Opened 3 years ago
Closed 3 years ago
#16938 closed enhancement (fixed)
thunderbird-102.2.0
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 11.2 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New minor version.
Change History (4)
comment:1 by , 3 years ago
Priority: | normal → elevated |
---|
comment:2 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 3 years ago
comment:4 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
What’s New
Config setting added to disable OpenPGP "encryption is possible" reminder: mail.openpgp.remind_encryption_possible
Changes
Thunderbird on macOS will now prompt for Primary Password on startup if set
Thunderbird will no longer offer to import OpenPGP keys that are incomplete
Selecting or unselecting a dictionary in the Spelling compose toolbar button will no longer immediately close the menu; making dictionary changes via the editor context menu will continue to close the context menu
Contact address lines are now adjusted to appear in the expected order
Custom1-4 fields restored to Address Book UI; existing data is preserved from pre-102 profiles
Fixes
Thunderbird startup performance improvements
ALT+<numpad digits> keypress events were intercepted by the Spaces Toolbar, preventing special character entry on Windows
Searching on attachment status did not work in Message Search dialog
Repairing IMAP folders in Offline mode removed local copy of the folders
POP3 message download progress bar was not displayed
POP Fetch headers only mode did not work for some server configurations
POP accounts using GSSAPI or NTLM authentication were not able to log into the server
A TLS certificate override dialog for self-signed certificates was not shown for IMAP accounts
Saving attachments from newsgroups did not work
Setting contact type to "None" was not possible if a type was previously set
Editing a contact without Name fields populated filled in the email address into the name fields
Address book toolbar buttons were not keyboard accessible
Auto-detection of CalDAV and CardDAV via DNS records used server domain leading to failures
Various visual and theme improvements
Various security fixes
Mozilla Foundation Security Advisory 2022-36: Security Vulnerabilities fixed in Thunderbird 102.2
Announced
Impact
Products
Fixed in
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
CVE-2022-38472: Address bar spoofing via XSLT error handling
Impact
Description
An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin.
CVE-2022-38473: Cross-origin XSLT Documents would have inherited the parent's permissions
Impact
Description
A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access).
CVE-2022-38476: Data race and potential use-after-free in PK11_ChangePW
Impact
Description
A data race could occur in the PK11_ChangePW function, potentially leading to a use-after-free vulnerability. In Thunderbird, this lock protected the data when a user changed their master password.
CVE-2022-38477: Memory safety bugs fixed in Thunderbird 102.2
Impact
Description
Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
CVE-2022-38478: Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13
Impact
Description
Members of the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.1 and Thunderbird 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.