Opened 21 months ago

Closed 20 months ago

Last modified 20 months ago

#18323 closed enhancement (fixed)

thunderbird-115.1.1

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 12.0
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

Change History (17)

comment:1 by Tim Tassonis, 21 months ago

Owner: changed from blfs-book to Tim Tassonis
Status: new → assigned

Ok, I'll have another go. But this time, I'll back up ~/.thunderbird first.

comment:2 by Tim Tassonis, 21 months ago

  • Message list was not updated when message was deleted from server outside of Thunderbird
  • Scrolling behaved unexpectedly when moving to next unread message in another folder
  • Scrolling animation was unnecessarily used when switching or toggling the sort column in message list
  • Attempting to delete a message and then cancelling the action still marked the message as read
  • Unified Toolbar could not be customized under certain tabs
  • Selecting a folder with one or more subfolders and pressing enter did not expand folder
  • Tooltips did not appear when hovering over folders
  • Deleting large amounts of messages from Trash folder consumed excessive time and memory
  • Message Summary header buttons were not keyboard accessible
  • "New" button in Message Filters dialog was not keyboard accessible
  • Backing up secret keys from OpenPGP Key Manager dialog silently failed
  • Various visual and UX improvements
  • Security fixes

comment:3 by Tim Tassonis, 20 months ago

Compiled ok, but still looks quite unusable. Currently, there is:

  • No "New Mail" button
  • Calendar does not show
  • Sending mails hangs when saving to Sent folder.

Douglas mentioned a patch for icu, I'm gonna try that, but for now, I'd really not recommend the 115 stuff to people caring about their mails.

comment:4 by Bruce Dubbs, 20 months ago

Milestone: 11.4 → 12.0

Milestone renamed

comment:5 by Tim Tassonis, 20 months ago

I now compiled 115.1.0 without system icu, and the calendar problems are gone. Will look into it a bit more.

comment:6 by Bruce Dubbs, 20 months ago

Summary: thunderbird-115.0.1 → thunderbird-115.1.0

comment:7 by Bruce Dubbs, 20 months ago

Builds OK. No patches or seds needed. Tested using IRC and it seems OK.

1058.2 Elapsed Time -  thunderbird-115.1.0.source
 
md5sum : 5e4eeb644474bac2114d0af8a4ad4591  /usr/src/thunderbird/thunderbird-115.1.0.source.tar.xz
520304 /usr/src/thunderbird/thunderbird-115.1.0.source.tar.xz SIZE (508.109 MB)
6764124 kilobytes BUILD SIZE (6605.589 MB)
SBU=9.201 at -j24

I did comment --with-system-icu in mozconfig.

comment:8 by Bruce Dubbs, 20 months ago

Investigating icu, the included version appears to be from git right around the time icu-73.1 was released.

Testing seemed to be OK, but needed configuration. I started testing over ssh, but the configuration didn't seem to work well that way with a 4K monitor. It was OK when run locally on a 2K monitor.

There is a bit of a learning curve for the new UI.

in reply to:  8 comment:9 by Joe Locash, 20 months ago

Replying to Bruce Dubbs:

> There is a bit of a learning curve for the new UI.

I find it helps to set mail.tabs.drawInTitlebar to false. If you have custom css scripts you might also have to set toolkit.legacyUserProfileCustomizations.stylesheets to true.

comment:10 by Tim Tassonis, 20 months ago

Owner: changed from Tim Tassonis to blfs-book
Status: assigned → new

Sorry, I'm dropping this ticket, I just don't feel comfortable enough with it at the moment, also because my GUI test system is not fully up-to-date.

comment:11 by Douglas R. Reno, 20 months ago

Summary: thunderbird-115.1.0 → thunderbird-115.1.1

Now 115.1.1

comment:12 by Douglas R. Reno, 20 months ago

Priority: normal → elevated

comment:13 by Douglas R. Reno, 20 months ago

Priority: elevated → high

Looking at the CVEs here, I'm going to upgrade this ticket to High priority from Elevated. There is a security vulnerability here that allows for Thunderbird to mischaracterize executable files as documents inside of attachments, and from a bit of research it seems that it'd work for compressed files too.

This update includes all of the Firefox CVEs too, but there are two in here that I'm concerned about:

CVE-2023-3417: File Extension Spoofing using the Text Direction Override Character

and

CVE-2023-3600: Use-after-free in workers

There's a proof of concept available for both of these, but in the case of 3600 you can cause Thunderbird to repeatedly crash as long as a malicious HTML mail is inside of your mailbox.
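
A defensive check for the filename spoofing issue raised in comment:13 (CVE-2023-3417), added here as an illustration and not part of the ticket or of Thunderbird's code: it scans a message's attachments for Unicode bidirectional control characters and reports the extension as actually stored. The sample message, its filenames and all function names are constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Unicode bidirectional controls that change the order in which text is drawn.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}

def audit_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment whose filename carries bidi controls."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
        if not controls:
            continue
        # Strip the controls first: the file type is decided by the characters
        # as stored, not by the order in which they are rendered.
        stored = "".join(c for c in name if c not in BIDI_CONTROLS)
        findings.append({
            "escaped_name": name.encode("unicode_escape").decode("ascii"),
            "controls": controls,
            "stored_name": stored,
            "stored_ext": stored.rsplit(".", 1)[-1].lower() if "." in stored else "",
        })
    return findings

def build_sample() -> bytes:
    """Constructed test message: one plain attachment, one with U+202E in its name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for filename in ("report.pdf", "invoice\u202efdp.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in audit_attachments(build_sample()):
        print(finding)
```
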

comment:14 by Douglas R. Reno, 20 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:15 by Douglas R. Reno, 20 months ago

115.1.0 Release Notes

  • Quick Filter bar is now hidden by default
  • Mail tab toolbar and Unified toolbar heights adjusted to be more consistent
  • Message-ID header used account domain instead of "From" field domain
  • Zooming did not work in multi-message view
  • "Clear Recent History" dialog did not resize correctly to fit content
  • Tooltip containing full message title did not appear when hovering over message in card view
  • Message List column headers became transparent in increased contrast mode
  • Message List card padding was incorrect in compact view
  • Total message counts and folder sizes were also hidden when "Hide Local Folders" was selected in Folder Pane options
  • Messages in deeply nested IMAP folders were inaccessible
  • Thunderbird Flatpak could not be executed from terminal using command "thunderbird"
  • CardDAV address book dialog did not resize properly to show all available address books
  • Various visual and style fixes

115.1.1 Release Notes

  • Some HTML emails printed headers on first page and message on subsequent pages
  • Deleting messages from message list sometimes scrolled list to bottom, selecting bottommost message
  • Width of icon columns (like Junk or Starred) in message list did not adjust when UI density was changed
  • Old OpenPGP secret keys could not be used to decrypt messages under certain circumstances
  • When multiple folder modes were active, tab focus navigated through all folder mode options before reaching message list
  • Unread message count badge was not displayed on parent folders of subfolder containing unread messages
  • "Undo archive" (via Ctrl-Z) did not un-archive previously archived messages
  • "New" button dropdown menu in "Message Filters" dialog could not be opened via keyboard navigation
  • "Show New Mail Alert for" input field in "Customize New Mail Alert" dialog had zero width when using certain language packs
  • "Account Wizard" dialog was too narrow when adding a news server, partially hiding confirmation buttons
  • Link Properties and Image Properties dialogs in the composer were too wide
  • Thunderbird version number and details in "About" dialog were not automatically read by screen readers when first opening dialog
  • Flatpak improvements and bug fixes
  • Various visual and UX improvements

115.1.0 Security Vulnerabilities

  • CVE-2023-4045: Offscreen Canvas could have bypassed cross-origin restrictions
  • CVE-2023-4046: Incorrect value used during WASM compilation
  • CVE-2023-4047: Potential permissions request bypass via clickjacking
  • CVE-2023-4048: Crash in DOMParser due to out-of-memory conditions
  • CVE-2023-4049: Fix potential race conditions when releasing platform objects
  • CVE-2023-4050: Stack buffer overflow in StorageManager
  • CVE-2023-4055: Cookie jar overflow caused unexpected cookie jar state
  • CVE-2023-4056: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
  • CVE-2023-4057: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1

We seem to have missed the security vulnerabilities fixed in 102.13, 102.13.1, and 102.14 because 115.0's release notes did not document them. Those will be:

  • CVE-2023-37201: Use-after-free in WebRTC certificate generation
  • CVE-2023-37202: Potential use-after-free from compartment mismatch in SpiderMonkey
  • CVE-2023-37207: Fullscreen notification obscured
  • CVE-2023-37208: Lack of warning when opening Diagcab files
  • CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13

comment:16 by Douglas R. Reno, 20 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 0bab4c8a14e49117d18d4eaa0eb3654693e655b4

Security Advisory coming shortly

comment:17 by Douglas R. Reno, 20 months ago

SA-11.3-081 issued
