Changelog:
68.3.1
Changes
changed
In dark theme unread messages no longer shown in blue to distinguish from tagged messages
changed
Account setup is now using client side DNS MX lookup instead of relying on a server.
Fixes
fixed
Searching LDAP address book crashed in some circumstances
fixed
Message navigation with backward and forward buttons did not work in some circumstances
fixed
WebExtension toolbar icons were displayed too small
fixed
Calendar: Tasks due today were not listed in bold
fixed
Calendar: Last day of long-running events was not shown
68.3.0
What’s New
new
Message display toolbar action WebExtension API
new
Navigation buttons are now available in content tabs, for example those opened via an add-on search
Changes
changed
"New email" icon in Windows systray changed from in-tray with arrow to envelope
Fixes
fixed
Icons of attachments in the attachment pane of the Write window not always correct
fixed
Toolbar buttons of add-ons in the menubar not shown after startup
fixed
LDAP lookup not working when SSL was enabled. LDAP search not working when "All Address Books" was selected.
fixed
Scam link confirmation panel not working
fixed
In Write window, the Link Properties dialog wasn't showing named anchors in context menu
fixed
Calendar: Start-up failed if the application menu is not on the calendar toolbars
fixed
Chat: Account reordering via drag-and-drop not working on Instant messaging status dialog (Show Accounts)
fixed
Various security fixes
Security fixes:
#CVE-2019-17008: Use-after-free in worker destruction
#CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code
#CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher
#CVE-2019-17009: Updater temporary files accessible to unprivileged processes
#CVE-2019-17010: Use-after-free when performing device orientation checks
#CVE-2019-17005: Buffer overflow in plain text serializer
#CVE-2019-17011: Use-after-free when retrieving a document in antitracking
#CVE-2019-17012: Memory safety bugs fixed in Firefox 71, Firefox ESR 68.3, and Thunderbird 68.3
Changelog:
new
A language for the user interface can now be chosen in the advanced settings (multilingual UI)
fixed
Problem with Google authentication (OAuth2)
fixed
Selected or unread messages not shown in the correct color in the thread pane (message list) under some circumstances
fixed
When using a language pack, names of standard folders weren't localized
fixed
Address book default startup directory in preferences panel not persisted
fixed
Various visual glitches: Conditions in filter editor not high enough, folder location widget not showing folder name, problem with menubar customization, add-on home page links accumulating, theme issues on Windows 7
fixed
Chat: Extended context menu on Instant messaging status dialog (Show Accounts)
Changelog:
new
Message Display WebExtension API
new
Message Search WebExtension API
fixed
Better visual feedback for unread messages when using the dark theme
fixed
Various issues when editing mailing lists
fixed
Integration with macOS addressbook and notifications not working after introduction of notarization
fixed
Application windows not maintaining their size after restart
fixed
Issues when upgrading from a 32bit version of Thunderbird to a 64bit
version. Note: If your profile is still not recognised, select it
by visiting about:profiles in the Troubleshooting Information.
fixed
Various security fixes
Security fixes:
#CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
#CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
#CVE-2019-11758: Potentially exploitable crash due to 360 Total Security
#CVE-2019-11759: Stack buffer overflow in HKDF output
#CVE-2019-11760: Stack buffer overflow in WebRTC networking
#CVE-2019-11761: Unintended access to a privileged JSONView object
#CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation
#CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
#CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2
Local changes
=============
Cherry-pick a pending patch to fix build with the recent rust version (1.38.0).
esr68 branch fails to build with rust 1.38
https://bugzilla.mozilla.org/show_bug.cgi?id=1585099
Cherry-pick patch from:
https://marc.info/?l=openbsd-ports&m=156984549605237&w=2
Upstream changelog
==================
What's New
fixed Visual glitches: Missing context menu in filter, downloads, password manager and Config Editor search boxes, unwanted scrollbars and cut-off text in Account Manager, incorrect colors in Calendar agenda scrollbars, theme issues on Windows 7
fixed Some attachments couldn't be opened in messages originating from MS Outlook 2016
fixed Address book import from CSV
fixed Performance problem in message body search
fixed Ctrl+Enter to send a message would open an attachment if the attachment pane had focus
fixed Calendar: Issues with "Today Pane" start-up
fixed Calendar: Glitches with custom repeat and reminder number input
fixed Calendar: Problems with WCAP provider
https://www.thunderbird.net/en-US/thunderbird/68.1.2/releasenotes/
Changelog:
fixed Issues with attachments in IMAP messages
fixed Gmail accounts ignored a non-standard trash folder
selection. Note: If non-standard trash folder was selected
previously in the account settings, this setting will now take
effect which may be unexpected.
fixed Entering/pasting lists of recipients into the addressing
widget or mailing list not working reliably, especially when
lists contained multiple commas or semicolons
fixed Edit mailing list not working
fixed Various theme fixes, especially dark theme improvements
for Calendar
fixed Contrast between tag label and background not optimal
fixed Account Central pane always loaded at start-up
fixed "Config Editor" button not removed if blocked by policy
fixed Calendar: Free/busy information in attendees dialog not
scrolled correctly. Note: Scroll arrows still not behaving
correctly.
fixed Various security fixes
#CVE-2019-11755: Spoofing a message author via a crafted S/MIME
message
Changelog:
new
Offer to configure Exchange accounts for Office365. A third-party add-on is required for this account type. IMAP still exists as alternative.
fixed
Edit tag not working
fixed
Write window: "Insert > Characters and Symbols" not working
fixed
Moving/dragging messages from "Search Messages" result dialog not working
fixed
Command line -compose "attachment=" not working
fixed
Custom views not working
fixed
Issues with list of content types/actions for incoming attachments
fixed
"Learn More" links in Error Console not working
fixed
Visual glitches: Quick Filter Bar tag buttons too tall, missing scroll
bar on Connection Setting subdialog, LDAP server selection after "New",
"Edit" and "Delete"
fixed
Calendar: Parts of CalDAV dialog not working
fixed
Various security fixes
Security fixes:
CVE-2019-11739: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message
#CVE-2019-11746: Use-after-free while manipulating video
#CVE-2019-11744: XSS by breaking out of title and textarea elements using innerHTML
#CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to steal cross-origin images
#CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
#CVE-2019-11743: Cross-origin access to unload event attributes
#CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
Changelog:
Fixed
No prompt for smartcard PIN when S/MIME signing is used
Security fixes:
#CVE-2019-11703: Heap buffer overflow in icalparser.c
#CVE-2019-11704: Heap buffer overflow in icalvalue.c
#CVE-2019-11705: Stack buffer overflow in icalrecur.c
#CVE-2019-11706: Type confusion in icalproperty.c
Changelog:
changed
Attachment pane of Write window no longer focussed when attaching files using a keyboard shortcut
fixed
Various security fixes
#CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
#CVE-2019-9816: Type confusion with object groups and UnboxedObjects
#CVE-2019-9817: Stealing of cross-domain images using canvas
#CVE-2019-9818: Use-after-free in crash generation server
#CVE-2019-9819: Compartment mismatch with fetch API
#CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
#CVE-2019-11691: Use-after-free in XMLHttpRequest
#CVE-2019-11692: Use-after-free removing listeners in the event listener manager
#CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
#CVE-2019-7317: Use-after-free in png_image_free of libpng library
#CVE-2019-9797: Cross-origin theft of images with createImageBitmap
#CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext
#CVE-2019-11694: Uninitialized memory leakage in Windows sandbox
#CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
#CVE-2019-5798: Out-of-bounds read in Skia
#CVE-2019-9800: Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7, and Thunderbird 60.7
Changelog:
60.6.0
fixed
Calendar: Can't create repeating event with end date when using certain time zones, for example Europe/Minsk
60.5.3
fixed
Problem when using "Send to > Mail recipient" on Windows introduced in version 60.5.2.
If files with non-ASCII characters in their name still cause a malfunction, use one of the following two alternative solutions:
Reset this registry entry
HKLM\SOFTWARE\Clients\Mail\Mozilla Thunderbird - SupportUTF8 to 0. Also reset HKLM\SOFTWARE\Wow6432Node\Clients\Mail\Mozilla Thunderbird - SupportUTF8 if present.
On Windows 10, set the system code page to UTF-8 (beta feature, see Region Settings, system locale)
Changelog:
60.5.1
Fixed
CalDav access to some servers not working
#CVE-2018-18500: Use-after-free parsing HTML5 stream
#CVE-2018-18505: Privilege escalation through IPC channel messages
#CVE-2016-5824: DoS (use-after-free) via a crafted ics file
#CVE-2018-18501: Memory safety bugs fixed in Firefox 65, Firefox ESR 60.5, and Thunderbird 60.5
60.5.0
New
FileLink provider WeTransfer to upload large attachments
Thunderbird now allows the addition of OpenSearch search engines from a local XML file using a minimal user interface: [+] button to select a file and add, [-] to remove.
More search engines: Google and DuckDuckGo available by default in some locales
During account creation, Thunderbird will now detect servers using the Microsoft Exchange protocol. It will offer the installation of a 3rd party add-on (Owl) which supports that protocol.
Fixed
Thunderbird now compatible with other WebExtension-based FileLink add-ons like the Dropbox add-on
Crash when using custom sound for new email notification
WebExtension-based dictionaries from addons.mozilla.org not working in Thunderbird
Calendar: Printing of calendars not working
#CVE-2018-18356: Use-after-free in Skia
#CVE-2019-5785: Integer overflow in Skia
#CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D
#CVE-2018-18509: S/MIME signature spoofing
Changelog:
new
WebExtensions FileLink API to facilitate FileLink add-ons. For the future
version Thunderbird 60.5.0: WeTransfer will be included in Thunderbird 60.5.0
and the Dropbox add-on will be compatible with Thunderbird 60.5.0.
fixed
Decoding problems for messages with less common charsets (cp932, cp936)
fixed
New messages in the drafts folder (and other special or virtual folders)
will no longer be included in the new messages notification
Changelog:
60.3.3:
mitigated
Thunderbird 60 will migrate security databases (key3.db, cert8.db to
key4.db, cert9.db). Thunderbird 60.3.2 and earlier contained a fault
that potentially deleted saved passwords and private certificate keys
for users using a master password. Version 60.3.3 will prevent the loss
of data; affected users who have already upgraded to version 60.3.2 or
earlier can restore the deleted key3.db file from backup to complete
the migration.
fixed
Address book search and auto-complete slowness introduced in
Thunderbird 60.3.2
Plain text markup with * for bold, / for italics, _ for underline and |
for code did not work when the enclosed text contained non-ASCII
characters
While composing a message, a link not removed when link location was
removed in the link properties panel
60.3.2:
fixed
Under some circumstances Thunderbird on Mac will send attachments using
the so-called AppleDouble format which can lead to problems with mail
servers and recipients
Encoding problems when exporting address books or messages using the
system charset. Messages are now always exported using the UTF-8 encoding.
If the "Date" header of a message was invalid, Jan 1970 or Dec 1969 was
displayed. Now using date from "Received" header instead.
Body search/filtering didn't reliably ignore content of tags
Inappropriate warning "Thunderbird prevented the site
(addons.thunderbird.net) from asking you to install software on your
computer" when installing add-ons
Incorrect display of correspondents column since own email address was
not always detected
Spurious &#10; (encoded newline) inserted into drafts and sent email
New email not inserted in correct sort order in threaded unified view
or search folder
60.3.1:
fixed
Double-clicking on a word in the Write window sometimes launched the
Advanced Property Editor or Link Properties dialog
Cookie removal (not working since Thunderbird version 52)
"Download rest of message" not working if global inbox was used
Encoding problems for users (especially in Poland) when a file was sent
via a folder using "Send to > Mail recipient" due to a problem in the
Thunderbird MAPI interface
According to RFC 4616 and RFC 5721, passwords containing non-ASCII
characters are encoded using UTF-8 which can lead to problems with
non-compliant providers, for example office365.com. The SMTP LOGIN
and POP3 USER/PASS authentication methods are now using a Latin-1
encoding again to work around this issue.
Shutdown crash/hang after entering an empty IMAP password
60.3.0:
fixed
Various Theme fixes where incorrect colors, backgrounds, etc. were
displayed
Add-on Options menu not working on Mac
Shift+PageUp/PageDown in Write window
Saving content of Write windows didn't overwrite existing file
Issues related to "Edit Template" command
Gloda attachment filtering
Mailing list address auto-complete enter/return handling
Thunderbird hung if HTML signature references non-existent image
Filters not working for headers that appear more than once
Various security fixes
Security fixes:
#CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin
#CVE-2018-12392: Crash with nested event loops
#CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript
#CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3 and Thunderbird 60.3
#CVE-2018-12390: Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3, and Thunderbird 60.3
60.2.1:
Changed
Calendar: Default values for the first day of the week and working days
are now derived from the selected datetime formatting locale (restart
after changing locale in the OS required)
Calendar: Switch to a Photon-style icon set for all platforms
Multiple requests for master password when Google Mail or Calendar
OAuth2 is enabled
Scrollbar of the address entry auto-complete popup does not work
Security info dialog in compose window does not show certificate status
Links in the Add-on Manager's search results and theme browsing tabs
open in external browser
Localized versions of Thunderbird didn't show a localized name for
the "Drafts" and "Sent" folders for certain IMAP providers
(particularly in France)
Replying to a message with an empty subject inserted Re: twice (not
working in Thunderbird 60.0)
Spellcheck marks disappeared erroneously for words with an apostrophe
(not working in Thunderbird 60.0)
Calendar: First day of the week cannot be set
Calendar: Several fixes related to cutting/deleting of events and email
scheduling
Various security fixes
Security fixes:
#CVE-2018-12377: Use-after-free in refresh driver timers
#CVE-2018-12378: Use-after-free in IndexedDB
#CVE-2018-12379: Out-of-bounds write with malicious MAR file
#CVE-2017-16541: Proxy bypass using automount and autofs
#CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
#CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords
#CVE-2018-12376: Memory safety bugs fixed in Firefox 62, Firefox ESR 60.2, and Thunderbird 60.2.1
60.0:
new
When writing a message, a delete button now allows the removal of a
recipient. This delete button is displayed when hovering the To/Cc/Bcc
selector.
Many improvements to attachments handling during compose: Attachments
can now be reordered using a dialog, keyboard shortcuts, or drag and
drop. The "Attach" button moved to the right to be above the attachment
pane. The access key of the attachment pane (e.g. Alt+M, may vary
depending on localization, Ctrl+M on Mac) now also works to show or
hide the pane. The attachment pane can also be shown initially when
composing a new message. Right-click on the header to enable this
option. Hiding a non-empty attachment pane will now show a placeholder
paperclip to indicate the presence of attachments and avoid sending
them accidentally.
"Edit Template" command. This also solves various problems when saving
as template (duplicates created, message ID lost).
"New Message from Template" command
Allow changing the Spellcheck Language from status bar
Light and Dark themes
WebExtension themes are now enabled in Thunderbird
A default startup directory in the address book window can now be
configured
Individual feed update interval
An option under "Tools > Options, Advanced, General" now allows to
select whether date/time display will follow the application locale
(adjusted by operating system's format settings for that locale) or
the locale selected in the operating system's regional settings.
In other words, an US English Thunderbird can use, for example,
German formats.
OAuth2 authentication for Yahoo and AOL
FIDO U2F support
Thunderbird now allows the conversion of folders from mbox to maildir
format and vice versa. This is an experimental feature that needs to
be enabled by setting the preference mail.store_conversion_enabled.
Note that this functionality does not work if the option "Allow
Windows Search/Spotlight to search messages" is selected.
Calendar: Allow copying, cutting or deleting of a selected occurrence
or the entire series for recurring events
Calendar: Provide an option to display locations for events in calendar
day and week views
Calendar: Provide the ability for sending/not sending meeting
notifications directly instead of showing a popup
Calendar: Option to select the target calendar when pasting an event
or task
Calendar: Allow email scheduling for CalDAV servers supporting
server-side scheduling
Thunderbird Chat now contains multiple built-in message themes
changed
IMPORTANT: Add-ons not marked as compatible with Thunderbird 60
by their authors will be disabled (this can be reverted via preference
extensions.strictCompatibility)
IMAP: When after sending a message storing that sent message fails,
the message can now be stored in a local folder
Add-on options can no longer be configured from the Add-on Manager page.
A new menu item "Add-on Options" is now available on the Tools menu.
When messages are composed in paragraph format, "body text" and split
mail quotes are converted to paragraphs when pressing the enter key
"Edit As New Message" will now use the account's default compose format,
either HTML or plain text ignoring the format of the message. Plain
text messages will be converted to HTML and vice versa. Then using
the modifier, the format choice will be reverted.
The "Edit Draft" command now also honors the use of the shift key to
convert HTML to plain text or vice versa when editing a draft
The plain text to HTML conversion has been improved where such a
conversion is necessary for "Edit As New Message" or when the shift
modifier is used for "Edit Draft" or "New Message from Template".
During address entry, the matching part of the address is now shown in
bold. Preference mail.autoComplete.commentColumn allows to display
the address book where the address is stored.
When attaching a message via drag and drop, the subject of the message
is now used as attachment name instead of "Attached Message"
Better address book photo handling: Photos can be added by drag and
drop and a copy of all photos will be stored in the Thunderbird profile
On first start, Thunderbird now shows the account setup dialog, no longer
the account provisioner dialog
Thunderbird follows Firefox' Photon design with rectangular tabs and
many other theme improvements
When customizing the From: address, Thunderbird will now use this address
for the SMTP "MAIL FROM" command. Previously the address configured
in the identity was used. The preference
mail.smtp.useSenderForSmtpMailFrom allows return to the previous
behavior.
Native notifications on Linux are now re-enabled
Thunderbird now uses Mozilla's latest proxy technology (add-on FoxyProxy
now supported)
Thunderbird now uses the latest Rust-based Mozilla technology, including
Quantum's CSS engine (based on Servo) and encoding_rs, for displaying
and encoding messages
All certificates issued by Symantec roots before 2016-06-01 are
distrusted for use in TLS secured traffic in Thunderbird 60 and above.
This applies to all brands Symantec operated: Thawte, RapidSSL,
GeoTrust, Verisign, and Symantec. For usage in S/MIME the certificates
remain valid. Details here.
Calendar: Removal of capability to send email invitations compatible
to Outlook 2002 and earlier
Calendar: Reminders on read-only calendars can now be dismissed, while
reminders for missed events will now only be displayed for writable
calendars if option "Show missed reminders for writable calendars" is
selected
Thunderbird Chat: Nicknames inside of messages are colored to match
the participants list
fixed
When many Thunderbird clients or other email clients accessed the same
IMAP draft folder, messages were sometimes sent with the wrong
identity. This has been corrected and the user will be notified if
none of their identities matches the draft.
Various problems related to handling the IMAP trash folder: Under
certain circumstances the selection of the trash folder didn't persist,
for example when the name contained non-ASCII characters, or in
localized versions of Thunderbird. At times unwanted adtext menu behavior
Better error handling for Gmail authentication to avoid re-downloading
of folders
Thunderbird used a stale cached password after user edited a saved
password
Calendar: Wrong time formatting for some time zones
Calendar: Can't copy information from event dialog for received invitations
Various security fixes
Security fixes:
#CVE-2018-12359: Buffer overflow using computed size of canvas element
#CVE-2018-12360: Use-after-free when using focus()
#CVE-2018-12361: Integer overflow in SwizzleData
#CVE-2018-12362: Integer overflow in SSSE3 scaler
#CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture
#CVE-2018-12363: Use-after-free when appending DOM nodes
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
#CVE-2018-12365: Compromised IPC child process can list local filenames
#CVE-2018-12371: Integer overflow in Skia library during edge builder allocation
#CVE-2018-12366: Invalid data handling during QCMS transformations
#CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
#CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Thunderbird 60
#CVE-2018-5188: Memory sa60
Changelog:
changed
Thunderbird will now prompt to compact IMAP folders even if the account is online. Note: Under certain circumstances an incorrect estimate of the expected gain is shown.
fixed
Complete fix of the EFAIL vulnerability: 1) Removing some HTML crafted to carry out an attack. 2) Optionally: Not decrypting subordinate message parts that otherwise might reveal decrypted content to the attacker. Preference mailnews.p7m_subparts_external needs to be set to true for added security.
fixed
Various problems when forwarding messages inline when using "simple" HTML view
fixed
Deleting or detaching attachments corrupted messages under certain circumstances (not working only in Thunderbird version 52.9.0)
fixed
Various security fixes
Security fixes:
#CVE-2018-12359: Buffer overflow using computed size of canvas element
#CVE-2018-12360: Use-after-free when using focus()
#CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails
#CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward
#CVE-2018-12362: Integer overflow in SSSE3 scaler
#CVE-2018-12363: Use-after-free when appending DOM nodes
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
#CVE-2018-12365: Compromised IPC child process can list local filenames
#CVE-2018-12366: Invalid data handling during QCMS transformations
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
#CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field
#CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9
Changelog:
#CVE-2018-5183: Backport critical security fixes in Skia
#CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
#CVE-2018-5154: Use-after-free with SVG animations and clip paths
#CVE-2018-5155: Use-after-free with SVG animations and text paths
#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
#CVE-2018-5161: Hang via malformed headers
#CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
#CVE-2018-5170: Filename spoofing for external attachments
#CVE-2018-5168: Lightweight themes can be installed without user interaction
#CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
for downloaded files in Windows 10 April 2018 Update
#CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
#CVE-2018-5185: Leaking plaintext through HTML forms
#CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8,
and Thunderbird 52.8
Changelog:
Fixed Searching message bodies of messages in local folders,
including filter and quick filter operations, did not find
content in message attachments
Fixed Better error handling for Yahoo accounts
Fixed Various security fixes
#CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
#CVE-2018-5129: Out-of-bounds write with malformed IPC messages
#CVE-2018-5144: Integer overflow during Unicode conversion
#CVE-2018-5146: Out of bounds memory write in libvorbis
#CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7,
and Thunderbird 52.7
#CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and
Thunderbird 52.7
Changelog:
Fixed Searching message bodies of messages in local folders, including
filter and quick filter operations, not working reliably:
Content not found in base64-encode message parts, non-ASCII text
not found and false positives found.
Fixed Defective messages (without at least one expected header) not shown
in IMAP folders but shown on mobile devices
Fixed Calendar: Unintended task deletion if numlock is enabled
Fixed Various security fixes
Security fixes:
#CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
#CVE-2018-5096: Use-after-free while editing form elements
#CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
#CVE-2018-5098: Use-after-free while manipulating form input elements
#CVE-2018-5099: Use-after-free with widget listener
#CVE-2018-5102: Use-after-free in HTML media elements
#CVE-2018-5103: Use-after-free during mouse event handling
#CVE-2018-5104: Use-after-free during font face manipulation
#CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
#CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
and Thunderbird 52.6
Changelog:
Fix
This release fixes the "Mailsploit" vulnerability and other vulnerabilities
detected by the "Cure53" audit. For details and various other security
fixes see here.
CVE-2017-7845: Buffer overflow when drawing and validating elements with
ANGLE library using Direct 3D 9
CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
CVE-2017-7847: Local path string can be leaked from RSS feed
CVE-2017-7848: RSS Feed vulnerable to new line Injection
CVE-2017-7829: Mailsploit part 1: From address with encoded null character
is cut off in message header display
Unsorted entries in PLIST files have generated a pkglint warning for at
least 12 years. Somewhat more recently, pkglint has learned to sort
PLIST files automatically. Since pkglint 5.4.23, the sorting is only
done in obvious, simple cases. These have been applied by running:
pkglint -Cnone,PLIST -Wnone,plist-sort -r -F
Changelog:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in use.
This results in a potentially exploitable crash during these operations.
References
Bug 1406750
Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for data
theft of URLs loaded by users.
References
Bug 1408990
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David Keeler,
Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp,
Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56, Firefox ESR 52.4, and
Thunderbird 52.4. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort that some of these could be
exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
Changelog:
New
In Thunderbird 52 a new behavior was introduced for replies to mailing
list posts: "When replying to a mailing list, reply will be sent to
address in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
Fixed
Under certain circumstances (image attachment and non-image attachment),
attached images were shown truncated in messages stored in IMAP
folders not synchronised for offline use.
Fixed
IMAP UIDs > 0x7FFFFFFF not handled properly
Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API
Reporter
Abhishek Arya
Impact
high
Description
A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use,
resulting in a potentially exploitable crash.
References
Bug 1371889
#CVE-2017-7818: Use-after-free during ARIA array manipulation
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.
References
Bug 1363723
#CVE-2017-7819: Use-after-free while resizing images in design mode
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have
been freed from memory. This results in a potentially exploitable crash.
References
Bug 1380292
#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE
Reporter
Omair, Andre Weissflog
Impact
high
Description
A buffer overflow occurs when drawing and validating elements with
the ANGLE graphics library, used for WebGL content. This is due to
an incorrect value being passed within the library during checks and
results in a potentially exploitable crash.
References
Bug 1398381
#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
Reporter
Martin Thomson
Impact
high
Description
During TLS 1.2 exchanges, handshake hashes are generated which point
to a message buffer. This saved data is used for later messages but
in some cases, the handshake transcript can exceed the space available
in the current buffer, causing the allocation of a new buffer. This
leaves a pointer pointing to the old, freed buffer, resulting in
a use-after-free when handshake hashes are then calculated afterwards.
This can result in a potentially exploitable crash.
References
Bug 1377618
#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings
Reporter
François Marier
Impact
moderate
Description
File downloads encoded with blob: and data: URL elements bypassed
normal file download checks though the Phishing and Malware Protection
feature and its block lists of suspicious sites and files. This
would allow malicious sites to lure users into downloading executables
that would otherwise be detected as suspicious.
References
Bug 1376036
#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces
Reporter
Khalil Zhani
Impact
moderate
Description
Several fonts on OS X display some Tibetan and Arabic characters
as whitespace. When used in the addressbar as part of an IDN
this can be used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other
operating systems are unaffected.
References
Bug 1393624
Bug 1390980
#CVE-2017-7823: CSP sandbox directive did not create a unique origin
Reporter
Jun Kokatsu
Impact
moderate
Description
The content security policy (CSP) sandbox directive did not
create a unique origin for the document, causing it to behave as
if the allow-same-origin keyword were always specified. This could
allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.
References
Bug 1396320
#CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4,
and Thunderbird 52.4
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55, Firefox
ESR 52.3, and Thunderbird 52.3. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
Changelog:
Fixed
Unwanted inline images shown in rogue SPAM messages
Fixed
Deleting message from the POP3 server not working when maildir storage was used
Fixed
Message disposition flag (replied / forwarded) lost when reply or forwarded message was stored as draft and draft was sent later
Fixed
Inline images not scaled to fit when printing
Fixed
Selected text from another message sometimes included in a reply
Fixed
No authorisation prompt displayed when inserting image into email body although image URL requires authentication
Fixed
Large attachments taking a long time to open under some circumstances
Fixed
Various security fixes