Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#18541 closed enhancement (fixed)

thunderbird-115.2.2

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: high
Milestone: 12.1
Component: BOOK
Version: git
Severity: critical
Keywords:
Cc:

Description

New point version.

Change History (9)

comment:1 by Douglas R. Reno, 8 months ago

Priority: normal → high
Severity: normal → critical
Summary: thunderbird-115.2.1 → thunderbird-115.2.2

Now 115.2.2 for the same reason as Firefox.

comment:2 by pierre, 8 months ago

115.2.1

New

Column separators are now shown between all columns in tree view

Fixes

Crash reporter did not work in Thunderbird Flatpak

New mail notification always opened message in message pane, even if pane was disabled

After moving an IMAP message to another folder, the incorrect message was selected in the message list

Adding a tag to an IMAP message opened in a tab failed

Junk/Spam folders were not always shown in Unified Folders mode

Middle-clicking a folder or message did not open it in a background tab, as in previous versions

Settings tab visual improvements: Advanced Fonts dialog, Section headers hidden behind search box

Various visual and style fixes

115.2.2

Fixes

Security fixes: Not yet available for 115.2.2

comment:3 by Douglas R. Reno, 8 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:4 by pierre, 8 months ago

Security fix now published:

Thunderbird 102.15.1, and Thunderbird 115.2.2

Announced

September 12, 2023

Impact

critical

Products

Firefox, Firefox ESR, Thunderbird

Fixed in

Firefox 117.0.1, Firefox ESR 102.15.1, Firefox ESR 115.2.1, Thunderbird 102.15.1, Thunderbird 115.2.2

CVE-2023-4863: Heap buffer overflow in libwebp

Reporter

Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School

Impact

critical

Description

Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.

comment:5 by Douglas R. Reno, 8 months ago

Priority: high → normal

That was fixed with the libwebp patch that Ken added. :)

comment:6 by Douglas R. Reno, 8 months ago

Priority: normal → high

Upon further investigation, we've determined that we're using bundled webp for Thunderbird.

Because of this we need to both upgrade *and* mention to use system webp, and mention both in the security advisory since we shipped it this way in 12.0.

comment:7 by Douglas R. Reno, 8 months ago

Book updated at 19e0a87ffbde34613a6d1dd042ba528f2875b94a

SA to come soon

comment:8 by Douglas R. Reno, 8 months ago

Resolution: fixed
Status: assigned → closed

SA-11.3-006 issued.

comment:9 by Douglas R. Reno, 8 months ago

Sent an update on this to the mailing lists.

If you are using Thunderbird on any version of BLFS, you need to upgrade to 115.2.2 immediately.
