---
- branch: MAIN
  date: Thu Feb 16 18:11:40 UTC 2023
  files:
  - new: '1.293'
    old: '1.292'
    path: pkgsrc/mail/thunderbird/Makefile
    pathrev: pkgsrc/mail/thunderbird/Makefile@1.293
    type: modified
  - new: '1.256'
    old: '1.255'
    path: pkgsrc/mail/thunderbird/distinfo
    pathrev: pkgsrc/mail/thunderbird/distinfo@1.256
    type: modified
  - new: '1.4'
    old: '1.3'
    path: pkgsrc/mail/thunderbird/patches/patch-media_libcubeb_src_cubeb__sun.c
    pathrev: pkgsrc/mail/thunderbird/patches/patch-media_libcubeb_src_cubeb__sun.c@1.4
    type: modified
  id: 20230216T181140Z.c40e4dd8e0cc1ea23beb7beb65eb8de192388bf9
  log: |
    mail/thunderbird: Update to version 102.8.0.

    Pkgsrc changes:
     * Checksum changes.
     * Minor adjustment to patches.

    Upstream changes:

    102.8.0:

    New:
     - Added option to build RNP library with OpenSSL backend (use
       "--with-librnp-backend=openssl" configure option)

    Changes:
     - Thunderbird now warns user that OpenPGP is disabled if RNP
       library is outdated or missing

    Fixes:
     - "Get Messages" did not retrieve messages from Gmail accounts
       using a local folder as a deferred inbox
     - Various visual and UX improvements

    Security fixes:
    CVE-2023-0616: User Interface lockup with messages combining S/MIME and OpenPGP
    CVE-2023-25728: Content security policy leak in violation reports using iframes
    CVE-2023-25730: Screen hijack via browser fullscreen mode
    CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS
    CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey
    CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry
    CVE-2023-25738: Printing on Windows could potentially crash Thunderbird with some device drivers
    CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
    CVE-2023-25729: Extensions could have opened external schemes withotu user knowledge
    CVE-2023-25732: Out of bounds memory write from EncodeInputStream
    CVE-2023-25734: Opening local.url files could cause unexpected network loads
    CVE-2023-25742: Web Crypto ImportKey crashes tab
    CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8

    102.7.2:

    Fixes:
     - Various crash fixes

    102.7.1:

    Fixes:
     - Microsoft Office 365 accounts were unable to authenticate
     - Switching identities caused remote images in HTML signatures to
       not be shown
     - Thunderbird failed to import vCards that contained "\r\r\n" line endings
     - Contribution button for add-ons opened Contribution page in a
       Thunderbird tab, instead of the external browser
     - XMPP did not respond to unrecognized IQ queries, causing some
       servers to close the connection
     - Window titlebar buttons (minimize/maximize/close) were not
       displayed in Windows 10 "Dark" color mode

    Security fixes:
    CVE-2023-0430: Revocations tatus of S/Mime signature certificates was not checked

    102.7.0:

    New:
     - Enterprise policies now support Thunderbird-specific preferences.

    Fixes:
     - Localized builds and langpacks now use "comm-l10n" repository;
       downstream builds using official langpacks should not need to make
       changes
     - Having too many folders open at startup caused loss of MSF files
     - Copying an email from one local folder to another local folder
       sometimes caused "Another Operation is using the folder" error on
       Windows 7
     - Email address pill allowed for incorrectly formatted email addresses
     - Creating security exceptions for messages sent using a self-signed
       certificate failed if hostname contained uppercase letters
     - S/MIME certificate verification was prohibitively slow
     - OpenPGP key import failed for key blocks with comments that
       contain Unicode characters
     - Chat conversation sidebar was too wide under certain circumstances,
       making scrollbar unusable
     - On Mac, deleting events from Today Pane with "Backspace" key
       deleted selected messages instead

    Security fixes:
    CVE-2022-46871: libusrsctp library out of date
    CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
    CVE-2023-23599: Malicious command could be hidden in devtools output on Windows
    CVE-2023-23601: URL being dragged from cross-origin iframe into same tab triggers navigation
    CVE-2023-23602: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
    CVE-2022-46877: Fullscreen notification bypass
    CVE-2023-23603: Calls to console.log allowed bypassing Content Security Policy via format directive
    CVE-2023-23605: Memory safety bugs fixed in Thunderbird 102.7

    Known issues:
     - OAuth2 authentication not working for Microsoft 365 Enterprise
       accounts. See the Blog post
       (https://blog.thunderbird.net/2023/01/important-message-for-microsoft-office-365-enterprise-users/)
       for additional information. Bug 1810760
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/mail/thunderbird'
  unixtime: '1676571100'
  user: he