All checksums have been double-checked against existing RMD160 and
SHA512 hashes
The following distfiles were unfetchable (possibly fetched
conditionally?):
./mail/qmail/distinfo netqmail-1.05-TAI-leapsecs.patch
Changelog:
Fixes:
Sending an email containing HTML links with spaces in the URL sometimes
resulted in broken links
Folder Pane display theme fixes for macOS
Chat account settings did not always save as expected
RSS feed subscriptions sometimes lost
Calendar: A parsing error for alarm triggers of type "DURATION" caused sync
problems for some users
Various security fixes
Security fixes:
#CVE-2021-29969: IMAP server responses sent by a MITM prior to STARTTLS could
be processed
#CVE-2021-29970: Use-after-free in accessibility features of a document
#CVE-2021-30547: Out of bounds write in ANGLE
#CVE-2021-29976: Memory safety bugs fixed in Thunderbird 78.12
Changelog:
Fixes
OpenPGP could not be disabled for an account if a key was previously configured
Recipients were unable to decrypt some messages when the sender had changed the
message encryption from OpenPGP to S/MIME
Contacts moved between CardDAV address books were not synced to the new server
CardDAV compatibility fixes for Google Contacts
Folder pane had no clear indication of focus on macOS
Windows theme improvements
Various security fixes
Security fixes:
#CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
#CVE-2021-29967: Memory safety bugs fixed in Thunderbird 78.11
Changelog:
78.10.2
What's New
Added support for importing OpenPGP keys without a primary secret key
Add-ons manager displays a preferences icon for mail extensions that include an
options page
Fixes
OpenPGP messages with a high compression ratio (over 10x) could not be
decrypted
Selected OpenPGP key was lost after opening the Key Properties dialog in
Account Settings
Parsing some OpenPGP user IDs failed
Various improvements to OpenPGP partial encryption reminders
Troubleshooting information page did not display row labels on macOS
Mail toolbar buttons were too big when displaying both icons and text
Various security fixes
Security fixes:
#CVE-2021-29957: Partial protection of inline OpenPGP message not indicated
#CVE-2021-29956: Thunderbird stored OpenPGP secret keys without master password
protection
78.10.1
Changes
Removed the fix for bug 1689804 introduced in Thunderbird 78.9.0, restoring the
previous behavior
Fixes
Various security fixes
Security fixes:
#CVE-2021-29951: Thunderbird Maintenance Service could have been started or
stopped by domain users
Changelog:
Fixes:
Usability & theme improvements on Windows
Various security fixes
Security fixes:
#CVE-2021-23994: Out of bound write due to lazy initialization
#CVE-2021-23995: Use-after-free in Responsive Design Mode
#CVE-2021-23998: Secure Lock icon could have been spoofed
#CVE-2021-23961: More internal network hosts could have been probed by a
malicious webpage
#CVE-2021-23999: Blob URLs may have been granted additional privileges
#CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
encoded URL
#CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to
null-reads
#CVE-2021-29948: Race condition when reading from disk while verifying
signatures
Changelog:
Fixes
New mail notification displayed old messages that were unread
Spaces following soft line breaks in messages using quoted-printable and format
=flowed were incorrectly encoded; existing messages which were previously
incorrectly encoded may now display with some words not separated by a space
Some fields were unreadable in the Dark theme in the General preferences panel
Sending a message containing an anchor tag with an invalid data URI failed
When switching tabs, input focus was not moved to the new tab
Address Book: Syncing a read-only Google address book via CardDAV failed
Address Book: Importing VCards with non-ascii characters would fail
Address Book: Some values may not have been parsed when syncing from Google
address books.
Add-ons Manager did not show if an addon used experiment APIs
Calendar: Removing a recurring task was not possible
Various security fixes
Security fixes:
#CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an
out-of-bound read
#MOZ-2021-0002: Angle graphics library out of date
#CVE-2021-23982: Internal network hosts could have been probed by a malicious
webpage
#CVE-2021-23984: Malicious extensions could have spoofed popup information
Changelog:
Fixes
New mail notification did not occur for newly arrived messages if previously
received mail was unread
Directory for saving multiple attachments was not remembered between saves
Opening a message from the command-line using "-mail <URL>" failed
Automatic account setup did not use the provider email and display name
Newly-added identities were not listed in the account manager until it was
closed and reopened
Account provisioner did not properly handle UTF-8 data
Copying a large message to an IMAP server would sometimes prematurely display a
time-out error
OpenPGP: Various errors when importing keys
OpenPGP: Public keys attached to an outgoing email did not have
"Content-Description" set
Address Book: CardDAV sync errors did not retry until Thunderbird was restarted
Calendar: Changing the cache mode of a CalDAV calendar connection would lose
the username of the account
Calendar: Add-on calendars were sometimes not visible after restarting
Calendar: The preview for a recurring task did not use all available space in
the dialog window
Installer: Option to keep distribution directory on upgrade did not work
Changelog:
Fixes
Importing an address book from a CSV file always reported an error
Security information for S/MIME messages was not displayed correctly prior to a
draft being saved
Calendar: FileLink UI fixes for Caldav calendars
Recurring tasks were always marked incomplete; unable to use filters
Various UI widgets not working
Dark theme improvements
Extension manager was missing link to addon support web page
Various security fixes
Security fixes:
#CVE-2021-23969: Content Security Policy violation report could have contained
the destination of a redirect
#CVE-2021-23968: Content Security Policy violation report could have contained
the destination of a redirect
#CVE-2021-23973: MediaError message property could have leaked information
about cross-origin resources
#CVE-2021-23978: Memory safety bugs fixed in Thunderbird 78.8
Changelog:
What's New
CardDAV address books now support OAuth2 and Google Contacts.
Changes
Thunderbird will no longer allow installation of addons that use the legacy API
Fixes
Send message button sometimes remained enabled when it should be disabled
Pressing command+enter to send a message on macOS did not work
OpenPGP: Failed to save attachments that contained binary data after decryption
Global search UI fixes
Various theme and color fixes to improve ease of use
Changelog:
What's New
Extension API: Compose API now supports editing messages and templates as new
messages
Extension API: composeHtml is now exposed in MailIdentity
Extension API: windows.update and windows.create now support titlePreface
Extension API: new Accounts API functions: accounts.getDefault() and
accounts.getDefaultIdentity(accountId)
Changes
Extension API: body and plainTextBody are now used as compose mode selectors in
setComposeDetails and begin* functions in Compose API
Theme: removed the double border around the task description field on the Tasks
tab
Fixes
Account Manager: When deleting the last remaining account, the default account
was not getting cleared and still pointed to the no-longer-existing account
OpenPGP: Verification of an inline signed message would fail if it contained
leading whitespace
OpenPGP: Various other minor bug and stability fixes
Mail Window: Quickfilter bar buttons disappear when hovered on Windows 10 High
Contrast Black theme
Theme: folder properties dialog contained black text on a black background in
dark mode
Theme: recipient pills in compose window were not visible in high contrast dark
theme on Windows 10
Extension API: browserAction buttons were not restored after restart if they
were moved outside the default toolbar
Extension API: browser.compose.beginNew could not override identity plaintext
setting
Extension API: browser.compose.beginForward was ignoring ComposeDetails
Extension API: browser.compose.setComposeDetails did not properly handle
Windows-style line endings
Various security fixes
Security fixes:
#CVE-2021-23953: Cross-origin information leakage via redirected PDF requests
#CVE-2021-23954: Type confusion when using logical assignment operators in
JavaScript switch statements
#CVE-2020-15685: IMAP Response Injection when using STARTTLS
#CVE-2020-26976: HTTPS pages could have been intercepted by a registered
service worker when they should not have been
#CVE-2021-23960: Use-after-poison for incorrectly redeclared JavaScript
variables during GC
#CVE-2021-23964: Memory safety bugs fixed in Thunderbird 78.7
* Fix build with devel/cbindgen-0.16.0.
Changelog:
New
MailExtensions: Added browser.windows.openDefaultBrowser()
Changes
Thunderbird now only shows quota exceeded indications on the main window
MailExtensions: menus API enabled in messages being composed
MailExtensions: Honor allowScriptsToClose argument in windows.create API
function
MailExtensions: APIs that returned an accountId will reflect the account the
message belongs to, not what is stored in message headers
Fixes
Keyboard shortcut for toggling message "read" status not shown in menus
OpenPGP: After importing a secret key, Key Manager displayed properties of the
wrong key
OpenPGP: Inline PGP parsing improvements
OpenPGP: Discovering keys online via Key Manager sometimes failed on Linux
OpenPGP: Encrypted attachment "Decrypt and Open/Save As" did not work
OpenPGP: Importing keys failed on macOS
OpenPGP: Verification of clear signed UTF-8 text failed
Address book: Some columns incorrectly displayed no data
Address book: The address book view did not update after changing the name
format in the menu
Calendar: Could not import an ICS file into a CalDAV calendar
Calendar: Two "Home" calendars were visible on a new profile
Calendar: Dark theme was incomplete on Linux
Dark theme did not apply to new mail notification popups
Folder icon, message list, and contact side bar visual improvements
MailExtensions: HTTP refresh in browser content tabs did not work
MailExtensions: messageDisplayScripts failed to run in main window
Various security fixes
Security fixes:
#CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory to be exposed
#CVE-2020-26971: Heap buffer overflow in WebGL
#CVE-2020-26973: CSS Sanitizer performed incorrect sanitization
#CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
#CVE-2020-26978: Internal network hosts could have been probed by a malicious webpage
#CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs
#CVE-2020-35112: Opening an extension-less download may have inadvertently launched an executable instead
#CVE-2020-35113: Memory safety bugs fixed in Thunderbird 78.6
Changelog:
What's New
OpenPGP: Added option to disable email subject encryption
Changes
OpenPGP public key import now supports multi-file selection and bulk accepting imported keys
MailExtensions: getComposeDetails will wait for "compose-editor-ready" event
Fixes
New mail icon was not removed from the system tray at shutdown
"Place replies in the folder of the message being replied to" did not work when using "Reply to List"
Thunderbird did not honor the "Run search on server" option when searching messages
Highlight color for folders with unread messages wasn't visible in dark theme
OpenPGP: Key were missing from Key Manager
OpenPGP: Option to import keys from clipboard always disabled
The "Link" button on the large attachments info bar failed to open up Filelink section in Options if the user had not yet configured Filelink
Address book: Printing members of a mailing list resulted in incorrect output
Unable to connect to LDAP servers configured with a self-signed SSL certificate
Autoconfig via LDAP did not work as expected
Calendar: Pressing Ctrl-Enter in the new event dialog would create duplicate events
Various security fixes
Security fixes:
#CVE-2020-26970: Stack overflow due to incorrect parsing of SMTP server response codes
* Fix build with lang/rust-1.47.0.
Changelog:
78.5.0
What's New
OpenPGP: Added option to disable attaching the public key to a signed message
MailExtensions: "compose_attachments" context added to Menus API
MailExtensions: Menus API now available on displayed messages
Changes
MailExtensions: browser.tabs.create will now wait for "mail-delayed-startup-finished" event
Fixes
OpenPGP: Support for inline PGP messages improved
OpenPGP: Message security dialog showed unverified keys as unavailable
Chat: New chat contact menu item did not function
Various theme and usability improvements
Various security fixes
#CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
#CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
#CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
#CVE-2020-26956: XSS through paste (manual and clipboard API)
#CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
#CVE-2020-26959: Use-after-free in WebRequestService
#CVE-2020-26960: Potential use-after-free in uses of nsTArray
#CVE-2020-15999: Heap buffer overflow in freetype
#CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
#CVE-2020-26965: Software keyboards may have remembered typed passwords
#CVE-2020-26966: Single-word search queries were also broadcast to local network
#CVE-2020-26968: Memory safety bugs fixed in Thunderbird 78.5
78.4.3
Fixes
User interface was inconsistent when switching from the default theme to the dark theme and back to the default theme
Email subject would disappear when hovering over it with the mouse when using Windows 7 Classic theme
78.4.2
Fixes
Security fix
#CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for
78.4.1
What's New
Thunderbird prompts for an address to use when starting an email from an address book entry with multiple addresses
Fixes
Searching global search results did not work
Link location was not focused by default when adding a hyperlink in message composer
Advanced address book search dialog was unusable
Encrypted draft reply emails lost "Re:" prefix
Replying to a newsgroup message did not open the compose window
Unable to delete multiple newsgroup messages
Appmenu displayed visual glitches
Visual glitches when selecting multiple messages in the message pane and using Ctrl+click
Switching between dark and light mode could lead to unreadable text on macOS
78.4.0
What's New
MailExtensions: browser.tabs.sendMessage API added
MailExtensions: messageDisplayScripts API added
Changes
Yahoo and AOL mail users using password authentication will be migrated to OAuth2
MailExtensions: messageDisplay APIs extended to support multiple selected messages
MailExtensions: compose.begin functions now support creating a message with attachments
Fixes
Thunderbird could freeze when updating global search index
Multiple issues with handling of self-signed SSL certificates addressed
Recipient address fields in compose window could expand to fill all available space
Inserting emoji characters in message compose window caused unexpected behavior
Button to restore default folder icon color was not keyboard accessible
Various keyboard navigation fixes
Various color-related theme fixes
MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
Various security fixes
Security fixes:
#CVE-2020-15969: Use-after-free in usersctp
#CVE-2020-15683: Memory safety bugs fixed in Thunderbird 78.4
78.3.3
Fixes
OpenPGP: Improved support for encrypting with subkeys
OpenPGP message status icons were not visible in message header pane
OpenPGP Key Manager was missing from Tools menu on macOS
Creating a new calendar event did not require an event title
78.3.2
Changes
Thunderbird will no longer automatically install updates when Preferences tab is opened
Fixed
OpenPGP: Improved support for encrypting with subkeys
OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
Single-click deletion of recipient pills with middle mouse button restored
Searching an address book list did not display results
Windows installer was unreadable with Windows in high contrast mode
Dark mode, high contrast, and Windows theming fixes
Changelog:
Changes
Thunderbird will no longer automatically install updates when Preferences tab is opened
Fixes
OpenPGP: Improved support for encrypting with subkeys
OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
Single-click deletion of recipient pills with middle mouse button restored
Searching an address book list did not display results
Windows installer was unreadable with Windows in high contrast mode
Dark mode, high contrast, and Windows theming fixes
Changelog:
78.3.1
Fixes
Thunderbird crashed after updating to 78.3.0
78.3.0
Changes
OpenPGP: Improved decryption performance with large messages
OpenPGP: Do not show external key UI when disabled by preference
Account setup wizard will now open a popup when connecting to a server with a
self-signed SSL/TLS certificate
Installation of "legacy" MailExtensions now disabled
Reply-To header moved in compose window; now appears under From header
Calendar: Sidebar UI improvements
Fixes
Selecting "Cancel" on the Master Password prompt at startup incorrectly
reported corrupted OpenPGP data
OpenPGP: Creating a new key pair did not automatically select it for use
Dragging & Dropping recipient pills resulted in lost pills when an error was
present
Spellcheck suggestions were unreadable in dark theme
Calendar: Multiple password prompts opened
Linux Distributions: UI was not rendered completely when built without updater
MailExtensions: browser.folders.delete failed on IMAP folders
Various security fixes
Security fixes:
Mozilla Foundation Security Advisory 2020-44
#CVE-2020-15677: Download origin spoofing via redirect
#CVE-2020-15676: XSS when pasting attacker-controlled data into
a contenteditable element
#CVE-2020-15678: When recursing through layers while scrolling, an iterator may
have become invalid, resulting in a potential use-after-free scenario
#CVE-2020-15673: Memory safety bugs fixed in Thunderbird 78.3
* Runtime depend on chat/libotr.
Changelog:
What's New
new Drag and Drop reordering of recipient pills now supported
Changes
changed OpenPGP: Some signature states reported as "mismatch" now report "unknown"
changed Privacy policy now displayed in a tab when updated
changed Chat: Non-functional Twitter support removed
Fixes
fixed OpenPGP: Improvements to key importing when failures occur
fixed OpenPGP: Decryption did not work with certain HTTP proxy configurations
fixed OpenPGP: "Discover keys online" option did not work when searching for an email address
fixed Email filters reported failure when moving a message to original folder
fixed Message filters: Filters shown as enabled in configuration dialog were not always enabled
fixed vCard 2.1 attachments not handled properly
fixed Sending messages sometimes failed when recipients were in LDAP address book
fixed Non-functional help menu items removed
fixed Adding custom headers in the addressing widget (preference mail.compose.other.header) did not work
fixed Calendar: Event reminder details were unreadable
fixed Windows 10 high-contrast theme fixes
fixed More theme fixes and improvements
* Lightning cannot be disabled by users in build time.
Remove mozilla-lightning option.
Changelog:
78.2.1
Changes
changed OpenPGP enabled by default
changed OpenPGP: Disabled the use of MD5/SM2/SM3 algorithms
Fixes
fixed OpenPGP: Users with sub-identities were unable to encrypt or sign messages when switching identities
fixed OpenPGP message security window did not support dark mode
78.2.0
Changes
changed OpenPGP Key generation now disabled when there is no default mail account configured
changed OpenPGP: Encrypt saved drafts when OpenPGP is enabled
changed Twitter search removed
changed Calendar: Event summary dialog is now themeable
changed MailExtensions: Some APIs now use defineLazyPreferenceGetter in order to benefit from caching
Fixes
fixed OpenPGP Key Manager search function did not work
fixed OpenPGP Key Properties dialog was sometimes too small
fixed OpenPGP: Encrypted email would not send if address contained uppercase characters
fixed OpenPGP: "Key ID" column could not be resized in Key Manage
fixed OpenPGP: Keys containing invalid UTF-8 strings could not be imported
fixed OpenPGP: Enable automatic signing for encrypted messages in additional scenarios
fixed Many more OpenPGP bug fixes and improvements
fixed IMAP fetch chunk size was always 65536 bytes
fixed IMAP server capabilities were not rechecked after upgrading to SSL/TLS connection
fixed Message Composer: Order of attachments could not be modified using drag & drop
fixed Composing messages with a "fixed width" font did not work
fixed Drag and drop of address book contacts did not work in some situations
fixed Address book migration failed when there was a dot in the file name
fixed Address book: "Always prefer display name over message header" was always checked when editing a contact
fixed Address book performance optimizations
fixed Dialog to add a new mail account from "Account Settings" did not open
fixed "Select All" (Ctrl+A) in message source did not work until focused with a mouse click
fixed Ctrl+scroll wheel not zooming in message reader
fixed Setting/changing a signature from a file lost when closing account settings
fixed Adaptive Junk Mail settings could not be disabled
fixed Message filter dialog fixes: Missing scrollbar, drop-down list not wide enough
fixed Various UX and theme improvements
78.1.1
Changes
changed Building OpenPGP shared library linked to system libraries now supported
changed MailExtension errors now shown in Developer Tools console by default
changed MailExtensions: Dynamic registration of calendar providers now supported
Fixesr
fixed OpenPGP improvements
fixed Message preview was sometimes blank after upgrading from Thunderbird 68
fixed Email addresses whitelisted for remote content not displayed in preferences
fixed Importing data from Seamonkey did not work
fixed Renaming a mail list did not update the side bar
fixed MailExtensions: messenger.* namespace was undefined
78.1.0
What's New
new OpenPGP support is now feature complete. Improvements: new Key Wizard, online searching for OpenPGP keys, and more
new The preferences tab now has a search field
Changes
changed Dark background in message reader is now disabled
Fixes
fixed Thunderbird startup was slow when using folder color customizations with many folders. Previously configured colors will not be migrated.
fixed Mail quota usage in status bar did not support terabyte folder sizes
fixed Changing Junk mail settings with keyboard toggled wrong setting
fixed Advanced IMAP server preferences not saved in Account Manager
fixed Address book migration updates and fixes
fixed Address book: Last Modified Date was not updated
fixed Dark mode improvements
fixed Various security fixes
Security fixes:
#CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
#CVE-2020-6514: WebRTC data channel leaks internal address to peer
#CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
#CVE-2020-15653: Bypassing iframe sandbox when allowing popups
#CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
#CVE-2020-15656: Type confusion for special arguments in IonMonkey
#CVE-2020-15658: Overriding file type when saving to disk
#CVE-2020-15657: DLL hijacking due to incorrect loading path
#CVE-2020-15654: Custom cursor can overlay user interface
#CVE-2020-15659: Memory safety bugs fixed in Thunderbird 78.1
78.0.1
What's New
new OpenPGP: Key revocation, extending key expiration, and secret key backup
Fixes
fixed Drag & Drop multiple attachments to macOS Finder created duplicate files
fixed Faceted search date and relevance settings not saved
fixed FileLink attachments included as a link and file when added from a network drive via drag & drop
fixed About Thunderbird dialog keyboard shortcuts did not work
fixed CC'd recipients sometimes displayed collapsed in header pane
fixed Incremental search in contacts sidebar did not always display local results when an LDAP server was also in use
fixed Contacts sidebar search results cleared after removing a contact
fixed OpenPGP: Messages with long Armor Header lines did not display
fixed OpenPGP: Messages containing non-UTF-8 text were not supported
fixed Various UI and theming fixes
fixed Chat: Participants list did not display operator flags
Changelog:
Fixes
fixed Chat: Topics displayed some characters improperly
fixed Calendar: Filtering tasks did not work when "Incomplete Tasks" was selected
Security fixes:
CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64
#CVE-2020-12418: Information disclosure due to manipulated URL object
#CVE-2020-12419: Use-after-free in nsGlobalWindowInner
#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
#MFSA-2020-0001: Automatic account setup leaks Microsoft Exchange login credentials
#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates
Changelog:
Fixes
fixed Custom headers added for searching or filtering could not be removed
fixed Calendar: Today Pane updated prior to loading all data
fixed Stability improvements
fixed Various security fixes
Security fixes:
#CVE-2020-12399: Timing attack on DSA signatures in NSS library
#CVE-2020-12405: Use-after-free in SharedWorkerService
#CVE-2020-12406: JavaScript Type confusion with NativeTypes
#CVE-2020-12410: Memory safety bugs fixed in Thunderbird 68.9.0
#CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to information leakage
Changelog:
Fixes:
fixed IMAP stability improvements
fixed HTML tags in IRC topic changes were rendered incorrectly
fixed MailExtensions: Websockets could not be used
Thunderbird is no longer Mozilla-branded. It no longer uses gtk2.
Future versions of Thunderbird will not have ESR releases because
every Thunderbird release is now an ESR release.
Changelog:
Fixes
Account Manager: text fields were too small in some cases
Account Manager: Authentication method did not update when selecting an SMTP server
Links with embedded credentials did not open on Windows
Messages were sometimes sent with a badly formed address when filled from the address book
Accessibility: Screen readers were reporting too many activities from the status bar
MailExtensions: Setting IMAP messages as read with browser.messages.updated failed to persist
Various security fixes
Security fixes:
#CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode characters
#CVE-2020-12387: Use-after-free during worker shutdown
#CVE-2020-6831: Buffer overflow in SCTP chunk input validation
#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
#CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0
Changelog:
What's New
new MailExtensions: Raw message source available to MailExtensions
Changes
changed MailExtensions: messages.update function extended to mark messages as junk or not junk
changed MailExtensions: browser.compose.begin functions no longer expand mailing lists
Fixes
fixed Various improvements to account setup when connecting to an Exchange server
fixed Thread collapsed when opening news message in a new window
fixed Addons not automatically updated to compatible version after upgrade from Thunderbird 60
fixed Updating addons did not prompt when requesting new permissions
fixed Extra recipients panel not keyboard-accessible
fixed Accessibility: Status bar was not detected by screenreaders
fixed MailExtensions: messages.query by folder name did not require accountsRead permission
fixed Calendar: Invitations with embedded null bytes did not always decode correctly
fixed Calendar: Cancelled events didn't show with a line-through
fixed Various security fixes
Security fixes:
#CVE-2020-6819: Use-after-free while running the nsDocShell destructor
#CVE-2020-6820: Use-after-free when handling a ReadableStream
#CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method
#CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images
#CVE-2020-6825: Memory safety bugs fixed in Thunderbird 68.7.0
CVhangelog:
68.6.0
new
Thunderbird now displays a popup window when starting up on a new
profile
changed
Thunderbird now provides partial updates resulting in smaller
downloads
fixed
Searching in message bodies led to false negatives under some
circumstances in quoted-printable encoded HTML bodies
"Get New Messages for All Accounts" not working for OAuth2-authenticated
IMAP accounts
Various security fixes
#CVE-2020-6805: Use-after-free when removing data about origins
#CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections against state confusion
#CVE-2020-6807: Use-after-free in cubeb during stream destruction
#CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
#CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init
#CVE-2020-6812: The names of AirPods with personally identifiable information were exposed to websites with camera or microphone permission
#CVE-2020-6814: Memory safety bugs fixed in Thunderbird 68.6
68.0.5
new
Support for Client Identity IMAP/SMTP Service Extension
Support for OAuth 2.0 authentication for POP3 accounts
fixed
Status area goes blank during account setup
Calendar: Could not remove color for default categories
Calendar: Prevent calendar component loading multiple times
Calendar: Today pane did not retain width between sessions
Various security fixes
#CVE-2020-6793: Out-of-bounds read when processing certain email messages
#CVE-2020-6794: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords
#CVE-2020-6795: Crash processing S/MIME messages with multiple signatures
#CVE-2020-6797: Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
#CVE-2020-6798: Incorrect parsing of template tag could result in JavaScript injection
#CVE-2020-6792: Message ID calculcation was based on uninitialized data
#CVE-2020-6800: Memory safety bugs fixed in Thunderbird 68.5
Changelog:
changed
Calendar: Task and Event tree colours adjusted for the dark theme
fixed
Retrieval of S/MIME certificates from LDAP failed
Address-parsing crash on some IMAP servers when preference mail.imap.use_envelope_cmd was set
Incorrect forwarding of HTML messages caused SMTP servers to respond with a timeout
Calendar: Various parts of the calendar UI stopped working when a second Thunderbird window opened
