Opened 12 months ago

Closed 11 months ago

Last modified 9 months ago

#18036 closed enhancement (fixed)

thunderbird-102.12.0

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.0
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (14)

comment:1 by Douglas R. Reno, 12 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 11 months ago

Summary: thunderbird-102.11.0 → thunderbird-102.11.2

comment:3 by Xi Ruoyao, 11 months ago

Will 102.12 be released soon?

I plan to update the book to LLVM-16.0.5 and Rustc-1.70.0 today or tomorrow. I've prepared the needed patch for Firefox 102.12, but TB 102.11 will need more than the patch (102.11 lacks bindgen workaround for LLVM 16).

comment:4 by ken@…, 11 months ago (in reply to: 3)

Replying to Xi Ruoyao:

> Will 102.12 be released soon?
>
> I plan to update the book to LLVM-16.0.5 and Rustc-1.70.0 today or tomorrow. I've prepared the needed patch for Firefox 102.12, but TB 102.11 will need more than the patch (102.11 lacks bindgen workaround for LLVM 16).

It usually follows shortly after the firefox 'minor' release. January was 3 days later (102.7.0), April (102.10.0) was 1 day later, February (102.8.0) and May (102.11.0) were two days after firefox.

I should also mention that, at least for firefox, the release occasionally does not match the candidate (102.8 - extra security fixes in the release re shipped nss).

There is a candidate at https://archive.mozilla.org/pub/thunderbird/candidates/102.12.0-candidates/

comment:5 by Douglas R. Reno, 11 months ago

Owner: changed from Douglas R. Reno to blfs-book
Status: assigned → new

Going to toss this back so it can be done with rust/llvm

comment:6 by Xi Ruoyao, 11 months ago

Milestone: 11.4 → 99-Waiting
Summary: thunderbird-102.11.2 → thunderbird-102.11.2 (wait for 102.12.0)

Wait for 102.12 then.

comment:7 by ken@…, 11 months ago

Milestone: 99-Waiting → 11.4
Summary: thunderbird-102.11.2 (wait for 102.12.0) → thunderbird-102.12.0 (was thunderbird-102.11.2)

thunderbird-102.12.0 now available, I guess the release notes will appear tomorrow.

comment:8 by Bruce Dubbs, 11 months ago

Summary: thunderbird-102.12.0 (was thunderbird-102.11.2) → thunderbird-102.12.0

comment:9 by Douglas R. Reno, 11 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:10 by Douglas R. Reno, 11 months ago

Priority: normal → elevated

comment:11 by Douglas R. Reno, 11 months ago

Thunderbird 102.11.0:

Fixes

During Account Setup, the "Checking password..." message was not removed after a failure

Miscellaneous UI fixes

Security fixes

Thunderbird-102.11.1

Fixes

POP message retrieval stopped after a network error occurred and connectivity was 
restored

Reused SMTP connections sometimes silently disconnected, causing timeouts

Thunderbird could freeze if saving a sent message to IMAP failed

Creating OpenPGP keys with no expiration was not possible

News reader did not always issue GROUP command after authentication with remote server,
preventing Thunderbird from displaying or refreshing news from the server

Thunderbird-102.11.3

Fixes

Thunderbird 102.11.1 contained POP3 client regressions with offline mode and TLS 
certificate overrides

Thunderbird-102.12.0

Fixes

"Searching the directory for recipients certificates" popup could block compose window 
when "S/MIME reminder" was enabled and using an LDAP address book

Some elements still used animations with "prefers-reduced-motion" set

Visual and theme improvements

Security fixes

Security Fixes (102.11)

CVE-2023-32205: Browser prompts could have been obscured by popups

Impact
    high

Description

In multiple cases browser prompts could have been obscured by popups controlled by 
content. These could have led to potential user confusion and spoofing attacks.

CVE-2023-32206: Crash in RLBox Expat driver

Impact
    high

Description

An out-of-bound read could have led to a crash in the RLBox Expat driver.

CVE-2023-32207: Potential permissions request bypass via clickjacking

Impact
    high

Description

A missing delay in popup notifications could have made it possible for an attacker to 
trick a user into granting permissions.

CVE-2023-32211: Content process crash due to invalid wasm code

Impact
    moderate

Description

A type checking bug would have led to invalid code being compiled.

CVE-2023-32212: Potential spoof due to obscured address bar

Impact
    moderate

Description

An attacker could have positioned a datalist element to obscure the address bar.

CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()

Impact
    moderate

Description

When reading a file, an uninitialized value could have been used as read limit.

CVE-2023-32215: Memory safety bugs fixed in Thunderbird 102.11

Impact
    high

Description

Mozilla developers and community members Gabriele Svelto, Andrew Osmond, Emily 
McDonough, Sebastian Hengst, Andrew McCreight and the Mozilla Fuzzing Team reported 
memory safety bugs present in Thunderbird 102.10. Some of these bugs showed evidence of 
memory corruption and we presume that with enough effort some of these could have been 
exploited to run arbitrary code.

Security Fixes (102.12)

CVE-2023-34414: Click-jacking certificate exceptions through rendering lag

Impact
    high

Description

The error page for sites with invalid TLS certificates was missing the activation-delay 
Thunderbird uses to protect prompts and permission dialogs from attacks that exploit 
human response time delays. If a malicious page elicited user clicks in precise 
locations immediately before navigating to a site with a certificate error and made the 
renderer extremely busy at the same time, it could create a gap between when the error 
page was loaded and when the display actually refreshed. With the right timing the 
elicited clicks could land in that gap and activate the button that overrides the 
certificate error for that site.

CVE-2023-34416: Memory safety bugs fixed in Thunderbird 102.12

Impact
    high

Description

Mozilla developers and community members Gabriele Svelto, Andrew McCreight, the Mozilla 
Fuzzing Team, Sean Feng, and Sebastian Hengst reported memory safety bugs present in 
Thunderbird 102.11. Some of these bugs showed evidence of memory corruption and we 
presume that with enough effort some of these could have been exploited to run 
arbitrary code.
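
The activation-delay protection named in CVE-2023-34414, modelled as an added example that is not part of this ticket and is not Mozilla's code. The names `OverrideButton` and `replay`, the 1000 ms delay and the timeline are assumptions made up for illustration, and the comparison of a delay counted from page load against one counted from first paint goes beyond what the advisory states.

```javascript
// Added illustration, not Mozilla's code. All times are milliseconds on one
// monotonic clock; the 1000 ms delay is an assumed value for this example.
const ACTIVATION_DELAY_MS = 1000;

class OverrideButton {
  // anchor "load": delay counted from when the error page finished loading.
  // anchor "paint": delay counted from the first frame the user could see.
  constructor(anchor, delayMs) {
    if (anchor !== "load" && anchor !== "paint") throw new Error("unknown anchor");
    this.anchor = anchor;
    this.delayMs = delayMs;
    this.loadedAt = null;
    this.paintedAt = null;
  }
  onLoad(t) { this.loadedAt = t; }
  onPaint(t) { if (this.paintedAt === null) this.paintedAt = t; }
  acceptsClick(t) {
    const start = this.anchor === "load" ? this.loadedAt : this.paintedAt;
    if (start === null) return false; // page not loaded or not shown yet
    return t - start >= this.delayMs;
  }
}

// Feed a timeline to a button and return the click times that activated it.
function replay(button, events) {
  const accepted = [];
  for (const e of events) {
    if (e.type === "load") button.onLoad(e.t);
    else if (e.type === "paint") button.onPaint(e.t);
    else if (e.type === "click" && button.acceptsClick(e.t)) accepted.push(e.t);
  }
  return accepted;
}

// Constructed timeline: the renderer is busy, so the first paint trails the load.
const TIMELINE = [
  { t: 0, type: "load" },
  { t: 300, type: "click" },   // queued before anything is visible
  { t: 1100, type: "click" },  // still before the first paint
  { t: 1200, type: "paint" },
  { t: 1500, type: "click" },  // 300 ms after paint: faster than a real decision
  { t: 2300, type: "click" },  // deliberate click on a visible button
];

const noDelay = replay(new OverrideButton("load", 0), TIMELINE);
const fromLoad = replay(new OverrideButton("load", ACTIVATION_DELAY_MS), TIMELINE);
const fromPaint = replay(new OverrideButton("paint", ACTIVATION_DELAY_MS), TIMELINE);
console.log({ noDelay, fromLoad, fromPaint });
```

Only the paint-anchored button rejects every click made before the page had been visible for the full delay.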

comment:12 by Douglas R. Reno, 11 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 3586f4f32a1965b7c59c6a0842614ddcf2749136

Security advisory coming soon

comment:13 by Douglas R. Reno, 10 months ago

SA-11.3-042 issued

comment:14 by Bruce Dubbs, 9 months ago

Milestone: 11.4 → 12.0

Milestone renamed
