Thunderbird 2.0.0.16 Released


Released on 23 Jul 08, and this changelog was last updated on 24 Jul 08.

Mozilla Thunderbird 2.0.0.16 has been released. Release notes are available. This post lists the improvements in Thunderbird 2.0.0.16 over 2.0.0.14. This list encompasses almost every single known fix that went into this release. Do check out the known issues as well.

The Gecko 1.8.1.x branch (Thunderbird 2.0.0.x series) will not include any groundbreaking features that Gecko 1.9.x will bring, since it is based on Gecko 1.8. Additionally, in order to synchronize the version numbering with Firefox, 2.0.0.15 was dropped in favour of 2.0.0.16.

Impact key for security issues listed on the Mozilla Foundation Security Advisories webpage:

  • Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
  • High: Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
  • Moderate: Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
  • Low: Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

Changes in 2.0.0.16: (15)

Security issues: (8)

  • Fixed: MFSA 2008-34 – Remote code execution by overflowing CSS reference counter (Moderate)
  • Fixed: MFSA 2008-33 – Crash and remote code execution in block reflow (Moderate)
  • Fixed: MFSA 2008-31 – Peer-trusted certs can use alt names to spoof (Moderate)
  • Fixed: MFSA 2008-25 – Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript() (Moderate)
  • Fixed: MFSA 2008-24 – Chrome script loading from fastload file (Moderate)
  • Fixed: MFSA 2008-21 – Crashes with evidence of memory corruption (rv:1.8.1.15) (Moderate)
  • Fixed: MFSA 2008-29 – Faulty .properties file results in uninitialized memory being used (Low)
  • Fixed: MFSA 2008-26 – Buffer length checks in MIME processing (Low)

Other fixes: (7)

  • Fixed: 90584 – charset=… must be applied to non-MIME Subject:/From:/To:/etc. fields
  • Fixed: 381588 – Junk filter duplicating messages when connections cached set to 1 plus non-inbox folders configured to get checked for new messages
  • Fixed: 411481 – Make it easier for extensions to overlay the TB menubar by adding IDs
  • Fixed: 413874 – Audit mail MIME code for string buffer abuse
  • Fixed: 417957 – Setting mail.auth_login and mail.server.default.auth_login to false breaks IMAP after restart
  • Fixed: 432026 – Various accessibility fixes in mail/base/content XUL files
  • Fixed: 432919 – Help viewer content pane should not allow scripts, plugins, meta redirects, or subframes

Windows builds: Official Windows installer

Linux builds: Official Linux (i686)

Mac builds: Official Mac (Universal binary)