Thunderbird 1.0.8 Released


Released on 21 Apr 06, and this changelog was last updated on 23 Apr 06.

Mozilla Thunderbird 1.0.8 has been released. Release notes are available. This post lists the improvements in Thunderbird 1.0.8 over the previous release 1.0.7. This list encompasses almost every single known fix that went into this release.

Thunderbird 1.0.8 will most probably be the last release from the Aviary 1.0.x branch (Thunderbird 1.0.x series), which is being dropped in favour of the 1.5.0.x series. There will not be a universal binary for Thunderbird Aviary branch releases.

Impact key for security issues listed on the Mozilla Foundation Security Advisories webpage:

  • Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
  • High: Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
  • Moderate: Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
  • Low: Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have “High” impact because those are generally used to steal sensitive data intended for other sites.)

Changes in 1.0.8: (26)

Security issues: (18)

  • Fixed: 319858 – JavaScript execution in mail when forwarding in-line (Critical)
  • Fixed: 325991, 328469 – Privilege escalation through Print Preview (Critical)
  • Fixed: 265736, 280769, 311710, 313173, 315304 – Crashes with evidence of memory corruption (rv:1.8) (Moderate)
  • Fixed: 269095, 320182, ZDI-06-009 – Mozilla Firefox Tag Order Vulnerability (Moderate)
  • Fixed: 282105, 320459 – Crashes with evidence of memory corruption (rv:1.8.0.2) (Moderate)
  • Fixed: 290488, 327194 – Cross-site scripting using .valueOf.call() (Moderate)
  • Fixed: 296514, 316589 – Cross-site JavaScript injection using event handlers (Moderate)
  • Fixed: 311025, 311403, 311455 – Privilege escalation via XBL.method.eval (Moderate)
  • Fixed: 311497, 311792, 312278, 313276, 313479, 313630, 313726, 313763, 313938, 325269 – JavaScript garbage-collection hazard audit (Moderate)
  • Fixed: 312871, 313236, 313375 – Accessing XBL compilation scope via valueOf.call() (Moderate)
  • Fixed: 313370, 313684 – Privilege escalation using a JavaScript function’s cloned parent (Moderate)
  • Fixed: 313373 – Cross-site scripting through window.controllers (Moderate)
  • Fixed: 316885, 322045 – JavaScript garbage-collection hazards (Moderate)
  • Fixed: 319847 – Localstore.rdf XML injection through XULDocument.persist() (Moderate)
  • Fixed: 325403, ZDI-06-010 – CSS Letter-Spacing Heap Overflow Vulnerability (Moderate)
  • Fixed: 327126 – Privilege escalation using crypto.generateCRMFRequest (Moderate)
  • Fixed: 328937, ZDI-06-011 – Table Rebuilding Code Execution Vulnerability (Moderate)
  • Fixed: 328917 – Mail Multiple Information Disclosure (Low)

Major bugfixes: (6)

  • Fixed: 305557 – Inline images are being blocked on Forward or composition from drafts
  • Fixed: 315625 – When forwarding a message inline, Thunderbird strips inline-images
  • Fixed: 326279 – 1.0.8 builds fail to launch with pegged cpu usage
  • Fixed: 333035 – Context menu broken on form elements
  • Fixed: 333131 – Image Context menu opens as Normal Context Menu

Mac-specific: (2)

  • Fixed: 301069 – Bug 298934 (Dialog Origin Spoofing) not fixed on Mac
  • Fixed: 304842 – Talkback data are nearly useless for OS X Firefox: most crashes appear as firefox-bin + offset
