Commit graph

341 commits

Author SHA1 Message Date
tron
7bdf978c1c Update home page URL 2018-08-07 22:48:17 +00:00
ryoon
2a81e2a7c5 Update to 52.9.1
Changelog:
    changed
    Thunderbird will now prompt to compact IMAP folders even if the account is online. Note: Under certain circumstances an incorrect estimate of the expected gain is shown.

    fixed
    Complete fix of the EFAIL vulnerability: 1) Removing some HTML crafted to carry out an attack. 2) Optionally: Not decrypting subordinate message parts that otherwise might reveal decrypted content to the attacker. Preference mailnews.p7m_subparts_external needs to be set to true for added security.

    fixed
    Various problems when forwarding messages inline when using "simple" HTML view

    fixed
    Deleting or detaching attachments corrupted messages under certain circumstances (not working only in Thunderbird version 52.9.0)

    fixed
    Various security fixes

Security fixes:
#CVE-2018-12359: Buffer overflow using computed size of canvas element
#CVE-2018-12360: Use-after-free when using focus()
#CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails
#CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward
#CVE-2018-12362: Integer overflow in SSSE3 scaler
#CVE-2018-12363: Use-after-free when appending DOM nodes
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
#CVE-2018-12365: Compromised IPC child process can list local filenames
#CVE-2018-12366: Invalid data handling during QCMS transformations
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
#CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field
#CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9
2018-07-30 19:51:47 +00:00
ryoon
4fea36abc2 Recursive revbump from audio/pulseaudio 2018-07-06 15:06:40 +00:00
ryoon
05065f34dd Update to 52.8.0
Changelog:
#CVE-2018-5183: Backport critical security fixes in Skia
#CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
#CVE-2018-5154: Use-after-free with SVG animations and clip paths
#CVE-2018-5155: Use-after-free with SVG animations and text paths
#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
#CVE-2018-5161: Hang via malformed headers
#CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
#CVE-2018-5170: Filename spoofing for external attachments
#CVE-2018-5168: Lightweight themes can be installed without user interaction
#CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
 for downloaded files in Windows 10 April 2018 Update
#CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
 through legacy extension
#CVE-2018-5185: Leaking plaintext through HTML forms
#CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8,
 and Thunderbird 52.8
2018-06-01 19:49:40 +00:00
wiz
8ee21bdcf0 Recursive bump for new fribidi dependency in pango. 2018-04-16 14:33:44 +00:00
wiz
39da2ae3f9 thunderbird: fix SUBST* and patch so it actually does something. 2018-03-29 10:19:30 +00:00
wiz
9e81e4116a thunderbird: fix path to file in SUBST* 2018-03-28 20:13:55 +00:00
ryoon
f652d6ab10 Update to 52.7.0
Changelog:
    Fixed Searching message bodies of messages in local folders,
          including filter and quick filter operations, did not find
          content in message attachments
    Fixed Better error handling for Yahoo accounts
    Fixed Various security fixes

#CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
#CVE-2018-5129: Out-of-bounds write with malformed IPC messages
#CVE-2018-5144: Integer overflow during Unicode conversion
#CVE-2018-5146: Out of bounds memory write in libvorbis
#CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7,
                and Thunderbird 52.7
#CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and
                Thunderbird 52.7
2018-03-28 13:34:19 +00:00
rin
35471638db Fix from upstream for Bug 1444371:
mail.label_ascii_only_mail_as_us_ascii does not work with ISO-2022-JP

Bump PKGREVISION.
2018-03-23 05:29:11 +00:00
wiz
c57215a7b2 Recursive bumps for fontconfig and libzip dependency changes. 2018-03-12 11:15:24 +00:00
ryoon
ebc093bf2e Update to 52.6.0
Changelog:
    Fixed Searching message bodies of messages in local folders, including
            filter and quick filter operations, not working reliably:
            Content not found in base64-encode message parts, non-ASCII text
            not found and false positives found.
    Fixed Defective messages (without at least one expected header) not shown
            in IMAP folders but shown on mobile devices
    Fixed Calendar: Unintended task deletion if numlock is enabled
    Fixed Various security fixes

Security fixes:
#CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
#CVE-2018-5096: Use-after-free while editing form elements
#CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
#CVE-2018-5098: Use-after-free while manipulating form input elements
#CVE-2018-5099: Use-after-free with widget listener
#CVE-2018-5102: Use-after-free in HTML media elements
#CVE-2018-5103: Use-after-free during mouse event handling
#CVE-2018-5104: Use-after-free during font face manipulation
#CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
#CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
                  and Thunderbird 52.6
2018-03-03 22:20:39 +00:00
wiz
bff4597ffc Bump PKGREVISION for gdbm shlib major bump 2018-01-28 20:10:34 +00:00
ryoon
a899fccaf0 Update to 52.5.2
Changelog:
Fix
 This release fixes the "Mailsploit" vulnerability and other vulnerabilities
 detected by the "Cure53" audit. For details and various other security
 fixes see here.

CVE-2017-7845: Buffer overflow when drawing and validating elements with
  ANGLE library using Direct 3D 9
CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
CVE-2017-7847: Local path string can be leaked from RSS feed
CVE-2017-7848: RSS Feed vulnerable to new line Injection
CVE-2017-7829: Mailsploit part 1: From address with encoded null character
  is cut off in message header display
2018-01-24 16:39:02 +00:00
rillig
b381c6e2f3 Sort PLIST files.
Unsorted entries in PLIST files have generated a pkglint warning for at
least 12 years. Somewhat more recently, pkglint has learned to sort
PLIST files automatically. Since pkglint 5.4.23, the sorting is only
done in obvious, simple cases. These have been applied by running:

  pkglint -Cnone,PLIST -Wnone,plist-sort -r -F
2018-01-01 22:29:15 +00:00
ryoon
cb36a0e1c0 Update to 52.5.0
Changelog:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout

Reporter
    Nils
Impact
    critical

Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in use.
This results in a potentially exploitable crash during these operations.

References
    Bug 1406750
    Bug 1412252

#CVE-2017-7830: Cross-origin URL information leak through Resource Timing API

Reporter
    Jun Kokatsu
Impact
    high

Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for data
theft of URLs loaded by users.

References
    Bug 1408990

#CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5

Reporter
    Mozilla developers and community
Impact
    critical

Description
Mozilla developers and community members Christian Holler, David Keeler,
Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp,
Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56, Firefox ESR 52.4, and
Thunderbird 52.4. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort that some of these could be
exploited to run arbitrary code.

References
    Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
    and Thunderbird 52.5
2017-11-27 23:36:39 +00:00
wiz
20f7c989fe recursive bump for libxkbcommon removal from at-spi2-core 2017-11-23 17:19:40 +00:00
ryoon
d712c7beef Update to 52.4.0
Changelog:
New
In Thunderbird 52 a new behavior was introduced for replies to mailing
list posts: "When replying to a mailing list, reply will be sent to
address in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.

Fixed
Under certain circumstances (image attachment and non-image attachment),
attached images were shown truncated in messages stored in IMAP
folders not synchronised for offline use.

Fixed
IMAP UIDs > 0x7FFFFFFF not handled properly

Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API

Reporter
    Abhishek Arya
Impact
    high

Description

A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use,
resulting in a potentially exploitable crash.

References
    Bug 1371889

#CVE-2017-7818: Use-after-free during ARIA array manipulation

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.

References
    Bug 1363723

#CVE-2017-7819: Use-after-free while resizing images in design mode

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have
been freed from memory. This results in a potentially exploitable crash.

References
    Bug 1380292

#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE

Reporter
    Omair, Andre Weissflog
Impact
    high

Description

A buffer overflow occurs when drawing and validating elements with
the ANGLE graphics library, used for WebGL content. This is due to
an incorrect value being passed within the library during checks and
results in a potentially exploitable crash.

References
    Bug 1398381

#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes

Reporter
    Martin Thomson
Impact
    high

Description

During TLS 1.2 exchanges, handshake hashes are generated which point
to a message buffer. This saved data is used for later messages but
in some cases, the handshake transcript can exceed the space available
in the current buffer, causing the allocation of a new buffer. This
leaves a pointer pointing to the old, freed buffer, resulting in
a use-after-free when handshake hashes are then calculated afterwards.
This can result in a potentially exploitable crash.

References
    Bug 1377618

#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings

Reporter
    François Marier
Impact
    moderate

Description

File downloads encoded with blob: and data: URL elements bypassed
normal file download checks through the Phishing and Malware Protection
feature and its block lists of suspicious sites and files. This
would allow malicious sites to lure users into downloading executables
that would otherwise be detected as suspicious.

References
    Bug 1376036

#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces

Reporter
    Khalil Zhani
Impact
    moderate

Description

Several fonts on OS X display some Tibetan and Arabic characters
as whitespace. When used in the addressbar as part of an IDN
this can be used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other
operating systems are unaffected.

References
    Bug 1393624
    Bug 1390980

#CVE-2017-7823: CSP sandbox directive did not create a unique origin

Reporter
    Jun Kokatsu
Impact
    moderate

Description

The content security policy (CSP) sandbox directive did not
create a unique origin for the document, causing it to behave as
if the allow-same-origin keyword were always specified. This could
allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.

References
    Bug 1396320

#CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4,
and Thunderbird 52.4

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55, Firefox
ESR 52.3, and Thunderbird 52.3. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.

References
    Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
2017-11-17 00:49:20 +00:00
ryoon
d7876e8e90 Remove removed inclusion. Pointed out by oster@. Thank you 2017-10-27 18:01:43 +00:00
maya
33ebf687dc revbump for requiring ICU 59.x 2017-09-18 09:52:56 +00:00
ryoon
5bd9ca4ef6 Recursive revbump from audio/pulseaudio-11.0 2017-09-08 02:38:35 +00:00
wiz
1fc957a0ce Follow some redirects. 2017-09-06 09:02:59 +00:00
ryoon
426dd73f54 Update to 52.3.0
Changelog:
    Fixed
    Unwanted inline images shown in rogue SPAM messages

    Fixed
    Deleting message from the POP3 server not working when maildir storage was used

    Fixed
    Message disposition flag (replied / forwarded) lost when reply or forwarded message was stored as draft and draft was sent later

    Fixed
    Inline images not scaled to fit when printing

    Fixed
    Selected text from another message sometimes included in a reply

    Fixed
    No authorisation prompt displayed when inserting image into email body although image URL requires authentication

    Fixed
    Large attachments taking a long time to open under some circumstances

    Fixed
    Various security fixes
2017-08-19 04:19:03 +00:00
ryoon
5787752e92 Update to 52.2.1
Changelog:
52.2.1
    Fixed Problems with Gmail (folders not showing, repeated email download, etc.) introduced in version 52.2.0.

52.2.0
    Fixed Embedded images not shown in email received from Hotmail/Outlook webmailer
    Fixed Detection of non-ASCII font names in font selector
    Fixed Attachment not forwarded correctly under certain circumstances
    Fixed Multiple requests for master password when GMail OAuth2 is enabled
    Fixed Large number of blank pages being printed under certain circumstances when invalid preferences were present
    Fixed Messages sent via the Simple MAPI interface are forced to HTML
    Fixed Calendar: Invitations can't be printed
    Fixed Mailing list (group) not accessible from macOS or Outlook address book
    Fixed Clicking on links with references/anchors where target doesn't exist in the message not opening in external browser
    Fixed Various security fixes

#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2, and Thunderbird 52.2

52.1.1
    Fixed Large attachments may not be shown or saved correctly if the message is stored in an IMAP folder which is not synchronized for offline use
    Fixed Unable to load full message via POP if message was downloaded partially (or only headers) before
    Fixed Some attachments can't be opened or saved if the message body is empty
    Fixed Crash when compacting IMAP folder
2017-07-03 16:37:52 +00:00
ryoon
43804589b7 Update to 52.1.0
Changelog:
Fixed
* Background images not working and other issues related to embedded images when composing email
* Google Oauth setup can sometimes not progress to the next step
2017-05-01 05:50:08 +00:00
ryoon
9e3ff7c2ce Update to 52.0.1
Changelog:
52.0.1:
    Fixed

    Clicking on a link in an email may not open this link in the external browser.
    Crash due to incompatibility with McAfee Anti-SPAM add-on. Add-on is blocked in 52.0.1


52.0:
    New

    Folder pane toolbar and folder view selector (replacement for folder view arrows)
    Optionally remove corresponding data files when removing an account from Thunderbird
    Import settings from Becky! Internet Mail
    Possibility to copy message filter
    Dictionary setting is restored when editing a draft. Content-Language header (RFC 3282) transmitted with message
    Calendar: Event can now be created and edited in a tab
    Calendar: Processing of received invitation counter proposals
    Chat: Support Twitter Direct Messages
    Chat: Liking and favoriting in Twitter
    Chat: XMPP: Support SASL SCRAM authentication mechanism
    Chat: Support Jabber/XMPP Message Carbons (XEP-280)

    Changed

    IMPORTANT: The way images are included in a compose window has changed. Images are now included as data URIs and not as references to parts of other messages or operating system files. This allows better interoperability with office packages such as MS Office or LibreOffice. Images linked from locations on the internet will no longer be downloaded and attached to the message automatically. This can be changed for each image individually via the Image Properties dialog or globally by setting the preference mail.compose.attach_http_images.
    Correspondents column now default for all new folders, can be switched off with preference mail.threadpane.use_correspondents
    When replying to a mailing list, reply will be sent to address in From header ignoring Reply-to header
    On Linux PulseAudio is now required to play sound
    Formatting toolbar is now left in place when delivery format is switched to plain text only
    Messages in IMAP folders read on external device are now filtered by default
    Folders backed by mbox storage larger than 4GB are supported without warning (unless preference mailnews.allowMboxOver4GB is set to false)
    IMAP caching now uses Mozilla's latest caching technology
    The keyboard shortcut to insert hyperlinks into a compose window was changed from CTRL+L to CTRL+K to align with Office applications
    Chat: Removed Yahoo! Messenger support (since Yahoo removed support)

    Fixed

    Message preview pane non-functional after IMAP folder was renamed or moved
    Fixed
    Editing in paragraph format: Pressing Shift+Enter sometimes doesn't move the cursor to the next line
    Various corrections when composing messages in paragraph format
    Paste as quotation doesn't always work
    Long lines in plain text replies not properly wrapped
    Undesired white-space before signature in paragraph mode
    When attachment unavailable, compose shows endless "Attaching..." message instead of error
    Text encoding of reply sometimes incorrect (uses encoding of last viewed message)
    Text encoding of message display, reply or forwarded message sometimes incorrect (uses encoding of attachment)
    Delivery Format not preserved for saved drafts (Auto-Detect|Plaintext|HTML|Both)
    Reply to own e-mail does not reply with the correct identity
    IMAP message part caching
    Links with escaped non-ASCII (international) characters can't be clicked
    Calendar: Events specified in timezone "local time" generate alerts in UTC time
    Chat: XMPP Resource collisions
    Various security fixes

Security fixes:
 #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
 #CVE-2017-5401: Memory Corruption when handling ErrorResult
 #CVE-2017-5402: Use-after-free working with events in FontFace objects
 #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
 #CVE-2017-5404: Use-after-free working with ranges in selections
 #CVE-2017-5406: Segmentation fault in Skia with canvas operations
 #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
 #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
 #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
 #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
 #CVE-2017-5412: Buffer overflow read in SVG filters
 #CVE-2017-5413: Segmentation fault during bidirectional operations
 #CVE-2017-5414: File picker can choose incorrect default directory
 #CVE-2017-5416: Null dereference crash in HttpChannel
 #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
 #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
 #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
 #CVE-2017-5419: Repeated authentication prompts lead to DOS attack
 #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
 #CVE-2017-5421: Print preview spoofing
 #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
 #CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
 #CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
2017-04-27 13:32:40 +00:00
adam
75a9285105 Revbump after icu update 2017-04-22 21:03:07 +00:00
ryoon
6d2435165d Update to 45.8.0
Changelog:
 #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
 #CVE-2017-5401: Memory Corruption when handling ErrorResult
 #CVE-2017-5402: Use-after-free working with events in FontFace objects
 #CVE-2017-5404: Use-after-free working with ranges in selections
 #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
 #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
 #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
 #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
 #CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8
2017-03-26 04:05:40 +00:00
ryoon
d6beaf4425 Update to 45.7.1
Changelog:
Fixed
	Crash when viewing certain IMAP messages (introduced in 45.7.0)
2017-03-01 13:30:19 +00:00
ryoon
72c3cb198b Recursive revbump from fonts/harfbuzz 2017-02-12 06:24:36 +00:00
ryoon
37cb01262b Update to 45.7.0
Changelog:
    Fixed Message preview pane non-functional after IMAP folder was renamed or moved
    Fixed "Move To" button on "Search Messages" panel not working
    Fixed Message sent to "undisclosed recipients" shows no recipient (non-functional since Thunderbird version 38)
    Fixed Calendar: No way to accept/decline email invitations when sent and received messages are stored in the same folder
    Fixed Various security fixes

Security fixes:
 #CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
 #CVE-2017-5376: Use-after-free in XSL
 #CVE-2017-5378: Pointer and frame data leakage of Javascript objects
 #CVE-2017-5380: Potential use-after-free during DOM manipulations
 #CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
 #CVE-2017-5396: Use-after-free with Media Decoder
 #CVE-2017-5383: Location bar spoofing with unicode characters
 #CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
2017-02-11 08:09:08 +00:00
wiz
7ac05101c6 Recursive bump for harfbuzz's new graphite2 dependency. 2017-02-06 13:54:36 +00:00
ryoon
f62b809c5a Recursive revbump from audio/pulseaudio-10.0 2017-01-21 20:06:44 +00:00
wiz
c761d409e7 Recursive bump for libvpx shlib major change. 2017-01-16 23:45:10 +00:00
ryoon
59376aa72e Update to 45.6.0
Changelog:
    Fixed The system integration dialog was shown every time when starting Thunderbird
    Fixed Various security fixes

Security vulnerabilities fixed in Thunderbird 45.6
 #CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
 #CVE-2016-9895: CSP bypass using marquee tag
 #CVE-2016-9897: Memory corruption in libGLES
 #CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
 #CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
 #CVE-2016-9904: Cross-origin information leak in shared atoms
 #CVE-2016-9905: Crash in EnumerateSubDocuments
 #CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
2017-01-02 23:59:21 +00:00
ryoon
36ed025474 Recursive revbump from textproc/icu 58.1 2016-12-04 05:17:03 +00:00
ryoon
f6ba818556 Update to 45.5.1
Changelog:
45.5.1:
 #CVE-2016-9079: Use-after-free in SVG Animation

45.5.0:
 #CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
 #CVE-2016-5294: Arbitrary target directory for result files of update process
 #CVE-2016-5297: Incorrect argument length checking in JavaScript
 #CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
 #CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
 #CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
 #CVE-2016-5290: Memory safety bugs fixed in Thunderbird 45.5
2016-12-03 11:14:48 +00:00
ryoon
e4741fd625 Update to 45.4.0
Changelog:
    Fixed "Apply columns to..." did not honor special folders
    Fixed Threading broken when editing message draft, due to loss of Message-ID
    Fixed Mail saved as template copied In-Reply-To and References from original email.
    Fixed Additional spaces were inserted when drafts were edited.
    Fixed Recipient addresses were shown in red despite being inserted from the address book in some circumstances.
    Fixed Display name was truncated if no separating space before email address.
2016-10-26 22:50:13 +00:00
ryoon
48fc153b7f Update to 45.3.0
Changelog:
    Fixed Certain messages caused corruption of the drafts summary database.
    Fixed "edit as new message" on a received message pre-filled the sender as the composing identity.
    Fixed Disposition-Notification-To could not be used in mail.compose.other.header
    Fixed Various security fixes

Fixed in Thunderbird 45.3
    2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
2016-09-18 12:35:06 +00:00
ryoon
82f67120a8 Recursive revbump from multimedia/libvpx update 2016-08-17 00:06:39 +00:00
ryoon
e37b97fe3c Recursive revbump from audio/pulseaudio 2016-08-04 17:03:30 +00:00
adam
77b8ed74db Revbump after graphics/gd update 2016-08-03 10:22:08 +00:00
ryoon
b26e388ac2 Update to 45.2.0
Changelog:
Fixed Invitations to events could not be printed.
Fixed Dragging and dropping of contacts from the contact list onto an addressbook while All Addressbooks is selected moved only one contact
Fixed Falsely reported not enough disk space during compacting
Fixed Links were not always detected properly in the message body (terminated early on "|", some long links not detected at all)

Fixed in Thunderbird 45.2
    2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
2016-07-20 11:45:59 +00:00
ryoon
17beabbebd Update to 45.1.1
Changelog:
    Fixed When entering members into a mailing list, the enter key dismissed the panel instead of just moving onto the next line
    Fixed Email without HTML elements was sent as HTML, despite "Delivery Format: Auto-detect" option
    Fixed Options applied to a template were lost when the template was used.
    Fixed Contacts could not be deleted when they were found through a search
    Fixed Views from global searches did not respect "mail.threadpane.use_correspondents"
2016-06-19 06:34:26 +00:00
wiz
f468b1ab4a Fix paths in previous. 2016-06-11 12:10:00 +00:00
wiz
4f4c1ba8c7 Mark bin/thunderbird as not-mprotect-safe. Bump PKGREVISION. 2016-06-11 06:29:30 +00:00
joerg
ead108e81f Repeat after me: unwind.h is already on the generated wrapper list. 2016-05-31 21:33:50 +00:00
ryoon
37c0e593bc Update to 45.1.0
Changelog:
Fixed in Thunderbird 45.1
    2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety problems and crashes that are fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46.
    Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46 (CVE-2016-2807)

Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory safety problems and crashes that are fixed in Firefox ESR 45.1 and Firefox 46.
    Memory safety bugs fixed in Firefox ESR 45.1 and Firefox 46 (CVE-2016-2806)

Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve Fink reported memory safety problems and crashes that are fixed in Firefox 46.
    Memory safety bugs fixed in Firefox 46 (CVE-2016-2804)

Christian Holler reported a memory safety problem that is fixed in Firefox ESR 38.8.
    Memory safety bug fixed in Firefox ESR 38.8 (CVE-2016-2805)
2016-05-21 23:22:16 +00:00
ryoon
c231a0eadf Include firefox45 common Make fragment to provide gstreamer1
Reported by wiz@. Thank you.
2016-04-29 08:51:16 +00:00
ryoon
96ec7752a3 Remove unused patch 2016-04-17 18:42:27 +00:00
ryoon
daab6f9f81 Update to 45.0
* Regen patch names

Changelog:
    New Add a Correspondents column combining Sender and Recipient
    New Much better support for XMPP chatrooms and commands.
    New Remote content exceptions: Improved options to add exceptions.
    New Implement option to always use HTML formatting to prevent unexpected format loss when converting messages to plain text.
    New Use OpenStreetmap for maps (even allow the user to choose from list of map services)
    New Allow spell checking and dictionary selection in the subject line
    New Add dropdown in compose to allow specific setting of font size.
    New Return/Enter in composer will now insert a new paragraph by default (shift-Enter will insert a line break)
    New Mail.ru supports OAuth authentication.
    New Allow copying of name and email address from the message header of an email
    New Allow editing of From when composing a message.
    Fixed When sending e-mail which was composed using Chinese, Japanese or Korean characters, unwanted extra spaces were inserted within the text.
    Fixed Spell checker checked spelling in invisible HTML parts of the message.
    Fixed When saving a draft that is edited as new message, original draft was overwritten.
    Fixed External images not displayed in reply/forward
    Fixed Properly preserve pre-formatted blocks in message replies.
    Fixed Crashed in some cases while parsing IMAP messages.
    Fixed Copy/paste from a plain text editor lost white-space (multiple spaces/blanks, tabs, newlines)
    Fixed "Open Draft"/"Forward"/"Edit As New"/"Reply" created message composition with incorrect character encoding.
    Fixed Grouped By view sort direction change was broken, plus enabled custom column grouping.
    Fixed New emails into a mailbox did not adhere to sort order by received.
    Fixed Box.com attachments failed to upload.
    Fixed Drag and drop of multiple attachments failed to OS file folder.
    Fixed XMPP had connection problems for users with large rosters

Security bugs:
Fixed in Thunderbird 45
    2016-37 Font vulnerabilities in the Graphite 2 library
    2016-36 Use-after-free during processing of DER encoded keys in NSS
    2016-35 Buffer overflow during ASN.1 decoding in NSS
    2016-34 Out-of-bounds read in HTML parser following a failed allocation
    2016-27 Use-after-free during XML transformations
    2016-24 Use-after-free in SetBody
    2016-23 Use-after-free in HTML5 string parser
    2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
    2016-19 Linux video memory DOS with Intel drivers
    2016-18 CSP reports fail to strip location information for embedded iframe pages
    2016-17 Local file overwriting and potential privilege escalation through CSP reports
    2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
2016-04-17 18:33:50 +00:00