#12687 closed enhancement (fixed)
thunderbird-68.2.0
Reported by: | Douglas R. Reno | Owned by: | Bruce Dubbs |
---|---|---|---|
Priority: | high | Milestone: | 9.1 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
New minor version
Change History (5)
comment:1 by , 5 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 5 years ago
comment:3 by , 5 years ago
Wow. Build size is now 8.6G. Let's hear it for rust...
Install is still a large 151 MB, but that's only a 5 MB increase.
sed commands are no longer needed.
comment:5 by , 5 years ago
Priority: | normal → high |
---|
Thunderbird Release Notes Version 68.2.0, first offered to channel users on October 22, 2019 Check out "What’s New" and "Known Issues" for this version of Thunderbird below. As always, you’re encouraged to tell us what you think, or file a bug in Bugzilla. If interested, please see the complete list of changes in this release. Thunderbird version 68.2.0 provides an automatic update from Thunderbird version 60. If you have installed Lightning, Thunderbird's calendar add-on, it will automatically be updated to match the new version of Thunderbird. Refer to this Calendar troubleshooting article in case of problems. System Requirements: • Window: Windows 7, Windows Server 2008 R2 or later • Mac: Mac OS X 10.9 or later • Linux: GTK+ 3.4 or higher. Details here. Please refer to Release Notes for version 68.0 to see the list of improvements and fixed issues. What’s New new Message Display WebExtension API new Message Search WebExtension API fixed Better visual feedback for unread messages when using the dark theme fixed Various issues when editing mailing lists fixed Integration with macOS addressbook and notifications not working after introduction of notarization fixed Application windows not maintaining their size after restart fixed Issues when upgrading from a 32bit version of Thunderbird to a 64bit version. Note: If your profile is still not recognised, selected it by visiting about:profiles in the Troubleshooting Information. fixed Various security fixes Known Issues unresolved When using a language pack, names of standard folders aren't localized (will be fixed in TB 68.2.1) unresolved LDAP lookup not working when SSL is enabled. Workaround: Disable SSL or switch off option "Query OSCP responder servers" in the certificate settings in advanced options.
Mozilla Foundation Security Advisory 2019-35 Security vulnerabilities fixed in - Thunderbird 68.2 Announced October 22, 2019 Impact critical Products Thunderbird Fixed in Thunderbird 68.2 #CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber Reporter Sebastian Pipping Impact high Description In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to XML_GetCurrentLineNumber or XML_GetCurrentColumnNumber then resulted in a heap-based buffer over-read. References Bug 1584907 #CVE-2019-11757: Use-after-free when creating index updates in IndexedDB Reporter Zhanjia Song Impact high Description When following the value's prototype chain, it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash. References Bug 1577107 #CVE-2019-11758: Potentially exploitable crash due to 360 Total Security Reporter Mozilla developers and community Impact high Description Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we presume that with enough effort that it could be exploited to run arbitrary code. References Bug 1536227 #CVE-2019-11759: Stack buffer overflow in HKDF output Reporter Guido Vranken Impact moderate Description An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash. References Bug 1577953 #CVE-2019-11760: Stack buffer overflow in WebRTC networking Reporter Nils Impact moderate Description A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a potentially exploitable crash in some instances. References Bug 1577719 #CVE-2019-11761: Unintended access to a privileged JSONView object Reporter Cody Crews Impact moderate Description By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. References Bug 1561502 #CVE-2019-11762: document.domain-based origin isolation has same-origin-property violation Reporter Kris Maglione Impact moderate Description If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. References Bug 1582857 #CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique Reporter Gareth Heyes Impact moderate Description Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML entities being masked from filters - enabling the use of entities to mask the actual characters of interest from filters. References Bug 1584216 #CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2 Reporter Mozilla developers and community Impact critical Description Mozilla developers and community members Bob Clary, Jason Kratzer, Aaron Klotz, Iain Ireland, Tyson Smith, Christian Holler, Steve Fink, Honza Bambas, Byron Campen, and Cristian Brindusan reported memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
Retroactively bump to high
Note:
See TracTickets
for help on using tickets.
Release notes are at https://www.thunderbird.net/en-US/thunderbird/68.2.0/releasenotes/