76 replies to this topic

[AplusWebMaster]

FYI...

Thunderbird 24.6 released
- http://www.securityt....com/id/1030386
CVE Reference: CVE-2014-1533, CVE-2014-1534, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2014-1541
Jun 11 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 24.6 ...
Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (24.6)...

- https://www.mozilla....-US/thunderbird

- https://www.mozilla....0/releasenotes/
v.24.6.0, released: June 10, 2014

Security Advisories
- https://www.mozilla....thunderbird24.6
Fixed in Thunderbird 24.6
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla....erbird/all.html
 

[AplusWebMaster]

FYI...

Thunderbird 31.0 released
- http://www.securityt....com/id/1030620
CVE Reference: CVE-2014-1547, CVE-2014-1548, CVE-2014-1549, CVE-2014-1550, CVE-2014-1551, CVE-2014-1552, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557, CVE-2014-1558, CVE-2014-1559, CVE-2014-1560
Jul 22 2014
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 31.0 ...

- https://www.mozilla....-US/thunderbird

- https://www.mozilla....0/releasenotes/
v31.0, released: July 22, 2014

Security Advisories
- https://www.mozilla....l#thunderbird31
Fixed in Thunderbird 31
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla....erbird/all.html
 

[AplusWebMaster]

FYI...

Thunderbird 31.1 released
- http://www.securityt....com/id/1030794
CVE Reference: CVE-2014-1553, CVE-2014-1554, CVE-2014-1562, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567
Sep 3 2014
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 24.8, 31.1 ...
Solution: The vendor has issued a fix (24.8, 31.1).

- https://www.mozilla....-US/thunderbird

- https://www.mozilla....0/releasenotes/
v.31.1.0, released: Sep 2, 2014

Security Advisories
- https://www.mozilla....rbird.html#31.1
Fixed in Thunderbird 31.1
MFSA 2014-72 Use-after-free setting text directionality
MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline
MFSA 2014-69 Uninitialized memory use during GIF rendering
MFSA 2014-68 Use-after-free during DOM interactions with SVG
MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla....erbird/all.html
 

[AplusWebMaster]

FYI...

Thunderbird v31.2 released
- http://www.securityt....com/id/1031030
CVE Reference: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1581, CVE-2014-1583, CVE-2014-1585, CVE-2014-1586
Oct 15 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 31.2 ...
Solution: The vendor has issued a fix (31.2)...

- https://www.mozilla....-US/thunderbird

- https://www.mozilla....0/releasenotes/
v.31.2.0, released: Oct 14, 2014

Security Advisories
- https://www.mozilla....thunderbird31.2
Fixed in Thunderbird 31.2
MFSA 2014-81 Inconsistent video sharing within iframe
MFSA 2014-79 Use-after-free interacting with text directionality
MFSA 2014-77 Out-of-bounds write with WebM video
MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
MFSA 2014-75 Buffer overflow during CSS manipulation
MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla....erbird/all.html
 

Edited by AplusWebMaster, 15 October 2014 - 11:06 AM.

[AplusWebMaster]

FYI...

Thunderbird 31.3 released
- https://www.mozilla....0/releasenotes/
Dec 1, 2014

Fixed in Thunderbird 31.3
- https://www.mozilla....thunderbird31.3
2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory
2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
2014-88 Buffer overflow while parsing media content
2014-87 Use-after-free during HTML5 parsing
2014-85 XMLHttpRequest crashes with some input streams
2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla....erbird/all.html
___

- http://www.securityt....com/id/1031287
CVE Reference: CVE-2014-1587, CVE-2014-1588, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-1595
Dec 3 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 31.3 ...
Solution: The vendor has issued a fix (31.3).
 

Edited by AplusWebMaster, 03 December 2014 - 06:02 AM.

[AplusWebMaster]

FYI...

Thunderbird 31.4.0 released
- https://www.mozilla....0/releasenotes/
Jan 13, 2015

- https://www.mozilla....thunderbird31.4
Fixed in Thunderbird 31.4
2015-04 Cookie injection through Proxy Authenticate responses
2015-03 sendBeacon requests lack an Origin header
2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla....erbird/all.html
___

- http://www.securityt....com/id/1031534
CVE Reference: CVE-2014-8634, CVE-2014-8635, CVE-2014-8638, CVE-2014-8639
Jan 14 2015
Impact: Execution of arbitrary code via network, Modification of authentication information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 31.4 ...
 

[AplusWebMaster]

FYI...

Thunderbird 31.5 released
- https://www.mozilla....0/releasenotes/
Feb 24, 2015

- https://www.mozilla....thunderbird31.5
Fixed in Thunderbird 31.5
2015-24 Reading of local files through manipulation of form autocomplete
2015-19 Out-of-bounds read and write while rendering SVG content
2015-16 Use-after-free in IndexedDB
2015-12 Invoking Mozilla updater will load locally stored DLL files
2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla....erbird/all.html
___

 

- http://www.securityt....com/id/1031792
CVE Reference: CVE-2015-0822, CVE-2015-0827, CVE-2015-0831, CVE-2015-0833, CVE-2015-0835, CVE-2015-0836
Feb 24 2015
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 31.5 ...
 

[AplusWebMaster]

FYI...

Thunderbird 31.6 released
- https://www.mozilla....0/releasenotes/
March 31, 2015

- https://www.mozilla....thunderbird31.6
Fixed in Thunderbird 31.6
2015-40 Same-origin bypass through anchor navigation
2015-37 CORS requests should not follow 30x redirections after preflight
2015-33 resource:// documents can load privileged pages
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla....erbird/all.html
___

- http://www.securityt....com/id/1032000
CVE Reference: CVE-2015-0801, CVE-2015-0807, CVE-2015-0813, CVE-2015-0814, CVE-2015-0815, CVE-2015-0816
Apr 1 2015
Impact: Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 31.6...
 

Edited by AplusWebMaster, 03 April 2015 - 09:18 AM.

[AplusWebMaster]

FYI...

Thunderbird 38 - delayed ...
- http://emailmafia.ne...ird-38-delayed/
May 12, 2015 - "... Thunderbird 38.0 will -not- ship on the same date as Firefox 38.0 but will likely be delayed a couple of weeks... there are still a number of regressions that we are working on, and last week’s beta was the first beta that was feature complete. That means we will not be ready to ship according to the original schedule.
A current estimate of when we will ship Thunderbird 38.0 is approximately May 26."
___

Thunderbird 31.7 released

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla....thunderbird31.7
Fixed in Thunderbird 31.7
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

Thunderbird 31.7 download:
- https://www.mozilla....hunderbird/all/
___

- http://www.securityt....com/id/1032303
CVE Reference: CVE-2011-3079, CVE-2015-0797, CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716
May 13 2015
Impact: Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 31.7
 

Edited by AplusWebMaster, 18 May 2015 - 10:15 AM.

[AplusWebMaster]

FYI...

Thunderbird 38.1 released

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla....thunderbird38.1
Fixed in Thunderbird 38.1
2015-71 NSS incorrectly permits skipping of ServerKeyExchange
2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
2015-67 Key pinning is ignored when overridable errors are encountered
2015-66 Vulnerabilities found through code inspection
2015-63 Use-after-free in Content Policy due to microtask execution error
2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

Download:
- https://www.mozilla....hunderbird/all/
___

- http://www.securityt....com/id/1032784
CVE Reference: CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-4000
Jul 3 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 38.0 and prior ...
Solution: The vendor has issued a fix (38.1)...
___

Thunderbird 38.2

Download: https://www.mozilla....hunderbird/all/

- https://www.mozilla....thunderbird38.2
Aug 11, 2015
Fixed in Thunderbird 38.2
Vulnerabilities found through code inspection
2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
2015-85 Out-of-bounds write with Updater and malicious MAR file
2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
 

Edited by AplusWebMaster, 27 September 2015 - 04:48 PM.

[AplusWebMaster]

FYI...

Thunderbird 38.4 released

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla....0/releasenotes/
Nov 23, 2015

Fixed in Thunderbird 38.4
- https://www.mozilla....thunderbird38.4
2015-133 NSS and NSPR memory corruption issues
2015-132 Mixed content WebSocket policy bypass through workers
2015-131 Vulnerabilities found through code inspection
2015-128 Memory corruption in libjar through zip files
2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
2015-123 Buffer overflow during image interactions in canvas
2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

- https://www.mozilla....rbird/releases/

Download:
- https://www.mozilla....hunderbird/all/
___

- http://www.securityt....com/id/1034260
CVE Reference: CVE-2015-4513, CVE-2015-7189, CVE-2015-7193, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200
Nov 26 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Thunderbird version 38.4.0 ...
 

Edited by AplusWebMaster, 16 December 2015 - 02:07 PM.

[AplusWebMaster]

FYI...

Thunderbird 38.5 released

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla....0/releasenotes/
Dec 23, 2015

Fixed in Thunderbird 38.5
- https://www.mozilla....thunderbird38.5
2015-149 Cross-site reading attack through data and view-source URIs
2015-146 Integer overflow in MP4 playback in 64-bit versions
2015-145 Underflow through code inspection
2015-139 Integer overflow allocating extremely large textures
2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

- https://www.mozilla....rbird/releases/

Download:
- https://www.mozilla....hunderbird/all/
___

Version 38.5.1
- https://www.mozilla....1/releasenotes/
Jan 7, 2016
What’s New:
    Changed: Use a SHA-256 signing certificate for Windows builds, to meet new signing requirements
Known Issues:
    unresolved: Windows XP SP2 will no longer install Thunderbird (workaround: Install Thunderbird 38.5.0 then update)
 

Edited by AplusWebMaster, 11 January 2016 - 08:58 AM.

[AplusWebMaster]

FYI...

Thunderbird 45.1.1 released
- https://www.mozilla....1/releasenotes/
May 31, 2016
What’s New:
Fixed: When entering members into a mailing list, the enter key dismissed the panel instead of just moving onto the next line
Fixed: Email without HTML elements was sent as HTML, despite "Delivery Format: Auto-detect" option
Fixed: Options applied to a template were lost when the template was used.
Fixed: Contacts could not be deleted when they were found through a search
Fixed: Views from global searches did not respect "mail.threadpane.use_correspondents"

- https://www.mozilla....es/thunderbird/

> https://www.mozilla....rbird/releases/

>> https://www.mozilla....hunderbird/all/
___

Thunderbird 45.1.0 released
- https://www.mozilla....0/releasenotes/
May 10, 2016
What’s New
Fixed:
- Drag & Drop a contact name from Thunderbird address book (list view) to address box in a new message “compose” window failed.
- UI elements became larger when moused over on retina displays/monitor on Mac OS X
- Automatic correspondents column upgrade disabled
- DIGEST-MD5 authentication in JS-XMPP failed for some users (now disabled).
- Font indicator in compose falsely claimed certain fonts were not installed.
- Printing failed in composition window.
- Various security fixes*
- Various improvements in handling of message compose in paragraph mode.
* https://www.mozilla....thunderbird45.1
Fixed in Thunderbird 45.1
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

> https://www.mozilla....rbird/releases/

>> https://www.mozilla....hunderbird/all/
___

Thunderbird 45.0
- https://www.mozilla....0/releasenotes/
Apr 12, 2016
What’s New:
- Add a Correspondents column combining Sender and Recipient
- Much better support for XMPP chatrooms and commands.
- Implement option to always use HTML formatting to prevent unexpected format loss when converting messages to plain text.
- Use OpenStreetmap for maps (even allow the user to choose from list of map services)
- Allow spell checking and dictionary selection in the subject line
- Add dropdown in compose to allow specific setting of font size.
- Return/Enter in composer will now insert a new paragraph by default (shift-Enter will insert a line break)
- Mail.ru supports OAuth authentication.
- Improved options for remote content exceptions (but previous settings based on the sender's email address are not migrated, so these need to be added again by users).
- Allow editing of From when composing a message.
- Allow copying of name and email address from the message header of an email
Fixed:
- When sending e-mail which was composed using Chinese, Japanese or Korean characters, unwanted extra spaces were inserted within the text.
- XMPP had connection problems for users with large rosters
- Spell checker checked spelling in invisible HTML parts of the message.
- When saving a draft that is edited as new message, original draft was overwritten.
- External images not displayed in reply/forward
- Properly preserve pre-formatted blocks in message replies.
- Crashed in some cases while parsing IMAP messages.
- Copy/paste from a plain text editor lost white-space (multiple spaces/blanks, tabs, newlines)
- "Open Draft"/"Forward"/"Edit As New"/"Reply" created message composition with incorrect character encoding.
- Grouped By view sort direction change was broken, plus enabled custom column grouping.
- New emails into a mailbox did not adhere to sort order by received.
- Box.com attachments failed to upload.
- Drag and drop of multiple attachments failed to OS file folder.
Known Issues:
- unresolved - Outlook and Eudora import non-functional.

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla..../#thunderbird45
Fixed in Thunderbird 45
... fixes dtd. March 8, 2016 ?

> https://www.mozilla....rbird/releases/
___

Thunderbird v38.7 released
- https://www.mozilla....0/releasenotes/
March 14, 2016
Fixed: Various security fixes*
* https://www.mozilla....thunderbird38.7
Fixed in Thunderbird 38.7
2016-37 Font vulnerabilities in the Graphite 2 library
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-31 Memory corruption with malicious NPAPI plugin
2016-27 Use-after-free during XML transformations
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

... 60 bugs found.
> http://preview.tinyurl.com/jhljn2x

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla....hunderbird/all/

- https://www.mozilla....rbird/releases/
___

Thunderbird 38.7.1
- https://www.mozilla....1/releasenotes/
Mar 25, 2016
> Disabled Graphite font shaping library
 

Edited by AplusWebMaster, 22 June 2016 - 01:50 PM.

[AplusWebMaster]

FYI...

Thunderbird v45.2.0 released
- https://www.mozilla....0/releasenotes/
June 30, 2016
Fixed: Invitations to events could not be printed.
Fixed: Dragging and dropping of contacts from the contact list onto an addressbook while All Addressbooks is selected moved only one contact
Fixed: Falsely reported not enough disk space during compacting
Fixed: Links were not always detected properly in the message body (terminated early on "|", some long links not detected at all)

> https://www.mozilla....thunderbird45.2
Fixed in Thunderbird 45.2
2016-49 Miscellaneous memory safety hazards (rv:47.0/rv:45.2)

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla....rbird/releases/

Download
- https://www.mozilla....hunderbird/all/
 

[AplusWebMaster]

FYI...

Thunderbird 45.4.0 released
- https://www.mozilla....0/releasenotes/
Oct 3, 2016
What’s New:
Fixed:     
- Display name was truncated if no separating space before email address.
- Recipient addresses were shown in red despite being inserted from the address book in some circumstances.
- Additional spaces were inserted when drafts were edited.
- Mail saved as template copied In-Reply-To and References from original email.
- Threading broken when editing message draft, due to loss of Message-ID
- "Apply columns to..." did not honor special folders

... 12 bugs fixed.

Automated Updates: https://support.mozi...ing-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla....rbird/releases/

Download
- https://www.mozilla....hunderbird/all/

Add-ons
- https://addons.mozil...US/thunderbird/