Thunderbird 68.8.0 is out with bug and security fixes

Martin Brinkmann
May 6, 2020
Email, Thunderbird

MZLA Technologies Corporation, a wholly owned subsidiary of Mozilla Foundation, has released Thunderbird 68.8.0. The new version of the open source cross-platform email client is available for all supported operating systems.

Existing users of Thunderbird may select Help > About Thunderbird to run a check for updates from within the client. The new version should be detected, downloaded and installed. New users and those who prefer to download and install updates manually find the latest version on the official Thunderbird project website.

Note: Thunderbird 60.* installations will only be offered the upgrade to Thunderbird 68.* if the calendar extension Lightning is installed. A manual installation of Thunderbird 68 works in any case though. Some extensions may not be compatible with the new version.

Thunderbird, which is based on Firefox code to a large degree, follows the release schedule of the Extended Support Release version of Firefox known as Firefox ESR.

Thunderbird 68.8.0 is a bug fix and security release. The security advisory website lists six vulnerabilities in total that have been fixed in the new version. Two of the vulnerabilities have received the highest severity rating of critical. The other ratings are 1 high, 2 moderate, and 1 low.

  • CVE-2020-12387: Use-after-free during worker shutdown (critical)
  • CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0 (critical)
  • CVE-2020-6831: Buffer overflow in SCTP chunk input validation (high)
  • CVE-2020-12392: Arbitrary local file access with 'Copy as cURL' (moderate)
  • CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection (moderate)
  • CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode characters (low)

The team lists six fixed bugs and issues in Thunderbird 68.8.0 that are not security-related on the release notes page.

  • Two account manager fixes: the first corrects a text fields issue that displayed them too small in some cases. The second that the authentication method did not update when SMTP servers were selected.
  • Links with embedded credentials would not open on Windows devices (e.g.
  • Thunderbird would sometimes sent messages with "badly formed addresses" when addresses were added from the addressbook.
  • Screen readers were reporting too many activities from the status bar.
  • Setting IMAP messages as read with "borwser.messages.updated" in extensions failed to persist.

Now You: Have you updated Thunderbird already or are you still using an older version / different client?

Thunderbird 68.8.0 is out with bug and security fixes
Article Name
Thunderbird 68.8.0 is out with bug and security fixes
MZLA Technologies Corporation, a wholly owned subsidiary of Mozilla Foundation, has released Thunderbird 68.8.0.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. today is for rejoicing! said on May 9, 2020 at 3:23 am

    (flaps wings)

    I wish I could fork it and call it ANGRYVULTURE, with an angry vulture holding part of some road kill in it’s beak.

  2. Anonymous said on May 8, 2020 at 4:58 pm

    I keep v52 because keeping Thunderbird in tray is a basic functionality for me, and I’m using a legacy add-on for that (FireTray).

    I plan to use birdtray instead so that I can update Thunderbird, but birdtray is only available for Ubuntu 19.10 and later, I’m still in 18.04LTS.

    1. Wayne said on May 17, 2020 at 9:30 pm

      @anonymous, tray support is available in beta Windows and will ship more broadly in release 78. Unclear yet what will happen on the Linux side – a lot depends on what Linux-sperts are able to provide.

    2. Onesolo said on May 11, 2020 at 11:10 am

      v52 ?! works on v60.9.1!!!
      I’m waiting that the minimizetotray found on TB beta to pass to the release channel!!!

  3. Franck said on May 7, 2020 at 4:23 am

    This is great new! I really think it is the best email manager.
    If only they could stop the nonsense with addresses (1 by line) and allow to write them next to each other…

    1. Wayne said on May 17, 2020 at 9:28 pm

      @Franck, multiple address message compose lines is available in beta, and will ship more broadly in release 78.

    2. ShintoPlasm said on May 7, 2020 at 6:10 pm

      @Franck: Someone else has already raised the option here – that someone might be *paying* the TB devs to keep their UI pug-ugly… Otherwise I can’t imagine why their UI is still so primitive…

  4. Dave said on May 6, 2020 at 9:50 pm

    I so wish Thunderbird had inbuilt Exchange Web Services (EWS) and Microsoft Graph support for business customers.

  5. Max said on May 6, 2020 at 5:34 pm

    I moved to v68 earlier this year – after deciding that there were enough compatible extensions (search for ’68’, also see – and no problems so far.

    1. Ray said on May 7, 2020 at 4:20 am

      I decided to move to v68 today. There are some addons that no longer work, but most of the ones I rely on have been ported over.

      The next major release is going to break things all over again though.

    2. ShintoPlasm said on May 6, 2020 at 6:06 pm

      @Max: Do you know of any way to arrange TB’s message list like Outlook – i.e. in two rows for each message, with subject/date in the first row and a message preview snippet in the second? Either an extension or some CSS hack would do!

      1. Max said on May 7, 2020 at 8:34 pm

        @ShintoPlasm – looks like a request for that is still pending after 15 years

      2. Anonymous said on May 7, 2020 at 8:49 am

        The most obvious thing but they don’t seem to really intend to do anything in that direction anytime soon. Maybe someone is paying them to keep their product ugly and not user-friendly.

  6. racorbin2010 said on May 6, 2020 at 4:45 pm

    I have frozen Thunderbird at 52.9.1 for quite awhile because later versions inactivate extensions I don’t want to be without. Thunderbird went the same way as Firefox did: killing extensions and configs I didn’t want to be without. Many individuals who wrote desirable extensions just didn’t have time to keep upgrading them to meet changing requirements.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.