Overview

File _patchinfo of Package patchinfo.15203

<patchinfo incident="15203">
  <issue tracker="bnc" id="1178894">VUL-0: MozillaThunderbird: update to 78.5 (MFSA 2020-52)</issue>
  <issue tracker="cve" id="2020-26958"/>
  <issue tracker="cve" id="2020-26960"/>
  <issue tracker="cve" id="2020-26965"/>
  <issue tracker="cve" id="2020-26959"/>
  <issue tracker="cve" id="2020-26956"/>
  <issue tracker="cve" id="2020-16012"/>
  <issue tracker="cve" id="2020-26966"/>
  <issue tracker="cve" id="2020-26961"/>
  <issue tracker="cve" id="2020-26968"/>
  <issue tracker="cve" id="2020-26951"/>
  <issue tracker="cve" id="2020-15999"/>
  <issue tracker="cve" id="2020-26953"/>
  <packager>MSirringhaus</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

    TODO
- Mozilla Thunderbird 78.5.0
  * new: OpenPGP: Added option to disable attaching the public
    key to a signed message (bmo#1654950)
  * new: MailExtensions: "compose_attachments" context added to
    Menus API (bmo#1670822)
  * new: MailExtensions: Menus API now available on displayed
    messages (bmo#1670825)
  * changed: MailExtensions: browser.tabs.create will now wait
    for "mail-delayed-startup-finished" event (bmo#1674407)
  * fixed: OpenPGP: Support for inline PGP messages improved
    (bmo#1672851)
  * fixed: OpenPGP: Message security dialog showed unverified
    keys as unavailable (bmo#1675285)
  * fixed: Chat: New chat contact menu item did not function
    (bmo#1663321)
  * fixed: Various theme and usability improvements (bmo#1673861)
  * fixed: Various security fixes
  MFSA 2020-52 (bsc#1178894)
  * CVE-2020-26951 (bmo#1667113)
    Parsing mismatches could confuse and bypass security
    sanitizer for chrome privileged code
  * CVE-2020-16012 (bmo#1642028)
    Variable time processing of cross-origin images during
    drawImage calls
  * CVE-2020-26953 (bmo#1656741)
    Fullscreen could be enabled without displaying the security UI
  * CVE-2020-26956 (bmo#1666300)
    XSS through paste (manual and clipboard API)
  * CVE-2020-26958 (bmo#1669355)
    Requests intercepted through ServiceWorkers lacked MIME type
    restrictions
  * CVE-2020-26959 (bmo#1669466)
    Use-after-free in WebRequestService
  * CVE-2020-26960 (bmo#1670358)
    Potential use-after-free in uses of nsTArray
  * CVE-2020-15999 (bmo#1672223)
    Heap buffer overflow in freetype
  * CVE-2020-26961 (bmo#1672528)
    DoH did not filter IPv4 mapped IP Addresses
  * CVE-2020-26965 (bmo#1661617)
    Software keyboards may have remembered typed passwords
  * CVE-2020-26966 (bmo#1663571)
    Single-word search queries were also broadcast to local
    network
  * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
    bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
    bmo#1671923)
    Memory safety bugs fixed in Thunderbird 78.5

- Mozilla Thunderbird 78.4.3 
  * fixed: User interface was inconsistent when switching from
    the default theme to the dark theme and back to the default
    theme (bmo#1659282)
  * fixed: Email subject would disappear when hovering over it
    with the mouse when using Windows 7 Classic theme
    (bmo#1675970)

This update was imported from the SUSE:SLE-15:Update update project.</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places