Changelog:
changed
Thunderbird will now prompt to compact IMAP folders even if the account is online. Note: Under certain circumstances an incorrect estimate of the expected gain is shown.
fixed
Complete fix of the EFAIL vulnerability: 1) Removing some HTML crafted to carry out an attack. 2) Optionally: Not decrypting subordinate message parts that otherwise might reveal decrypted content to the attacker. Preference mailnews.p7m_subparts_external needs to be set to true for added security.
fixed
Various problems when forwarding messages inline when using "simple" HTML view
fixed
Deleting or detaching attachments corrupted messages under certain circumstances (not working only in Thunderbird version 52.9.0)
fixed
Various security fixes
Security fixes:
#CVE-2018-12359: Buffer overflow using computed size of canvas element
#CVE-2018-12360: Use-after-free when using focus()
#CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails
#CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward
#CVE-2018-12362: Integer overflow in SSSE3 scaler
#CVE-2018-12363: Use-after-free when appending DOM nodes
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
#CVE-2018-12365: Compromised IPC child process can list local filenames
#CVE-2018-12366: Invalid data handling during QCMS transformations
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
#CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field
#CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9
Changelog:
#CVE-2018-5183: Backport critical security fixes in Skia
#CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
#CVE-2018-5154: Use-after-free with SVG animations and clip paths
#CVE-2018-5155: Use-after-free with SVG animations and text paths
#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
#CVE-2018-5161: Hang via malformed headers
#CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
#CVE-2018-5170: Filename spoofing for external attachments
#CVE-2018-5168: Lightweight themes can be installed without user interaction
#CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
for downloaded files in Windows 10 April 2018 Update
#CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
#CVE-2018-5185: Leaking plaintext through HTML forms
#CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8,
and Thunderbird 52.8
Changelog:
Fixed Searching message bodies of messages in local folders,
including filter and quick filter operations, did not find
content in message attachments
Fixed Better error handling for Yahoo accounts
Fixed Various security fixes
#CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
#CVE-2018-5129: Out-of-bounds write with malformed IPC messages
#CVE-2018-5144: Integer overflow during Unicode conversion
#CVE-2018-5146: Out of bounds memory write in libvorbis
#CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7,
and Thunderbird 52.7
#CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and
Thunderbird 52.7
Changelog:
Fixed Searching message bodies of messages in local folders, including
filter and quick filter operations, not working reliably:
Content not found in base64-encode message parts, non-ASCII text
not found and false positives found.
Fixed Defective messages (without at least one expected header) not shown
in IMAP folders but shown on mobile devices
Fixed Calendar: Unintended task deletion if numlock is enabled
Fixed Various security fixes
Security fixes:
#CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
#CVE-2018-5096: Use-after-free while editing form elements
#CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
#CVE-2018-5098: Use-after-free while manipulating form input elements
#CVE-2018-5099: Use-after-free with widget listener
#CVE-2018-5102: Use-after-free in HTML media elements
#CVE-2018-5103: Use-after-free during mouse event handling
#CVE-2018-5104: Use-after-free during font face manipulation
#CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
#CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
and Thunderbird 52.6
Changelog:
Fix
This releases fixes the "Mailsploit" vulnerability and other vulnerabilities
detected by the "Cure53" audit. For details and various other security
fixes see here.
CVE-2017-7845: Buffer overflow when drawing and validating elements with
ANGLE library using Direct 3D 9
CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
CVE-2017-7847: Local path string can be leaked from RSS feed
CVE-2017-7848: RSS Feed vulnerable to new line Injection
CVE-2017-7829: Mailsploit part 1: From address with encoded null character
is cut off in message header display
Unsorted entries in PLIST files have generated a pkglint warning for at
least 12 years. Somewhat more recently, pkglint has learned to sort
PLIST files automatically. Since pkglint 5.4.23, the sorting is only
done in obvious, simple cases. These have been applied by running:
pkglint -Cnone,PLIST -Wnone,plist-sort -r -F
Changelog:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in use.
This results in a potentially exploitable crash during these operations.
References
Bug 1406750
Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for data
theft of URLs loaded by users.
References
Bug 1408990
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David Keeler,
Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp,
Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56, Firefox ESR 52.4, and
Thunderbird 52.4. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort that some of these could be
exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
Chagelog:
New
In Thunderbird 52 a new behavior was introduced for replies to mailing
list posts: "When replying to a mailing list, reply will be sent to
address in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
Fixed
Under certain circumstances (image attachment and non-image attachment),
attached images were shown truncated in messages stored in IMAP
folders not synchronised for offline use.
Fixed
IMAP UIDs > 0x7FFFFFFF not handled properly
Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API
Reporter
Abhishek Arya
Impact
high
Description
A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use,
resulting in a potentially exploitable crash.
References
Bug 1371889
#CVE-2017-7818: Use-after-free during ARIA array manipulation
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.
References
Bug 1363723
#CVE-2017-7819: Use-after-free while resizing images in design mode
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have
been freed from memory. This results in a potentially exploitable crash.
References
Bug 1380292
#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE
Reporter
Omair, Andre Weissflog
Impact
high
Description
A buffer overflow occurs when drawing and validating elements with
the ANGLE graphics library, used for WebGL content. This is due to
an incorrect value being passed within the library during checks and
results in a potentially exploitable crash.
References
Bug 1398381
#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
Reporter
Martin Thomson
Impact
high
Description
During TLS 1.2 exchanges, handshake hashes are generated which point
to a message buffer. This saved data is used for later messages but
in some cases, the handshake transcript can exceed the space available
in the current buffer, causing the allocation of a new buffer. This
leaves a pointer pointing to the old, freed buffer, resulting in
a use-after-free when handshake hashes are then calculated afterwards.
This can result in a potentially exploitable crash.
References
Bug 1377618
#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings
Reporter
François Marier
Impact
moderate
Description
File downloads encoded with blob: and data: URL elements bypassed
normal file download checks though the Phishing and Malware Protection
feature and its block lists of suspicious sites and files. This
would allow malicious sites to lure users into downloading executables
that would otherwise be detected as suspicious.
References
Bug 1376036
#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces
Reporter
Khalil Zhani
Impact
moderate
Description
Several fonts on OS X display some Tibetan and Arabic characters
as whitespace. When used in the addressbar as part of an IDN
this can be used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other
operating systems are unaffected.
References
Bug 1393624
Bug 1390980
#CVE-2017-7823: CSP sandbox directive did not create a unique origin
Reporter
Jun Kokatsu
Impact
moderate
Description
The content security policy (CSP) sandbox directive did not
create a unique origin for the document, causing it to behave as
if the allow-same-origin keyword were always specified. This could
allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.
References
Bug 1396320
#CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4,
and Thunderbird 52.4
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55, Firefox
ESR 52.3, and Thunderbird 52.3. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
Changelog:
Fixed
Unwanted inline images shown in rogue SPAM messages
Fixed
Deleting message from the POP3 server not working when maildir storage was used
Fixed
Message disposition flag (replied / forwarded) lost when reply or forwarded message was stored as draft and draft was sent later
Fixed
Inline images not scaled to fit when printing
Fixed
Selected text from another message sometimes included in a reply
Fixed
No authorisation prompt displayed when inserting image into email body although image URL requires authentication
Fixed
Large attachments taking a long time to open under some circumstances
Fixed
Various security fixes
Changelog:
52.2.1
Fixed Problems with Gmail (folders not showing, repeated email download, etc.) introduced in version 52.2.0.
52.2.0
Fixed Embedded images not shown in email received from Hotmail/Outlook webmailer
Fixed Detection of non-ASCII font names in font selector
Fixed Attachment not forwarded correctly under certain circumstances
Fixed Multiple requests for master password when GMail OAuth2 is enabled
Fixed Large number of blank pages being printed under certain circumstances when invalid preferences were present
Fixed Messages sent via the Simple MAPI interface are forced to HTML
Fixed Calendar: Invitations can't be printed
Fixed Mailing list (group) not accessible from macOS or Outlook address book
Fixed Clicking on links with references/anchors where target doesn't exist in the message not opening in external browser
Fixed Various security fixes
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2, and Thunderbird 52.2
52.1.1
Fixed Large attachments may not be shown or saved correctly if the message is stored in an IMAP folder which is not synchronized for offline use
Fixed Unable to load full message via POP if message was downloaded partially (or only headers) before
Fixed Some attachments can't be opened or saved if the message body is empty
Fixed Crash when compacting IMAP folder
Changelog:
Fixed
* Background images not working and other issues related to embedded images when composing email
* Google Oauth setup can sometimes not progress to the next step
Changelog:
52.0.1:
Fixed
Clicking on a link in an email may not open this link in the external browser.
Crash due to incompatibility with McAfee Anti-SPAM add-on. Add-on is blocked in 52.0.1
52.0:
New
Folder pane toolbar and folder view selector (replacement for folder view arrows)
Optionally remove corresponding data files when removing an account from Thunderbird
Import settings from Becky! Internet Mail
Possibility to copy message filter
Dictionary setting is restored when editing a draft. Content-Language header (RFC 3282) transmitted with message
Calendar: Event can now be created and edited in a tab
Calendar: Processing of received invitation counter proposals
Chat: Support Twitter Direct Messages
Chat: Liking and favoriting in Twitter
Chat: XMPP: Support SASL SCRAM authentication mechanism
Chat: Support Jabber/XMPP Message Carbons (XEP-280)
Changed
IMPORTANT: The way images are included in a compose window has changed. Images are now included as data URIs and not as references to parts of other messages or operating system files. This allows better interoperability with office packages such as MS Office or LibreOffice. Images linked from locations on the internet will no longer be downloaded and attached to the message automatically. This can be changed for each image individually via the Image Properties dialog or globally by setting the preference mail.compose.attach_http_images.
Correspondents column now default for all new folders, can be switched off with preference mail.threadpane.use_correspondents
When replying to a mailing list, reply will be sent to address in From header ignoring Reply-to header
On Linux PulseAudio is now required to play sound
Formatting toolbar is now left in place when delivery format is switched to plain text only
Messages in IMAP folders read on external device are now filtered by default
Folders backed by mbox storage larger than 4GB are supported without warning (unless preference mailnews.allowMboxOver4GB is set to false)
IMAP caching now uses Mozilla's latest caching technology
The keyboard shortcut to insert hyperlinks into a compose window was changed from CTRL+L to CTRL+K to align with Office applications
Chat: Removed Yahoo! Messenger support (since Yahoo removed support)
Fixed
Message preview pane non-functional after IMAP folder was renamed or moved
Fixed
Editing in paragraph format: Pressing Shift+Enter sometimes doesn't move the cursor to the next line
Various corrections when composing messages in paragraph format
Paste as quotation doesn't always work
Long lines in plain text replies not properly wrapped
Undesired white-space before signature in paragraph mode
When attachment unavailable, compose shows endless "Attaching..." message instead of error
Text encoding of reply sometimes incorrect (uses encoding of last viewed message)
Text encoding of message display, reply or forwarded message sometimes incorrect (uses encoding of attachment)
Delivery Format not preserved for saved drafts (Auto-Detect|Plaintext|HTML|Both)
Reply to own e-mail does not reply with the correct identity
IMAP message part caching
Links with escaped non-ASCII (international) characters can't be clicked
Calendar: Events specified in timezone "local time" generate alerts in UTC time
Chat: XMPP Resource collisions
Various security fixes
Security fixes:
#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
#CVE-2017-5401: Memory Corruption when handling ErrorResult
#CVE-2017-5402: Use-after-free working with events in FontFace objects
#CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
#CVE-2017-5404: Use-after-free working with ranges in selections
#CVE-2017-5406: Segmentation fault in Skia with canvas operations
#CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
#CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
#CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
#CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
#CVE-2017-5412: Buffer overflow read in SVG filters
#CVE-2017-5413: Segmentation fault during bidirectional operations
#CVE-2017-5414: File picker can choose incorrect default directory
#CVE-2017-5416: Null dereference crash in HttpChannel
#CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
#CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
#CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
#CVE-2017-5419: Repeated authentication prompts lead to DOS attack
#CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
#CVE-2017-5421: Print preview spoofing
#CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
#CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
#CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
Changelog:
#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
#CVE-2017-5401: Memory Corruption when handling ErrorResult
#CVE-2017-5402: Use-after-free working with events in FontFace objects
#CVE-2017-5404: Use-after-free working with ranges in selections
#CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
#CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
#CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
#CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
#CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8
Changelog:
Fixed Message preview pane non-functional after IMAP folder was renamed or moved
Fixed "Move To" button on "Search Messages" panel not working
Fixed Message sent to "undisclosed recipients" shows no recipient (non-functional since Thunderbird version 38)
Fixed Calendar: No way to accept/decline email invitations when sent and received messages are stored in the same folder
Fixed Various security fixes
Security fixes:
#CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
#CVE-2017-5376: Use-after-free in XSL
#CVE-2017-5378: Pointer and frame data leakage of Javascript objects
#CVE-2017-5380: Potential use-after-free during DOM manipulations
#CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
#CVE-2017-5396: Use-after-free with Media Decoder
#CVE-2017-5383: Location bar spoofing with unicode characters
#CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
Changelog:
Fixed The system integration dialog was shown every time when starting Thunderbird
Fixed Various security fixes
Security vulnerabilities fixed in Thunderbird 45.6
#CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
#CVE-2016-9895: CSP bypass using marquee tag
#CVE-2016-9897: Memory corruption in libGLES
#CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
#CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
#CVE-2016-9904: Cross-origin information leak in shared atoms
#CVE-2016-9905: Crash in EnumerateSubDocuments
#CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
Changelog:
45.5.1:
#CVE-2016-9079: Use-after-free in SVG Animation
45.5.0:
#CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
#CVE-2016-5294: Arbitrary target directory for result files of update process
#CVE-2016-5297: Incorrect argument length checking in JavaScript
#CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
#CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
#CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
#CVE-2016-5290: Memory safety bugs fixed in Thunderbird 45.5
Changelog:
Fixed "Apply columns to..." did not honor special folders
Fixed Threading broken when editing message draft, due to loss of Message-ID
Fixed Mail saved as template copied In-Reply-To and References from original email.
Fixed Additional spaces were inserted when drafts were edited.
Fixed Recipient addresses were shown in red despite being inserted from the address book in some circumstances.
Fixed Display name was truncated if no separating space before email address.
Changelog:
Fixed Certain messages caused corruption of the drafts summary database.
Fixed "edit as new message" on a received message pre-filled the sender as the composing identity.
Fixed Disposition-Notification-To could not be used in mail.compose.other.header
Fixed Various security fixes
Fixed in Thunderbird 45.3
2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
Changelog:
Fixed Invitations to events could not be printed.
Fixed Dragging and dropping of contacts from the contact list onto an addressbook while All Addressbooks is selected moved only one contact
Fixed Falsely reported not enough disk space during compacting
Fixed Links were not always detected properly in the message body (terminated early on "|", some long links not detected at all)
Fixed in Thunderbird 45.2
2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
Changelog:
Fixed When entering members into a mailing list, the enter key dismissed the panel instead of just moving onto the next line
Fixed Email without HTML elements was sent as HTML, despite "Delivery Format: Auto-detect" option
Fixed Options applied to a template were lost when the template was used.
Fixed Contacts could not be deleted when they were found through a search
Fixed Views from global searches did not respect "mail.threadpane.use_correspondents"
Changelog:
Fixed in Thunderbird 45.1
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety problems and crashes that are fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46.
Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46 (CVE-2016-2807)
Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory safety problems and crashes that are fixed in Firefox ESR 45.1 and Firefox 46.
Memory safety bugs fixed in Firefox ESR 45.1 and Firefox 46 (CVE-2016-2806)
Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve Fink reported memory safety problems and crashes that are fixed in Firefox 46.
Memory safety bugs fixed in Firefox 46 (CVE-2016-2804)
Christian Holler reported a memory safety problem that is fixed in Firefox ESR 38.8.
Memory safety bug fixed in Firefox ESR 38.8 (CVE-2016-2805)
