Opened 3 years ago
Closed 3 years ago
#15621 closed enhancement (fixed)
thunderbird-91.2.1
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 11.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (6)
comment:1 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 3 years ago
91.1.2
Changes
- Thunderbird will now warn if an S/MIME encrypted message includes BCC recipients

Fixes
- Message Security popup did not display all recipients due to a missing scrollbar
- Delivery Status Notifications were only shown for the first recipient
- Composing a message from a template with attachments failed due to a temporary file being removed
- Attachment sizes were no longer included on printed emails
- A message sent with multiple attachments sometimes only sent one
- Thunderbird sometimes attached the wrong messages when forwarding multiple messages by attachment
- Thunderbird did not re-prompt for an SMTP username if one was not provided
- Messages with BCC recipients that were held in the Outbox did not retain the BCC header when moved to the Sent folder
- Thunderbird displayed reminders for events that were cancelled or declined
- New Feed Account dialog did not honor dark mode
comment:3 by , 3 years ago
Priority: | normal → elevated |
---|
91.2.0
Changes
- Saving a single message as .eml now uses a unique filename

Fixes
- New mail notifications did not properly take subfolders into account
- Decrypting binary attachments when using an external GnuPG configuration failed
- Account name fields in the account manager were not big enough for long names
- LDAP searches using an extensibleMatch filter returned no results
- Read-only CalDAV calendars and CardDAV address books were not detected
- Multipart messages containing a calendar invite did not display any of the human-readable alternatives
- Some calendar days were displayed incorrectly or duplicated (e.g. two "29th" days of a particular month)
- Phantom event was shown at the end of each day in Calendar week view
- Various security fixes
The security fixes involved:
Mozilla Foundation Security Advisory 2021-47
Security Vulnerabilities fixed in Thunderbird 91.2

- Announced: October 6, 2021
- Impact: high
- Products: Thunderbird
- Fixed in: Thunderbird 91.2

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

CVE-2021-38502: Downgrade attack on SMTP STARTTLS connections
- Reporter: Mattias Jacobsson
- Impact: high
- Description: Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too.
- References: Bug 1733366

CVE-2021-38496: Use-after-free in MessageTask
- Reporter: Yangkang of 360 ATA Team
- Impact: high
- Description: During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.
- References: Bug 1725335

CVE-2021-38497: Validation message could have been overlaid on another origin
- Reporter: Irvan Kurniawan
- Impact: moderate
- Description: Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks.
- References: Bug 1726621

CVE-2021-38498: Use-after-free of nsLanguageAtomService object
- Reporter: Yangkang of 360 ATA Team
- Impact: moderate
- Description: During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash.
- References: Bug 1729642

CVE-2021-32810: Data race in crossbeam-deque
- Reporter: Maor Kleinberger
- Impact: moderate
- Description: In the crossbeam crate, one or more tasks in the worker queue could have been popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this could have caused a double free and a memory leak.
- References: Bug 1729813, https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw

CVE-2021-38500: Memory safety bugs fixed in Thunderbird 91.2
- Reporter: Mozilla developers
- Impact: high
- Description: Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- References: Memory safety bugs fixed in Thunderbird 91.2

CVE-2021-38501: Memory safety bugs fixed in Thunderbird 91.2
- Reporter: Mozilla developers
- Impact: high
- Description: Mozilla developers and community members Kevin Brosnan, Mihai Alexandru Michis, and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- References: Memory safety bugs fixed in Thunderbird 91.2
At least a couple of these are Thunderbird specific.
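
The fail-closed client behaviour whose absence CVE-2021-38502 describes, sketched with Python's smtplib as an added example (not Thunderbird's code and not part of this ticket). The names `open_submission`, `DowngradeRefused` and the `smtp_factory` parameter are hypothetical.

```python
import smtplib
import ssl


class DowngradeRefused(Exception):
    """STARTTLS was required but the server did not offer it."""


def open_submission(host, port, user, password, require_starttls=True,
                    smtp_factory=smtplib.SMTP):
    """Open an authenticated SMTP submission session.

    With require_starttls=True the function fails closed: credentials are
    never sent unless the connection was upgraded to verified TLS.
    smtp_factory is a hypothetical hook for testing; it defaults to the
    real smtplib.SMTP class.
    """
    smtp = smtp_factory(host, port, timeout=30)
    try:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            # The default context verifies the certificate chain and host
            # name. smtplib raises SMTPResponseException if the server
            # answers STARTTLS with anything other than 220.
            smtp.starttls(context=ssl.create_default_context())
            # Capabilities announced before TLS came over an unprotected
            # channel, so ask again inside the tunnel.
            smtp.ehlo()
        elif require_starttls:
            # A missing STARTTLS capability may be a stripped one.
            # Stop here, before AUTH or any message data is sent.
            raise DowngradeRefused(
                f"{host}:{port} did not advertise STARTTLS")
        smtp.login(user, password)
        return smtp
    except Exception:
        smtp.close()
        raise
```

With `require_starttls=False` the same function behaves opportunistically and will authenticate in cleartext when the capability is absent, which is the exposure the advisory describes for unprotected authentication methods.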
comment:4 by , 3 years ago
91.2.1
What’s New
- Preference added to disable automatic pausing RSS feed updates after a fetch failure

Fixes
- Recipient address pills in an error state could incorrectly merge with mailing list pills when expanding the list
- BCC-only messages could not be sent from the Outbox
- Default DSN request was not set when using "Edit as New Message"
- Vertical scrollbar in "Conversations" chat panel did not work correctly
- Chat account "Advanced Options" dialog had no clickable buttons on macOS
- RSS feed attachments could not be saved
- Public ICS calendars served with an incorrect Content-Type could not be added
- Setting a CalDAV calendar to manually update had no effect
- CalDAV calendars set to read-only became writable after restarting Thunderbird
- Saving a copy of a calendar invite (More -> Save As Copy) did not work
- Events in the first or last week of a month were not always printed when printing a month view
- Accessibility improvements; clearer display of area of focus
- Various theme improvements, HiDPI improvements
- "Attachments" menu panels for attached files were empty
- Stability improvements
comment:6 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |