Opened 2 months ago

Closed 2 months ago

#20888 closed enhancement (fixed)

seamonkey-2.53.20

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

Change History (7)

comment:1 by Douglas R. Reno, 2 months ago

What's New in SeaMonkey 2.53.20

SeaMonkey 2.53.20 contains (among other changes) the following changes relative to SeaMonkey 2.53.19:

  • Use Services.focus for bookmarking from mailnews in SeaMonkey bug 1925033.
  • Replace the Bookmark Manager with the Firefox Library in SeaMonkey: Another followup bug bug 1932731.
  • Port bug 1458385 - Update SeaMonkey's confvars.sh bug 1913633.
  • Tidy up channels code in cZ bug 1920565.
  • Sometimes tag data from an IRC server doesn't contain a pair bug 1923211.
  • Fix call to updateUsers in network onAway in cZ bug 1923213.
  • Remove unused XTLabelRecord from tree-utils.js in cZ bug 1923215.
  • Remove unused code from connection-xpcom.js in cZ bug 1923219.
  • Remove unused code from utils.js in cZ bug 1923221.
  • Switch from using arrayContains helper to using JS Array includes method in cZ bug 1923224.
  • Switch from using arrayIndexOf helper to using JS Array includes and indexOf methods in cZ bug 1923225.
  • Switch from using arrayRemoveAt and arrayInsertAt helpers to using JS Array splice and unshift methods in cZ bug 1923227.
  • Switch from using stringTrim helper to using JS string trim method in cZ bug 1923229.
  • Inline newObject function in cZ bug 1924338.
  • Remove getWindowByType function from cZ bug 1924586.
  • Inline viewCert function in cZ bug 1924587.
  • Remove getSpecialDirectory function and use Services.dirsvc in cZ bug 1924588.
  • Remove getNSSErrorClass function and tidy up NSS related code in cZ bug 1924589.
  • Tidy message manager code in cZ bug 1924592.
  • Remove getService helper and tidy up code around its callers in cZ bug 1924595.
  • Remove use of NSGetModule in cZ bug 1925871.
  • Tidy up chatzilla-service.js bug 1926406.
  • Use Intl.DateTimeFormat in cZ's strftime function bug 1927348.
  • Remove unused code from pref-manager.js in cZ bug 1927370.
  • Use Services.scriptloader in cZ bug 1927374.
  • Use more Services in cZ bug 1927376.
  • Tidy up some Components.* code in static.js in cZ bug 1927377.
  • Switch to using listbox instead of tree for cZ chat window bug 1927582.
  • Away status isn't reflected correctly in channel userlist in cZ bug 1928749.
  • Fix too much recursion and missing variable in cmdSave in cZ bug 1930391.
  • Replace confirm helper with Services.prompt.confirm in cZ bug 1930396.
  • Use Services.prompt in confirmEx, prompt and promptPassword helpers in cZ bug 1930540.
  • Use Services.prompt.alert and remove alert helper in cZ bug 1931705.
  • Simplify getListFIle in cZ bug 1931707.
  • Remove various const from file-utils.js in cZ bug 1931708.
  • Remove unused 2nd argument from mkdir helper in file-utils.js in cZ bug 1931709.
  • Use LocalFile directly rather than via helper fopen in cZ bug 1931710.
  • Tidy up picker code in file-utils.js in cZ bug 1931712.
  • Remove unnecessary type attributes in cZ bug 1933043.
  • Clean up Components usage in cZ bug 1933081.
  • Remove unused encodeForXMLAttribute function for cZ utils.js bug 1933083.
  • Move renameProperty helper into lib/irc.js for cZ bug 1933084.
  • Move formatDateOffset helper into handlers.js in cZ bug 1933085.
  • Move objectContains helper into command-manager.js in cZ bug 1933086.
  • Move splitLongWord helper into mungers.js in cZ bug 1933087.
  • Move randomString helper into commands.js in cZ bug 1933089.
  • Move Clone helper into commands.js in cZ bug 1933090.
  • Move equalsObject helper into channels.js in cZ bug 1933092.
  • Move matchEntry helper into static.js in cZ bug 1933093.
  • Move getCommonPfx helper to handlers.js in cZ bug 1933342.
  • Remove some code duplication in getSISize and getSISpeed helpers and improve coding in scaleNumbersBy1024 in cZ bug 1933346.
  • Fix secure IRC protocol handler in cZ bug 1937700.
  • UI: Link for download of Themes leads to Themes for Thunderbird bug 1656564.
  • Add ESR 128 links to debugQA bug 1909855.
  • Port changes needed from |Bug 1476333 - Consolidate the ways that we reference "browser.xul" across the tree| to SeaMonkey bug 1911841.
  • Switch from boxObject to getBoundingClientRect in utilityOverlay bug 1911844.
  • Align the SeaMonkey switchToTabHavingURI() call syntax with Firefox and toolkit bug 1925037.
  • Empty out SeaMonkey's removed-files.in (port bug 1392913) bug 1913579.
  • Update SeaMonkey installer to register as handler for media types bug 1925023.
  • Remove obsolete chat services from SeaMonkey address book part2 bug 1909853.
  • Add UI for browser.display.prefers_color_scheme to the SeaMonkey colors prefpane bug 1909743.
  • Update SeaMonkey wikipedia icon bug 1925021.
  • Show specific placeholders for bookmarks and history in SeaMonkey sidebar search bug 1925025.
  • Adjust dragOver method of tabbrowser.xml to be closer to Firefox version bug 1911845.
  • Avoid boxObject where appropriate in tabbrowser bug 1911847.
  • Simplify tab drop indicator code and styling bug 1911848.

Additional important security fixes up to Current Firefox 115.19 and Thunderbird 115.19 ESR plus many enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.

Please be advised that the minimum requirements for running SeaMonkey under Linux have changed. We are building on Rocky 8 Linux now and the dependencies are picked up from the builder library levels. The new minimum requirements are glibc 2.28, glib 2.56, gtk+2 2.24, gtk3 3.22.30 and pixman 0.36. See Linux compatibility matrix. This only applies for the official binary releases from our server. Distribution specific versions might have different minimum version requirements.

If you are using macOS 15.1.x please update to 15.2. Because of a bug in the OS SeaMonkey can not be started via Finder or Dock without workarounds. This applies to older versions too.

We are aware of numerous websites breaking because of only supporting the latest Chrome or Firefox versions. We are trying to address this and progress has been made in a different source code branch but the code is not ready for general distribution yet.

comment:2 by Douglas R. Reno, 2 months ago

Unfortunately all of the build fixes are still required, but this is starting to get code from the 128esr branch of the Mozilla products at least in a different branch. In the other branch though, tweaks for Python 3.12 and Python 3.13, ICU, and Clang have been accumulated, and it looks to be a rebase on top of Firefox 128.

comment:3 by Douglas R. Reno, 2 months ago

For now though, it looks like I'll need to take care of this tonight due to the security issues. :(

Another thing noted during the initial build process is changes to our mozconfig are required (so far, --disable-gconf is no longer supported)

comment:4 by Douglas R. Reno, 2 months ago

--with-system-bz2 is no longer supported either.

comment:5 by Douglas R. Reno, 2 months ago

Priority: normal → high

Security fixes:

  • CVE-2024-8381: Type confusion when looking up a property name in a "with" block (High)
  • CVE-2024-8382: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran (Moderate)
  • CVE-2024-8383: Firefox did not ask before opening news: links in an external application (Moderate)
  • CVE-2024-8384: Garbage collection could mis-color cross-compartment objects in OOM conditions (Moderate)
  • CVE-2024-9392: Compromised content process can bypass site isolation (High)
  • CVE-2024-9393: Cross-origin access to PDF contents through multipart responses (High)
  • CVE-2024-9394: Cross-origin access to JSON contents through multipart responses (High)
  • CVE-2024-9401: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (High)
  • CVE-2024-9680: Use-after-free in Animation timeline (Critical - exploit in the wild)
  • CVE-2024-10458: Permission leak via embed or object elements (High)
  • CVE-2024-10459: Use-after-free in layout with accessibility (High)
  • CVE-2024-10463: Cross origin video frame leak (Moderate)
  • CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims (Moderate)
  • CVE-2025-0238: Use-after-free when breaking lines in text (Moderate)
  • CVE-2025-0242: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6 (High)

Surprisingly this is up to date with the Firefox/Thunderbird versions that I'm putting in the book alongside this!

comment:6 by Douglas R. Reno, 2 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:7 by Douglas R. Reno, 2 months ago

Resolution: fixed
Status: assigned → closed

Fixed at cbcab3901a43a4e0e9ce9770a5bab4afa1b9b573

SA-12.2-060 issued
