Mozilla Thunderbird is a redesign of the Mozilla mail component. The
goal is to produce a cross platform stand alone mail application using
the XUL user interface language. This version uses the gtk2 toolkit.
This package tracks 24 ESR release branch.
Changelog:
24.1.
FIXED
Fixed an issue where signatures were shown in too light a grey, making them difficult to read (bug 917906)
FIXED
Fixed an issue where Auto CC for reply might not work if the cc address is the same as the sending address (bug 917231)
FIXED
Security fixes can be found here
Fixed in Thunderbird 24.0
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
24.0
NEW
Message threads can now be ignored or watched
NEW
Emails can now be sent to IDN based email addresses
NEW
Zoom functionality is now available in the compose window
CHANGED
In the Compose window, ctrl/cmd + and ctrl/cmd - now change the zoom setting rather than the font size
CHANGED
In Twitter, replying to a tweet now replies to all users, just like on the Twitter website
FIXED
Interactions in the filter list dialogs have been improved
FIXED
In Chat user nicknames are now highlighted when mentioned
FIXED
In IRC, long messages will now be sent in multiple parts instead of being cut off
FIXED
Various security fixes
Fixed in Thunderbird 24.1
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
* Some usage of passdb checkpassword could have been exploitable by
local users. You may need to modify your setup to keep it working.
See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security
+ auth: Added ability to truncate values logged by
auth_verbose_passwords (see 10-logging.conf comment)
+ mdbox: Added "mdbox_deleted" storage, which can be used to access
messages with refcount=0. For example: doveadm import
mdbox_deleted:~/mdbox "" mailbox inbox subject oops
+ ssl-params: Added ssl_dh_parameters_length setting.
- master process was doing a hostname.domain lookup for each created
process, which may have caused a lot of unnecessary DNS lookups.
- dsync: Syncing over 100 messages at once caused problems in some
situations, causing messages to get new UIDs.
- fts-solr: Different Solr hosts for different users didn't work.
- Possible to build again with OpenSSL older than version 1.0.1 (was a
requirement for the previous release due to new protocols TLS 1.1/1.2).
- Support for reading the configuration from the standard input stream.
- New makefile dist target, which can be used to create distribution archives.
1. New command-line option -bI:sieve will list all supported sieve extensions
of this Exim build on standard output, one per line.
ManageSieve (RFC 5804) providers managing scripts for use by Exim should
query this to establish the correct list to include in the protocol's
SIEVE capability line.
2. If the -n option is combined with the -bP option, then the name of an
emitted option is not output, only the value (if visible to you).
For instance, "exim -n -bP pid_file_path" should just emit a pathname
followed by a newline, and no other text.
3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now
has a "tls_dh_min_bits" option, to set the minimum acceptable number of
bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites)
acceptable for security. (Option accepted but ignored if using OpenSSL).
Defaults to 1024, the old value. May be lowered only to 512, or raised as
far as you like. Raising this may hinder TLS interoperability with other
sites and is not currently recommended. Lowering this will permit you to
establish a TLS session which is not as secure as you might like.
Unless you really know what you are doing, leave it alone.
4. If not built with DISABLE_DNSSEC, Exim now has the main option
dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
to send the DO flag to your recursive resolver. If you have a recursive
resolver, which can set the Authenticated Data (AD) flag in results, Exim
can now detect this. Exim does not perform validation itself, instead
relying upon a trusted path to the resolver.
Current status: work-in-progress; $sender_host_dnssec variable added.
5. DSCP support for outbound connections: on a transport using the smtp driver,
set "dscp = ef", for instance, to cause the connections to have the relevant
DSCP (IPv4 TOS or IPv6 TCLASS) value in the header.
Similarly for inbound connections, there is a new control modifier, dscp,
so "warn control = dscp/ef" in the connect ACL, or after authentication.
Supported values depend upon system libraries. "exim -bI:dscp" to list the
ones Exim knows of. You can also set a raw number 0..0x3F.
6. The -G command-line flag is no longer ignored; it is now equivalent to an
ACL setting "control = suppress_local_fixups". The -L command-line flag
is now accepted and forces use of syslog, with the provided tag as the
process name. A few other flags used by Sendmail are now accepted and
ignored.
7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery"
ACL modifier; works for single-recipient mails which are received on and
deliverable via SMTP. Using the connection made for a recipient verify,
if requested before the verify, or a new one made for the purpose while
the inbound connection is still active. The bulk of the mail item is copied
direct from the inbound socket to the outbound (as well as the spool file).
When the source notifies the end of data, the data acceptance by the destination
is negotiated before the acceptance is sent to the source. If the destination
does not accept the mail item, for example due to content-scanning, the item
is not accepted from the source and therefore there is no need to generate
a bounce mail. This is of benefit when providing a secondary-MX service.
The downside is that delays are under the control of the ultimate destination
system not your own.
The Received-by: header on items delivered by cutthrough is generated
early in reception rather than at the end; this will affect any timestamp
included. The log line showing delivery is recorded before that showing
reception; it uses a new ">>" tag instead of "=>".
To support the feature, verify-callout connections can now use ESMTP and TLS.
The usual smtp transport options are honoured, plus a (new, default everything)
hosts_verify_avoid_tls.
New variable families named tls_in_cipher, tls_out_cipher etc. are introduced
for specific access to the information for each connection. The old names
are present for now but deprecated.
Not yet supported: IGNOREQUOTA, SIZE, PIPELINING.
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS
rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
modules. For some situations this is desirable, but we expect admin in
those situations to know they want the feature. More commonly, it means
that GUI user modules get loaded and are broken by the setuid Exim being
unable to access files specified in environment variables and passed
through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
unless this new option is set.
Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability,
so have also added a build option which can be used to build Exim with GnuTLS
but without trying to use any kind of PKCS11 support. Uncomment this in the
Local/Makefile:
AVOID_GNUTLS_PKCS11=yes
10. The "acl = name" condition on an ACL now supports optional arguments.
New expansion item "${acl {name}{arg}...}" and expansion condition
"acl {{name}{arg}...}" are added. In all cases up to nine arguments
can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL.
Variable $acl_narg contains the number of arguments. If the ACL sets
a "message =" value this becomes the result of the expansion item,
or the value of $value for the expansion condition. If the ACL returns
accept the expansion condition is true; if reject, false. A defer
return results in a forced fail.
11. Routers and transports can now have multiple headers_add and headers_remove
option lines. The concatenated list is used.
12. New ACL modifier "remove_header" can remove headers before message gets
handled by routers/transports.
13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured),
"aaaa" and "a" lookups is done and the full set of results returned.
14. New expansion variable $headers_added with content from ACL add_header
modifier (but not yet added to message).
15. New 8bitmime status logging option for received messages. Log field "M8S".
16. New authenticated_sender logging option, adding to log field "A".
17. New expansion variables $router_name and $transport_name. Useful
particularly for debug_print as -bt commandline option does not
require privilege whereas -d does.
18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a
proposed extension to SMTP from Eric Hall.
19. The pipe transport has gained the force_command option, to allow
decorating commands from user .forward pipe aliases with prefix
wrappers, for instance.
20. Callout connections can now AUTH; the same controls as normal delivery
connections apply.
21. Support for DMARC, using opendmarc libs, can be enabled. It adds new
options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file.
It adds new expansion variables $dmarc_ar_header, $dmarc_status,
$dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier
dmarc_status. It adds new control flags dmarc_disable_verify and
dmarc_enable_forensic.
22. Add expansion variable $authenticated_fail_id, which is the username
provided to the authentication method which failed. It is available
for use in subsequent ACL processing (typically quit or notquit ACLs).
23. New ACL modifier "udpsend" can construct a UDP packet to send to a given
UDP host and port.
24. New ${hexquote:..string..} expansion operator converts non-printable
characters in the string to \xNN form.
25. Experimental TPDA (Transport Post Delivery Action) function added.
Patch provided by Axel Rau.
26. Experimental Redis lookup added. Patch provided by Warren Baker.
Changes since 2.61 are difficult to ascertain. There is no useful
upstream changelog, and the full Debian one primarily includes
packaging changes only. However, there appear to have at least been
some security fixes.
RELEASE 0.9.5
-------------
- Fix failing vCard import when email address field contains spaces (#1489386)
- Fix default spell-check configuration after Google suspended their spell service
- Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
- Fix iframe onload for upload errors handling (#1489379)
- Fix address matching in Return-Path header on identity selection (#1489374)
- Fix text wrapping issue with long unwrappable lines (#1489371)
- Fixed misspelling: occured -> occurred (#1489366)
- Fixed issues where HTML comments inside style tag would hang Internet Explorer
- Fix setting domain in virtualmin password driver (#1489332)
- Hide Delivery Status Notification option when smtp_server is unset (#1489336)
- Display full attachment name using title attribute when name is too long to display (#1489320)
- Fix attachment icon issue when rare font/language is used (#1489326)
- Fix expanded thread root message styling after refreshing messages list (#1489327)
- Fix issue where From address was removed from Cc and Bcc fields when editing a draft (#1489319)
- Fix error_reporting directive check (#1489323)
- Fix de_DE localization of "About" label in Help plugin (#1489325)
pax -rw, the destination directory must exist. pax in NetBSD creates it if
not, pax in MirBSD complains. I read through all pkgsrc Makefiles that use
pax and added an entry to INSTALLATION_DIRS, or an INSTALL_DATA_DIR
invocation.
I did not test all the changes but they should be fairly safe. If you notice
any breakage because of this change, please contact me.
* Fix fallback for titles that contain malformed HTML.
* Fix atomic saves to avoid garbling config and data files if the disk is full.
* Convert the `friendly-name` boolean to the new `name-format`
setting. This allows users to customize how the friendly name is
constructed.
* Demote guessed encodings logs from 'error' to 'warning'.
* Incompatible change in Sieve doveadm plugin: the root attribute for
Sieve scripts is changed. Make sure that you update both sides of a
dsync setup simultaneously when Sieve is involved, otherwise
synchronization will likely fail.
+ Added support for sending Sieve vacation replies with an actual
sender, rather than the default <> sender. Check the updated
doc/extensions/vacation.txt for more information.
- Fixed a binary code read problem in the `set' command of the Sieve
variables extension. Using the set command with a modifier and an
empty string value would cause code corruption problems while running
the script.
- Various fixes for doveadm-sieve plugin, mostly crashes. These include
a fix for the `Invalid value for default sieve attribute' problem.
- Various fixes for compiler and static analyzer warnings, e.g. as
reported by CLang and on 32 bit systems.
- Fixed the implementation of the new :options flag for the Sieve
include extension.
- Fixed potential segfault bug at deinitialization of the lda-sieve
plugin.
- Fixed messed up hex output for sieve-dump tool.
* acl: If public/shared namespace has a shared subscriptions file for
all users, don't list subscription entries that are not visible to
the user accessing it.
+ doveadm: Added "auth lookup" command for doing passdb lookup.
+ login_log_format_elements: Added %{orig_user}, %{orig_username}
and %{orig_domain} expanding to the username exactly as sent by
the client (before any changes auth process made).
+ Added ssl_prefer_server_ciphers setting.
+ auth_verbose_passwords: Log the password also for unknown users.
+ Linux: Added optional support for SO_REUSEPORT with
inet_listener { reuse_port=yes }
- director: v2.2.5 changes caused "SYNC lost" errors
- dsync: Many fixes and error handling improvements
- doveadm -A: Don't waste CPU by doing a separate config lookup
for each user
- Long-running ssl-params process no longer prevents Dovecot restart
- mbox: Fixed mailbox_list_index=yes to work correctly
Based on PR pkg/48254 by Leonardo Taccari.
pkgsrc changes:
* add options.mk: now fdm supports "debug" and "pcre" options (previously the
PCRE support was always included).
Changes:
* Add mbox tags for messages fetched from a mbox
* Detect GMail's XYZZY capability for IMAP and use it to try and workaround
some of their broken behaviour (incorrectly reported message sizes).
* Print a warning on missing maildirs when fetching from them rather than
crashing or giving an error. Reported by Frank Terbeck.
* Introduce a configure script and tidy up build infrastructure.
* GMail IMAP doesn't correctly set the \Seen flag after UID FETCH BODY[], so
explicitly set it with STORE when mail is kept. Reported by Patrice Clement.
* Properly count mails when polling multiple folders on a single IMAP server,
reported by Claudio M. Alessi.
* Support user and pass on NNTP, requested by Michael Hamann.
* Escape . properly when delivering to SMTP.
* Don't be as strict about format at the end of messages when using IMAP -
accept additional information as well as FLAGS. Reported by rivo nurges.
2.10.2
* TLS Interoperability workaround: turn on SHA-2 digests by force. This
improves interoperability with clients and servers that deploy SHA-2 digests
without the required support for TLSv1.2-style digest negotiation.
* TLS Performance workaround: the Postfix SMTP server TLS session cache had
become ineffective because recent OpenSSL versions enable session tickets by
default, resulting in a different ticket encryption key for each smtpd(8)
process. The workaround turns off session tickets. Postfix 2.11 will enable
session tickets properly.
* TLS Interoperability workaround: Debian Exim versions before 4.80-3 may fail
to communicate with Postfix and possibly other MTAs, with the following Exim
SMTP client error message:
TLS error on connection to server-name [server-address]
(gnutls_handshake): The Diffie-Hellman prime sent by the server is not
acceptable (not long enough)
See the RELEASE_NOTES file for a Postfix SMTP server configuration
workaround.
* Bugfix (defect introduced: 1997): memory leak while forwarding mail with the
local(8) delivery agent, in code that handles a cleanup(8) server error.
2.10.1
* Workaround: down-stream maintainers fail to install the new
smtpd_relay_restrictions safety net, causing breakage that could have been
avoided. We now hard-code the safety net instead.
2.10.0
* Separation of relay policy (with smtpd_relay_restrictions) from spam policy
(with smtpd_{client, helo, sender, recipient}_restrictions), which makes
accidental open relay configuration less likely. The default is backwards
compatible.
* HAproxy load-balancer support for postscreen(8) and smtpd(8). The nginx
proxy was already supported by Postfix 2.9 smtpd(8), using XCLIENT commands.
* Support for the TLSv1 and TLSv2 protocols, as well as support to turn them
off if needed for inter-operability.
* Laptop-friendly configuration. By default, Postfix now uses UNIX-domain
sockets instead of FIFOs, and thus avoids MTIME file system updates on an
idle mail system.
* Revised postconf(1) command. The "-x" option expands $name in a parameter
value (both main.cf and master.cf); the "-o name=value" option overrides a
main.cf parameter setting; and postconf(1) now warns about a $name that has
no name=value setting.
* Sendmail-style "socketmap" lookup tables.
Changelog:
The following security bug fixes should be applied to thunderbird-17.0.9.
But I cannot find any documents.
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
MFSA 2013-65 Buffer underflow when generating CRMF requests
based on mail/gmime before updated to incompatible 2.6, with patches for new
glib2 borrowed by mail/gmime24.
approved by wiz@ during freeze.
GMime is a set of utilities for parsing and creating messages using the
Multipurpose Internet Mail Extension (MIME) as defined by the following RFCs:
* 0822: Standard for the Format of Arpa Internet Text Messages
* 1521: MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for
Specifying and Describing the Format of Internet Message Bodies
* 1847: Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted
* 1864: The Content-MD5 Header Field (Obsoletes rfc1544)
* 2015: MIME Security with Pretty Good Privacy (PGP)
* 2045: Multipurpose Internet Mail Extensions (MIME) Part One:
Format of Internet Message Bodies
* 2046: Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types
* 2047: Multipurpose Internet Mail Extensions (MIME) Part Three:
Message Header Extensions for Non-ASCII Text
* 2048: Multipurpose Internet Mail Extensions (MIME) Part Four:
Registration Procedures
* 2049: Multipurpose Internet Mail Extensions (MIME) Part Five:
Conformance Criteria and Examples
* 2183: Communicating Presentation Information in Internet Messages:
The Content-Disposition Header Field
* 2184: MIME Parameter Value and Encoded Word Extensions: Character
Sets, Languages, and Continuations
* 2231: MIME Parameter Value and Encoded Word Extensions: Character
Sets, Languages, and Continuations (Obsoletes rfc2184)
* 3156: MIME Security with OpenPGP (Updates rfc2015)
option for sendmail.cf. It is required in order to remove weak ciphers,
and enforce Forward Secrecy on modern MUA
Usage example:
O CipherList=DH@STRENGTH:HIGH:!MD5:!DES:!aNULL:!eNULL
== 1.25 / 2013-08-30
* New Features:
* Adding lazy loading and caching functionality to the default data based on
work done by Greg Brockman (gdb).
* Bugs:
* Force the default internal application encoding to be used when reading the
MIME types database. Based on a change by briangamble, found in the rapid7
fork.
* New extensions:
* mjpeg (video/x-motion-jpeg) based on a change by punkrats, found in the
vidibus fork.
* Modernized MiniTest configuration.
== 1.24 / 2013-08-14
* Code Climate:
* Working on improving the quality of the mime-types codebase through the use
of Code Climate. https://codeclimate.com/github/halostatue/mime-types
* Simplified MIME::Type.from_array to make more assumptions about assignment.
* Documentation:
* LeoYoung <mrleoyoung@gmail.com> pointed out that the README.rdoc contained
examples that could never possibly work because MIME::Types#[] returns (for
all the versions I have handy) an array, not a single type. I have updated
README.rdoc to reflect this.
* Removed Nokogiri as a declared development dependency. It is still required
if you're going to use the IANA parser functionality, but it is not necessary
for most development purposes. This has been removed to ensure that Travis CI
passes on Ruby 1.8.7.
* New MIME Types:
* 7zip (application/x-7z-compressed). Fixes a request by kodram.
https://github.com/halostatue/mime-types/issues/32
* application/x-www-form-urlencoded. Fixes a request by alexkwolfe.
https://github.com/halostatue/mime-types/issues/39
* Various new MIME types from IANA:
* application/mbms-schedule\+xml from 3GPP and Turcotte.
* application/provenance\+xml from W3C and Herman.
* application/session-info from 3GPP and Firmin.
* application/urc-grpsheet\+xml, application/urc-targetdesc\+xml,
application/uisocketdesc\+xml from Zimmermann.
* application/api\+json from Klabnik.
* application/vnd.etsi.pstn\+xml from Han and Belling.
* application/vnd.fujixerox.docuworks.container from Tashiro.
* application/vnd.windows.devicepairing from Dandawate.
* video/vnd.radgamettools.bink and video/vnd.radgamettools.smacker from
Andersson.
* Updated MIME Types:
* RFC 6960 was adopted (application/ocsp-request and application/ocsp-response).
pkgsrc changes:
* Make installer work.
* Add various dependencies to PHP extensions.
RELEASE 0.9.4
-------------
- Make identities matching case insensitive (#1485480)
- Fix issue where too big message data was stored in cache causing sql errors
(#1489316)
- Fix iframe scrollbars on webkit desktop browsers (#1489306)
- Fix issue where legacy config was overridden by default config (#1489288)
- Fix newmail_notifier issue where favicon wasn't changed back to default
(#1489313)
- Fix setting of Junk and NonJunk flags by markasjunk plugin (#1489285)
- Fix lack of Reply-To address in header of forwarded message body (#1489298)
- Fix bugs when invoking contact creation form when read-only addressbook is
selected (#1489296)
- Fix identity selection on reply (#1489291)
- Fix so additional headers are added to all messages sent (#1489284)
- Fix display issue after moving folder in Folder Manager (#1489293)
- Fix handling of non-default date formats (#1489294)
- Fix unquoted path in PREG expression on Windows (#1489290)
- Fix Junk folder icon alignment when it's nested in inbox folder (#1489292)
- Fix wrong close tag in /template/mail.html (#1489295)