Changelog:
52.2.1
Fixed Problems with Gmail (folders not showing, repeated email download, etc.) introduced in version 52.2.0.
52.2.0
Fixed Embedded images not shown in email received from Hotmail/Outlook webmailer
Fixed Detection of non-ASCII font names in font selector
Fixed Attachment not forwarded correctly under certain circumstances
Fixed Multiple requests for master password when GMail OAuth2 is enabled
Fixed Large number of blank pages being printed under certain circumstances when invalid preferences were present
Fixed Messages sent via the Simple MAPI interface are forced to HTML
Fixed Calendar: Invitations can't be printed
Fixed Mailing list (group) not accessible from macOS or Outlook address book
Fixed Clicking on links with references/anchors where target doesn't exist in the message not opening in external browser
Fixed Various security fixes
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2, and Thunderbird 52.2
52.1.1
Fixed Large attachments may not be shown or saved correctly if the message is stored in an IMAP folder which is not synchronized for offline use
Fixed Unable to load full message via POP if message was downloaded partially (or only headers) before
Fixed Some attachments can't be opened or saved if the message body is empty
Fixed Crash when compacting IMAP folder
Changelog:
Fixed
* Background images not working and other issues related to embedded images when composing email
* Google Oauth setup can sometimes not progress to the next step
Changelog:
52.0.1:
Fixed
Clicking on a link in an email may not open this link in the external browser.
Crash due to incompatibility with McAfee Anti-SPAM add-on. Add-on is blocked in 52.0.1
52.0:
New
Folder pane toolbar and folder view selector (replacement for folder view arrows)
Optionally remove corresponding data files when removing an account from Thunderbird
Import settings from Becky! Internet Mail
Possibility to copy message filter
Dictionary setting is restored when editing a draft. Content-Language header (RFC 3282) transmitted with message
Calendar: Event can now be created and edited in a tab
Calendar: Processing of received invitation counter proposals
Chat: Support Twitter Direct Messages
Chat: Liking and favoriting in Twitter
Chat: XMPP: Support SASL SCRAM authentication mechanism
Chat: Support Jabber/XMPP Message Carbons (XEP-280)
Changed
IMPORTANT: The way images are included in a compose window has changed. Images are now included as data URIs and not as references to parts of other messages or operating system files. This allows better interoperability with office packages such as MS Office or LibreOffice. Images linked from locations on the internet will no longer be downloaded and attached to the message automatically. This can be changed for each image individually via the Image Properties dialog or globally by setting the preference mail.compose.attach_http_images.
Correspondents column now default for all new folders, can be switched off with preference mail.threadpane.use_correspondents
When replying to a mailing list, reply will be sent to address in From header ignoring Reply-to header
On Linux PulseAudio is now required to play sound
Formatting toolbar is now left in place when delivery format is switched to plain text only
Messages in IMAP folders read on external device are now filtered by default
Folders backed by mbox storage larger than 4GB are supported without warning (unless preference mailnews.allowMboxOver4GB is set to false)
IMAP caching now uses Mozilla's latest caching technology
The keyboard shortcut to insert hyperlinks into a compose window was changed from CTRL+L to CTRL+K to align with Office applications
Chat: Removed Yahoo! Messenger support (since Yahoo removed support)
Fixed
Message preview pane non-functional after IMAP folder was renamed or moved
Fixed
Editing in paragraph format: Pressing Shift+Enter sometimes doesn't move the cursor to the next line
Various corrections when composing messages in paragraph format
Paste as quotation doesn't always work
Long lines in plain text replies not properly wrapped
Undesired white-space before signature in paragraph mode
When attachment unavailable, compose shows endless "Attaching..." message instead of error
Text encoding of reply sometimes incorrect (uses encoding of last viewed message)
Text encoding of message display, reply or forwarded message sometimes incorrect (uses encoding of attachment)
Delivery Format not preserved for saved drafts (Auto-Detect|Plaintext|HTML|Both)
Reply to own e-mail does not reply with the correct identity
IMAP message part caching
Links with escaped non-ASCII (international) characters can't be clicked
Calendar: Events specified in timezone "local time" generate alerts in UTC time
Chat: XMPP Resource collisions
Various security fixes
Security fixes:
#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
#CVE-2017-5401: Memory Corruption when handling ErrorResult
#CVE-2017-5402: Use-after-free working with events in FontFace objects
#CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
#CVE-2017-5404: Use-after-free working with ranges in selections
#CVE-2017-5406: Segmentation fault in Skia with canvas operations
#CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
#CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
#CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
#CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
#CVE-2017-5412: Buffer overflow read in SVG filters
#CVE-2017-5413: Segmentation fault during bidirectional operations
#CVE-2017-5414: File picker can choose incorrect default directory
#CVE-2017-5416: Null dereference crash in HttpChannel
#CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
#CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
#CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
#CVE-2017-5419: Repeated authentication prompts lead to DOS attack
#CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
#CVE-2017-5421: Print preview spoofing
#CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
#CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
#CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
Changelog:
#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
#CVE-2017-5401: Memory Corruption when handling ErrorResult
#CVE-2017-5402: Use-after-free working with events in FontFace objects
#CVE-2017-5404: Use-after-free working with ranges in selections
#CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
#CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
#CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
#CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
#CVE-2017-5398: Memory safety bugs fixed in Thunderbird 45.8
Changelog:
Fixed Message preview pane non-functional after IMAP folder was renamed or moved
Fixed "Move To" button on "Search Messages" panel not working
Fixed Message sent to "undisclosed recipients" shows no recipient (non-functional since Thunderbird version 38)
Fixed Calendar: No way to accept/decline email invitations when sent and received messages are stored in the same folder
Fixed Various security fixes
Security fixes:
#CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
#CVE-2017-5376: Use-after-free in XSL
#CVE-2017-5378: Pointer and frame data leakage of Javascript objects
#CVE-2017-5380: Potential use-after-free during DOM manipulations
#CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
#CVE-2017-5396: Use-after-free with Media Decoder
#CVE-2017-5383: Location bar spoofing with unicode characters
#CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
Changelog:
Fixed The system integration dialog was shown every time when starting Thunderbird
Fixed Various security fixes
Security vulnerabilities fixed in Thunderbird 45.6
#CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
#CVE-2016-9895: CSP bypass using marquee tag
#CVE-2016-9897: Memory corruption in libGLES
#CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
#CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
#CVE-2016-9904: Cross-origin information leak in shared atoms
#CVE-2016-9905: Crash in EnumerateSubDocuments
#CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
Changelog:
45.5.1:
#CVE-2016-9079: Use-after-free in SVG Animation
45.5.0:
#CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
#CVE-2016-5294: Arbitrary target directory for result files of update process
#CVE-2016-5297: Incorrect argument length checking in JavaScript
#CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
#CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
#CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
#CVE-2016-5290: Memory safety bugs fixed in Thunderbird 45.5
Changelog:
Fixed "Apply columns to..." did not honor special folders
Fixed Threading broken when editing message draft, due to loss of Message-ID
Fixed Mail saved as template copied In-Reply-To and References from original email.
Fixed Additional spaces were inserted when drafts were edited.
Fixed Recipient addresses were shown in red despite being inserted from the address book in some circumstances.
Fixed Display name was truncated if no separating space before email address.
Changelog:
Fixed Certain messages caused corruption of the drafts summary database.
Fixed "edit as new message" on a received message pre-filled the sender as the composing identity.
Fixed Disposition-Notification-To could not be used in mail.compose.other.header
Fixed Various security fixes
Fixed in Thunderbird 45.3
2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
Changelog:
Fixed Invitations to events could not be printed.
Fixed Dragging and dropping of contacts from the contact list onto an addressbook while All Addressbooks is selected moved only one contact
Fixed Falsely reported not enough disk space during compacting
Fixed Links were not always detected properly in the message body (terminated early on "|", some long links not detected at all)
Fixed in Thunderbird 45.2
2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
Changelog:
Fixed When entering members into a mailing list, the enter key dismissed the panel instead of just moving onto the next line
Fixed Email without HTML elements was sent as HTML, despite "Delivery Format: Auto-detect" option
Fixed Options applied to a template were lost when the template was used.
Fixed Contacts could not be deleted when they were found through a search
Fixed Views from global searches did not respect "mail.threadpane.use_correspondents"
Changelog:
Fixed in Thunderbird 45.1
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety problems and crashes that are fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46.
Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46 (CVE-2016-2807)
Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory safety problems and crashes that are fixed in Firefox ESR 45.1 and Firefox 46.
Memory safety bugs fixed in Firefox ESR 45.1 and Firefox 46 (CVE-2016-2806)
Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve Fink reported memory safety problems and crashes that are fixed in Firefox 46.
Memory safety bugs fixed in Firefox 46 (CVE-2016-2804)
Christian Holler reported a memory safety problem that is fixed in Firefox ESR 38.8.
Memory safety bug fixed in Firefox ESR 38.8 (CVE-2016-2805)
* Regen patch names
Changelog:
New Add a Correspondents column combining Sender and Recipient
New Much better support for XMPP chatrooms and commands.
New Remote content exceptions: Improved options to add exceptions.
New Implement option to always use HTML formatting to prevent unexpected format loss when converting messages to plain text.
New Use OpenStreetmap for maps (even allow the user to choose from list of map services)
New Allow spell checking and dictionary selection in the subject line
New Add dropdown in compose to allow specific setting of font size.
New Return/Enter in composer will now insert a new paragraph by default (shift-Enter will insert a line break)
New Mail.ru supports OAuth authentication.
New Allow copying of name and email address from the message header of an email
New Allow editing of From when composing a message.
Fixed Fixed: When sending e-mail which was composed using Chinese, Japanese or Korean characters, unwanted extra spaces were inserted within the text.
Fixed Spell checker checked spelling in invisible HTML parts of the message.
Fixed When saving a draft that is edited as new message, original draft was overwritten.
Fixed External images not displayed in reply/forward
Fixed Properly preserve pre-formatted blocks in message replies.
Fixed Crashed in some cases while parsing IMAP messages.
Fixed Copy/paste from a plain text editor lost white-space (multiple spaces/blanks, tabs, newlines)
Fixed "Open Draft"/"Forward"/"Edit As New"/"Reply" created message composition with incorrect character encoding.
Fixed Fixed: Grouped By view sort direction change was broken, plus enabled custom column grouping.
Fixed Fixed: New emails into a mailbox did not adhere to sort order by received.
Fixed Fixed: Box.com attachments failed to upload.
Fixed Fixed: Drag and drop of multiple attachments failed to OS file folder.
Fixed XMPP had connection problems for users with large rosters
Security bugs:
Fixed in Thunderbird 45
2016-37 Font vulnerabilities in the Graphite 2 library
2016-36 Use-after-free during processing of DER encoded keys in NSS
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-27 Use-after-free during XML transformations
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-19 Linux video memory DOS with Intel drivers
2016-18 CSP reports fail to strip location information for embedded iframe pages
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
Changelog:
Fixed in Thunderbird 38.7
2016-37 Font vulnerabilities in the Graphite 2 library
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-31 Memory corruption with malicious NPAPI plugin
2016-27 Use-after-free during XML transformations
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
Changelog:
Fixed Various security fixes.
Fixed Filters ran on a different folder than selected
Fixed For Windows systems on roaming profiles, could not display messages after Thunderbird update (related to Lightning updates)
Fixed in Thunderbird 38.6
2016-14 Vulnerabilities in Graphite 2
2016-03 Buffer overflow in WebGL after out of memory allocation
2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
2015-150 MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
Changelog:
38.5.0:
Not available
38.4.0:
Fixed Various security fixes
Fixed Fixed issue where messages moves of multiple messages from a maildir folder to an mbox folder failed.
Fixed in Thunderbird 38.4
2015-133 NSS and NSPR memory corruption issues
2015-132 Mixed content WebSocket policy bypass through workers
2015-131 Vulnerabilities found through code inspection
2015-128 Memory corruption in libjar through zip files
2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
2015-123 Buffer overflow during image interactions in canvas
2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
Changelog:
New Saved files tab now implements Search field and Clear button.
Fixed (Right-)Clicking on a newsgroup now allows directly composing a message again
Fixed Importing to the address book from CSV now works with international characters
Fixed Thunderbird no longer crashes when executing filter rules when using maildir
Fixed When using the maildir storage format, the INBOX folder is no longer deleted
Fixed Emails with long References headers are now decoded correctly
Fixed Checking for new messages correctly works after hibernation again
Fixed Chat entries are no longer sometimes lost in global database at shutdown.
It might still be possible that pkgsrc needs adjustments for gmp loading
if/when we adopt some gmp packages, but until then they serve no purpose
and in fact appear to be harmful. Fixes Firefox startup error message:
addons.manager ERROR Exception calling provider GMPProvider.startup
Changelog:
Changed Hardware acceleration is now disabled by default to avoid crashing Thunderbird
Fixed A few bugs have been fixed to avoid crashing Thunderbird
Fixed in Thunderbird 38.2
2015-90 Vulnerabilities found through code inspection
2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
2015-85 Out-of-bounds write with Updater and malicious MAR file
2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
* Fix mozilla-common.mk inclusion.
Changelog:
What's New
Fixed Copy/Paste into plain text editor deletes newlines from quoted text (bug 1143570)
Fixed Cross-posts won't send because Newsgroups: groups are separated with comma+space, not just comma (bug 1151448)
Fixed Cannot send email through exchange server (NTLM) (bug 1174159)
Fixed Doesn't display GB2312 encoded texts correctly for Chinese Characters (bug 1174580)
Fixed OAuth2 authentication for GMail does not work when specified server is imap.gmail.com or smtp.gmail.com. (bug 1176773)
Known Issues
unresolved Import from Outlook and Eudora disabled, code currently not working (bug 1175055)
Changelog:
What's New
New GMail supports OAuth2 authentication, removing the need to manually select "allow less secure applications" in Google options for the account. (bug 849540)
New Ship Lightning calendar addon with Thunderbird and enable with an opt-out dialog (bug 1113183)
New Filter sent messages (bug 11039)
New Filter messages when archived (bug 479823)
New Enable search in multiple/all address books (bug 170270)
New Add support for Yahoo Messenger in Chat (bug 955574)
New Support Internationalized domain name URLs for RSS feeds (Bug 1018589)
New Show expanded columns in folder pane (bug 464973)
New Allow file-per-message (maildir) local message storage (bug 845952)
New Add a Learn more link to the support page in feeds subscribe dialog (bug 1053782)
New Add reading position marker line to conversations (bug 760762)
New The editor for twitter should show inputtable character count (bug 736002)
Changed Thunderbird will no longer use SHA-1 to sign messages (bug 1018259)
Changed Removed rarely used character sets: T.61-8bit, non-encoding Mac encoders, VISCII, x-viet-tcvn5712, x-viet-vps x-johab, ARMSCII8 , map us-ascii to windows-1252, ISO-8859-6-I and -E and ISO-8859-8-E, (bug 1068505 and others.)
Changed Disable CONDSTORE support for IMAP to prevent discrepancies in IMAP message status (deleted, unread) on some servers (bug 912216)
Changed Make OpenSearch queries open in the user's default browser (bug 1120777)
Changed Default to using SSL for XMPP and IRC. This might cause issues for self-signed certificates (bug 1122567, bug 1122666)
Fixed Replied/forwarded icons disappear after folder repair, detach/delete (bug 840418)
Fixed Attachment "Save As" files are displayed in Tools/Saved Files (bug 914517)
Fixed Adding unknown email addresses to Mailing list, then deleting ghost duplicate entries from contacts pane, caused dataloss in mailing list (bug 628035)
Fixed Web site from RSS feed was not rendered correctly (bug 662907)
Fixed Email address with leading/trailing whitespace displayed wrongly with added quotes when composing ["foo"@bar.com] (bug 286760)
Fixed Force display of Sender header if S/MIME sender is the signer (bug 332639)
Fixed Addressing autocomplete widget: Typed text in red despite results/matches found if suggestions change by last input (bug 1042561)
Fixed Status bar not accessible (bug 934875)
Fixed Wrong folder may be deleted when requesting junk delete (bug 1018960)
Fixed Severe UI stutter or freezes getting new mail for very large folders (bug 870556)
Fixed Automatically rejoin multi-user conversations on reconnect for XMPP (bug 1014472)
Fixed Various improvements when using IRC on moznet (bug 1083768 and others)
Fixed Significantly improve XMPP support (bug 1085022 and others)
Fixed Fixes for connecting to non-standard IRC networks (bug 870556 and others)
Fixed Automatically reclaim IRC nicks during a reconnect (bug 1087566)
Fixed Changing location in editor doesn't preserve the font when returning to end of text/line (bug 756984)
Fixed Inline spell checker loses red underlines after a backspace is used (bug 1100966)
Known Issues
unresolved Automatic addon compatibility update checks were not completed, so existing addon compatibilities may not be accurate.
unresolved Copy/Paste into plain text editor deletes newlines from quoted text (bug 1143570)
unresolved Importing data from Outlook or Eudora crashes (bug 917961)
Security:
Fixed in Thunderbird 38.0.1
2015-58 Mozilla Windows updater can be run outside of application directory
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
Changelog:
Fixed in Thunderbird 31.7
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
CHangelog:
Fixed in Thunderbird 31.6
2015-40 Same-origin bypass through anchor navigation
2015-37 CORS requests should not follow 30x redirections after preflight
2015-33 resource:// documents can load privileged pages
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
Changelog:
Fixed in Firefox/Thunderbird ESR 31.5
2015-24 Reading of local files through manipulation of form autocomplete
2015-19 Out-of-bounds read and write while rendering SVG content
2015-16 Use-after-free in IndexedDB
2015-12 Invoking Mozilla updater will load locally stored DLL files
2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)
Changelog:
Fixed The previous issues with jp mac builds have now been fixed, and Thunderbird will no longer need to be run in 32-bit mode.
Fixed Security fixes can be found here
Fixed Installing extensions within Thunderbird no longer requires download and installing as a file (Bug 1081190)
Fixed Autocomplete suggestion sort order was adjusted to prioritize entries where the search string matches the beginning of a word (Bug 970456)
Fixed in Thunderbird 31.4
2015-04 Cookie injection through Proxy Authenticate responses
2015-03 sendBeacon requests lack an Origin header
2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)
Changelog:
Fixed Fixes an issue where using LDAP autocomplete could end up with blank entries in the compose addressing list (Bug 1045753)
Fixed Fixes an issue where IRC participants were not removed from the display on leaving a channel.
Fixed Fixes a regression where Thunderbird wasn't respecting the skip integration option on the default client dialog.
Fixed Security fixes can be found here
Fixed in Thunderbird 31.3
2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory
2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
2014-88 Buffer overflow while parsing media content
2014-87 Use-after-free during HTML5 parsing
2014-85 XMLHttpRequest crashes with some input streams
2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)
Changelog:
31.2.0:
Fixed
Fixed a case where having a contact and card in an address book with the same name could send to the mailing list (Bug 1008718)
Fixed
Invalid certificate issue with mozilla::pkix (see bug 1042889)
Fixed
Importing an RSA private key fails if p < q (see bug 1049435)
Fixed
Security fixes can be found here
31.1.2:
Fixed
Fixed an issue where anchor links would not work in HTML emails (Bug 974857)
Fixed
Security fixes can be found here
31.1.1:
Fixed
Fixed an issue where mailing lists with spaces in their names couldn't be autocompleted (Bug 1060901)
Fixed
Fixed an occasional startup crash (Bug 1005336)
31.1.0:
Fixed
Security fixes can be found here
Fixed
Improved performance of autocomplete for large address books (Bug 984875)
Fixed
Fixed an issue with IMAP being slow when looking for folders on certain server types (Bug 799821, Bug 859269)
Fixed
Fixed various theme issues relating to titlebars and toolbars (Bug 1007225, Bug 1026608, Bug 1041211, Bug 1046563, Bug 1054260)
# Fixed in Thunderbird 31.2
2014-81 Inconsistent video sharing within iframe
2014-79 Use-after-free interacting with text directionality
2014-77 Out-of-bounds write with WebM video
2014-76 Web Audio memory corruption issues with custom waveforms
2014-75 Buffer overflow during CSS manipulation
2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)
# Fixed in Thunderbird 31.1.2
2014-73 RSA Signature Forgery in NSS
# Fixed in Thunderbird 31.1
2014-72 Use-after-free setting text directionality
2014-70 Out-of-bounds read in Web Audio audio timeline
2014-69 Uninitialized memory use during GIF rendering
2014-68 Use-after-free during DOM interactions with SVG
2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)
* Update enigmail to 1.7
Changelog:
NEW
Autocompleting email addresses now matches against any part of the name or email (bug 529584)
NEW
Composing a mail to a newsgroup will now autocomplete newsgroup names (bug 61491)
FIXED
Insecure NTLM (pre-NTLMv2) authentication disabled (see 828183)
Fixed in Thunderbird 31
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)
Changelog:
Fixed in Thunderbird 24.6
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
The following security problems were fixed in this release:
- MFSA 2014-46 Use-after-free in nsHostResolve
- MFSA 2014-44 Use-after-free in imgLoader while resizing images
- MFSA 2014-43 Cross-site scripting (XSS) using history navigations
- MFSA 2014-42 Privilege escalation through Web Notification API
- MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
- MFSA 2014-37 Out of bounds read while decoding JPG images
- MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service
Installer
- MFSA 2014-34 Miscellaneous memory safety hazards
Changelog:
Fixed in Thunderbird 24.4
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
Changelog:
FIXED
Security fixes can be found here
FIXED
Fixed an issue where long messages with multiple signatures could end up unreadable (bug 929006)
FIXED
Fixed an issue where editing account settings was not possible in some non-standard configurations of local folder set-ups (bug 921371)
Fixed in Thunderbird 24.2
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
Fixed in Thunderbird 24.1.1
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
TODO: put sdk common files into their own PLIST in order to simplify updates to
PLIST.enigmail and PLIST.lightning.
Changelog:
24.1.
FIXED
Fixed an issue where signatures were shown in too lighter grey making them difficult to read (bug 917906)
FIXED
Fixed an issue where Auto CC for reply might not work if the cc address is the same as the sending address (bug 917231)
FIXED
Security fixes can be found here
Fixed in Thunderbird 24.0
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
24.0
NEW
Message threads can now be ignored or watched
NEW
Emails can now be sent to IDN based email addresses
NEW
Zoom functionality is now available in the compose window
CHANGED
In the Compose window, ctrl/cmd + and ctrl/cmd - now change the zoom setting rather than the font size
CHANGED
In Twitter, replying to a tweet now replies to all users, just like on the Twitter website
FIXED
Interactions in the filter list dialogs have been improved
FIXED
In Chat user nicknames are now highlighted when mentioned
FIXED
In IRC, long messages will now be sent in multiple parts instead of being cut off
FIXED
Various security fixes
Fixed in Thunderbird 24.1
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
