This update for MozillaThunderbird to version 60.2.1 fixes the following issues:
Update to Thunderbird 60.2.1:
- Calendar: Default values for the first day of the week and
working days are now derived from the selected datetime
formatting locale
- Calendar: Switch to a Photon-style icon set for all platforms
- Fix multiple requests for master password when Google Mail or
Calendar OAuth2 is enabled
- Fix scrollbar of the address entry auto-complete popup
- Fix security info dialog in compose window not showing
certificate status
- Fix links in the Add-on Manager's search results and theme
browsing tabs that opened in external browser
- Fix localization not showing the localized name for the
'Drafts' and 'Sent' folders for certain IMAP providers
- Fix replying to a message with an empty subject which
inserted Re: twice
- Fix spellcheck marks disappeaing erroneously for words with
an apostrophe
- Calendar: First day of the week can now be set
- Calendar: Several fixes related to cutting/deleting of events
and email schedulin
These security issues were fixed:
- CVE-2018-12359: Prevent buffer overflow using computed size of canvas element (bsc#1098998).
- CVE-2018-12360: Prevent use-after-free when using focus() (bsc#1098998).
- CVE-2018-12361: Prevent integer overflow in SwizzleData (bsc#1098998).
- CVE-2018-12362: Prevent integer overflow in SSSE3 scaler (bsc#1098998).
- CVE-2018-5156: Prevent media recorder segmentation fault when track type is changed during capture (bsc#1098998).
- CVE-2018-12363: Prevent use-after-free when appending DOM nodes (bsc#1098998).
- CVE-2018-12364: Prevent CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998).
- CVE-2018-12365: Prevent compromised IPC child process listing local filenames (bsc#1098998).
- CVE-2018-12371: Prevent integer overflow in Skia library during edge builder allocation (bsc#1098998).
- CVE-2018-12366: Prevent invalid data handling during QCMS transformations (bsc#1098998).
- CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming (bsc#1098998).
- CVE-2018-5187: Various memory safety bugs (bsc#1098998).
- CVE-2018-5188: Various memory safety bugs (bsc#1098998).
- CVE-2018-12377: Prevent use-after-free in refresh driver timers (bsc#1107343)
- CVE-2018-12378: Prevent use-after-free in IndexedDB (bsc#1107343)
- CVE-2017-16541: Prevent proxy bypass using automount and autofs (bsc#1066489)
- CVE-2018-12376: Fixed various memory safety bugs (bsc#1107343)
- CVE-2018-12385: Fixed crash in TransportSecurityInfo due to cached data (bsc#1109363)
- CVE-2018-12383: Fixed that setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)
These can not, in general, be exploited through email, but are potential risks
in browser or browser-like contexts.
These non-security issues were fixed:
- Storing of remote content settings fixed (bsc#1084603)
- Improved message handling and composing
- Improved handling of message templates
- Support for OAuth2 and FIDO U2F
- Various Calendar improvements
- Various fixes and changes to e-mail workflow
- Various IMAP fixes
- Native desktop notifications
- Fix date display issues (bsc#1109379)
- Fix start-up crash due to folder name with special characters
(bsc#1107772)