Changelog:
24.1.
FIXED
Fixed an issue where signatures were shown in too lighter grey making them difficult to read (bug 917906)
FIXED
Fixed an issue where Auto CC for reply might not work if the cc address is the same as the sending address (bug 917231)
FIXED
Security fixes can be found here
Fixed in Thunderbird 24.0
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
24.0
NEW
Message threads can now be ignored or watched
NEW
Emails can now be sent to IDN based email addresses
NEW
Zoom functionality is now available in the compose window
CHANGED
In the Compose window, ctrl/cmd + and ctrl/cmd - now change the zoom setting rather than the font size
CHANGED
In Twitter, replying to a tweet now replies to all users, just like on the Twitter website
FIXED
Interactions in the filter list dialogs have been improved
FIXED
In Chat user nicknames are now highlighted when mentioned
FIXED
In IRC, long messages will now be sent in multiple parts instead of being cut off
FIXED
Various security fixes
Fixed in Thunderbird 24.1
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
pax -rw, the destination directory must exist. pax in NetBSD creates it if
not, pax in MirBSD complains. I read through all pkgsrc Makefiles that use
pax and added an entry to INSTALLATION_DIRS, or an INSTALL_DATA_DIR
invocation.
I did not test all the changes but they should be fairly safe. If you notice
any breakage because of this change, please contact me.
Changelog:
The following security bug fixes should be applied to thunderbird-17.0.9.
But I cannot find any documents.
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
MFSA 2013-65 Buffer underflow when generating CRMF requests
Changelog:
Security bugfixes.
MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
Changelog:
FIXED
Security fixes can be found here
Fixed in Thunderbird 17.0.7
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)
to address issues with NetBSD-6(and earlier)'s fontconfig not being
new enough for pango.
While doing that, also bump freetype2 dependency to current pkgsrc
version.
Suggested by tron in PR 47882
Changelog:
FIXED
Security fixes can be found here
FIXED
Thunderbird now supports the Twitter API version 1.1 ahead of Twitter closing the 1.0 version (Bug 857049)
Fixed in Thunderbird 17.0.6
MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)
Changelog:
FIXED
Security fixes can be found here
FIXED
Adjusting font size when composing emails should be easier (Bug 824926)
Fixed in Thunderbird 17.0.5
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)
1.) Fix broken "yasm" version check which only accepts version numbers
like "a.b.c.d" but not like "a.b.c" and therefore fails with
Yasm 1.2.0. This probably affects other platforms (e.g. Linux
as well).
2.) Use "-R" instead of non-portable "-rpath" linker option.
The build under Solaris 10 fails now during the build phase and not
already in the configuration phase.
Changelog:
FIXED
Security fixes can be found here
FIXED
Attachments sometimes could not be removed from the composition window using the keyboard, this is now fixed (799451)
Fixed in Thunderbird 17.0.3
MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
MFSA 2013-27 Phishing on HTTPS connection through malicious proxy
MFSA 2013-26 Use-after-free in nsImageLoadingContent
MFSA 2013-25 Privacy leak in JavaScript Workers
MFSA 2013-24 Web content bypass of COW and SOW security wrappers
MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)
Changelog:
FIXED
Security fixes can be found here
FIXED
Pressing the 'x' button on Windows now closes only one window rather than the whole application (805185)
FIXED
An issue that caused occasional corruption in local folders after filtering is now fixed (815012)
FIXED
An issue that caused deletion of drafts saved in IMAP folders whilst in offline mode is now fixed (805626)
For security fix, see http://www.mozilla.org/en-US/thunderbird/17.0.2/releasenotes/ .
Changelog:
FIXED
Security fixes can be found here
FIXED
Pressing the 'x' button on Windows now closes only one window rather than the whole application (805185)
FIXED
An issue that caused occasional corruption in local folders after filtering is now fixed (815012)
FIXED
An issue that caused deletion of drafts saved in IMAP folders whilst in offline mode is now fixed (805626)
For security fix, see http://www.mozilla.org/en-US/thunderbird/17.0.2/releasenotes/ .
Changelog:
NEW
A Menu Button is now shown to new users by default
NEW
Tabs are now drawn in the title bar on Windows
FIXED
An issue causing spell-checking only parts of words in Thunderbird 16 is now fixed (790475)
FIXED
An issue causing Thunderbird 16 to repeatedly download emails is now fixed (806760)
FIXED
RSS feeds can now be viewed in the Wide View Layout (531397)
FIXED
Various fixes and performance improvements
FIXED
Various security fixes
CHANGED
Mac OS X 10.5 is no longer supported
Security fixes:
Fixed in Thunderbird 17
MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
MFSA 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2012-103 Frames can shadow top.location
MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset
MFSA 2012-100 Improper security filtering for cross-origin wrappers
MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
MFSA 2012-96 Memory corruption in str_unescape
MFSA 2012-94 Crash when combining SVG text on path with CSS
MFSA 2012-93 evalInSanbox location context incorrectly applied
MFSA 2012-92 Buffer overflow while rendering GIF images
MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)
Changelog:
Fixed in Thunderbird 16.0.2
MFSA 2012-90 Fixes for Location object issues
MFSA 2012-67 Installer will launch incorrect executable following new installation
Changelog:
FIXED
16.0.1: Vulnerability outlined here
https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
NEW
We have now added box.com to the list of online storage services that are available for use with Thunderbird Filelink
NEW
Silent, background updates. Thunderbird will now download and apply updates in the background allowing you to start quickly the next time Thunderbird starts up.
FIXED
Various fixes and performance improvements
FIXED
Various security fixes
Fixed in Thunderbird 16.0.1
MFSA 2012-89 defaultValue security checks not applied
MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)
Fixed in Thunderbird 16
MFSA 2012-87 Use-after-free in the IME State Manager
MFSA 2012-86 Heap memory corruption issues found using Address Sanitizer
MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
MFSA 2012-84 Spoofing and script injection through location.hash
MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties
MFSA 2012-82 top object and location property accessible by plugins
MFSA 2012-81 GetProperty function can bypass security checks
MFSA 2012-80 Crash with invalid cast when using instanceof operator
MFSA 2012-79 DOS and crash with full screen and history navigation
MFSA 2012-77 Some DOMWindowUtils methods bypass security checks
MFSA 2012-76 Continued access to initial origin after setting document.domain
MFSA 2012-75 select element persistance allows for attacks
MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)
* Update Mozilla Lightning to 1.7
* Update Enigmail to 1.4.4 (functionality is not tested yet; should
be updated)
* Regen patches
Changelog:
NEW Multi-Channel Chat: You now can enjoy real time conversation with your contacts, right from your favorite messaging application.
NEW Do Not Track: This option has been implemented as an addition to Search the Web.
NEW Ubuntu One is now supported in Filelink - the option to upload large attachments to online storage services.
NEW New User Interface: Thunderbird is replicating the new look and feel of Mozilla Firefox in an effort to provide a similar user experience across all Mozilla software desktop or mobile and all platforms.
FIXED Various fixes and performance improvements
FIXED Various security fixes
MFSA 2012-72 Web console eval capable of executing chrome-privileged code
MFSA 2012-70 Location object security checks bypassed by chrome code
MFSA 2012-68 DOMParser loads linked resources in extensions when parsing text/html
MFSA 2012-67 Installer will launch incorrect executable following new installation
MFSA 2012-65 Out-of-bounds read in format-number in XSLT
MFSA 2012-64 Graphite 2 memory corruption
MFSA 2012-63 SVG buffer overflow and use-after-free issues
MFSA 2012-62 WebGL use-after-free and memory corruption
MFSA 2012-61 Memory corruption with bitmap format images with negative height
MFSA 2012-59 Location object can be shadowed using Object.defineProperty
MFSA 2012-58 Use-after-free issues found using Address Sanitizer
MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
* Update enigmail to 1.4.2
* Update Lightning to 1.5
Changelog:
* Filelink: Upload your files to an online storage service and send links
to your friends, avoiding bounce back due to large attachments. We have
partnered with YouSendIt to bring this feature, but additional partners
will be added in the near future.
* In partnership with Gandi and Hover, you can now sign up for a
personalized email address from within Thunderbird. Along with your new
email address, Thunderbird will be automatically set up and ready to
send and receive messages. We are working with additional suppliers to
cover more areas of the world and to provide more options in the future.
* Various security fixes
MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
MFSA 2012-39 NSS parsing errors with zero length items
MFSA 2012-38 Use-after-free while replacing/inserting a node in a document
MFSA 2012-37 Information disclosure though Windows file shares and shortcut files
MFSA 2012-36 Content Security Policy inline-script bypass
MFSA 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service
MFSA 2012-34 Miscellaneous memory safety hazards
* The minimum system requirements for Windows are now Windows XP Service
Pack 2 or later.
Fix PR pkg/46427
Changelog:
* Fix various issues relating to new mail notifications and filtering
on POP3 based accounts
* Fixes an occasional startup crash seen in TB 12.0
* Fixes an issue with corrrupted message bodies when using movemail
* Remove unused option.
* Update enigmail to 1.4.1
Changelog:
* Global Search results now include message extracts in the results
* Various security fixes
* Various improvements to RSS feed subscription and general feed handling
* Thunderbird now supports add-ons that provide different types of
local mail storage
* Update Lightning to 1.3 from 1.3b1
Changelog:
* Support for Apple iCloud and Chandler servers improved
* Support for high contrast themes (needs to be enabled in the preferences)
* New toolbar to adapt to Thunderbird's Tabs-on-Top
thing happens from time to time with python27 as with python26.
Whatever's going on apparently strikes randomly, so changing something
and rebuilding successfully doesn't prove that you've fixed it.
8.0 changes:
Thunderbird is based on the new Mozilla Gecko 8 engine
Add-ons installed by third party programs are now disabled by default
New Search and Find Shortcuts
Improved accessibility of the attachment list
Folder switching pane widget has been removed, can be added back with the
Folder Pane View Switcher Add-on
Numerous platform fixes to stability
Fixed several security issues
7.0 changes:
Thunderbird is based on the new Mozilla Gecko 7 engine
Several user interface fixes and improvements
Several fixes to attachment handling
Ability to print a summary of selected email messages
Platform improvements to Address Book
Fixed several security issues
Numerous platform fixes that improve speed, performance and stability
Release notes for 6.0:
Thunderbird is based on the new Mozilla Gecko 6 engine
Several theme improvements for Windows 7
Support for Windows 7 Jump lists
Several fixes when importing email from Microsoft Outlook
Default mail client check now works with newer Linux distributions
Various other user interface fixes and improvements
Numerous platform fixes that improve speed, performance, stability and security
Release notes for 5.0:
More responsive and faster to start up and use
Thunderbird is based on the new Mozilla Gecko 5 engine
New Add-ons Manager
Revised account creation wizard to improve email setup
New Troubleshooting Information page
Tabs can now be reordered and dragged to different windows
Attachment sizes now displayed along with attachments
Plugins can now be loaded in RSS feeds by default
There are several theme fixes for Windows Vista and Windows 7
Support for Mac 32/64 bit Universal builds (Thunderbird no longer supports PowerPC on Mac)
Over 390 platform fixes that improve speed, performance, stability and security
- Several fixes to improve performance, stability and security
- Several fixes to improve handling of large folder files stored locally.
- Several fixes to improve corruption in local copy of IMAP mailboxes.
- MFSA 2010-78 Add support for OTS font sanitizer
- MFSA 2010-75 Buffer overflow while line breaking after document.write
with long string
- MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)
* Several fixes to improve stability.
* Several fixes to the user interface.
* Several security fixes:
MFSA 2010-63 Information leak via XMLHttpRequest statusText
MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
MFSA 2010-61 UTF-7 XSS by overriding document charset using <object> type
attribute
MFSA 2010-59 SJOW creates scope chains ending in outer object
MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
MFSA 2010-57 Crash and remote code execution in normalizeDocument
MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-55 XUL tree removal crash and remote code execution
MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
MFSA 2010-52 Windows XP DLL loading vulnerability
MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
MFSA 2010-50 Frameset integer overflow vulnerability
MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
(Since pkgsrc-2010Q2 has the 3.0 branch of thunderbird I will send a
separate diff to releng for the 3.0.6 security update.)
MFSA 2010-47 Cross-origin data leakage from script filename in error messages
MFSA 2010-46 Cross-domain data theft using CSS
MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent
character to vanish
MFSA 2010-43 Same-origin bypass using canvas context
MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
MFSA 2010-41 Remote code execution using malformed PNG image
MFSA 2010-40 nsTreeSelection dangling pointer remote code execution
MFSA 2010-39 nsCSSValue::Array index integer overflow
MFSA 2010-38 Arbitrary code execution using SJOW and fast native function
MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)
- Update bundled enigmail to 1.1.2
- Update mozilla branch patches to 1.9.2 (from devel/xulrunner)
- While here fix PR pkg/43598 PLIST problem w/ enigmail
---8<---
Thunderbird 3.1 is based on the Gecko 1.9.2 platform to provide improved
performance, stability, web compatibility, and code simplification and
sustainability.
New features include:
Faster Search Results and Quick Filter Toolbar
* Faster Search Results
* Quick Filter Toolbar
User Experience Improvements
* New Migration Assistant
* Saved Files Manager
* Mail Account Setup Wizard
Performance Improvements
* Improvements to Stability, Memory, and Password Handling
(missed those and *emacs* the first time round because they pull
in their png dependencies via default-on options; they were included
in the test bulk build though)
The 2.x version is still available in mail/thunderbird2.
Major changes:
- New Mail Account Setup Wizard
- Redesigned Mail Toolbar
- Tabbed Email Messages
- Smart Folders
- New Message Summary View
- Column Headings
- Message Archive
- Activity Manager
- New Add-ons Manager
- Improved Address Book
- Improved Gmail Integration
Full release notes:
http://www.mozillamessaging.com/en-US/thunderbird/3.0rc1/releasenotes/
Shared directories can now be created independently by the pacakges
needing them and will be removed automatically by pkg_delete when empty.
Packages needing empty directories can use the @pkgdir command in PLIST.
Discussed and ok'd in thread starting at
http://mail-index.netbsd.org/tech-pkg/2009/06/30/msg003546.html
Security fixes in this version:
MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)
For more info, see http://www.mozilla.com/en-US/thunderbird/2.0.0.22/releasenotes/
Pkgsrc changes:
o For the benefit of 64-bit strict alignment archs using gcc, such
as NetBSD/sparc64, ensure that the specially crafted double values
are properly aligned. Thanks to martin@ for pointing to the problem.
This should stop regxpcom from dropping core on NetBSD/sparc64.
OK'ed by wiz@
Security fixes in this version:
MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
For more info, see http://www.mozilla.com/en-US/thunderbird/2.0.0.21/releasenotes/
Security fixes in this version:
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-61 Information stealing via loadBindingDocument
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
For more info, see http://www.mozilla.com/en-US/thunderbird/2.0.0.19/releasenotes/
Security fixes in this version:
MFSA 2008-34 Remote code execution by overflowing CSS reference counter
MFSA 2008-33 Crash and remote code execution in block reflow
MFSA 2008-31 Peer-trusted certs can use alt names to spoof
MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
MFSA 2008-26 Buffer length checks in MIME processing
MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
MFSA 2008-24 Chrome script loading from fastload file
MFSA 2008-21 Crashes with evidence of memory corruption
For more info, see http://www.mozilla.com/en-US/thunderbird/2.0.0.16/releasenotes/
stay on par with Firefox version numbering?)
Security fixes in this version:
MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
For more info, see http://www.mozilla.com/en-US/thunderbird/2.0.0.14/releasenotes/
Security fixes in this version:
MFSA 2008-12 Heap buffer overflow in external MIME bodies
MFSA 2008-07 Possible information disclosure in BMP decoder
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
For more info, see http://www.mozilla.com/en-US/thunderbird/2.0.0.12/releasenotes/
There are three types Mozilla mirrors.
(http://www.mozilla.org/mirroring.html)
* mozilla-current
contains only the current version of Firefox and Thunderbird
* mozilla-release
contains Firefox, Thunderbird, and Sunbird releases
* mozilla-all
complete archive
Define following variables for mozilla master sites:
MASTER_SITE_MOZILLA_ALL = mozilla-all
MASTER_SITE_MOZILLA = mozilla-release
and change some packages to use appropriate variable.
Update contents of MASTER_SITE_MOZILLA with master and primary mirrors
taken from http://www.mozilla.org/mirrors.html and add some sample definitions.
security problems:
- MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
- MFSA 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)
(2.0.0.1-2.0.0.3 skipped to keep the version on par with Firefox?)
Security fixes in this version:
MFSA 2007-15 Security Vulnerability in APOP Authentication
MFSA 2007-12 Crashes with evidence of memory corruption
For more info, see http://www.mozilla.com/en-US/thunderbird/2.0.0.4/releasenotes/
What's New in Thunderbird 2
* Message Tags: Create your own tags for organizing email. Messages can be
assigned any number of tags. Tags can be combined with saved searches and
mail views to make it easier to organize email.
* Visual Theme: Thunderbird 2's theme and user interface have been updated to
improve usability and maximize screen real estate.
* Session History Navigation: Back and Forward buttons allow navigation through
message history.
* Advanced Folder Views: Customize the folder pane to show favorite, unread or
recent folders.
* Easy Access to Popular Web Mail Services: Gmail and .Mac users can access
their accounts in Thunderbird by simply providing their user names and
passwords.
* Improved Support For Extensions: Extensions can now add custom columns to the
message list pane in addition to storing custom message data in the mail
database.
* Improved New Mail Notification Alerts: New mail alerts include information
such as the subject, sender and message preview text.
* Folder Summary Popups: Mouse over a folder with new messages to see a summary
of the new messages in that folder.
* Saved Search Folder Performance: Search results for saved search folders are
now cached, improving folder loading performance.
* Find As You Type: Finds and highlights message text as you type.
* Improved Filing Tools: Recent folder menu items for moving and copying
messages to recently used folders. Move / Copy again functionality.
* Updates to the Extension System: The extension system has been updated to
provide enhanced security and to allow for easier localization of extensions.
The Rumbling Edge has a more detailed list of notable bug fixes:
http://weblogs.mozillazine.org/rumblingedge/archives/2007/03/tb_2.html
the exact names of the freebl libraries depends on the platform and they
have a habit of changing even on minor releases. This causes these mozilla
packages to be broken quite a lot on platforms other than NetBSD/i386.
Hopefully this fix will last longer than previous ones. pkgrevision bumps
all around.
two issues. The PLIST was incorrect and since the PLIST is used by
the "moz-install" script, anything missing from the PLIST is never
installed even when building from source. When libfreebl* were not
installed it caused the clients to fail to load the security component
and fail with "The browser failed to load its security component".
The second issue is that many installations of solaris-2.9 include
various glib/gtk/gnome libraries in /usr/lib. This causes failures
because the pkgsrc ones were used at link time and the /usr/lib ones
at run time. Work around this by setting a LD_LIBRARY_PATH that includes
the pkgsrc lib directory first.
pkgrevision bumps all around.
MFSA 2006-74 Mail header processing heap overflows
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
For more info, see http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.9.html
talking to ipv4 addresses using ipv6 addresses isn't allowed, which is
the default on NetBSD. Patch to use a v4 socket when talking to an ipv4
ldap server. Fixes my PR 33511.
seamonkey/firefox/sunbird have the same code so make the same patch.
OKed ghen. Bump PKGREVISION.
MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
MFSA 2006-63 JavaScript execution in mail via XBL
MFSA 2006-60 RSA Signature Forgery
MFSA 2006-59 Concurrency-related vulnerability
MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
MFSA 2006-57 JavaScript Regular Expression Heap Corruption
For more info, see http://www.mozilla.com/thunderbird/releases/1.5.0.7.html
mail/thunderbird-gtk1 to 1.5.0.4, and www/seamonkey, www/seamonkey-gtk1
and www/seamonkey-bin to 1.0.2 (salo has already updated www/firefox-bin).
Note that thunderbird skipped one release number (again) to stay on par
with firefox.
These updates provide:
* improvements to product stability,
* several important security fixes (see below).
Fixed in Firefox 1.5.0.4:
MFSA 2006-43 Privilege escalation using addSelectionListener
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-41 File stealing by changing input type (variant)
MFSA 2006-39 "View Image" local resource linking (Windows)
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-36 PLUGINSPAGE privileged JavaScript execution 2
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-34 XSS viewing javascript: frames or images from context menu
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
Fixed in Thunderbird 1.5.0.4:
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
Fixed in SeaMonkey 1.0.2:
MFSA 2006-43 Privilege escalation using addSelectionListener
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-41 File stealing by changing input type (variant)
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-39 "View Image" local resource linking (Windows)
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-34 XSS viewing javascript: frames or images from context menu
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
Firefox).
Thunderbird 1.5.0.2 offers improved stability, and several security fixes:
MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented
MFSA 2006-27 Table Rebuilding Code Execution Vulnerability
MFSA 2006-26 Mail Multiple Information Disclosure
MFSA 2006-25 Privilege escalation through Print Preview
MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
MFSA 2006-21 JavaScript execution in mail when forwarding in-line
MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)
MFSA 2006-08 "AnyName" entrainment and access control hazard
MFSA 2006-07 Read beyond buffer while parsing XML
MFSA 2006-06 Integer overflows in E4X, SVG and Canvas
MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist()
MFSA 2006-04 Memory corruption via QueryInterface on Location, Navigator objects
MFSA 2006-02 Changing postion:relative to static corrupts memory
MFSA 2006-01 JavaScript garbage-collection hazards
For a detailed ChangeLog, see:
http://weblogs.mozillazine.org/rumblingedge/archives/2006/02/1-5-0-2.html
What's new:
* Automated update to streamline product upgrades. Notification of an
update is more prominent, and updates to Thunderbird may now be half a
megabyte or smaller. Updating extensions has also improved.
* Sort address autocomplete results by how often you send e-mail to each recipient.
* Spell check as you type.
* Saved Search Folders can now search across multiple accounts.
* Built in phishing detector to help protect users against email scams.
* Podcasting and other RSS Improvements.
* Deleting attachments from messages.
* Integration with server side spam filtering.
* Reply and forward actions for message filters.
* Kerberos Authentication.
* Auto save as draft for mail composition.
* Message aging.
* Filters for Global Inbox.
* Improvements to product usability including redesigned options interface,
and SMTP server management.
* Many security enhancements.
For a more detailed list of changes, see http://weblogs.mozillazine.org/rumblingedge/archives/2006/01/1-5.html
Ok with wiz.
What's New in Thunderbird 1.0.7 (from Release Notes)
Thunderbird 1.0.7 is a security and stability update that is
part of our ongoing program to provide a safe Internet experience
for our customers. We recommend that all users upgrade to this
latest version.
NetBSD the thread safe resolver is only available on __NetBSD_Version__
>= 299000900. Fixes runtime usage on NetBSD 2.1. New Versions:
- firefox-1.0.6nb2
- firefox-gtk1-1.0.6nb2
- mozilla-1.7.11nb1
- mozilla-gtk2-1.7.11nb1
- thunderbird-1.0.6nb1
- thunderbird-gtk1-1.0.6nb1
Here are some of the new features to look for in Thunderbird:
* Adaptive Junk Mail Controls
* RSS Integration
* Saved Search Folders
Saved Search Folders display messages based on previously set search
criteria. For example, instead of filtering messages into a new
folder, you can create a Saved Search Folder that lists all the
messages received from a certain person over the past 30 days, even if
those messages are stored in different folders and subfolders.
* Global Inbox Support
POP3 users can now combine all of their POP3 accounts into a single
global inbox under local folders.
* Message Grouping
You can now group messages in a folder by attributes such as date,
sender, priority or a custom label. For instance, a folder grouped by
date will group messages from today, yesterday, last week, etc. into
self-contained groups in the message list pane. (View > Sort By >
Grouped By Sort)
* Privacy Protection
In order to help protect your privacy, Thunderbird now automatically
blocks remote image requests in emails from senders you don't know.
* Comprehensive Mail Migration from other Mail Clients
Switching to Thunderbird has never been easier since Thunderbird can
now migrate all of your email data including settings, mail folders
and address book data from common mail applications such as the
Mozilla 1.x Suite, Outlook Express, Outlook and Eudora.
2)sync patches from www/mozilla.
- update patch-ab
from commit log
>> date: 2004/08/31 02:37:57; author: danw; state: Exp; lines: +13 -6
>> darwin fixes (tested against firefox-gtk2)
- update patch-ac
- update patch-bx
- add patch-bz
- add patch-ca
- add patch-cb
from commit log
>> date: 2004/07/07 09:08:31; author: aymeric; state: Exp; lines: +14 -7
>> . on PowerPC, update files so that Mozilla works properly when compiled with
>> gcc version 3+.
>> . generally reduce diffs to Linux version
>> . retain compatibility with older ABI (AIX-like) thanks to useful comments
>> from Charles Hannum
>>
>> Thanks to Matthew Green for the fruitful discussion. This should address
>> PR#23240 as far as mozilla is concerned.
- remove patch-bn
enable HAVE_SOCKLEN_T
- update patch-br
from commit log
>> date: 2004/10/04 11:52:45; author: grant; state: Exp; lines: +10 -6
>> bring across a patch in Firefox for using thread-safe resolver library
>> functions on NetBSD >=2.0F.
- update patch-cc
make mozilla work on NetBSD-current/alpha
3)bump PKGREVISION
Here are the highlights for this Thunderbird release:
* Saved Search Folders
- Saved Search Folders display messages based on previously set search
criteria. For example, instead of filtering messages into a new
folder, you could create a Saved Search Folder that lists all the
messages received from a certain person over the past 30 days, even if
those messages are stored in different folders and subfolders.
* Message Grouping
- You can now group messages in a folder by attributes such as date,
sender, priority or a custom label. For instance, a folder grouped by
date will group messages from today, yesterday, last week, etc. into
self-contained groups in the message list pane. (View > Sort By >
Grouped By Sort)
* Other New Features
- Messages with attachments now get marked as such in the message list
pane immediately and not when the message is displayed.
- Improvements to Thunderbird's Global Inbox support for POP3 users.
- The new quick search bar introduced in 0.8 now features a clear
button when search text is present inside the quick search box.
- Fixed a regression introduced in 0.8 where a user could not change
the local folder path in the Account Manager.
- Improved offline support including fixes for common offline-related
problems.
- Improved privacy controls block remote content in e-mail messages
from senders not in your address book.
- Long file attachment names are no longer truncated in the message
pane.
- Bug fixes too numerous to mention!
What's new from Release Notes:
* Global Inbox
POP3 users can now combine all of their POP3 accounts into a single
global inbox under local folders.
* Comprehensive Data Migration
Switching to Thunderbird has never been easier since Thunderbird can
now migrate all of your e-mail data including settings, mail folders
and address book data from common mail applications such as the
Mozilla 1.x Suite, Outlook Express, Outlook and Eudora.
* RSS Integration
Thunderbird now features a built in RSS reader which allows you to
easily subscribe to and read news and weblogs that support RSS.
* Improved Privacy Controls
In order to help protect your privacy, Thunderbird now automatically
blocks remote image requests in e-mails from senders you don't know.
* Improved Quick Search
Thunderbird now makes it even easier to manage your e-mail. Quick
search now supports many different types of search criteria including
the ability to search message body text. Thunderbird can also
highlight the quick search terms in the message body.
* Other New Features
Support for using a master password to encrypt saved e-mail account passwords.
Linux GNOME users can now make Thunderbird their default e-mail client
(Tools > Options > General).
If your network uses proxy authentication for HTTP, Thunderbird now
correctly prompts for proxy authentication instead of silently
failing.
Bug fixes too numerous to mention!
---
Several security holes have been fixed. See the page bellow for
detail.
http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
From the article from mozillazine.org:
mozilla.org today released upgrades to both Firefox 0.9 (0.9.1) and
Thunderbird 0.7 (0.7.1) to fix some minor bugs present in both
releases. Both releases correct some flaws in the extension system
that some users may have been experiencing, as well as a new icon set
for the navigation toolbar on Windows and Linux in Firefox 0.9.1. All
users of both products should get this upgrade.
Here are the highlights for this release of Thunderbird:
* Smaller and Faster
The Windows Installer is now only a 5.9MB download. Significant
performance improvements on Windows, Linux and Mac OS X!
* New Themes and Extension Manager
Provides a convenient and secure way to manage and update the many
add-ons that set Thunderbird apart from other e-mail clients.
* Crash Analysis Tools (Talkback)
Help us help you! Integration with Mozilla Talkback allows users to
submit crash reports which makes it easier for us to find Thunderbird
top crashes.
* Other New Features...
New user interface for viewing vCards.
New Profile Manager which also supports running from a USB device.
Color quoting for quoted message parts.
Thunderbird now supports a user interface for creating multiple
identities per e-mail account. This makes it easy to have several
e-mail addresses which end up going into the same account.
* Recently Fixed Bugs
Fix for an occassional hang when reading IMAP mail over SSL.
Our LDAP support works against older version 2 LDAP servers again in
addition to version 3.
Thunderbird can handle mailto urls that contain raw spaces in the
subject.
Other bug fixes too numerous to mention!
What's new from release notes:
* Improved Junk Mail Controls
The algorithm for the adaptive junk mail controls has been heavily
redesigned to learn faster and catch more spam.
* New Brand Identity
To be consistent with the Mozilla Foundation's goal of brand identity,
Thunderbird has a new logo and supporting artwork thanks to the fine
work of the Mozilla Visual Identity team.
* Other New Features...
- IMAP users can now benefit from support for the IMAP IDLE command
which allows the mail server to push notifications such as new mail
arriving as soon as it arrives.
- Thunderbird supports server-wide news filters that apply to all
newsgroups on a server.
- Thunderbird includes Secure Password Authentication using a new
cross-platform NTLM authentication mechanism for IMAP, POP3 and SMTP.
- Mail filters can now mark messages as junk.
- Tools > Options > Compose > HTML Options allows you to set up
default HTML compose options such as font, size and color.
- Attachments can be opened directly from the compose window to verify
their contents before sending.
- Thunderbird now supports the notion of multiple identities per mail
account. This makes it easy to have several e-mail addresses which end
up going into the same account. Read More about how to set this up.
* Recently Fixed Bugs
- In the case of a failure when copying a message to an online Sent
folder, Thunderbird will now ask if you would like it to try again.
- Pasting data from an OpenOffice.org spreadsheet no longer pastes
random HTML garbage before the actual spreadsheet data into HTML
compose.
- Fixed several situations where LDAP connections were left open when
using LDAP auto complete or performing searches on LDAP directories.
- Improved view source behavior.
- Mail notification for POP3 messages that are marked deleted or
marked read by mail filters no longer occurs.
- The "Mark All Read" keyboard shortcut now works for Linux GTK2.
Mozilla Thunderbird is a redesign of the Mozilla mail component. The
goal is to produce a cross platform stand alone mail application using
the XUL user interface language.
