Opened 3 years ago

Closed 3 years ago

#15621 closed enhancement (fixed)

thunderbird-91.2.1

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 11.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (6)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

Grab this set of tickets.

comment:2 by Douglas R. Reno, 3 years ago

91.1.2

Changes

    Thunderbird will now warn if an S/MIME encrypted message includes BCC recipients

Fixes

    Message Security popup did not display all recipients due to a missing scrollbar
    Delivery Status Notifications were only shown for the first recipient
    Composing a message from a template with attachments failed due to a temporary file being removed
    Attachment sizes were no longer included on printed emails
    A message sent with multiple attachments sometimes only sent one
    Thunderbird sometimes attached the wrong messages when forwarding multiple messages by attachment
    Thunderbird did not re-prompt for an SMTP username if one was not provided
    Messages with BCC recipients that were held in the Outbox did not retain the BCC header when moved to the Sent folder
    Thunderbird displayed reminders for events that were cancelled or declined
    New Feed Account dialog did not honor dark mode

comment:3 by Douglas R. Reno, 3 years ago

Priority: normal → elevated

91.2.0

Changes

    Saving a single message as .eml now uses a unique filename

Fixes

    New mail notifications did not properly take subfolders into account
    Decrypting binary attachments when using an external GnuPG configuration failed
    Account name fields in the account manager were not big enough for long names
    LDAP searches using an extensibleMatch filter returned no results
    Read-only CalDAV calendars and CardDAV address books were not detected
    Multipart messages containing a calendar invite did not display any of the human-readable alternatives
    Some calendar days were displayed incorrectly or duplicated (e.g. two "29th" days of a particular month)
    Phantom event was shown at the end of each day in Calendar week view
    Various security fixes

The security fixes involved:

Mozilla Foundation Security Advisory 2021-47
Security Vulnerabilities fixed in Thunderbird 91.2

Announced
    October 6, 2021
Impact
    high
Products
    Thunderbird
Fixed in

        Thunderbird 91.2

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

CVE-2021-38502: Downgrade attack on SMTP STARTTLS connections

Reporter
    Mattias Jacobsson
Impact
    high

Description

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too.

References

    Bug 1733366

CVE-2021-38496: Use-after-free in MessageTask

Reporter
    Yangkang of 360 ATA Team
Impact
    high

Description

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.

References

    Bug 1725335

CVE-2021-38497: Validation message could have been overlaid on another origin

Reporter
    Irvan Kurniawan
Impact
    moderate

Description

Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks.

References

    Bug 1726621

CVE-2021-38498: Use-after-free of nsLanguageAtomService object

Reporter
    Yangkang of 360 ATA Team
Impact
    moderate

Description

During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash.

References

    Bug 1729642

CVE-2021-32810: Data race in crossbeam-deque

Reporter
    Maor Kleinberger
Impact
    moderate

Description

In the crossbeam crate, one or more tasks in the worker queue could have been popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this could have caused a double free and a memory leak.

References

    Bug 1729813
    Bug https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw

CVE-2021-38500: Memory safety bugs fixed in Thunderbird 91.2

Reporter
    Mozilla developers
Impact
    high

Description

Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

    Memory safety bugs fixed in Thunderbird 91.2

CVE-2021-38501: Memory safety bugs fixed in Thunderbird 91.2

Reporter
    Mozilla developers
Impact
    high

Description

Mozilla developers and community members Kevin Brosnan, Mihai Alexandru Michis, and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

    Memory safety bugs fixed in Thunderbird 91.2

At least a couple of these are Thunderbird specific.
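
The fail-closed behaviour that the CVE-2021-38502 description above implies, as an added example (not Thunderbird's code and not part of the ticket): a client that is configured to require STARTTLS must abort, not continue in plaintext, when the server's EHLO reply lacks the keyword or the STARTTLS command is refused. The `Policy` names, `plan_session`, and the sample replies are constructed for illustration.

```python
from enum import Enum

class Policy(Enum):
    NONE = 0           # plaintext is acceptable
    IF_AVAILABLE = 1   # opportunistic: use TLS when offered
    REQUIRED = 2       # never send mail or credentials without TLS

class DowngradeError(Exception):
    """Raised instead of silently continuing in plaintext."""

def ehlo_keywords(reply):
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    keywords = set()
    for line in reply.strip().splitlines()[1:]:   # line 1 is the greeting
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError("malformed EHLO reply line: %r" % line)
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords

def plan_session(policy, ehlo_reply, starttls_reply="220 Ready to start TLS"):
    """Decide what the client may send next, failing closed under REQUIRED."""
    if policy is Policy.NONE:
        return ["AUTH"]
    offered = "STARTTLS" in ehlo_keywords(ehlo_reply)
    accepted = offered and starttls_reply.startswith("220")
    if not accepted:
        if policy is Policy.REQUIRED:
            reason = "refused" if offered else "not advertised"
            raise DowngradeError("STARTTLS " + reason + "; closing connection")
        return ["AUTH"]                            # opportunistic fallback
    # After the handshake the pre-TLS EHLO reply is untrusted: ask again.
    return ["STARTTLS", "<TLS handshake>", "EHLO", "AUTH"]

# Constructed sample replies (the hostname is a placeholder).
FULL_EHLO = "250-mail.example.test\n250-SIZE 35882577\n250-STARTTLS\n250 AUTH PLAIN LOGIN"
STRIPPED_EHLO = "250-mail.example.test\n250-SIZE 35882577\n250 AUTH PLAIN LOGIN"

def demo():
    """Run the REQUIRED policy against both sample replies."""
    results = {"full": plan_session(Policy.REQUIRED, FULL_EHLO)}
    try:
        plan_session(Policy.REQUIRED, STRIPPED_EHLO)
        results["stripped"] = "sent in plaintext"
    except DowngradeError as exc:
        results["stripped"] = str(exc)
    return results
```

Under `IF_AVAILABLE` the same stripped reply yields a plaintext session, which is why the advisory's impact depends on the "require" setting being honoured.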

comment:4 by Douglas R. Reno, 3 years ago

91.2.1

What’s New

    Preference added to disable automatic pausing RSS feed updates after a fetch failure

Fixes

    Recipient address pills in an error state could incorrectly merge with mailing list pills when expanding the list
    BCC-only messages could not be sent from the Outbox
    Default DSN request was not set when using "Edit as New Message"
    Vertical scrollbar in "Conversations" chat panel did not work correctly
    Chat account "Advanced Options" dialog had no clickable buttons on macOS
    RSS feed attachments could not be saved
    Public ICS calendars served with an incorrect Content-Type could not be added
    Setting a CalDAV calendar to manually update had no effect
    CalDAV calendars set to read-only became writable after restarting Thunderbird
    Saving a copy of a calendar invite (More -> Save As Copy) did not work
    Events in the first or last week of a month were not always printed when printing a month view
    Accessibility improvements; clearer display of area of focus
    Various theme improvements, HiDPI improvements
    "Attachments" menu panels for attached files were empty
    Stability improvements

comment:5 by Douglas R. Reno, 3 years ago

Summary: thunderbird-91.1.2 → thunderbird-91.2.1

Now 91.2.1

comment:6 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assigned → closed