Chagelog:
New
In Thunderbird 52 a new behavior was introduced for replies to mailing
list posts: "When replying to a mailing list, reply will be sent to
address in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
Fixed
Under certain circumstances (image attachment and non-image attachment),
attached images were shown truncated in messages stored in IMAP
folders not synchronised for offline use.
Fixed
IMAP UIDs > 0x7FFFFFFF not handled properly
Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API
Reporter
Abhishek Arya
Impact
high
Description
A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use,
resulting in a potentially exploitable crash.
References
Bug 1371889
#CVE-2017-7818: Use-after-free during ARIA array manipulation
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.
References
Bug 1363723
#CVE-2017-7819: Use-after-free while resizing images in design mode
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have
been freed from memory. This results in a potentially exploitable crash.
References
Bug 1380292
#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE
Reporter
Omair, Andre Weissflog
Impact
high
Description
A buffer overflow occurs when drawing and validating elements with
the ANGLE graphics library, used for WebGL content. This is due to
an incorrect value being passed within the library during checks and
results in a potentially exploitable crash.
References
Bug 1398381
#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
Reporter
Martin Thomson
Impact
high
Description
During TLS 1.2 exchanges, handshake hashes are generated which point
to a message buffer. This saved data is used for later messages but
in some cases, the handshake transcript can exceed the space available
in the current buffer, causing the allocation of a new buffer. This
leaves a pointer pointing to the old, freed buffer, resulting in
a use-after-free when handshake hashes are then calculated afterwards.
This can result in a potentially exploitable crash.
References
Bug 1377618
#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings
Reporter
François Marier
Impact
moderate
Description
File downloads encoded with blob: and data: URL elements bypassed
normal file download checks though the Phishing and Malware Protection
feature and its block lists of suspicious sites and files. This
would allow malicious sites to lure users into downloading executables
that would otherwise be detected as suspicious.
References
Bug 1376036
#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces
Reporter
Khalil Zhani
Impact
moderate
Description
Several fonts on OS X display some Tibetan and Arabic characters
as whitespace. When used in the addressbar as part of an IDN
this can be used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other
operating systems are unaffected.
References
Bug 1393624
Bug 1390980
#CVE-2017-7823: CSP sandbox directive did not create a unique origin
Reporter
Jun Kokatsu
Impact
moderate
Description
The content security policy (CSP) sandbox directive did not
create a unique origin for the document, causing it to behave as
if the allow-same-origin keyword were always specified. This could
allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.
References
Bug 1396320
#CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4,
and Thunderbird 52.4
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55, Firefox
ESR 52.3, and Thunderbird 52.3. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
Changelog:
Fixed
Unwanted inline images shown in rogue SPAM messages
Fixed
Deleting message from the POP3 server not working when maildir storage was used
Fixed
Message disposition flag (replied / forwarded) lost when reply or forwarded message was stored as draft and draft was sent later
Fixed
Inline images not scaled to fit when printing
Fixed
Selected text from another message sometimes included in a reply
Fixed
No authorisation prompt displayed when inserting image into email body although image URL requires authentication
Fixed
Large attachments taking a long time to open under some circumstances
Fixed
Various security fixes
Changelog:
52.2.1
Fixed Problems with Gmail (folders not showing, repeated email download, etc.) introduced in version 52.2.0.
52.2.0
Fixed Embedded images not shown in email received from Hotmail/Outlook webmailer
Fixed Detection of non-ASCII font names in font selector
Fixed Attachment not forwarded correctly under certain circumstances
Fixed Multiple requests for master password when GMail OAuth2 is enabled
Fixed Large number of blank pages being printed under certain circumstances when invalid preferences were present
Fixed Messages sent via the Simple MAPI interface are forced to HTML
Fixed Calendar: Invitations can't be printed
Fixed Mailing list (group) not accessible from macOS or Outlook address book
Fixed Clicking on links with references/anchors where target doesn't exist in the message not opening in external browser
Fixed Various security fixes
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2, and Thunderbird 52.2
52.1.1
Fixed Large attachments may not be shown or saved correctly if the message is stored in an IMAP folder which is not synchronized for offline use
Fixed Unable to load full message via POP if message was downloaded partially (or only headers) before
Fixed Some attachments can't be opened or saved if the message body is empty
Fixed Crash when compacting IMAP folder
Changelog:
Fixed
* Background images not working and other issues related to embedded images when composing email
* Google Oauth setup can sometimes not progress to the next step
Changelog:
52.0.1:
Fixed
Clicking on a link in an email may not open this link in the external browser.
Crash due to incompatibility with McAfee Anti-SPAM add-on. Add-on is blocked in 52.0.1
52.0:
New
Folder pane toolbar and folder view selector (replacement for folder view arrows)
Optionally remove corresponding data files when removing an account from Thunderbird
Import settings from Becky! Internet Mail
Possibility to copy message filter
Dictionary setting is restored when editing a draft. Content-Language header (RFC 3282) transmitted with message
Calendar: Event can now be created and edited in a tab
Calendar: Processing of received invitation counter proposals
Chat: Support Twitter Direct Messages
Chat: Liking and favoriting in Twitter
Chat: XMPP: Support SASL SCRAM authentication mechanism
Chat: Support Jabber/XMPP Message Carbons (XEP-280)
Changed
IMPORTANT: The way images are included in a compose window has changed. Images are now included as data URIs and not as references to parts of other messages or operating system files. This allows better interoperability with office packages such as MS Office or LibreOffice. Images linked from locations on the internet will no longer be downloaded and attached to the message automatically. This can be changed for each image individually via the Image Properties dialog or globally by setting the preference mail.compose.attach_http_images.
Correspondents column now default for all new folders, can be switched off with preference mail.threadpane.use_correspondents
When replying to a mailing list, reply will be sent to address in From header ignoring Reply-to header
On Linux PulseAudio is now required to play sound
Formatting toolbar is now left in place when delivery format is switched to plain text only
Messages in IMAP folders read on external device are now filtered by default
Folders backed by mbox storage larger than 4GB are supported without warning (unless preference mailnews.allowMboxOver4GB is set to false)
IMAP caching now uses Mozilla's latest caching technology
The keyboard shortcut to insert hyperlinks into a compose window was changed from CTRL+L to CTRL+K to align with Office applications
Chat: Removed Yahoo! Messenger support (since Yahoo removed support)
Fixed
Message preview pane non-functional after IMAP folder was renamed or moved
Fixed
Editing in paragraph format: Pressing Shift+Enter sometimes doesn't move the cursor to the next line
Various corrections when composing messages in paragraph format
Paste as quotation doesn't always work
Long lines in plain text replies not properly wrapped
Undesired white-space before signature in paragraph mode
When attachment unavailable, compose shows endless "Attaching..." message instead of error
Text encoding of reply sometimes incorrect (uses encoding of last viewed message)
Text encoding of message display, reply or forwarded message sometimes incorrect (uses encoding of attachment)
Delivery Format not preserved for saved drafts (Auto-Detect|Plaintext|HTML|Both)
Reply to own e-mail does not reply with the correct identity
IMAP message part caching
Links with escaped non-ASCII (international) characters can't be clicked
Calendar: Events specified in timezone "local time" generate alerts in UTC time
Chat: XMPP Resource collisions
Various security fixes
Security fixes:
#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
#CVE-2017-5401: Memory Corruption when handling ErrorResult
#CVE-2017-5402: Use-after-free working with events in FontFace objects
#CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
#CVE-2017-5404: Use-after-free working with ranges in selections
#CVE-2017-5406: Segmentation fault in Skia with canvas operations
#CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
#CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
#CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
#CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
#CVE-2017-5412: Buffer overflow read in SVG filters
#CVE-2017-5413: Segmentation fault during bidirectional operations
#CVE-2017-5414: File picker can choose incorrect default directory
#CVE-2017-5416: Null dereference crash in HttpChannel
#CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
#CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
#CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
#CVE-2017-5419: Repeated authentication prompts lead to DOS attack
#CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
#CVE-2017-5421: Print preview spoofing
#CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
#CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
#CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
Changelog:
#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
#CVE-2017-5401: Memory Corruption when handling ErrorResult
#CVE-2017-5402: Use-after-free working with events in FontFace objects
#CVE-2017-5404: Use-after-free working with ranges in selections
#CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
#CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
#CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
#CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
#CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8
Changelog:
Fixed Message preview pane non-functional after IMAP folder was renamed or moved
Fixed "Move To" button on "Search Messages" panel not working
Fixed Message sent to "undisclosed recipients" shows no recipient (non-functional since Thunderbird version 38)
Fixed Calendar: No way to accept/decline email invitations when sent and received messages are stored in the same folder
Fixed Various security fixes
Security fixes:
#CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
#CVE-2017-5376: Use-after-free in XSL
#CVE-2017-5378: Pointer and frame data leakage of Javascript objects
#CVE-2017-5380: Potential use-after-free during DOM manipulations
#CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
#CVE-2017-5396: Use-after-free with Media Decoder
#CVE-2017-5383: Location bar spoofing with unicode characters
#CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
Changelog:
Fixed The system integration dialog was shown every time when starting Thunderbird
Fixed Various security fixes
Security vulnerabilities fixed in Thunderbird 45.6
#CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
#CVE-2016-9895: CSP bypass using marquee tag
#CVE-2016-9897: Memory corruption in libGLES
#CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
#CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
#CVE-2016-9904: Cross-origin information leak in shared atoms
#CVE-2016-9905: Crash in EnumerateSubDocuments
#CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
Changelog:
45.5.1:
#CVE-2016-9079: Use-after-free in SVG Animation
45.5.0:
#CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
#CVE-2016-5294: Arbitrary target directory for result files of update process
#CVE-2016-5297: Incorrect argument length checking in JavaScript
#CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
#CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
#CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
#CVE-2016-5290: Memory safety bugs fixed in Thunderbird 45.5
Changelog:
Fixed "Apply columns to..." did not honor special folders
Fixed Threading broken when editing message draft, due to loss of Message-ID
Fixed Mail saved as template copied In-Reply-To and References from original email.
Fixed Additional spaces were inserted when drafts were edited.
Fixed Recipient addresses were shown in red despite being inserted from the address book in some circumstances.
Fixed Display name was truncated if no separating space before email address.
Changelog:
Fixed Certain messages caused corruption of the drafts summary database.
Fixed "edit as new message" on a received message pre-filled the sender as the composing identity.
Fixed Disposition-Notification-To could not be used in mail.compose.other.header
Fixed Various security fixes
Fixed in Thunderbird 45.3
2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
Changelog:
Fixed Invitations to events could not be printed.
Fixed Dragging and dropping of contacts from the contact list onto an addressbook while All Addressbooks is selected moved only one contact
Fixed Falsely reported not enough disk space during compacting
Fixed Links were not always detected properly in the message body (terminated early on "|", some long links not detected at all)
Fixed in Thunderbird 45.2
2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
Changelog:
Fixed When entering members into a mailing list, the enter key dismissed the panel instead of just moving onto the next line
Fixed Email without HTML elements was sent as HTML, despite "Delivery Format: Auto-detect" option
Fixed Options applied to a template were lost when the template was used.
Fixed Contacts could not be deleted when they were found through a search
Fixed Views from global searches did not respect "mail.threadpane.use_correspondents"
Changelog:
Fixed in Thunderbird 45.1
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety problems and crashes that are fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46.
Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46 (CVE-2016-2807)
Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory safety problems and crashes that are fixed in Firefox ESR 45.1 and Firefox 46.
Memory safety bugs fixed in Firefox ESR 45.1 and Firefox 46 (CVE-2016-2806)
Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve Fink reported memory safety problems and crashes that are fixed in Firefox 46.
Memory safety bugs fixed in Firefox 46 (CVE-2016-2804)
Christian Holler reported a memory safety problem that is fixed in Firefox ESR 38.8.
Memory safety bug fixed in Firefox ESR 38.8 (CVE-2016-2805)
* Regen patch names
Changelog:
New Add a Correspondents column combining Sender and Recipient
New Much better support for XMPP chatrooms and commands.
New Remote content exceptions: Improved options to add exceptions.
New Implement option to always use HTML formatting to prevent unexpected format loss when converting messages to plain text.
New Use OpenStreetmap for maps (even allow the user to choose from list of map services)
New Allow spell checking and dictionary selection in the subject line
New Add dropdown in compose to allow specific setting of font size.
New Return/Enter in composer will now insert a new paragraph by default (shift-Enter will insert a line break)
New Mail.ru supports OAuth authentication.
New Allow copying of name and email address from the message header of an email
New Allow editing of From when composing a message.
Fixed Fixed: When sending e-mail which was composed using Chinese, Japanese or Korean characters, unwanted extra spaces were inserted within the text.
Fixed Spell checker checked spelling in invisible HTML parts of the message.
Fixed When saving a draft that is edited as new message, original draft was overwritten.
Fixed External images not displayed in reply/forward
Fixed Properly preserve pre-formatted blocks in message replies.
Fixed Crashed in some cases while parsing IMAP messages.
Fixed Copy/paste from a plain text editor lost white-space (multiple spaces/blanks, tabs, newlines)
Fixed "Open Draft"/"Forward"/"Edit As New"/"Reply" created message composition with incorrect character encoding.
Fixed Fixed: Grouped By view sort direction change was broken, plus enabled custom column grouping.
Fixed Fixed: New emails into a mailbox did not adhere to sort order by received.
Fixed Fixed: Box.com attachments failed to upload.
Fixed Fixed: Drag and drop of multiple attachments failed to OS file folder.
Fixed XMPP had connection problems for users with large rosters
Security bugs:
Fixed in Thunderbird 45
2016-37 Font vulnerabilities in the Graphite 2 library
2016-36 Use-after-free during processing of DER encoded keys in NSS
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-27 Use-after-free during XML transformations
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-19 Linux video memory DOS with Intel drivers
2016-18 CSP reports fail to strip location information for embedded iframe pages
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
Changelog:
Fixed in Thunderbird 38.7
2016-37 Font vulnerabilities in the Graphite 2 library
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-31 Memory corruption with malicious NPAPI plugin
2016-27 Use-after-free during XML transformations
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
Changelog:
Fixed Various security fixes.
Fixed Filters ran on a different folder than selected
Fixed For Windows systems on roaming profiles, could not display messages after Thunderbird update (related to Lightning updates)
Fixed in Thunderbird 38.6
2016-14 Vulnerabilities in Graphite 2
2016-03 Buffer overflow in WebGL after out of memory allocation
2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
2015-150 MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
Changelog:
38.5.0:
Not available
38.4.0:
Fixed Various security fixes
Fixed Fixed issue where messages moves of multiple messages from a maildir folder to an mbox folder failed.
Fixed in Thunderbird 38.4
2015-133 NSS and NSPR memory corruption issues
2015-132 Mixed content WebSocket policy bypass through workers
2015-131 Vulnerabilities found through code inspection
2015-128 Memory corruption in libjar through zip files
2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
2015-123 Buffer overflow during image interactions in canvas
2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
Changelog:
New Saved files tab now implements Search field and Clear button.
Fixed (Right-)Clicking on a newsgroup now allows directly composing a message again
Fixed Importing to the address book from CSV now works with international characters
Fixed Thunderbird no longer crashes when executing filter rules when using maildir
Fixed When using the maildir storage format, the INBOX folder is no longer deleted
Fixed Emails with long References headers are now decoded correctly
Fixed Checking for new messages correctly works after hibernation again
Fixed Chat entries are no longer sometimes lost in global database at shutdown.
