#12687 closed enhancement (fixed)

thunderbird-68.2.0

Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: high
Milestone: 9.1
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New minor version

Change History (5)

comment:1 by Bruce Dubbs, 21 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:3 by Bruce Dubbs, 21 months ago

Wow. Build size is now 8.6G. Let's hear it for rust...

Install is still a large 151 MB, but that's only a 5 MB increase.

sed commands are no longer needed.

comment:4 by Bruce Dubbs, 21 months ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 22315.

comment:5 by Douglas R. Reno, 21 months ago

Priority: normal → high

Thunderbird Release Notes
Version 68.2.0, first offered to channel users on October 22, 2019

Check out "What’s New" and "Known Issues" for this version of Thunderbird below. As always, you’re encouraged to tell us what you think, or file a bug in Bugzilla. If interested, please see the complete list of changes in this release.

Thunderbird version 68.2.0 provides an automatic update from Thunderbird version 60. If you have installed Lightning, Thunderbird's calendar add-on, it will automatically be updated to match the new version of Thunderbird. Refer to this Calendar troubleshooting article in case of problems.

System Requirements:
• Windows: Windows 7, Windows Server 2008 R2 or later
• Mac: Mac OS X 10.9 or later
• Linux: GTK+ 3.4 or higher. Details here.

Please refer to Release Notes for version 68.0 to see the list of improvements and fixed issues.

What’s New

    new: Message Display WebExtension API
    new: Message Search WebExtension API
    fixed: Better visual feedback for unread messages when using the dark theme
    fixed: Various issues when editing mailing lists
    fixed: Integration with macOS addressbook and notifications not working after introduction of notarization
    fixed: Application windows not maintaining their size after restart
    fixed: Issues when upgrading from a 32bit version of Thunderbird to a 64bit version. Note: If your profile is still not recognised, select it by visiting about:profiles in the Troubleshooting Information.
    fixed: Various security fixes

Known Issues

    unresolved: When using a language pack, names of standard folders aren't localized (will be fixed in TB 68.2.1)
    unresolved: LDAP lookup not working when SSL is enabled. Workaround: Disable SSL or switch off option "Query OCSP responder servers" in the certificate settings in advanced options.

Mozilla Foundation Security Advisory 2019-35

Security vulnerabilities fixed in Thunderbird 68.2

Announced
    October 22, 2019
Impact
    critical
Products
    Thunderbird
Fixed in

        Thunderbird 68.2

#CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber

Reporter
    Sebastian Pipping
Impact
    high

Description

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to XML_GetCurrentLineNumber or XML_GetCurrentColumnNumber then resulted in a heap-based buffer over-read.
References

    Bug 1584907

#CVE-2019-11757: Use-after-free when creating index updates in IndexedDB

Reporter
    Zhanjia Song
Impact
    high

Description

When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash.
References

    Bug 1577107

#CVE-2019-11758: Potentially exploitable crash due to 360 Total Security

Reporter
    Mozilla developers and community
Impact
    high

Description

Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we presume that with enough effort that it could be exploited to run arbitrary code.
References

    Bug 1536227

#CVE-2019-11759: Stack buffer overflow in HKDF output

Reporter
    Guido Vranken
Impact
    moderate

Description

An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash.
References

    Bug 1577953

#CVE-2019-11760: Stack buffer overflow in WebRTC networking

Reporter
    Nils
Impact
    moderate

Description

A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some instances.
References

    Bug 1577719

#CVE-2019-11761: Unintended access to a privileged JSONView object

Reporter
    Cody Crews
Impact
    moderate

Description

By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms.
References

    Bug 1561502

#CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation

Reporter
    Kris Maglione
Impact
    moderate

Description

If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window.
References

    Bug 1582857

#CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique

Reporter
    Gareth Heyes
Impact
    moderate

Description

Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters.
References

    Bug 1584216

#CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Bob Clary, Jason Kratzer, Aaron Klotz, Iain Ireland, Tyson Smith, Christian Holler, Steve Fink, Honza Bambas, Byron Campen, and Cristian Brindusan reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2

Retroactively bump to high
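An added example (not part of the ticket, the BLFS book, or Mozilla's advisory tooling): a small Python parser for the flattened advisory layout pasted above, which pulls out each CVE with its impact and Bugzilla reference and derives the ticket priority the way the last comment does, treating any high or critical entry as reason to bump to high. The impact ranking and the triage rule are assumptions for illustration; the sample text is a constructed excerpt of the advisory.

```python
import re

# MFSA impact levels ranked from least to most severe (assumed ordering).
IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed sample: three of the eight entries from the advisory pasted
# above, in its flattened layout with the blank lines removed.
SAMPLE_ADVISORY = """\
#CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
Reporter
    Sebastian Pipping
Impact
    high
References
    Bug 1584907
#CVE-2019-11759: Stack buffer overflow in HKDF output
Reporter
    Guido Vranken
Impact
    moderate
References
    Bug 1577953
#CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2
Reporter
    Mozilla developers and community
Impact
    critical
References
    Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
"""


def parse_advisory(text):
    """Return one dict per '#CVE-YYYY-NNNN: title' heading in a flattened MFSA page."""
    # re.split with two groups yields [preamble, cve, title, body, cve, title, body, ...]
    parts = re.split(r"^#(CVE-\d{4}-\d+):\s*(.+)$", text, flags=re.M)
    entries = []
    for i in range(1, len(parts), 3):
        body = parts[i + 2]
        impact = re.search(r"^Impact\n\s*(\w+)", body, flags=re.M)
        bug = re.search(r"^\s*Bug (\d+)\s*$", body, flags=re.M)  # single Bugzilla reference
        entries.append({"cve": parts[i], "title": parts[i + 1].strip(),
                        "impact": impact.group(1).lower() if impact else "unknown",
                        "bug": bug.group(1) if bug else None})
    return entries


def ticket_priority(entries):
    """Assumed triage rule: any high or critical entry makes the update high priority."""
    worst = max((IMPACT_RANK.get(e["impact"], -1) for e in entries), default=-1)
    return "high" if worst >= IMPACT_RANK["high"] else "normal"
```

Run against the full advisory text, the same functions report the critical CVE-2019-11764 and return "high", matching the priority bump recorded in the comment.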
