
MozillaThunderbird-buildsymbols-52.9.1-lp150.3.11.1 RPM for x86_64

From OpenSuSE Leap 15.0 updates for x86_64

Name: MozillaThunderbird-buildsymbols
Distribution: openSUSE Leap 15.0
Version: 52.9.1
Vendor: openSUSE
Release: lp150.3.11.1
Build date: Wed Jul 11 01:24:00 2018
Group: Development/Debug
Build host: build75
Size: 45314076
Source RPM: MozillaThunderbird-52.9.1-lp150.3.11.1.src.rpm
Summary: Breakpad buildsymbols for MozillaThunderbird

This subpackage contains the Breakpad created and compatible debugging
symbols meant for upload to Mozilla's crash collector database.

* Tue Jul 10 2018
  - update to Thunderbird 52.9.1
    * Deleting or detaching attachments corrupted messages under certain
      circumstances (bmo#1473893, bsc#1100780)
* Mon Jul 02 2018
  - update to Thunderbird 52.9.0:
    MFSA 2018-16 (bsc#1098998)
    * CVE-2018-12359 (bmo#1459162)
      Buffer overflow using computed size of canvas element
    * CVE-2018-12360 (bmo#1459693)
      Use-after-free when using focus()
    * CVE-2018-12372 (bmo#1419417, bsc#1100082)
      S/MIME and PGP decryption oracles can be built with HTML emails
    * CVE-2018-12373 (bmo#1464667, bmo#1464056, bsc#1100079)
      S/MIME plaintext can be leaked through HTML reply/forward
    * CVE-2018-12362 (bmo#1452375)
      Integer overflow in SSSE3 scaler
    * CVE-2018-12363 (bmo#1464784)
      Use-after-free when appending DOM nodes
    * CVE-2018-12364 (bmo#1436241)
      CSRF attacks through 307 redirects and NPAPI plugins
    * CVE-2018-12365 (bmo#1459206)
      Compromised IPC child process can list local filenames
    * CVE-2018-12366 (bmo#1464039)
      Invalid data handling during QCMS transformations
    * CVE-2018-12374 (bmo#1462910, bsc#1100081)
      Using form to exfiltrate encrypted mail part by pressing enter in form field
    * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
      Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
    * Thunderbird will now prompt to compact IMAP folders even if the
      account is online
    * Option for not decrypting subordinate message parts that
      otherwise might reveal decrypted content to the attacker.
      Preference mailnews.p7m_subparts_external needs to be set to
      true for added security.
    * Fix various problems when forwarding messages inline when using
      "simple" HTML view
  - correct requires and provides handling (boo#1076907)
  - reduce memory footprint with %ix86 at linking time via additional
    compiler flags (boo#1091376)
* Sun Jul 01 2018
  - Build from upstream source archive and verify source signature
* Sat May 19 2018
  - update to Thunderbird 52.8 (bsc#1092548)
    MFSA 2018-13
    * CVE-2018-5183 (bmo#1454692)
      Backport critical security fixes in Skia
    * CVE-2018-5184 (bmo#1411592, bsc#1093152)
      Full plaintext recovery in S/MIME via chosen-ciphertext attack
    * CVE-2018-5154 (bmo#1443092)
      Use-after-free with SVG animations and clip paths
    * CVE-2018-5155 (bmo#1448774)
      Use-after-free with SVG animations and text paths
    * CVE-2018-5159 (bmo#1441941)
      Integer overflow and out-of-bounds write in Skia
    * CVE-2018-5161 (bmo#1411720)
      Hang via malformed headers
    * CVE-2018-5162 (bmo#1457721, bsc#1093152)
      Encrypted mail leaks plaintext through src attribute
    * CVE-2018-5170 (bmo#1411732)
      Filename spoofing for external attachments
    * CVE-2018-5168 (bmo#1449548)
      Lightweight themes can be installed without user interaction
    * CVE-2018-5174 (bmo#1447080) (Windows only)
      Windows Defender SmartScreen UI runs with less secure behavior
      for downloaded files in Windows 10 April 2018 Update
    * CVE-2018-5178 (bmo#1443891)
      Buffer overflow during UTF-8 to Unicode string conversion
      through legacy extension
    * CVE-2018-5185 (bmo#1450345)
      Leaking plaintext through HTML forms
    * CVE-2018-5150 (bmo#1388020,bmo#1433609,bmo#1409440,bmo#1448705,
      Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8 and
      Thunderbird 52.8
* Tue Mar 27 2018
  - Exclude bigendian archs for now, have not built
    since version 45.8.0
    ExcludeArch: ppc ppc64 s390 s390x
* Fri Mar 23 2018
  - update to Thunderbird 52.7
    * Searching message bodies of messages in local folders, including
      filter and quick filter operations, did not find content in
      message attachments
    * Better error handling for Yahoo accounts
  - The following security fixes are included as part of the mozilla
    platform. In general, these flaws cannot be exploited through
    email in the Thunderbird product because scripting is disabled
    when reading mail, but are potentially risks in browser or
    browser-like contexts (MFSA 2018-09, bsc#1085130, bsc#1085671):
    * CVE-2018-5127 (bmo#1430557)
      Buffer overflow manipulating SVG animatedPathSegList
    * CVE-2018-5129 (bmo#1428947)
      Out-of-bounds write with malformed IPC messages
    * CVE-2018-5144 (bmo#1440926)
      Integer overflow during Unicode conversion
    * CVE-2018-5146 (bmo#1446062)
      Out of bounds memory write in libvorbis
    * CVE-2018-5125 (bmo#1416529,bmo#1434580,bmo#1434384,bmo#1437450,
      Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7, and
      Thunderbird 52.7
    * CVE-2018-5145 (bmo#1261175,bmo#1348955)
      Memory safety bugs fixed in Firefox ESR 52.7 and Thunderbird
* Wed Jan 24 2018
  - update to Thunderbird 52.6 (bsc#1077291)
    * Searching message bodies of messages in local folders, including
      filter and quick filter operations, not working reliably: Content
      not found in base64-encode message parts, non-ASCII text not found
      and false positives found.
    * Defective messages (without at least one expected header) not shown
      in IMAP folders but shown on mobile devices
    * Calendar: Unintended task deletion if numlock is enabled
    * Mozilla platform security fixes
    MFSA 2018-04
    * CVE-2018-5095 (bmo#1418447)
      Integer overflow in Skia library during edge builder allocation
    * CVE-2018-5096 (bmo#1418922)
      Use-after-free while editing form elements
    * CVE-2018-5097 (bmo#1387427)
      Use-after-free when source document is manipulated during XSLT
    * CVE-2018-5098 (bmo#1399400)
      Use-after-free while manipulating form input elements
    * CVE-2018-5099 (bmo#1416878)
      Use-after-free with widget listener
    * CVE-2018-5102 (bmo#1419363)
      Use-after-free in HTML media elements
    * CVE-2018-5103 (bmo#1423159)
      Use-after-free during mouse event handling
    * CVE-2018-5104 (bmo#1425000)
      Use-after-free during font face manipulation
    * CVE-2018-5117 (bmo#1395508)
      URL spoofing with right-to-left text aligned left-to-right
    * CVE-2018-5089
      Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
  - dropped obsolete mozilla-ucontext.patch
* Sat Dec 23 2017
  - update to Thunderbird 52.5.2
    * This release fixes the "Mailsploit" vulnerability and other
      vulnerabilities detected by the "Cure53" audit
    MFSA 2017-30
    * CVE-2017-7845 (bmo#1402372)
      Buffer overflow when drawing and validating elements with ANGLE
      library using Direct 3D 9
    * CVE-2017-7846 (bmo#1411716, bsc#1074043)
      JavaScript Execution via RSS in mailbox:// origin
    * CVE-2017-7847 (bmo#1411708, bsc#1074044)
      Local path string can be leaked from RSS feed
    * CVE-2017-7848 (bmo#1411699, bsc#1074045)
      RSS Feed vulnerable to new line Injection
    * CVE-2017-7829 (bmo#1423432, bsc#1074046)
      Mailsploit part 1: From address with encoded null character is
      cut off in message header display
* Fri Dec 08 2017
  - Explicitly buildrequires python2-xml: The build system relies on
    it. We wrongly relied on other packages pulling it in for us.
* Thu Dec 07 2017
  - Escape the usage of %{VERSION} when calling out to rpm.
    RPM 4.14 has %{VERSION} defined as 'the main packages version'.
* Wed Nov 22 2017
  - update to Thunderbird 52.5.0 (bsc#1068101)
    * Better support for Charter/Spectrum IMAP: Thunderbird will now
      detect Charter's IMAP service and send an additional IMAP select
      command to the server. Check the various preferences ending in
      "force_select" to see whether auto-detection has discovered this case.
    * In search folders spanning multiple base folders clicking on a
      message sometimes marked another message as read
    * IMAP alerts have been corrected and now show the correct server
      name in case of connection problems
    * POP alerts have been corrected and now indicate connection problems
      in case the configured POP server cannot be found
    MFSA 2017-26
    * CVE-2017-7828 (bmo#1406750, bmo#1412252)
      Use-after-free of PresShell while restyling layout
    * CVE-2017-7830 (bmo#1408990)
      Cross-origin URL information leak through Resource Timing API
    * CVE-2017-7826
      Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
* Fri Nov 10 2017
  - Drop obsolete libgnomeui-devel BuildRequires: No longer needed.
  - Add explicit pkgconfig(gconf-2.0), pkgconfig(gobject-2.0),
    pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
    pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
    pkgconfig(gdk-x11-2.0) BuildRequires: Previously pulled in by
    libgnomeui-devel, and is what configure really checks for.
* Wed Oct 04 2017
  - Mozilla Thunderbird 52.4.0 (bsc#1060445)
    * new behavior was introduced for replies to mailing list posts:
      "When replying to a mailing list, reply will be sent to address
      in From header ignoring Reply-to header". A new preference
      mail.override_list_reply_to allows restoring the previous behavior.
    * Under certain circumstances (image attachment and non-image
      attachment), attached images were shown truncated in messages
      stored in IMAP folders not synchronised for offline use.
    * IMAP UIDs > 0x7FFFFFFF now handled properly
    Security fixes from Gecko 52.4esr
    * CVE-2017-7793 (bmo#1371889)
      Use-after-free with Fetch API
    * CVE-2017-7818 (bmo#1363723)
      Use-after-free during ARIA array manipulation
    * CVE-2017-7819 (bmo#1380292)
      Use-after-free while resizing images in design mode
    * CVE-2017-7824 (bmo#1398381)
      Buffer overflow when drawing and validating elements with ANGLE
    * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
      Use-after-free in TLS 1.2 generating handshake hashes
    * CVE-2017-7814 (bmo#1376036)
      Blob and data URLs bypass phishing and malware protection warnings
    * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
      OS X fonts render some Tibetan and Arabic unicode characters as spaces
    * CVE-2017-7823 (bmo#1396320)
      CSP sandbox directive did not create a unique origin
    * CVE-2017-7810
      Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
* Thu Sep 28 2017
  - Add alsa-devel BuildRequires: we care for ALSA support to be
    built and thus need to ensure we get the dependencies in place.
    In the past, alsa-devel was pulled in by accident: we
    buildrequire libgnome-devel. This required esound-devel and that
    in turn pulled in alsa-devel for us. libgnome is being fixed to
    no longer require esound-devel.
* Tue Aug 15 2017
  - update to Thunderbird 52.3 (boo#1052829)
    Fixed issues:
    * Unwanted inline images shown in rogue SPAM messages
    * Deleting message from the POP3 server not working when maildir
      storage was used
    * Message disposition flag (replied / forwarded) lost when reply or
      forwarded message was stored as draft and draft was sent later
    * Inline images not scaled to fit when printing
    * Selected text from another message sometimes included in a reply
    * No authorisation prompt displayed when inserting image into email
      body although image URL requires authentication
    * Large attachments taking a long time to open under some circumstances
    Security fixes from Gecko 52.3esr
    * CVE-2017-7798 (bmo#1371586, bmo#1372112)
      XUL injection in the style editor in devtools
    * CVE-2017-7800 (bmo#1374047)
      Use-after-free in WebSockets during disconnection
    * CVE-2017-7801 (bmo#1371259)
      Use-after-free with marquee during window resizing
    * CVE-2017-7784 (bmo#1376087)
      Use-after-free with image observers
    * CVE-2017-7802 (bmo#1378147)
      Use-after-free resizing image elements
    * CVE-2017-7785 (bmo#1356985)
      Buffer overflow manipulating ARIA attributes in DOM
    * CVE-2017-7786 (bmo#1365189)
      Buffer overflow while painting non-displayable SVG
    * CVE-2017-7753 (bmo#1353312)
      Out-of-bounds read with cached style data and pseudo-elements
    * CVE-2017-7787 (bmo#1322896)
      Same-origin policy bypass with iframes through page reloads
    * CVE-2017-7807 (bmo#1376459)
      Domain hijacking through AppCache fallback
    * CVE-2017-7792 (bmo#1368652)
      Buffer overflow viewing certificates with an extremely long OID
    * CVE-2017-7804 (bmo#1372849)
      Memory protection bypass through WindowsDllDetourPatcher
    * CVE-2017-7791 (bmo#1365875)
      Spoofing following page navigation with data: protocol and modal alerts
    * CVE-2017-7782 (bmo#1344034)
      WindowsDllDetourPatcher allocates memory without DEP protections
    * CVE-2017-7803 (bmo#1377426)
      CSP containing 'sandbox' improperly applied
    * CVE-2017-7779
      Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
* Wed Aug 09 2017
  - mozilla-ucontext.patch: use ucontext_t instead of struct ucontext
* Wed Jun 28 2017
  - mozilla-disable-neon-option.patch has been dropped silently, so
    remove the --disable-neon option as it is not available anymore.
* Sun Jun 25 2017
  - update to Thunderbird 52.2.1
    * Problems with Gmail fixed (folders not showing, repeated email
      download, etc.) introduced in version 52.2.0. (boo#1045895)
* Wed Jun 14 2017
  - update to Thunderbird 52.2 (boo#1043960)
    * Embedded images not shown in email received from Hotmail/Outlook
    * Detection of non-ASCII font names in font selector
    * Attachment not forwarded correctly under certain circumstances
    * Multiple requests for master password when GMail OAuth2 is enabled
    * Large number of blank pages being printed under certain
      circumstances when invalid preferences were present
    * Messages sent via the Simple MAPI interface are forced to HTML
    * Calendar: Invitations can't be printed
    * Mailing list (group) not accessible from macOS or Outlook address book
    * Clicking on links with references/anchors where target doesn't
      exist in the message not opening in external browser
    MFSA 2017-17
    * CVE-2017-5472 (bmo#1365602)
      Use-after-free using destroyed node when regenerating trees
    * CVE-2017-7749 (bmo#1355039)
      Use-after-free during docshell reloading
    * CVE-2017-7750 (bmo#1356558)
      Use-after-free with track elements
    * CVE-2017-7751 (bmo#1363396)
      Use-after-free with content viewer listeners
    * CVE-2017-7752 (bmo#1359547)
      Use-after-free with IME input
    * CVE-2017-7754 (bmo#1357090)
      Out-of-bounds read in WebGL with ImageInfo object
    * CVE-2017-7756 (bmo#1366595)
      Use-after-free and use-after-scope logging XHR header errors
    * CVE-2017-7757 (bmo#1356824)
      Use-after-free in IndexedDB
    * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
      CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
      Vulnerabilities in the Graphite 2 library
    * CVE-2017-7758 (bmo#1368490)
      Out-of-bounds read in Opus encoder
    * CVE-2017-7763 (bmo#1360309)
      Mac fonts render some unicode characters as spaces (MacOS only)
    * CVE-2017-7764 (bmo#1364283)
      Domain spoofing with combination of Canadian Syllabics and other
      unicode blocks
    * CVE-2017-7765 (bmo#1273265)
      Mark of the Web bypass when saving executable files (Windows only)
    * CVE-2017-5470
      Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
  - requires NSS 3.28.5
* Sun Jun 04 2017
  - remove legacy -Os optimization breaking gcc7/i586 (boo#1042090)
* Thu Jun 01 2017
  - explicitly optimize with -O2 for openSUSE > 13.2/Leap 42 to work
    with gcc7 (boo#1040105, boo#1042090)
* Thu May 11 2017
  - update to Thunderbird 52.1.1
    * fixed crash when compacting IMAP folder (boo#1038753)
    * Some attachments could not be opened or saved if the message
      body is empty
    * Unable to load full message via POP if message was downloaded
      partially (or only headers) before
    * Large attachments may not be shown or saved correctly if the
      message is stored in an IMAP folder which is not synchronized
      for offline use
* Mon May 01 2017
  - update to Thunderbird 52.1.0
    * Background images not working and other issues related to
      embedded images when composing email have been fixed
    * Google Oauth setup can sometimes not progress to the next step
    * requires NSS >= 3.28.4
  - security fixes (boo#1035082), MFSA 2017-13
    * CVE-2017-5443 (bmo#1342661)
      Out-of-bounds write during BinHex decoding
    * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
      bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
      Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
      Firefox ESR 52.1
    * CVE-2017-5464 (bmo#1347075)
      Memory corruption with accessibility and DOM manipulation
    * CVE-2017-5465 (bmo#1347617)
      Out-of-bounds read in ConvolvePixel
    * CVE-2017-5466 (bmo#1353975)
      Origin confusion when reloading isolated data:text/html URL
    * CVE-2017-5467 (bmo#1347262)
      Memory corruption when drawing Skia content
    * CVE-2017-5460 (bmo#1343642)
      Use-after-free in frame selection
    * CVE-2017-5461 (bmo#1344380)
      Out-of-bounds write in Base64 encoding in NSS
    * CVE-2017-5449 (bmo#1340127)
      Crash during bidirectional unicode manipulation with animation
    * CVE-2017-5446 (bmo#1343505)
      Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
    * CVE-2017-5447 (bmo#1343552)
      Out-of-bounds read during glyph processing
    * CVE-2017-5444 (bmo#1344461)
      Buffer overflow while parsing application/http-index-format content
    * CVE-2017-5445 (bmo#1344467)
      Uninitialized values used while parsing application/http-index-format
    * CVE-2017-5442 (bmo#1347979)
      Use-after-free during style changes
    * CVE-2017-5469 (bmo#1292534)
      Potential Buffer overflow in flex-generated code
    * CVE-2017-5440 (bmo#1336832)
      Use-after-free in txExecutionState destructor during XSLT processing
    * CVE-2017-5441 (bmo#1343795)
      Use-after-free with selection during scroll events
    * CVE-2017-5439 (bmo#1336830)
      Use-after-free in nsTArray Length() during XSLT processing
    * CVE-2017-5438 (bmo#1336828)
      Use-after-free in nsAutoPtr during XSLT processing
    * CVE-2017-5437 (bmo#1343453)
      Vulnerabilities in Libevent library
    * CVE-2017-5436 (bmo#1345461)
      Out-of-bounds write with malicious font in Graphite 2
    * CVE-2017-5435 (bmo#1350683)
      Use-after-free during transaction processing in the editor
    * CVE-2017-5434 (bmo#1349946)
      Use-after-free during focus handling
    * CVE-2017-5433 (bmo#1347168)
      Use-after-free in SMIL animation functions
    * CVE-2017-5432 (bmo#1346654)
      Use-after-free in text input selection
    * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
      bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
      bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
      Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
    * CVE-2017-5459 (bmo#1333858)
      Buffer overflow in WebGL
    * CVE-2017-5462 (bmo#1345089)
      DRBG flaw in NSS
    * CVE-2017-5454 (bmo#1349276)
      Sandbox escape allowing file system read access through file
    * CVE-2017-5451 (bmo#1273537)
      Addressbar spoofing with onblur event
* Mon Apr 17 2017
  - update to Thunderbird 52.0.1
    * Clicking on a link in an email may not open this link in the
      external browser
    * addon blocklist updates
  - enable ALSA for systems w/o PA
  - require libffi explicitly to fix PPC64LE build where a system
    library is required
* Sat Mar 18 2017
  - update to Thunderbird 52.0
    * Optionally remove corresponding data files when removing an account
    * Possibility to copy message filter
    * Calendar: Event can now be created and edited in a tab
    * Calendar: Processing of received invitation counter proposals
    * Chat: Support Twitter Direct Messages
    * Chat: Liking and favoriting in Twitter
    * Chat: Removed Yahoo! Messenger support
    * several bugfixes
  - security fixes (bsc#1028391, MFSA 2017-09):
    In general, these flaws cannot be exploited through email because
    scripting is disabled when reading mail, but are potentially
    risks in browser or browser-like contexts.
    * CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933)
    * CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861)
    * CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876)
    * CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186)
    * CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138)
    * CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890)
    * CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622)
    * CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687)
    * CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711)
    * CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
    * CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504)
    * CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370)
    * CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
    * CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361)
    * CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876)
    * CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243)
    * CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699)
    * CVE-2017-5421: Print preview spoofing (bmo#1301876)
    * CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002)
    * CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52
    * CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8
  - removed obsolete patches
    * mozilla-aarch64-48bit-va.patch
    * mozilla-binutils-visibility.patch
    * mozilla-flex_buffer_overrun.patch
    * mozilla-gcc6.patch
  - added generic mozilla patches
    * mozilla-aarch64-startup-crash.patch
  - require newer versions of NSPR and NSS
  - use Gtk3 for Tumbleweed
* Tue Mar 07 2017
  - update to Thunderbird 45.8.0 (boo#1028391)
    * MFSA 2017-07
      CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
      CVE-2017-5401: Memory Corruption when handling ErrorResult
      CVE-2017-5402: Use-after-free working with events in FontFace
      objects (bmo#1334876)
      CVE-2017-5404: Use-after-free working with ranges in selections
      CVE-2017-5407: Pixel and history stealing via floating-point
      timing side channel with SVG filters (bmo#1336622)
      CVE-2017-5410: Memory corruption during JavaScript garbage
      collection incremental sweeping (bmo#1330687)
      CVE-2017-5408: Cross-origin reading of video captions in violation
      of CORS (bmo#1313711)
      CVE-2017-5405: FTP response codes can cause use of
      uninitialized values for ports (bmo#1336699)
      CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
      Firefox ESR 45.8
* Thu Feb 09 2017
  - update to Thunderbird 45.7.1
    * fixed Crash when viewing certain IMAP messages (introduced in 45.7.0)
* Tue Jan 24 2017
  - update to Thunderbird 45.7.0
    * Message preview pane non-functional after IMAP folder was renamed
      or moved
    * "Move To" button on "Search Messages" panel not working
    * Message sent to "undisclosed recipients" shows no recipient
      (non-functional since Thunderbird version 38)
    * Security updates from MFSA 2017-03 (Gecko 45.7.0) boo#1021991.
      In general, these flaws cannot be exploited through email in
      Thunderbird because scripting is disabled when reading mail,
      but are potentially risks in browser or browser-like contexts:
      CVE-2017-5375: Excessive JIT code allocation allows bypass of
      ASLR and DEP (bmo#1325200, boo#1021814)
      CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
      CVE-2017-5378: Pointer and frame data leakage of Javascript objects
      (bmo#1312001, bmo#1330769, boo#1021818)
      CVE-2017-5380: Potential use-after-free during DOM manipulations
      (bmo#1322107, boo#1021819)
      CVE-2017-5390: Insecure communication methods in Developer Tools
      JSON viewer (bmo#1297361, boo#1021820)
      CVE-2017-5396: Use-after-free with Media Decoder
      (bmo#1329403, boo#1021821)
      CVE-2017-5383: Location bar spoofing with unicode characters
      (bmo#1323338, bmo#1324716, boo#1021822)
      CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7
* Thu Dec 29 2016
  - update to Thunderbird 45.6.0 (boo#1015422)
    * The system integration dialog was shown every time when starting
    * MFSA 2016-96
      CVE-2016-9899: Use-after-free while manipulating DOM events and
      audio elements (bmo#1317409)
      CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
      CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
      CVE-2016-9898: Use-after-free in Editor while manipulating DOM
      subtrees (bmo#1314442)
      CVE-2016-9900: Restricted external resources can be loaded by
      SVG images through data URLs (bmo#1319122)
      CVE-2016-9904: Cross-origin information leak in shared atoms
      CVE-2016-9905: Crash in EnumerateSubDocuments (bmo#1293985)
      CVE-2016-9893: Memory safety bugs fixed in Thunderbird 45.6
* Thu Dec 01 2016
  - Mozilla Thunderbird 45.5.1:
    * CVE-2016-9079: SVG Animation Remote Code Execution
      (MFSA 2016-92, bsc#1012964, bmo#1321066)
* Sat Nov 19 2016
  - Mozilla Thunderbird 45.5.0 (boo#1009026)
    * Fixes for security flaws that cannot be exploited through email
      because scripting is disabled when reading mail, but are
      potentially risks in browser or browser-like contexts:
      CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
      CVE-2016-5297: Incorrect argument length checking in Javascript
      CVE-2016-9066: Integer overflow leading to a buffer overflow in
      nsScriptLoadHandler (bsc#1010404)
      CVE-2016-5291: Same-origin policy violation using local HTML file
      and saved shortcut file (bsc#1010410)
      CVE-2016-5290: Memory safety bugs fixed in Thunderbird ESR 45.5
  - Changed behavior:
    * Changed recipient address entry: Arrow-keys now copy the pop-up
      value to the input field. Mouse-hovered pop-up value can no
      longer be confirmed with tab or enter key. This restores the
      behavior of Thunderbird 24.
    * Support changes to character limit in Twitter
  - Bugs fixed:
    * Reply with selected text containing quote resulted in wrong
      quoting level indication
    * Email invitation might not be displayed when description
      contains non-ASCII characters
    * Attempting to sort messages on the Date field whilst a quick
      filter is applied got stuck on sort descending
    * Mail address display at header pane displayed incorrectly if
      the address contains UTF-8 according to RFC 6532
* Sat Oct 01 2016
  - update to Thunderbird 45.4.0 (boo#999701)
    * Display name was truncated if no separating space before email
    * Recipient addresses were shown in wrong color in some circumstances.
    * Additional spaces were inserted when drafts were edited.
    * Mail saved as template copied In-Reply-To and References from
      original email.
    * Threading broken when editing message draft, due to loss of Message-ID
    * "Apply columns to..." did not honor special folders
* Tue Aug 30 2016
  - update to Thunderbird 45.3.0 (boo#991809)
    * Disposition-Notification-To could not be used in
    * "edit as new message" on a received message pre-filled the sender
      as the composing identity.
    * Certain messages caused corruption of the drafts summary database.
    security fixes:
    * MFSA 2016-62/CVE-2016-2836
      Miscellaneous memory safety hazards
    * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
      Favicon network connection can persist when page is closed
    * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
      Buffer overflow rendering SVG with bidirectional content
    * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
      Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
    * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
      Stack underflow during 2D graphics rendering
    * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
      Use-after-free when using alt key and toplevel menus
    * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
      Use-after-free in DTLS during WebRTC session shutdown
    * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
      Use-after-free in service workers with nested sync events
    * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
      Scripts on marquee tag can execute in sandboxed iframes
    * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
      Buffer overflow in ClearKey Content Decryption Module (CDM)
      during video playback
    * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
      Type confusion in display transformation
    * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
      Use-after-free when applying SVG effects
    * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
      Same-origin policy violation using local HTML file and saved shortcut file
* Fri Aug 05 2016
  - Fix for possible buffer overrun (bsc#990856)
    CVE-2016-6354 (bmo#1292534)
* Thu Jul 21 2016
  - add a screenshot to appdata.xml
* Thu Jun 30 2016
  - update to Thunderbird 45.2 (boo#983549)
    Security fixes:
    * CVE-2016-2818, CVE-2016-2815: Memory safety bugs (MFSA2016-49)
  - drop mozilla-flexible-array-member-in-union.patch, upstream
* Fri Jun 24 2016
  - mozilla-binutils-visibility.patch to fix build issues with
    gcc/binutils combination used in Leap 42.2 (boo#984637)
* Thu Jun 23 2016
  - build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6
    as long as underlying issues have been addressed upstream
* Mon Jun 13 2016
  - Fix running on 48bit va aarch64 (bsc#984126)
    - Add patch mozilla-aarch64-48bit-va.patch
* Fri May 27 2016
  - update to Thunderbird 45.1.1
    * When entering members into a mailing list, the enter key
      dismissed the panel instead of just moving onto the next line
    * Email without HTML elements was sent as HTML, despite
      "Delivery Format: Auto-detect" option
    * Options applied to a template were lost when the template was used
    * Contacts could not be deleted when they were found through a search
    * Views from global searches did not respect
* Wed May 25 2016
  - The conditional testing for gcc was failing for different
    openSUSE versions, drop it and apply patches unconditionally.
* Tue May 24 2016
  - Add patches to fix building with gcc >= 6:
    + mozilla-gcc6.patch: patch taken from fedora's git and is
      essentially identical to upstream firefox patch:
    + mozilla-flexible-array-member-in-union.patch: patch taken
      from upstream bmo#1272649.
* Thu May 12 2016
  - Copy the icons to /usr/share/icons instead of symlinking them:
    in preparation for containerized apps (e.g. xdg-app) as well as
    AppStream metadata extraction, there are a couple locations that
    need to be real files for system integration (.desktop files,
    icons, mime-type info).
* Sat May 07 2016
  - update to Thunderbird 45.1.0 (boo#977333)
    * MFSA 2016-39/CVE-2016-2806/CVE-2016-2807 (boo#977375, boo#977376)
      Miscellaneous memory safety hazards
* Wed Apr 27 2016
  - For openSUSE > 13.2, the build fails for i586 as it goes out of
    memory. Prevent this from happening by disabling parallel build
    in this particular case (i.e. do not pass
    mk_add_options MOZ_MAKE_FLAGS%{?jobs:-j%jobs}).
* Sat Apr 16 2016
  - update to Thunderbird 45.0 (boo#969894)
    * Add a Correspondents column combining Sender and Recipient
    * Much better support for XMPP chatrooms and commands
    * Remote content exceptions: Improved options to add exceptions
    * Implement option to always use HTML formatting to prevent
      unexpected format loss when converting messages to plain text
    * Use OpenStreetmap for maps (even allow the user to choose from
      list of map services)
    * Allow spell checking and dictionary selection in the subject line
    * Allow editing of From when composing a message
    * Add dropdown in compose to allow specific setting of font size
    * Return/Enter in composer will now insert a new paragraph by
      default (shift-Enter will insert a line break)
    * Allow copying of name and email address from the message header
      of an email
    * supports OAuth authentication
    * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
      Miscellaneous memory safety hazards
    * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
      Local file overwriting and potential privilege escalation through
      CSP reports
    * MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
      CSP reports fail to strip location information for embedded iframe pages
    * MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
      Linux video memory DOS with Intel drivers
    * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
      Memory leak in libstagefright when deleting an array during MP4
    * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
      Use-after-free in HTML5 string parser
    * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
      Use-after-free in SetBody
    * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
      Use-after-free during XML transformations
    * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
      Out-of-bounds read in HTML parser following a failed allocation
    * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
      Buffer overflow during ASN.1 decoding in NSS
      (fixed by requiring 3.21.1)
    * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
      Use-after-free during processing of DER encoded keys in NSS
      (fixed by requiring 3.21.1)
    * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
      Font vulnerabilities in the Graphite 2 library
  - remove obsolete patches:
    * mozilla-arm-disable-edsp.patch
    * mozilla-icu-strncat.patch
    * mozilla-arm64-libjpeg-turbo.patch
  - added required mozilla platform patches:
    * mozilla-no-stdcxx-check.patch
* Wed Apr 06 2016
  - update to Thunderbird 38.7.2
    * disable Graphite font shaping library (same upstream changelog
      as 38.7.1)
* Fri Mar 25 2016
  - update to Thunderbird 38.7.1
    * disabled Graphite font shaping library
* Fri Mar 11 2016
  - update to Thunderbird 38.7.0 (boo#969894)
    * MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
      Use-after-free in MediaStream playback
    * MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
      Same-origin policy violation using performance.getEntries and
      history navigation
    * MFSA 2016-16/CVE-2016-1952
      Miscellaneous memory safety hazards
    * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
      Local file overwriting and potential privilege escalation through
      CSP reports
    * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
      Memory leak in libstagefright when deleting an array during MP4
    * MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
      Displayed page address can be overridden
    * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
      Use-after-free in HTML5 string parser
    * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
      Use-after-free in SetBody
    * MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
      Use-after-free when using multiple WebRTC data channels
    * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
      Use-after-free during XML transformations
    * MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
      Addressbar spoofing through history navigation and Location protocol
    * MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
      Memory corruption with malicious NPAPI plugin
    * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
      Out-of-bounds read in HTML parser following a failed allocation
    * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
      Font vulnerabilities in the Graphite 2 library
* Fri Feb 26 2016
  - adjust _constraints to current peak build memory and disk usage
* Sat Feb 13 2016
  - update to Thunderbird 38.6.0 (boo#963520)
    * Filters ran on a different folder than selected
    * MFSA 2016-01/CVE-2016-1930
      Miscellaneous memory safety hazards
    * MFSA 2016-03/CVE-2016-1935 (bmo#1220450)
      Buffer overflow in WebGL after out of memory allocation
* Mon Jan 25 2016
  - Using -g for CFLAGS is controlled via project settings, it should
    not be enforced by the mozilla buildsystem.
* Mon Jan 18 2016
  - Add build conditionals for valgrind and -Os
  - Convert existing conditions for kde to bcond
* Tue Dec 29 2015
  - update to Thunderbird 38.5.1
    * requires NSS 3.20.2 to fix
      MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
      MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
      server signature
  - explicitly require libXcomposite-devel
* Wed Dec 23 2015
  - update to Thunderbird 38.5.0 (bnc#959277)
    * MFSA 2015-134/CVE-2015-7201
      Miscellaneous memory safety hazards
    * MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
      Use-after-free in WebRTC when datachannel is used after being
    * MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
      Integer overflow allocating extremely large textures
    * MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
      Underflow through code inspection
    * MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
      Integer overflow in MP4 playback in 64-bit versions
    * MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
      Integer underflow and buffer overflow processing MP4 metadata in
    * MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
      Cross-site reading attack through data and view-source URIs
* Tue Nov 17 2015
  - update to Thunderbird 38.4.0 (bnc#952810)
    * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
      Miscellaneous memory safety hazards
    * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
      Trailing whitespace in IP address hostnames can bypass same-origin policy
    * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
      Buffer overflow during image interactions in canvas
    * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
      CORS preflight is bypassed when non-standard Content-Type headers
      are received
    * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
      Memory corruption in libjar through zip files
    * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
      JavaScript garbage collection crash with Java applet
    * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
      (bmo#1188010, bmo#1204061, bmo#1204155)
      Vulnerabilities found through code inspection
    * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
      Mixed content WebSocket policy bypass through workers
    * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
      (bmo#1202868, bmo#1205157)
      NSS and NSPR memory corruption issues
      (fixed in mozilla-nspr and mozilla-nss packages)
  - requires NSPR 4.10.10 and NSS
  - added explicit appdata provides (bnc#952325)
* Mon Oct 05 2015
  - fix build on aarch64 by reusing the crashreporter conditional
    from MozillaFirefox
* Mon Sep 28 2015
  - update to Thunderbird 38.3.0 (bnc#947003)
    * MFSA 2015-96/CVE-2015-4500
      Miscellaneous memory safety hazards
    * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
      Arbitrary file manipulation by local user through Mozilla updater
    * MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
      Buffer overflow in libvpx while parsing vp9 format video
    * MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
      Buffer overflow while decoding WebM video
    * MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
      Use-after-free while manipulating HTML media content
    * MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
      Dragging and dropping images exposes final URL after redirects
    * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
      Errors in the handling of CORS preflight request headers
    * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
      Vulnerabilities found through code inspection
    * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
      bmo#1190526) (Windows only)
      Memory safety errors in libGLES in the ANGLE graphics library
  - rebased patches
* Sat Aug 15 2015
  - update to Thunderbird 38.2.0 (bnc#940806)
    * MFSA 2015-79/CVE-2015-4473
      Miscellaneous memory safety hazards
    * MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
      Out-of-bounds read with malformed MP3 file
    * MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
      Redefinition of non-configurable JavaScript object properties
    * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
      Overflow issues in libstagefright
    * MFSA 2015-84/CVE-2015-4481 (bmo#1171518)
      Arbitrary file overwriting through Mozilla Maintenance Service
      with hard links (only affected Windows)
    * MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
      Out-of-bounds write with Updater and malicious MAR file
      (does not affect openSUSE RPM packages which do not ship the
    * MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
      Crash when using shared memory in JavaScript
    * MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
      Heap overflow in gdk-pixbuf when scaling bitmap images
    * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
      Buffer overflows on Libvpx when decoding WebM video
    * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
      Vulnerabilities found through code inspection
    * MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
      Use-after-free in XMLHttpRequest with shared workers
* Wed Jul 08 2015
  - update to Thunderbird 38.1.0 (bnc#935979)
    * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725
      Miscellaneous memory safety hazards
    * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
      Local files or privileged URLs in pages can be opened into new tabs
    * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
      Type confusion in Indexed Database Manager
    * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
      Out-of-bound read while computing an oscillator rendering range in Web Audio
    * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
      Use-after-free in Content Policy due to microtask execution error
    * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
      ECDSA signature validation fails to handle some signatures correctly
      (this fix is shipped by NSS 3.19.1 externally)
    * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
      Use-after-free in workers while using XMLHttpRequest
    * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
      Vulnerabilities found through code inspection
    * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
      Key pinning is ignored when overridable errors are encountered
    * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
      Privilege escalation in PDF.js
    * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
      NSS accepts export-length DHE keys with regular DHE cipher suites
      (this fix is shipped by NSS 3.19.1 externally)
    * MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
      NSS incorrectly permits skipping of ServerKeyExchange
      (this fix is shipped by NSS 3.19.1 externally)
  - requires NSS 3.19.2
* Fri Jun 19 2015
  - update to Thunderbird 38.0.1
    * includes Lightning as default extension
  - rebased patches
  - removed obsolete patches:
    * mozilla-ppc.patch
    * mozilla-nullptr-gcc45.patch
    * mozilla-bug1024492.patch
  - dropped openSUSE specific patches
    * thunderbird-shared-nss-db.patch
    * mozilla-shared-nss-db.patch
      the provided feature seems not to be used and its maintenance
      is not worth the ongoing efforts
  - tb-develdirs.patch is now mozilla-develdirs.patch as it is a
    platform configuration now
* Thu Jun 18 2015
  - mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
* Thu May 28 2015
  - add mozilla-bug1024492.patch:
    * Fixes build against GCC 5.x
* Sat May 09 2015
  - update to Thunderbird 31.7.0 (bnc#930622)
    * MFSA 2015-46/CVE-2015-2708
      Miscellaneous memory safety hazards
    * MFSA 2015-47/CVE-2015-0797 (bmo#1080995)
      Buffer overflow parsing H.264 video with Linux Gstreamer
    * MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
      Buffer overflow with SVG content and CSS
    * MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
      Use-after-free during text processing with vertical text enabled
    * MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
      Buffer overflow when parsing compressed XML
    * MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
      Privilege escalation through IPC channel messages
* Tue Mar 31 2015
  - update to Thunderbird 31.6.0 (bnc#925368)
    * MFSA 2015-30/CVE-2015-0815
      Miscellaneous memory safety hazards
    * MFSA 2015-31/CVE-2015-0813 (bmo#1106596)
      Use-after-free when using the Fluendo MP3 GStreamer plugin
    * MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
      resource:// documents can load privileged pages
    * MFSA 2015-37/CVE-2015-0807 (bmo#1111834)
      CORS requests should not follow 30x redirections after preflight
    * MFSA 2015-40/CVE-2015-0801 (bmo#1146339)
      Same-origin bypass through anchor navigation
* Mon Feb 23 2015
  - update to Thunderbird 31.5.0 (bnc#917597)
    * MFSA 2015-11/CVE-2015-0836
      Miscellaneous memory safety hazards
    * MFSA 2015-12/CVE-2015-0833 (bmo#945192)
      Invoking Mozilla updater will load locally stored DLL files
      (Windows only)
    * MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
      Use-after-free in IndexedDB
    * MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
      Out-of-bounds read and write while rendering SVG content
    * MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
      Reading of local files through manipulation of form autocomplete
* Sat Jan 10 2015
  - update to Thunderbird 31.4.0 (bnc#910669)
    * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
      Miscellaneous memory safety hazards
    * MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
      sendBeacon requests lack an Origin header
    * MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
      Cookie injection through Proxy Authenticate responses
  - added mozilla-icu-strncat.patch to fix post build checks
* Sun Nov 30 2014
  - update to Thunderbird 31.3.0 (bnc#908009)
    * MFSA 2014-83/CVE-2014-1587
      Miscellaneous memory safety hazards
    * MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
      XMLHttpRequest crashes with some input streams
    * MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
      Use-after-free during HTML5 parsing
    * MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
      Buffer overflow while parsing media content
    * MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
      Bad casting from the BasicThebesLayer to BasicContainerLayer
* Sun Nov 16 2014 Led
  - fix bashism in script
* Tue Nov 04 2014
  - Limit RAM usage during link for ARM
* Sat Oct 25 2014
  - remove and use /usr/share/myspell directly
* Sun Oct 12 2014
  - update to Thunderbird 31.2.0 (bnc#900941)
    * MFSA 2014-74/CVE-2014-1574
      Miscellaneous memory safety hazards
    * MFSA 2014-75/CVE-2014-1576 (bmo#1041512)
      Buffer overflow during CSS manipulation
    * MFSA 2014-76/CVE-2014-1577 (bmo#1012609)
      Web Audio memory corruption issues with custom waveforms
    * MFSA 2014-77/CVE-2014-1578 (bmo#1063327)
      Out-of-bounds write with WebM video
    * MFSA 2014-79/CVE-2014-1581 (bmo#1068218)
      Use-after-free interacting with text directionality
    * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
      Inconsistent video sharing within iframe
  - added basic appdata definition
* Wed Sep 24 2014
  - update to Thunderbird 31.1.2
* Tue Sep 09 2014
  - update to Thunderbird 31.1.1
    * Fixed an issue where mailing lists with spaces in their names
      couldn't be autocompleted (bmo#1060901)
    * Fixed an occasional startup crash (bmo#1005336)
* Fri Aug 29 2014
  - update to Thunderbird 31.1.0 (bnc#894370)
    * MFSA 2014-67/CVE-2014-1553/CVE-2014-1562
      Miscellaneous memory safety hazards
    * MFSA 2014-68/CVE-2014-1563 (bmo#1018524)
      Use-after-free during DOM interactions with SVG
    * MFSA 2014-69/CVE-2014-1564 (bmo#1045977)
      Uninitialized memory use during GIF rendering
    * MFSA 2014-70/CVE-2014-1565 (bmo#1047831)
      Out-of-bounds read in Web Audio audio timeline
    * MFSA 2014-72/CVE-2014-1567 (bmo#1037641)
      Use-after-free setting text directionality
  - added mozilla-nullptr-gcc45.patch to build on gcc 4.5 dists
    (e.g. openSUSE 11.4)
* Sun Jul 27 2014
  - update to Thunderbird 31.0
    * based on Gecko 31
    * Autocompleting email addresses now matches against any part of
      the name or email
    * Composing a mail to a newsgroup will now autocomplete newsgroup
    * Insecure NTLM (pre-NTLMv2) authentication disabled
  - rebased patches
  - removed enigmail entirely from source package
  - removed obsolete patches
    * libffi-ppc64le.patch
    * ppc64le-support.patch
    * xpcom-ppc64le.patch
  - use GStreamer 1.0 after 13.1
  - switched source archives to use xz instead of bz2
* Sun Jul 20 2014
  - update to Thunderbird 24.7.0 (bnc#887746)
    * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548
      Miscellaneous memory safety hazards
    * MFSA 2014-61/CVE-2014-1555 (bmo#1023121)
      Use-after-free with FireOnStateChange event
    * MFSA 2014-62/CVE-2014-1556 (bmo#1028891)
      Exploitable WebGL crash with Cesium JavaScript library
    * MFSA 2014-63/CVE-2014-1544 (bmo#963150)
      Use-after-free when manipulating certificates in the trusted cache
      (solved with NSS 3.16.2 requirement)
    * MFSA 2014-64/CVE-2014-1557 (bmo#913805)
      Crash in Skia library when scaling high quality images
  - disabled enigmail build as with version 1.7 it's a standalone
    source package
* Sat Jun 07 2014
  - update to Thunderbird 24.6.0 (bnc#881874)
    * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534
      (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874,
      bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981,
      bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817,
      bmo#996536, bmo#996715, bmo#999651, bmo#1000598,
      bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223,
      bmo#1009952, bmo#1011007)
      Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
    * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538
      (bmo#989994, bmo#999274, bmo#1005584)
      Use-after-free and out of bounds issues found using Address Sanitizer
    * MFSA 2014-52/CVE-2014-1541 (bmo#1000185)
      Use-after-free with SMIL Animation Controller
    * MFSA 2014-55/CVE-2014-1545 (bmo#1018783)
      Out of bounds write in NSPR
  - require NSPR 4.10.6 because of MFSA 2014-55/CVE-2014-1545
* Fri Apr 25 2014
  - update to Thunderbird 24.5.0 (bnc#875378)
    * MFSA 2014-34/CVE-2014-1518
      Miscellaneous memory safety hazards
    * MFSA 2014-37/CVE-2014-1523 (bmo#969226)
      Out of bounds read while decoding JPG images
    * MFSA 2014-38/CVE-2014-1524 (bmo#989183)
      Buffer overflow when using non-XBL object as XBL
    * MFSA 2014-42/CVE-2014-1529 (bmo#987003)
      Privilege escalation through Web Notification API
    * MFSA 2014-43/CVE-2014-1530 (bmo#895557)
      Cross-site scripting (XSS) using history navigations
    * MFSA 2014-44/CVE-2014-1531 (bmo#987140)
      Use-after-free in imgLoader while resizing images
    * MFSA 2014-46/CVE-2014-1532 (bmo#966006)
      Use-after-free in nsHostResolver
  - use shipped-locales as the authoritative source for supported
    locales (some unsupported locales disappear from -other package)
* Tue Mar 18 2014
  - update to Thunderbird 24.4.0 (bnc#868603)
    * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
      Miscellaneous memory safety hazards
    * MFSA 2014-17/CVE-2014-1497 (bmo#966311)
      Out of bounds read during WAV file decoding
    * MFSA 2014-26/CVE-2014-1508 (bmo#963198)
      Information disclosure through polygon rendering in MathML
    * MFSA 2014-27/CVE-2014-1509 (bmo#966021)
      Memory corruption in Cairo during PDF font rendering
    * MFSA 2014-28/CVE-2014-1505 (bmo#941887)
      SVG filters information disclosure through feDisplacementMap
    * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909)
      Privilege escalation using WebIDL-implemented APIs
    * MFSA 2014-30/CVE-2014-1512 (bmo#982957)
      Use-after-free in TypeObject
    * MFSA 2014-31/CVE-2014-1513 (bmo#982974)
      Out-of-bounds read/write through neutering ArrayBuffer objects
    * MFSA 2014-32/CVE-2014-1514 (bmo#983344)
      Out-of-bounds write through TypedArrayObject after neutering
* Mon Feb 03 2014
  - update to Thunderbird 24.3.0 (bnc#861847)
    * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478
      Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
    * MFSA 2014-02/CVE-2014-1479 (bmo#911864)
      Clone protected content with XBL scopes
    * MFSA 2014-04/CVE-2014-1482 (bmo#943803)
      Incorrect use of discarded images by RasterImage
    * MFSA 2014-08/CVE-2014-1486 (bmo#942164)
      Use-after-free with imgRequestProxy and image processing
    * MFSA 2014-09/CVE-2014-1487 (bmo#947592)
      Cross-origin information leak through web workers
    * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
      (bmo#934545, bmo#930874, bmo#930857)
      NSS ticket handling issues
    * MFSA 2014-13/CVE-2014-1481 (bmo#936056)
      Inconsistent JavaScript handling of access to Window objects
  - requires NSS 3.15.4
  - renamed ppc64le patches to streamline with Firefox package
* Fri Dec 13 2013
  - Add support for powerpc64le-linux.
    * ppc64le-support.patch: general support
    * libffi-ppc64le.patch: libffi backport
    * xpcom-ppc64le.patch: port xpcom
* Sun Dec 08 2013
  - update to Thunderbird 24.2.0 (bnc#854370)
    * requires NSS or higher
    * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610
      Miscellaneous memory safety hazards
    * MFSA 2013-108/CVE-2013-5616 (bmo#938341)
      Use-after-free in event listeners
    * MFSA 2013-109/CVE-2013-5618 (bmo#926361)
      Use-after-free during Table Editing
    * MFSA 2013-111/CVE-2013-6671 (bmo#930281)
      Segmentation violation when replacing ordered list elements
    * MFSA 2013-113/CVE-2013-6673 (bmo#970380)
      Trust settings for built-in roots ignored during EV certificate
    * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449)
      Use-after-free in synthetic mouse movement
    * MFSA 2013-115/CVE-2013-5615 (bmo#929261)
      GetElementIC typed array stubs can be generated outside observed
    * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693)
      JPEG information leak
    * MFSA 2013-117 (bmo#946351)
      Mis-issued ANSSI/DCSSI certificate
      (fixed via NSS
* Tue Nov 19 2013
  - update to Thunderbird 24.1.1
    * requires NSPR 4.10.2 and NSS 3.15.3 for security reasons
    * fix binary compatibility issues for patch level updates
* Thu Oct 24 2013
  - update to Thunderbird 24.1.0 (bnc#847708)
    * requires NSS 3.15.2 or above
    * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592
      Miscellaneous memory safety hazards
    * MFSA 2013-94/CVE-2013-5593 (bmo#868327)
      Spoofing addressbar through SELECT element
    * MFSA 2013-95/CVE-2013-5604 (bmo#914017)
      Access violation with XSLT and uninitialized data
    * MFSA 2013-96/CVE-2013-5595 (bmo#916580)
      Improperly initialized memory and overflows in some JavaScript
    * MFSA 2013-97/CVE-2013-5596 (bmo#910881)
      Writing to cycle collected object during image decoding
    * MFSA 2013-98/CVE-2013-5597 (bmo#918864)
      Use-after-free when updating offline cache
    * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601
      (bmo#915210, bmo#915576, bmo#916685)
      Miscellaneous use-after-free issues found through ASAN fuzzing
    * MFSA 2013-101/CVE-2013-5602 (bmo#897678)
      Memory corruption in workers
    * MFSA 2013-102/CVE-2013-5603 (bmo#916404)
      Use-after-free in HTML document templates
* Thu Oct 10 2013
  - update to Thunderbird 24.0.1
    * fqdn for smtp server name was not accepted (bmo#913785)
    * fixed crash in PL_strncasecmp (bmo#917955)
  - update Enigmail to 1.6
    * The passphrase timeout configuration in Enigmail is now read and
      written from/to gpg-agent.
    * New dialog to change the expiry date of keys
    * New function to search for the OpenPGP keys of all Address Book
      entries on a keyserver
    * removed obsolete enigmail-build.patch
* Sat Sep 14 2013
  - update to Thunderbird 24.0 (bnc#840485)
    * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719
      Miscellaneous memory safety hazards
    * MFSA 2013-77/CVE-2013-1720 (bmo#888820)
      Improper state in HTML5 Tree Builder with templates
    * MFSA 2013-79/CVE-2013-1722 (bmo#893308)
      Use-after-free in Animation Manager during stylesheet cloning
    * MFSA 2013-80/CVE-2013-1723 (bmo#891292)
      NativeKey continues handling key messages after widget is destroyed
    * MFSA 2013-81/CVE-2013-1724 (bmo#894137)
      Use-after-free with select element
    * MFSA 2013-82/CVE-2013-1725 (bmo#876762)
      Calling scope for new Javascript objects can lead to memory corruption
    * MFSA 2013-85/CVE-2013-1728 (bmo#883686)
      Uninitialized data in IonMonkey
    * MFSA 2013-88/CVE-2013-1730 (bmo#851353)
      Compartment mismatch re-attaching XBL-backed nodes
    * MFSA 2013-89/CVE-2013-1732 (bmo#883514)
      Buffer overflow with multi-column, lists, and floats
    * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301)
      Memory corruption involving scrolling
    * MFSA 2013-91/CVE-2013-1737 (bmo#907727)
      User-defined properties on DOM proxies get the wrong "this" object
    * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897)
      GC hazard with default compartments and frame chain restoration
  - moved greek to common translation package
  - require NSPR 4.10 and NSS 3.15.1
  - add GStreamer build requirements for Gecko
  - added enigmail-build.patch to fix TB packaging (bmo#886095)
  - removed obsolete patches:
    * enigmail-old-gcc.patch
    * mozilla-gcc43-enums.patch
    * mozilla-gcc43-template_hacks.patch
    * mozilla-gcc43-templates_instantiation.patch
    * ppc-xpcshell.patch
* Fri Aug 02 2013
  - update to Thunderbird 17.0.8 (bnc#833389)
    * MFSA 2013-63/CVE-2013-1701
      Miscellaneous memory safety hazards
    * MFSA 2013-68/CVE-2013-1709 (bmo#838253)
      Document URI misrepresentation and masquerading
    * MFSA 2013-69/CVE-2013-1710 (bmo#871368)
      CRMF requests allow for code execution and XSS attacks
    * MFSA 2013-72/CVE-2013-1713 (bmo#887098)
      Wrong principal used for validating URI for some Javascript
    * MFSA 2013-73/CVE-2013-1714 (bmo#879787)
      Same-origin bypass with web workers and XMLHttpRequest
    * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
      Local Java applets may read contents of local file system
* Wed Jul 17 2013
  - update Enigmail to 1.5.2
    * bugfix release
* Mon Jun 24 2013
  - update to Thunderbird 17.0.7 (bnc#825935)
    * MFSA 2013-49/CVE-2013-1682
      Miscellaneous memory safety hazards
    * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
      Memory corruption found using Address Sanitizer
    * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
      Privileged content access and execution via XBL
    * MFSA 2013-53/CVE-2013-1690 (bmo#857883)
      Execution of unmapped memory through onreadystatechange event
    * MFSA 2013-54/CVE-2013-1692 (bmo#866915)
      Data in the body of XHR HEAD requests leads to CSRF attacks
    * MFSA 2013-55/CVE-2013-1693 (bmo#711043)
      SVG filters can lead to information disclosure
    * MFSA 2013-56/CVE-2013-1694 (bmo#848535)
      PreserveWrapper has inconsistent behavior
    * MFSA 2013-59/CVE-2013-1697 (bmo#858101)
      XrayWrappers can be bypassed to run user defined methods in a
      privileged context
* Tue Jun 04 2013
  - prevent xpc-shell crashing on powerpc
* Sat May 11 2013
  - update to Thunderbird 17.0.6 (bnc#819204)
    * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669
      Miscellaneous memory safety hazards
    * MFSA 2013-42/CVE-2013-1670 (bmo#853709)
      Privileged access for content level constructor
    * MFSA 2013-46/CVE-2013-1674 (bmo#860971)
      Use-after-free with video and onresize event
    * MFSA 2013-47/CVE-2013-1675 (bmo#866825)
      Uninitialized functions in DOMSVGZoomEvent
    * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/
      Memory corruption found using Address Sanitizer
* Fri Mar 29 2013
  - update to Thunderbird 17.0.5 (bnc#813026)
    * requires NSPR 4.9.5 and NSS 3.14.3
    * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789
      Miscellaneous memory safety hazards
    * MFSA 2013-31/CVE-2013-0800 (bmo#825721)
      Out-of-bounds write in Cairo library
    * MFSA 2013-35/CVE-2013-0796 (bmo#827106)
      WebGL crash with Mesa graphics driver on Linux
    * MFSA 2013-36/CVE-2013-0795 (bmo#825697)
      Bypass of SOW protections allows cloning of protected nodes
    * MFSA 2013-38/CVE-2013-0793 (bmo#803870)
      Cross-site scripting (XSS) using timed history navigations
* Fri Mar 08 2013
  - update to Thunderbird 17.0.4 (bnc#808243)
    * MFSA 2013-29/CVE-2013-0787 (bmo#848644)
      Use-after-free in HTML Editor
* Sun Feb 17 2013
  - update to Thunderbird 17.0.3 (bnc#804248)
    * MFSA 2013-21/CVE-2013-0783
      Miscellaneous memory safety hazards
    * MFSA 2013-24/CVE-2013-0773 (bmo#809652)
      Web content bypass of COW and SOW security wrappers
    * MFSA 2013-25/CVE-2013-0774 (bmo#827193)
      Privacy leak in JavaScript Workers
    * MFSA 2013-26/CVE-2013-0775 (bmo#831095)
      Use-after-free in nsImageLoadingContent
    * MFSA 2013-27/CVE-2013-0776 (bmo#796475)
      Phishing on HTTPS connection through malicious proxy
    * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782
      Use-after-free, out of bounds read, and buffer overflow issues
      found using Address Sanitizer
* Mon Feb 11 2013
  - update Enigmail to 1.5.1
    * The release fixes the regressions found in the past few
* Sat Jan 05 2013
  - update to Thunderbird 17.0.2 (bnc#796895)
    * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770
      Miscellaneous memory safety hazards
    * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767
      Use-after-free and buffer overflow issues found using Address Sanitizer
    * MFSA 2013-03/CVE-2013-0768 (bmo#815795)
      Buffer Overflow in Canvas
    * MFSA 2013-04/CVE-2012-0759 (bmo#802026)
      URL spoofing in addressbar during page loads
    * MFSA 2013-05/CVE-2013-0744 (bmo#814713)
      Use-after-free when displaying table with many columns and column groups
    * MFSA 2013-07/CVE-2013-0764 (bmo#804237)
      Crash due to handling of SSL on threads
    * MFSA 2013-08/CVE-2013-0745 (bmo#794158)
      AutoWrapperChanger fails to keep objects alive during garbage collection
    * MFSA 2013-09/CVE-2013-0746 (bmo#816842)
      Compartment mismatch with quickstubs returned values
    * MFSA 2013-10/CVE-2013-0747 (bmo#733305)
      Event manipulation in plugin handler to bypass same-origin policy
    * MFSA 2013-11/CVE-2013-0748 (bmo#806031)
      Address space layout leaked in XBL objects
    * MFSA 2013-12/CVE-2013-0750 (bmo#805121)
      Buffer overflow in Javascript string concatenation
    * MFSA 2013-13/CVE-2013-0752 (bmo#805024)
      Memory corruption in XBL with XML bindings containing SVG
    * MFSA 2013-14/CVE-2013-0757 (bmo#813901)
      Chrome Object Wrapper (COW) bypass through changing prototype
    * MFSA 2013-15/CVE-2013-0758 (bmo#813906)
      Privilege escalation through plugin objects
    * MFSA 2013-16/CVE-2013-0753 (bmo#814001)
      Use-after-free in serializeToStream
    * MFSA 2013-17/CVE-2013-0754 (bmo#814026)
      Use-after-free in ListenerManager
    * MFSA 2013-18/CVE-2013-0755 (bmo#814027)
      Use-after-free in Vibrate
    * MFSA 2013-19/CVE-2013-0756 (bmo#814029)
      Use-after-free in Javascript Proxy objects
  - requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743)
  - update Enigmail to 1.5.0
* Mon Nov 26 2012
  - fix KDE integration for file dialogs
  - fix some rpmlint warnings (mkdir.done files)
  - build on SLE11
    * mozilla-gcc43-enums.patch
    * mozilla-gcc43-template_hacks.patch
    * mozilla-gcc43-templates_instantiation.patch
* Tue Nov 20 2012
  - update to Thunderbird 17.0 (bnc#790140)
    * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843
      Miscellaneous memory safety hazards
    * MFSA 2012-92/CVE-2012-4202 (bmo#758200)
      Buffer overflow while rendering GIF images
    * MFSA 2012-93/CVE-2012-4201 (bmo#747607)
      evalInSanbox location context incorrectly applied
    * MFSA 2012-94/CVE-2012-5836 (bmo#792857)
      Crash when combining SVG text on path with CSS
    * MFSA 2012-96/CVE-2012-4204 (bmo#778603)
      Memory corruption in str_unescape
    * MFSA 2012-97/CVE-2012-4205 (bmo#779821)
      XMLHttpRequest inherits incorrect principal within sandbox
    * MFSA 2012-99/CVE-2012-4208 (bmo#798264)
      XrayWrappers exposes chrome-only properties when not in chrome
    * MFSA 2012-100/CVE-2012-5841 (bmo#805807)
      Improper security filtering for cross-origin wrappers
    * MFSA 2012-101/CVE-2012-4207 (bmo#801681)
      Improper character decoding in HZ-GB-2312 charset
    * MFSA 2012-102/CVE-2012-5837 (bmo#800363)
      Script entered into Developer Toolbar runs with chrome privileges
    * MFSA 2012-103/CVE-2012-4209 (bmo#792405)
      Frames can shadow top.location
    * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/
      Use-after-free and buffer overflow issues found using Address
    * MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838
      Use-after-free, buffer overflow, and memory corruption issues
      found using Address Sanitizer
  - rebased patches
  - disabled WebRTC since build is broken (bmo#776877)
  - update Enigmail to 1.4.6
* Sat Oct 27 2012
  - update to Thunderbird 16.0.2 (bnc#786522)
    * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196
      (bmo#800666, bmo#793121, bmo#802557)
      Fixes for Location object issues
* Thu Oct 11 2012
  - update to Thunderbird 16.0.1 (bnc#783533)
    * MFSA 2012-88/CVE-2012-4191 (bmo#798045)
      Miscellaneous memory safety hazards
    * MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619)
      defaultValue security checks not applied
* Mon Oct 08 2012
  - update to Thunderbird 16.0 (bnc#783533)
    * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983
      Miscellaneous memory safety hazards
    * MFSA 2012-75/CVE-2012-3984 (bmo#575294)
      select element persistence allows for attacks
    * MFSA 2012-76/CVE-2012-3985 (bmo#655649)
      Continued access to initial origin after setting document.domain
    * MFSA 2012-77/CVE-2012-3986 (bmo#775868)
      Some DOMWindowUtils methods bypass security checks
    * MFSA 2012-79/CVE-2012-3988 (bmo#725770)
      DOS and crash with full screen and history navigation
    * MFSA 2012-80/CVE-2012-3989 (bmo#783867)
      Crash with invalid cast when using instanceof operator
    * MFSA 2012-81/CVE-2012-3991 (bmo#783260)
      GetProperty function can bypass security checks
    * MFSA 2012-82/CVE-2012-3994 (bmo#765527)
      top object and location property accessible by plugins
    * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370)
      Chrome Object Wrapper (COW) does not disallow access to privileged
      functions or properties
    * MFSA 2012-84/CVE-2012-3992 (bmo#775009)
      Spoofing and script injection through location.hash
    * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/
      Use-after-free, buffer overflow, and out of bounds read issues
      found using Address Sanitizer
    * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/
      Heap memory corruption issues found using Address Sanitizer
    * MFSA 2012-87/CVE-2012-3990 (bmo#787704)
      Use-after-free in the IME State Manager
  - update Enigmail to version 1.4.5
* Sun Aug 26 2012
  - update to Thunderbird 15.0 (bnc#777588)
    * MFSA 2012-57/CVE-2012-1970
      Miscellaneous memory safety hazards
    * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975
      Use-after-free issues found using Address Sanitizer
    * MFSA 2012-59/CVE-2012-1956 (bmo#756719)
      Location object can be shadowed using Object.defineProperty
    * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793)
      Memory corruption with bitmap format images with negative height
    * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968
      WebGL use-after-free and memory corruption
    * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970
      SVG buffer overflow and use-after-free issues
    * MFSA 2012-64/CVE-2012-3971
      Graphite 2 memory corruption
    * MFSA 2012-65/CVE-2012-3972 (bmo#746855)
      Out-of-bounds read in format-number in XSLT
    * MFSA 2012-68/CVE-2012-3975 (bmo#770684)
      DOMParser loads linked resources in extensions when parsing
    * MFSA 2012-70/CVE-2012-3978 (bmo#770429)
      Location object security checks bypassed by chrome code
    * MFSA 2012-72/CVE-2012-3980 (bmo#771859)
      Web console eval capable of executing chrome-privileged code
  - update Enigmail to 1.4.4
* Sun Jul 29 2012
  - Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16)
* Sun Jul 15 2012
  - update to Thunderbird 14.0 (bnc#771583)
    * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948
      Miscellaneous memory safety hazards
    * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952
      Gecko memory corruption
    * MFSA 2012-45/CVE-2012-1955 (bmo#757376)
      Spoofing issue with location
    * MFSA 2012-47/CVE-2012-1957 (bmo#750096)
      Improper filtering of javascript in HTML feed-view
    * MFSA 2012-48/CVE-2012-1958 (bmo#750820)
      use-after-free in nsGlobalWindow::PageHidden
    * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559)
      Same-compartment Security Wrappers can be bypassed
    * MFSA 2012-50/CVE-2012-1960 (bmo#761014)
      Out of bounds read in QCMS
    * MFSA 2012-51/CVE-2012-1961 (bmo#761655)
      X-Frame-Options header ignored when duplicated
    * MFSA 2012-52/CVE-2012-1962 (bmo#764296)
      JSDependentString::undepend string conversion results in memory
    * MFSA 2012-53/CVE-2012-1963 (bmo#767778)
      Content Security Policy 1.0 implementation errors cause data
    * MFSA 2012-56/CVE-2012-1967 (bmo#758344)
      Code execution through javascript: URLs
    * relicensed to MPL-2.0
  - update Enigmail to 1.4.3
* Thu Jul 05 2012
  - no crashreport on %arm, fixing build
* Fri Jun 15 2012
  - update to Thunderbird 13.0.1
    * bugfix release
* Sat Jun 02 2012
  - update to Thunderbird 13.0 (bnc#765204)
    * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
      Miscellaneous memory safety hazards
    * MFSA 2012-36/CVE-2012-1944 (bmo#751422)
      Content Security Policy inline-script bypass
    * MFSA 2012-37/CVE-2012-1945 (bmo#670514)
      Information disclosure through Windows file shares and shortcut
    * MFSA 2012-38/CVE-2012-1946 (bmo#750109)
      Use-after-free while replacing/inserting a node in a document
    * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
      Buffer overflow and use-after-free issues found using Address
  - require NSS 3.13.4
    * MFSA 2012-39/CVE-2012-0441 (bmo#715073)
  - fix build with system NSPR (mozilla-system-nspr.patch)
  - add dependentlibs.list for improved XRE startup
  - update enigmail to 1.4.2
* Wed May 16 2012
  - reenabled crashreporter for Factory/12.2
    (fix in mozilla-gcc47.patch)
* Mon Apr 30 2012
  - update to Thunderbird 12.0.1
    * fix regressions
    - POP3 filters (bmo#748090)
    - Message Body not loaded when using "Fetch Headers Only"
    - Received messages contain parts of other messages with
      movemail account (bmo#748726)
    - New mail notification issue (bmo#748997)
    - crash in nsMsgDatabase::MatchDbName (bmo#748432)
* Fri Apr 27 2012
  - fixed build with gcc 4.7
* Sat Apr 21 2012
  - update to Thunderbird 12.0 (bnc#758408)
    * MFSA 2012-20/CVE-2012-0467/CVE-2012-0468
      Miscellaneous memory safety hazards
    * MFSA 2012-22/CVE-2012-0469 (bmo#738985)
      use-after-free in IDBKeyRange
    * MFSA 2012-23/CVE-2012-0470 (bmo#734288)
      Invalid frees cause heap corruption in gfxImageSurface
    * MFSA 2012-24/CVE-2012-0471 (bmo#715319)
      Potential XSS via multibyte content processing errors
    * MFSA 2012-25/CVE-2012-0472 (bmo#744480)
      Potential memory corruption during font rendering using cairo-dwrite
    * MFSA 2012-26/CVE-2012-0473 (bmo#743475)
      WebGL.drawElements may read illegal video memory due to
      FindMaxUshortElement error
    * MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307)
      Page load short-circuit can lead to XSS
    * MFSA 2012-28/CVE-2012-0475 (bmo#694576)
      Ambiguous IPv6 in Origin headers may bypass webserver access
    * MFSA 2012-29/CVE-2012-0477 (bmo#718573)
      Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
    * MFSA 2012-30/CVE-2012-0478 (bmo#727547)
      Crash with WebGL content using textImage2D
    * MFSA 2012-31/CVE-2011-3062 (bmo#739925)
      Off-by-one error in OpenType Sanitizer
    * MFSA 2012-32/CVE-2011-1187 (bmo#624621)
      HTTP Redirections and remote content can be read by javascript errors
    * MFSA 2012-33/CVE-2012-0479 (bmo#714631)
      Potential site identity spoofing when loading RSS and Atom feeds
  - update Enigmail to 1.4.1
  - added mozilla-revert_621446.patch
  - added mozilla-libnotify.patch (bmo#737646)
  - added mailnew-showalert.patch (bmo#739146)
  - added mozilla-gcc47.patch and mailnews-literals.patch to fix
    compilation issues with recent gcc 4.7
  - disabled crashreporter temporarily for Factory (gcc 4.7 issue)
* Tue Mar 27 2012
  - update to Thunderbird 11.0.1 (bnc#755060)
    * Fixing an issue where filters can get messed up (bmo#735940)
    * Fixes a hang when switching IMAP folders, or doing other
      imap functions (bmo#733731)
* Fri Mar 09 2012
  - update to Thunderbird 11.0 (bnc#750044)
    * MFSA 2012-13/CVE-2012-0455 (bmo#704354)
      XSS with Drag and Drop and Javascript: URL
    * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103)
      SVG issues found with Address Sanitizer
    * MFSA 2012-15/CVE-2012-0451 (bmo#717511)
      XSS with multiple Content Security Policy headers
    * MFSA 2012-16/CVE-2012-0458
      Escalation of privilege with Javascript: URL as home page
    * MFSA 2012-17/CVE-2012-0459 (bmo#723446)
      Crash when accessing keyframe cssText after dynamic modification
    * MFSA 2012-18/CVE-2012-0460 (bmo#727303)
      window.fullScreen writeable by untrusted content
    * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/
      Miscellaneous memory safety hazards
  - update enigmail to 1.4
  - added KDE integration patches (bnc#749440)
* Mon Feb 27 2012
  - update enigmail to 1.3.99 (1.4a1pre)
* Thu Feb 16 2012
  - update to Thunderbird 10.0.2 (bnc#747328)
    * CVE-2011-3026 (bmo#727401)
      libpng: integer overflow leading to heap-buffer overflow
* Thu Feb 09 2012
  - update to version 10.0.1 (bnc#746616)
    * MFSA 2012-10/CVE-2012-0452 (bmo#724284)
      use after free in nsXBLDocumentInfo::ReadPrototypeBindings
  - Use YARR interpreter instead of PCRE on platforms where YARR JIT
    is not supported, since PCRE doesn't build (bmo#691898)
  - fix ppc64 build (bmo#703534)
* Sun Jan 29 2012
  - update to version 10.0 (bnc#744275)
    * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
      Miscellaneous memory safety hazards
    * MFSA 2012-03/CVE-2012-0445 (bmo#701071)
      <iframe> element exposed across domains via name attribute
    * MFSA 2012-04/CVE-2011-3659 (bmo#708198)
      Child nodes from nsDOMAttribute still accessible after removal
      of nodes
    * MFSA 2012-05/CVE-2012-0446 (bmo#705651)
      Frame scripts calling into untrusted objects bypass security
    * MFSA 2012-06/CVE-2012-0447 (bmo#710079)
      Uninitialized memory appended when encoding icon images may
      cause information disclosure
    * MFSA 2012-07/CVE-2012-0444 (bmo#719612)
      Potential Memory Corruption When Decoding Ogg Vorbis files
    * MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
      Crash with malformed embedded XSLT stylesheets
  - update enigmail to 1.3.5
  - added mozilla-disable-neon-option.patch to be able to disable
    neon on ARM
  - removed obsolete PPC64 patch
* Sun Dec 18 2011
  - update to version 9.0 (bnc#737533)
    * MFSA 2011-53/CVE-2011-3660
      Miscellaneous memory safety hazards (rv:9.0)
    * MFSA 2011-54/CVE-2011-3661 (bmo#691299)
      Potentially exploitable crash in the YARR regular expression
    * MFSA 2011-55/CVE-2011-3658 (bmo#708186)
      nsSVGValue out-of-bounds access
    * MFSA 2011-56/CVE-2011-3663 (bmo#704482)
      Key detection without JavaScript via SVG animation
    * MFSA 2011-58/CVE-2011-3665 (bmo#701259)
      Crash scaling <video> to extreme sizes
  - fixed accessibility under GNOME 3 (bnc#732898)
  - do not show update channel in about box
* Sun Dec 04 2011
  - update enigmail to 1.3.4 (bnc#733002)
    * fixes several regressions from previous release
* Mon Nov 21 2011
  - do not disable system addons
  - fixed enigmail localizations
* Mon Nov 21 2011
  - fix powerpc build
  - disable crashreporter on ppc and ppc64
* Mon Nov 07 2011
  - update to version 8.0 (bnc#728520)
    * MFSA 2011-47/CVE-2011-3648 (bmo#690225)
      Potential XSS against sites using Shift-JIS
    * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
      Miscellaneous memory safety hazards
    * MFSA 2011-49/CVE-2011-3650 (bmo#674776)
      Memory corruption while profiling using Firebug
    * MFSA 2011-52/CVE-2011-3655 (bmo#672182)
      Code execution via NoWaiverWrapper
  - rebased patches
  - update enigmail to 1.3.3
  - update icon cache after install/removal (bnc#726758)
* Fri Sep 30 2011
  - update to minor version 7.0.1
    * fixed staged addon updates
    * Disabled the what's new tab for updaters from 7.0 (bmo#690290)
    * Insert Characters & Symbols fix (bmo#690267)
* Mon Sep 26 2011
  - update to version 7.0 (bnc#720264)
    * MFSA 2011-36
      Miscellaneous memory safety hazards
    * MFSA 2011-39/CVE-2011-3000 (bmo#655389)
      Defense against multiple Location headers due to CRLF Injection
    * MFSA 2011-40/CVE-2011-2372/CVE-2011-3001
      Code installation through holding down Enter
    * MFSA 2011-42/CVE-2011-3232
      Potentially exploitable crash in the YARR regular expression
    * MFSA 2011-44/CVE-2011-3005 (bmo#675747)
      Use after free reading OGG headers
  - removed obsolete mozilla-cairo-lcd.patch
* Tue Sep 13 2011
  - update enigmail to 1.3.2 (no changelog available)
  - add dbus-1-glib-devel to BuildRequires (not pulled automatically
    anymore with 12.1)
* Fri Sep 09 2011
  - make enigmail a subversion of Thunderbird to fix %release
    number tracking issues with the Open Build Service
    (taken from dmueller's 3.1.x changes)
* Wed Sep 07 2011
  - security update to 6.0.2 (bnc#714931)
    * Complete blocking of certificates issued by DigiNotar
* Fri Sep 02 2011
  - security update to 6.0.1 (bnc#714931)
    * MFSA 2011-34
      Protection against fraudulent DigiNotar certificates
* Wed Aug 17 2011
  - update enigmail to 1.3 final
* Fri Aug 12 2011
  - update to version 6.0 (bnc#712224)
    including security fixes MFSA 2011-31
    * CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985
      Miscellaneous memory safety hazards
    * CVE-2011-2988 (bmo#665936)
      String crash using WebGL shaders
    * CVE-2011-2987 (bmo#665934)
      Heap overflow in ANGLE library
    * CVE-2011-0084 (bmo#648094)
      Crash in SVGTextElement.getCharNumAtPosition()
    * CVE-2011-2986 (bmo#655836)
      Cross-origin data theft using canvas and Windows D2D
  - add mozilla-curl.patch to remove dependencies to obsolete curl
* Sat Jul 30 2011
  - update enigmail to 1.2.99 (1.3a1pre)
* Fri Jul 29 2011
  - update to version 6.0b2
    * removed obsolete patches
    - mozilla-gio.patch
    - thunderbird-gio.patch
  - fix symbol dumper for linux3 platform
* Sat Jul 09 2011
  - update to version 5.0
  - update enigmail to version 1.2
  - improved logic for the launcher command
  - enable gio usage (instead of gnomevfs) for 11.4 and newer
  - build dump_syms dynamic to build on 12.1 and above
* Mon Jun 20 2011
  - security update to version 3.1.11 (bnc#701296)
    * MFSA 2011-19/CVE-2011-2374 CVE-2011-2376 CVE-2011-2364
      Miscellaneous memory safety hazards
    * MFSA 2011-20/CVE-2011-2373 (bmo#617247)
      Use-after-free vulnerability when viewing XUL document with
      script disabled
    * MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303)
      Memory corruption due to multipart/x-mixed-replace images
    * MFSA 2011-22/CVE-2011-2371 (bmo#664009)
      Integer overflow and arbitrary code execution in
    * MFSA 2011-23/CVE-2011-0083 CVE-2011-0085 CVE-2011-2363
      Multiple dangling pointer vulnerabilities
    * MFSA 2011-24/CVE-2011-2362 (bmo#616264)
      Cookie isolation error
  - speed up
  - do not build dump_syms static as it is not needed for us
    -> fixes build for 12.1 and above
* Fri Apr 15 2011
  - security update to version 3.1.10 (bnc#689281)
    * MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0072
      CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078
      CVE-2011-0080 CVE-2011-0081
      Miscellaneous memory safety hazards
* Fri Mar 25 2011
  - Add mozilla-gcc46.patch: fix compilation with gcc 4.6
    See the following bug reports:
* Tue Feb 22 2011
  - security update to version 3.1.8 (build3) (bnc#667155)
    * MFSA 2011-01/CVE-2011-0053/CVE-2011-0062
      Miscellaneous memory safety hazards (rv:
    * MFSA 2011-08/CVE-2010-1585 (bmo#562547)
      ParanoidFragmentSink allows javascript: URLs in chrome documents
    * MFSA 2011-09/CVE-2011-0061 (bmo#610601)
      Crash caused by corrupted JPEG image
* Thu Jan 13 2011
  - rename desktop file for 11.4 and above (bnc#664211)
* Mon Jan 10 2011
  - add x-scheme-handler/mailto as mimetype to the desktop file
    as needed by newer Gnome environment
* Mon Nov 29 2010
  - security update to version 3.1.7 (bnc#657016)
    * MFSA 2010-74/CVE-2010-3776/CVE-2010-3777/CVE-2010-3778
      Miscellaneous memory safety hazards (rv:
    * MFSA 2010-75/CVE-2010-3769 (bmo#608336)
      Buffer overflow while line breaking after document.write with
      long string
    * MFSA 2010-78/CVE-2010-3768 (bmo#527276)
      Add support for OTS font sanitizer
  - provide versioned "thunderbird" symbol
* Wed Oct 27 2010
  - security update to version 3.1.6 (bnc#649492)
    * MFSA 2010-73/CVE-2010-3765 (bmo#607222)
      Heap buffer overflow mixing document.write and DOM insertion
* Wed Oct 06 2010
  - security update to version 3.1.5 (bnc#645315)
    * MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176
      Miscellaneous memory safety hazards
    * MFSA 2010-65/CVE-2010-3179 (bmo#583077)
      Buffer overflow and memory corruption using document.write
    * MFSA 2010-66/CVE-2010-3180 (bmo#588929)
      Use-after-free error in nsBarProp
    * MFSA 2010-67/CVE-2010-3183 (bmo#598669)
      Dangling pointer vulnerability in LookupGetterOrSetter
    * MFSA 2010-69/CVE-2010-3178 (bmo#576616)
      Cross-site information disclosure via modal calls
    * MFSA 2010-70/CVE-2010-3170 (bmo#578697)
      SSL wildcard certificate matching IP addresses
    * MFSA 2010-71/CVE-2010-3182 (bmo#590753, bnc#642502)
      Unsafe library loading vulnerabilities
    * MFSA 2010-72/CVE-2010-3173
      Insecure Diffie-Hellman key exchange
    * new extra locales
    * removed upstreamed mozilla-helper-app.patch
  - require mozilla-nss >= 3.12.8
* Wed Sep 15 2010
  - update to version 3.1.4
    * fixing startup topcrash
* Mon Aug 30 2010
  - security update to version 3.1.3 (bnc#637303)
    * MFSA 2010-49/CVE-2010-3169
      Miscellaneous memory safety hazards
    * MFSA 2010-50/CVE-2010-2765 (bmo#576447)
      Frameset integer overflow vulnerability
    * MFSA 2010-51/CVE-2010-2767 (bmo#584512)
      Dangling pointer vulnerability using DOM plugin array
    * MFSA 2010-53/CVE-2010-3166 (bmo#579655)
      Heap buffer overflow in nsTextFrameUtils::TransformText
    * MFSA 2010-54/CVE-2010-2760 (bmo#585815)
      Dangling pointer vulnerability in nsTreeSelection
    * MFSA 2010-55/CVE-2010-3168 (bmo#576075)
      XUL tree removal crash and remote code execution
    * MFSA 2010-56/CVE-2010-3167 (bmo#576070)
      Dangling pointer vulnerability in nsTreeContentView
    * MFSA 2010-57/CVE-2010-2766 (bmo#580445)
      Crash and remote code execution in normalizeDocument
    * MFSA 2010-59/CVE-2010-2762 (bmo#584180)
      SJOW creates scope chains ending in outer object
    * MFSA 2010-61/CVE-2010-2768 (bmo#579744)
      UTF-7 XSS by overriding document charset using <object> type
    * MFSA 2010-62/CVE-2010-2769 (bmo#520189)
      Copy-and-paste or drag-and-drop into designMode document allows
    * MFSA 2010-63/CVE-2010-2764 (bmo#552090)
      Information leak via XMLHttpRequest statusText
  - ESD notification sound fix included upstream
* Mon Aug 30 2010
  - fixed build with latest Gnome
* Sat Jul 24 2010
  - update to version 3.1.1
    * based on the Gecko 1.9.2 platform
    * Faster Search Results
    * Quick Filter Toolbar
    * New Migration Assistant
    * Saved Files Manager
  - update to enigmail 1.1.2
  - enable crashreporter and package buildsymbols
  - fixed esd sound output (notifications) (bmo#576365)
* Fri Jul 16 2010
  - security update to 3.0.6 (bnc#622506)
    * MFSA 2010-34/CVE-2010-1211/CVE-2010-1212
      Miscellaneous memory safety hazards
    * MFSA 2010-39/CVE-2010-2752 (bmo#574059)
      nsCSSValue::Array index integer overflow
    * MFSA 2010-40/CVE-2010-2753 (bmo#571106)
      nsTreeSelection dangling pointer remote code execution
    * MFSA 2010-41/CVE-2010-1205 (bmo#570451)
      Remote code execution using malformed PNG image
    * MFSA 2010-42/CVE-2010-1213 (bmo#568148)
      Cross-origin data disclosure via Web Workers and importScripts
    * MFSA 2010-46/CVE-2010-0654 (bmo#524223)
      Cross-domain data theft using CSS
    * MFSA 2010-47/CVE-2010-2754 (bmo#568564)
      Cross-origin data leakage from script filename in error messages
* Fri May 21 2010
  - security update to 3.0.5 (bnc#603356)
    * MFSA 2010-25/CVE-2010-1121 (bmo#555109)
      Re-use of freed object due to scope confusion
    * MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/
      Crashes with evidence of memory corruption (rv:
    * MFSA 2010-29/CVE-2010-1196 (bmo#534666)
      Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
    * MFSA 2010-30/CVE-2010-1199 (bmo#554255)
      Integer Overflow in XSLT Node Sorting
* Mon Apr 12 2010
  - do not encode the RPM release number into the useragent
    to avoid non useful republishing (bnc#593807)
* Wed Mar 17 2010
  - security update to 3.0.4 (bnc#586567)
    * MFSA 2010-16/CVE-2010-0173/CVE-2010-0174
      Crashes with evidence of memory corruption
    * MFSA 2010-17/CVE-2010-0175 (bmo#540100,375928)
      Remote code execution with use-after-free in nsTreeSelection
    * MFSA 2010-18/CVE-2010-0176 (bmo#538308)
      Dangling pointer vulnerability in nsTreeContentView
    * MFSA 2010-22/CVE-2009-3555 (bmo#545755)
      Update NSS to support TLS renegotiation indication
    * MFSA 2010-24/CVE-2010-0182 (bmo#490790)
      XMLDocument::load() doesn't check nsIContentPolicy
* Sun Feb 28 2010
  - update to 3.0.3
    * Fix for missing folders or empty folder pane after updating
      to Thunderbird 3.0.2
* Fri Feb 26 2010
  - security update to 3.0.2 (bnc#576969)
    * MFSA 2010-01/CVE-2010-0159
      Crashes with evidence of memory corruption
    * MFSA 2010-03/CVE-2009-1571
      Use-after-free crash in HTML parser
    * various stability improvements
  - update enigmail to 1.0.1
    * Czech, Dutch, Polish and Portuguese (Brazilian) languages
      were added to the release.
    * there are several fixes related to using OpenPGP Smartcards
  - use system hunspell again (bnc#582276)
* Mon Jan 11 2010
  - update to 3.0.1
    * fixed UI issues related to some combinations of installed addons
  - fixed session restore (bnc#528406, bmo#508986)
  - removed obsolete lightning stuff from spec file
  - removed obsolete orbit-devel build requirement
* Mon Dec 07 2009
  - update to 3.0 (bnc#559819)
  - update enigmail to final version 1.0.0
  - use --disable-updater and removed obsolete UI patch and
    pref changes
  - use internal cairo up to 11.1 (Gecko now requires at least 1.8.8)
  - added mozilla-clipboard.patch fixing a common crash (bmo#495392)
  - removed upstreamed patch thunderbird-cs-smtpauth.patch
* Wed Oct 07 2009
  - fixed startup-notification (bnc#518603)
* Tue Sep 29 2009
  - fixed CS locale to allow SMTP AUTH sending of mails (bnc#542809)
* Tue Sep 15 2009
  - update to 3.0b4
    * removed upstreamed patches
    * based on Gecko (inheriting security fixes)
    * new global search
* Tue Aug 25 2009
  - reversioned enigmail to 0.96.99 (as it's actually 0.97a and 0.96
    has been released already)
  - fixed RPM group for the translation subpackages
* Fri Aug 21 2009
  - remove obsolete code for protocol handlers (bmo#389732)
  - new enigmail snapshot (20090813)
  - require pinentry-gui for 11.2 and up (bnc#441084)
* Sun Aug 09 2009
  - Gtk filechooser allows alternative button order (as used in KDE)
  - translations{,-common} package doesn't provide en-US
  - split translations into -common and -other packages (bnc#529180)
* Tue Jul 28 2009
  - fixed wrong %exclude by removing unwanted files at %install stage
* Fri Jul 17 2009
  - major update to 3.0b3
  - update enigmail to 0.96pre
  - created enigmail subpackage and install to system wide location
    for Thunderbird and SeaMonkey
  - define MOZ_APP_LAUNCHER for session management (bmo#453689)
    (mozilla-app-launcher.patch and
  - move opensuse.js prefs to all-opensuse.js prefs to be able
    to override prefs in all-thunderbird.js
  - move intl.locale.matchOS to all-opensuse.js
  - added mozilla-jemalloc_deepbind.patch to fix various possible
    crashes (bnc#503151, bmo#493541)
* Fri Jun 19 2009
  - disable as-needed for this package as it fails to build with it
* Tue Jun 02 2009
  - Fixed build issue for gcc 4.4 (mozilla-gcc44.patch)
* Wed Mar 18 2009
  - security update to version (bnc#484321)
    * MFSA 2009-07/CVE-2009-0771, CVE-2009-0772, CVE-2009-0773
      Crashes with evidence of memory corruption (rv:
    * MFSA 2009-09/CVE-2009-0776:
      XML data theft via RDFXMLDataSource and cross-domain redirect
    * MFSA 2009-10/CVE-2009-0040:
      Upgrade PNG library to fix memory safety hazards



Generated by rpm2html 1.8.1

Fabrice Bellet, Mon Feb 10 10:49:50 2020