Change logs for mozilla-thunderbird source package in Dapper

  • mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080614k-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * RELEASE security/stability backports for tbird 1.5 as of 2.0.0.21
        (USN-741-1)
        - http://people.ubuntu.com/~asac/mozilla-security/1.8.1.21tb+3.0.7/moz_1.8.0.15prepatches080614k.tar.gz
    
     -- Alexander Sack <email address hidden>   Thu, 19 Mar 2009 10:58:17 +0100
  • mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * RELEASE security/stability backports for tbird 1.5 as of 2.0.0.19
        (USN-701-2)
        - http://people.ubuntu.com/~asac/mozilla-security/1.8.1.19/moz_1.8.0.15prepatches080614i.tar.gz
    
     -- Alexander Sack <email address hidden>   Mon, 05 Jan 2009 12:53:51 +0100
  • mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080614h-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * RELEASE security/stability backports for tbird 1.5 as of 2.0.0.18
        (USN-668-1)
        - http://people.ubuntu.com/~asac/mozilla-security/1.8.1.18/moz_1.8.0.15prepatches080614h.tar.gz
    
     -- Alexander Sack <email address hidden>   Tue, 25 Nov 2008 11:25:59 +0100
  • mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080614g-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * RELEASE security/stability backports for tbird 1.5 as of 2.0.0.17
        (USN-647-1)
        - http://people.ubuntu.com/~asac/mozilla-security/1.8.1.17/moz_1.8.0.15prepatches080614g.tar.gz
    
     -- Alexander Sack <email address hidden>   Thu, 24 Jul 2008 08:55:01 +0200
  • mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080614d-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * RELEASE security/stability backports for tbird 1.5 as of 2.0.0.16
        (USN-629-1)
        - http://people.ubuntu.com/~asac/mozilla-security/1.8.1.16/moz_1.8.0.15prepatches080614d.tar.gz
        - http://people.ubuntu.com/~asac/mozilla-security/1.8.1.16/xulrunner_1.5.0.15pre080614d-source.tar.bz2
    
      * debian/patches/00list: disable 10_visibility_hidden_patch.dpatch - which is now shipped
        in upstream tarballs.
    
     -- Alexander Sack <email address hidden>   Thu, 24 Jul 2008 08:55:01 +0200
  • mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080417a-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * RELEASE security/stability backports for tbird 1.5 as of 2.0.0.14
        (USN-605-1)
        - http://people.ubuntu.com/~asac/mozilla-security/1.8.1.14/moz_1.8.0.15prepatches080417a.tar.gz
    
      * drop patches applied upstream from debian/patches
        - 0071_279505-attachment-297724-fix-396613-regression.dpatch
    
     -- Alexander Sack <email address hidden>   Fri, 02 May 2008 11:20:00 +0200
  • mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1) dapper-security; urgency=low
    
      * fix memory access regression (LP: #197504)
        - add debian/patches/0071_279505-attachment-297724-(fix-396613-regression).dpatch
        - update debian/patches/00list
    
     -- Alexander Sack <email address hidden>   Tue, 04 Mar 2008 12:52:02 +0100
  • mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.0) dapper-security; Urgency=low
    
      * release security backports for 1.8.0.12 (including previously not released
        firefox patches for 1.8.0.10/11)
      * add distro version patch to indicate post-EOL maintenance release
        - add debian/patches/98_ubuntu_eol_distro_version.dpatch
        - update debian/patches/00list
    
     -- Alexander Sack <email address hidden>   Wed, 27 Feb 2008 09:51:09 +0100
  • mozilla-thunderbird (1.5.0.13+1.5.0.14b-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security/stability update:
      * MFSA 2007-29 aka CVE-2007-5339 (browser), CVE-2007-5340 (javascript)
      * MFSA 2007-30 aka CVE-2007-1095
      * MFSA 2007-31 aka CVE-2007-2292
      * MFSA 2007-32 aka CVE-2007-3511, CVE-2006-2894
      * MFSA 2007-33 aka CVE-2007-5334
      * MFSA 2007-34 aka CVE-2007-5337
      * MFSA 2007-35 aka CVE-2007-5338
      * MFSA 2007-36 aka CVE-2007-4841 (windows only)
    
     -- Alexander Sack <email address hidden>   Mon, 22 Oct 2007 10:49:42 +0200
  • mozilla-thunderbird (1.5.0.13-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security/stability update:
        - CVE-2007-3734, CVE-2007-3735 - MFSA 2007-18: Crashes with evidence of
          memory corruption (rv:1.8.0.13/1.8.1.5)
        - CVE-2007-3670 - MFSA 2007-23: Remote code execution by launching Firefox
          from Internet Explorer.
        - CVE-2007-3844 - MFSA 2007-26: Privilege escalation through chrome-loaded
          about:blank windows.
        - CVE-2007-3845 - MFSA 2007-27:  Unescaped URIs passed to external
          programs.
    
     -- Alexander Sack <email address hidden>   Fri, 24 Aug 2007 11:53:42 +0200
  • mozilla-thunderbird (1.5.0.12-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security/stability update:
        - CVE-2007-2867, CVE-2007-2868, MFSA 2007-12: Crashes with evidence of
          memory corruption (rv:1.8.0.12/1.8.1.4)
        - CVE-2007-1558, MFSA 2007-15: Security Vulnerability in APOP
          Authentication
    
     -- Alexander Sack <email address hidden>   Mon,  4 Jun 2007 10:19:00 +0200
  • mozilla-thunderbird (1.5.0.10-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security update:
        - CVE-2007-0008, MFSA 2006-06: SSLv2 Client Integer Underflow
          Vulnerability
        - CVE-2007-0009, MFSA 2006-06: SSLv2 Server Stack Overflow
          Vulnerability
        - CVE-2007-0775, CVE-2007-0776, CVE-2007-0777, MFSA 2007-01:
          Crashes with evidence of memory corruption
      * drop patches applied upstream: 90_ppc64-build-fix
    
     -- Alexander Sack <email address hidden>   Mon,  5 Mar 2007 11:30:00 +0100
  • mozilla-thunderbird (1.5.0.9-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security update:
        - CVE-2006-6505, MFSA 2006-74: Mail header processing heap overflows.
        - CVE-2006-6503, MFSA 2006-72: XSS by setting img.src to javascript: URI.
        - CVE-2006-6502, MFSA 2006-71: LiveConnect crash finalizing JS objects.
        - CVE-2006-6501, MFSA 2006-70: Privilege escalation using watch point.
        - CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, MFSA 2006-68: Crashes
          with evidence of memory corruption.
    
     -- Kees Cook <email address hidden>   Wed,  3 Jan 2007 10:57:25 -0800
  • mozilla-thunderbird (1.5.0.8-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security update:
        - CVE-2006-5463, MFSA 2006-67: Running Script can be recompiled.
        - CVE-2006-5462, MFSA 2006-66: RSA signature forgery (variant).
        - CVE-2006-5464, CVE-2006-5747, CVE-2006-5748, MFSA 2006-65: Crashes with
          evidence of memory corruption.
    
     -- Kees Cook <email address hidden>   Tue, 14 Nov 2006 16:54:37 -0800
  • mozilla-thunderbird (1.5.0.7-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security update:
        - MFSA 2006-64, CVE-2006-4571: Crashes with evidence of memory corruption
          (rv:1.8.0.7)
        - MFSA 2006-63, CVE-2006-4570: JavaScript execution in mail via XBL
        - MFSA 2006-60, CVE-2006-4340: RSA Signature Forgery
        - MFSA 2006-59, CVE-2006-4253: Concurrency-related vulnerability
        - MFSA 2006-58, CVE-2006-4567: Auto-Update compromise through DNS and SSL
          spoofing
        - MFSA 2006-57, CVE-2006-4565, CVE-2006-4566: JavaScript Regular Expression
          Heap Corruption
    
     -- Martin Pitt <email address hidden>   Fri, 15 Sep 2006 08:16:50 +0000
  • mozilla-thunderbird (1.5.0.5-0ubuntu0.6.06) dapper-security; urgency=low
    
      * New upstream security update:
        - MFSA 2006-46, CVE-2006-3113: Memory corruption with simultaneous
          events [does not affect 1.0]
        - MFSA 2006-47, CVE-2006-3802: Native DOM methods can be hijacked
          across domains [does not affect 1.0]
        - MFSA 2006-48, CVE-2006-3803: JavaScript new Function race
          condition [does not affect 1.0]
        - MFSA 2006-49, CVE-2006-3804: Heap buffer overwrite on malformed
          VCard
        - MFSA 2006-50, CVE-2006-3805, CVE-2006-3806: JavaScript engine
          vulnerabilities
        - MFSA 2006-51, CVE-2006-3807: Privilege escalation using
          named-functions and redefined "new Object()"
        - MFSA 2006-53, CVE-2006-3809: UniversalBrowserRead privilege
          escalation
        - MFSA 2006-54, CVE-2006-3810: XSS with XPCNativeWrapper
          (window).Function(...) [does not affect 1.0]
        - MFSA 2006-55, CVE-2006-3811: Crashes with evidence of memory
          corruption (rv:1.8.0.5)
        - MFSA 2006-56, CVE-2006-3812: chrome: scheme loading remote
          content
      * debian/patches/10_pangoxft_linkage.dpatch: Adapted to new upstream
        version.
    
     -- Martin Pitt <email address hidden>   Fri, 28 Jul 2006 12:41:29 +0000
  • mozilla-thunderbird (1.5.0.4-0ubuntu6.06.1) dapper-security; urgency=low
    
      * Bumped maxVersion of extensions to 1.5.0.99. (see LP#48084)
    
     -- Martin Pitt <email address hidden>   Thu, 15 Jun 2006 08:27:15 +0000
  • mozilla-thunderbird (1.5.0.4-0ubuntu6.06) dapper-security; urgency=low
    
      * New upstream incremental security and bugfix release:
        - MFSA 2006-42, CVE-2006-2783: Web site XSS using BOM on UTF-8
          pages
        - MFSA 2006-40, CVE-2006-2781: Double-free on malformed VCard
        - MFSA 2006-38, CVE-2006-2778: Buffer overflow in
          crypto.signText()
        - MFSA 2006-37, CVE-2006-2776: Remote compromise via
          content-defined setter on object prototypes
        - MFSA 2006-35, CVE-2006-2775: Privilege escalation through XUL
          persist
        - MFSA 2006-33, CVE-2006-2786: HTTP response smuggling
        - MFSA 2006-32, CVE-2006-2779, CVE-2006-2780: Fixes for crashes with
          potential memory corruption
        - MFSA 2006-31, CVE-2006-2787: EvalInSandbox escape (Proxy
          Autoconfig, Greasemonkey)
    
     -- Martin Pitt <email address hidden>   Mon, 12 Jun 2006 14:03:35 +0200
  • mozilla-thunderbird (1.5.0.2-0ubuntu2) dapper; urgency=low
    
      * Ship SVG and PNG icons alongside the XPM icons for window managers that
        can deal with those.  Also, use the SVG icon internally, rather than
        the XPM, making the taskbar icon less ugly (closes: launchpad.net/45492)
      * Include a slightly tweaked profile-manager icon for the (still disabled)
        mozilla-thunderbird profile manager desktop entry, based on tango icons.
    
     -- Adam Conrad <email address hidden>   Mon, 22 May 2006 07:05:28 +1000
  • mozilla-thunderbird (1.5.0.2-0ubuntu1) dapper; urgency=low
    
      * New upstream incremental security and bugfix release (launchpad.net/41096):
        - MFSA 2006-28, CVE-2006-1726: Security check of js_ValueToFunctionObject()
          can be circumvented
        - MFSA 2006-27, CVE-2006-0748: Table Rebuilding Code Execution Vuln
        - MFSA 2006-26, CVE-2006-1045: Mail Multiple Information Disclosure
        - MFSA 2006-25, CVE-2006-1727: Privilege escalation through Print Preview
        - MFSA 2006-24, CVE-2006-1728: Privilege escalation using
          crypto.generateCRMFRequest
        - MFSA 2006-22, CVE-2006-1730: CSS Letter-Spacing Heap Overflow Vuln
        - MFSA 2006-21, CVE-2006-0884: JavaScript execution in mail when
          forwarding in-line
        - MFSA 2006-20, CVE-2006-1529, CVE-2006-1530, CVE-2006-1531,
          CVE-2006-1723, CVE-2006-1724: Crashes with memory corruption.
        - MFSA 2006-08, CVE-2006-0299: "AnyName" entrainment and access control
          hazard
        - MFSA 2006-07, CVE-2006-0298: Read beyond buffer while parsing XML
        - MFSA 2006-06, CVE-2006-0297: Integer overflows in E4X, SVG and Canvas
        - MFSA 2006-05, CVE-2006-0296: Localstore.rdf XML injection through
          XULDocument.persist()
        - MFSA 2006-04, CVE-2006-0295: Memory corruption via QueryInterface on
          Location, Navigator objects
        - MFSA 2006-02, CVE-2006-0294: Changing position:relative to static
          corrupts memory
        - MFSA 2006-01, CVE-2006-0292: JavaScript garbage-collection hazards
      * New upstream should have restored the ability to send attachments
        via the command line interface (launchpad.net/35690)
      * Add the (at this point, very well-tested) GNOME/MIME handling patch
        from Firefox, so we get GNOME MIME definitions (launchpad.net/30375)
      * Sync 91_fontsfix_359763.dpatch from Debian, to use the generic font
        aliases instead of demanding "Times", "Courier", and "Helvetica".
      * Sync isolated arch build failure fixes from Debian as well, for people
        who feel the urge to port dapper after it's released: 50_arch_*.dpatch
      * Drop all references to mozilla-thunderbird-update-chrome, and the *.d
        directories in /var/lib/mozilla-thunderbird and stop shipping them, as
        they've been obsolete and broken since 1.5 (launchpad.net/{35465,25997})
      * Stop shipping /tmp in the typeaheadfind package (launchpad.net/43470)
      * Rework the Debconf www-browser selection so it automatically chooses to
        use gnome-control-center's choice if it detects it installed, otherwise
        falling back to x-www-browser (launchpad.net/{31841,34546,41706,25704})
      * Drop suggests on xprint, which we stopped using (launchpad.net/33307)
      * Depend on "myspell-en-us | myspell-dictionary", since we now appear to
        require it unconditionally for operation (launchpad.net/{35212,37825})
      * Fix the default theme so it shows up in themes list, so you can remove
        added themes, since they're not the "last one" (launchpad.net/43022)
      * Hide the Profile Manager menu icon by default (launchpad.net/12874)
      * Add proper branding (Yay, we're Thunderbird again, not Mail/News, and we
        have an icon and an about box, oh my!), icon thanks to Andy Fitzsimon,
        integration mangling thanks to Alexander Sack. (launchpad.net/19439)
    
     -- Adam Conrad <email address hidden>   Sun, 14 May 2006 04:50:44 +1000
  • mozilla-thunderbird (1.5-0ubuntu6) dapper; urgency=low
    
      * debian/mozilla-thunderbird.desktop:
        - change menu title from "Thunderbird Mail Client" to "Thunderbird Mail"
    
     -- Sebastien Bacher <email address hidden>   Thu,  9 Mar 2006 12:57:55 +0000
  • mozilla-thunderbird (1.5-0ubuntu5) dapper; urgency=low
    
      * debian/global-config.js: Set intl.locale.matchOS by default to make locale
        packages work.
    
     -- Martin Pitt <email address hidden>   Tue, 28 Feb 2006 11:19:46 +0100
  • mozilla-thunderbird (1.5-0ubuntu4) dapper; urgency=low
    
      * Re-enable patch 20_mailnews_mime_makefile_in.dpatch to export proper
        headers to our -dev package so we can get enigmail building again.
      * Re-enable pango support, adding 10_pangoxft_linkage.dpatch, which
        fixes the build to link pangoxft, which we directly include and use.
    
     -- Adam Conrad <email address hidden>   Mon, 13 Feb 2006 14:29:43 +1100
  • mozilla-thunderbird (1.5-0ubuntu3) dapper; urgency=low
    
    
      * Revert pango support for now.  We appear to be calling into libpangoxft
        without linking to it, and I don't have time this week to sort it out.
    
     -- Adam Conrad <email address hidden>  Fri, 20 Jan 2006 01:48:13 +1100
  • mozilla-thunderbird (1.0.7-0ubuntu1) breezy; urgency=low
    
    
      * SECURITY UPDATE: Update to 1.0.7 to resolve multiple issues:
        + CAN-2005-2871, MFSA-2005-57 - IDN heap overrun
        + CAN-2005-2701, MFSA-2005-58 - Heap overrun in XBM image processing
        + CAN-2005-2702, MFSA-2005-58 - Crash on "zero-width non-joiner" sequence
        + CAN-2005-2703, MFSA-2005-58 - XMLHttpRequest header spoofing
        + CAN-2005-2704, MFSA-2005-58 - Object spoofing using XBL <implements>
        + CAN-2005-2705, MFSA-2005-58 - JavaScript integer overflow
        + CAN-2005-2706, MFSA-2005-58 - Privilege escalation using about: scheme
        + CAN-2005-2707, MFSA-2005-58 - Chrome window spoofing
      * CAN-2005-2968, MFSA-2005-59 (Command-line shell execution vulnerability)
        was addressed in Debian in 1.0.6-4, and we're preferring their patch
        over upstream's, as it allows us to update with the minimum amount of
        fuss, without re-diffing all our other patches (see Debian bug #329667)
      * Drop 81_security-idn-normalization.dpatch, now included upstream.
      * Compile with -fno-strict-aliasing (as discussed in Ubuntu bug #17276)
    
     -- Adam Conrad <email address hidden>  Mon, 10 Oct 2005 18:39:53 +1000