Thunderbird 68.8.0 is out with bug and security fixes
MZLA Technologies Corporation, a wholly owned subsidiary of Mozilla Foundation, has released Thunderbird 68.8.0. The new version of the open source cross-platform email client is available for all supported operating systems.
Existing users of Thunderbird may select Help > About Thunderbird to run a check for updates from within the client. The new version should be detected, downloaded and installed. New users and those who prefer to download and install updates manually find the latest version on the official Thunderbird project website.
Note: Thunderbird 60.* installations will only be offered the upgrade to Thunderbird 68.* if the calendar extension Lightning is installed. A manual installation of Thunderbird 68 works in any case though. Some extensions may not be compatible with the new version.
Thunderbird, which is based on Firefox code to a large degree, follows the release schedule of the Extended Support Release version of Firefox known as Firefox ESR.
Thunderbird 68.8.0 is a bug fix and security release. The security advisory website lists six vulnerabilities in total that have been fixed in the new version. Two of the vulnerabilities have received the highest severity rating of critical. The other ratings are 1 high, 2 moderate, and 1 low.
- CVE-2020-12387: Use-after-free during worker shutdown (critical)
- CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0 (critical)
- CVE-2020-6831: Buffer overflow in SCTP chunk input validation (high)
- CVE-2020-12392: Arbitrary local file access with 'Copy as cURL' (moderate)
- CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection (moderate)
- CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode characters (low)
The team lists six fixed bugs and issues in Thunderbird 68.8.0 that are not security-related on the release notes page.
- Two account manager fixes: the first corrects a text fields issue that displayed them too small in some cases. The second that the authentication method did not update when SMTP servers were selected.
- Links with embedded credentials would not open on Windows devices (e.g. https://username:[email protected]/)
- Thunderbird would sometimes sent messages with "badly formed addresses" when addresses were added from the addressbook.
- Screen readers were reporting too many activities from the status bar.
- Setting IMAP messages as read with "borwser.messages.updated" in extensions failed to persist.
Now You: Have you updated Thunderbird already or are you still using an older version / different client?Advertisement