* Mon Nov 17 2025 Yoshio Sato <vasua.ukraine@gmail.com>
- Add build_limit for s390x on SLE16 (bsc#1247774)
* by Martin Sirringhaus <martin.sirringhaus@suse.com>
* Sun Nov 09 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.5.0 ESR
MFSA 2025-91 (bsc#1253188)
* CVE-2025-13012 (bmo#1991458)
Race condition in the Graphics component
* CVE-2025-13016 (bmo#1992130)
Incorrect boundary conditions in the JavaScript: WebAssembly
component
* CVE-2025-13017 (bmo#1980904)
Same-origin policy bypass in the DOM: Notifications component
* CVE-2025-13018 (bmo#1984940)
Mitigation bypass in the DOM: Security component
* CVE-2025-13019 (bmo#1988412)
Same-origin policy bypass in the DOM: Workers component
* CVE-2025-13013 (bmo#1991945)
Mitigation bypass in the DOM: Core & HTML component
* CVE-2025-13020 (bmo#1995686)
Use-after-free in the WebRTC: Audio/Video component
* CVE-2025-13014 (bmo#1994241)
Use-after-free in the Audio/Video component
* CVE-2025-13015 (bmo#1994164)
Spoofing issue in Thunderbird
* fixed: Could not drag and drop ICS file to Today Pane
(bmo#1992935)
* fixed: With Thunderbird closed, clicking a 'mailto:' link to
send signed message failed (bmo#1972857)
* fixed: Upgrade from 128.x->140.x broke authentication for
@att.net using Yahoo backend (bmo#1978361)
* Sat Oct 18 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.4.0 ESR
* Account Hub is now disabled by default for second email account
* Users could not read mail signed with OpenPGP v6 and PQC keys
* Image preview in Insert Image dialog failed with CSP error for web resources
* Emptying trash on exit did not work with some providers
* Thunderbird could crash when applying filters
* Users were unable to override expired mail server certificate
* Opening Website header link in RSS feed incorrectly re-encoded
URL parameters
MFSA 2025-85 (bsc#1251263)
* CVE-2025-11708 (bmo#1988931)
Use-after-free in MediaTrackGraphImpl::GetInstance()
* CVE-2025-11709 (bmo#1989127)
Out of bounds read/write in a privileged process triggered by
WebGL textures
* CVE-2025-11710 (bmo#1989899)
Cross-process information leaked due to malicious IPC
messages
* CVE-2025-11711 (bmo#1989978)
Some non-writable Object properties could be modified
* CVE-2025-11712 (bmo#1979536)
An OBJECT tag type attribute overrode browser behavior on web
resources without a content-type
* CVE-2025-11713 (bmo#1986142)
Potential user-assisted code execution in “Copy as cURL”
command
* CVE-2025-11714 (bmo#1973699, bmo#1989945, bmo#1990970,
bmo#1991040, bmo#1992113)
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
* CVE-2025-11715 (bmo#1983838, bmo#1987624, bmo#1988244,
bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899)
Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
ESR 140.4, Firefox 144 and Thunderbird 144
* Tue Sep 30 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.3.1 ESR
* several bugfixes listed here
https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes
Version: 140.4.0-bp160.1.1
* Tue Nov 04 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 140.4
* changed: Account Hub is now disabled by default for second
email account (bmo#1992027)
* changed: Flatpak runtime has been updated to Freedesktop SDK
24.08 (bmo#1952100)
* fixed: Users could not read mail signed with OpenPGP v6 and
PQC keys (bmo#1986845)
* fixed: Image preview in Insert Image dialog failed with CSP
error for web resources (bmo#1989392)
* fixed: Emptying trash on exit did not work with some
providers (bmo#1975147)
* fixed: Thunderbird could crash when applying filters
(bmo#1987880)
* fixed: Users were unable to override expired mail server
certificate (bmo#1979323)
* fixed: Opening Website header link in RSS feed incorrectly
re-encoded URL parameters (bmo#1971035)
* fixed: Security fixes
MFSA 2025-85 (bsc#1251263)
* CVE-2025-11708 (bmo#1988931)
Use-after-free in MediaTrackGraphImpl::GetInstance()
* CVE-2025-11709 (bmo#1989127)
Out of bounds read/write in a privileged process triggered by
WebGL textures
* CVE-2025-11710 (bmo#1989899)
Cross-process information leaked due to malicious IPC
messages
* CVE-2025-11711 (bmo#1989978)
Some non-writable Object properties could be modified
* CVE-2025-11712 (bmo#1979536)
An OBJECT tag type attribute overrode browser behavior on web
resources without a content-type
* CVE-2025-11713 (bmo#1986142)
Potential user-assisted code execution in “Copy as cURL”
command
* CVE-2025-11714 (bmo#1973699, bmo#1989945, bmo#1990970,
bmo#1991040, bmo#1992113)
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
* CVE-2025-11715 (bmo#1983838, bmo#1987624, bmo#1988244,
bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899)
Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
ESR 140.4, Firefox 144 and Thunderbird 144
- Replace mozilla-bmo998749.patch with upstream's version
* Tue Nov 04 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Add build_limit for s390x on SLE16 (bsc#1247774)
Version: 140.3.0-bp160.1.1
* Sun Sep 14 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.3.0 ESR
* Right-clicking 'List-ID' -> 'Unsubscribe' created double-encoded
draft subject
* Thunderbird could crash on startup
* Thunderbird could crash when importing mail
* Opening Website header link in RSS feed incorrectly re-encoded
URL parameters
MFSA 2025-78 (bsc#1249391)
* CVE-2025-10527 (bmo#1984825)
Sandbox escape due to use-after-free in the Graphics:
Canvas2D component
* CVE-2025-10528 (bmo#1986185)
Sandbox escape due to undefined behavior, invalid pointer in
the Graphics: Canvas2D component
* CVE-2025-10529 (bmo#1970490)
Same-origin policy bypass in the Layout component
* CVE-2025-10532 (bmo#1979502)
Incorrect boundary conditions in the JavaScript: GC component
* CVE-2025-10533 (bmo#1980788)
Integer overflow in the SVG component
* CVE-2025-10536 (bmo#1981502)
Information disclosure in the Networking: Cache component
* CVE-2025-10537 (bmo#1938220, bmo#1980730, bmo#1981280,
bmo#1981283, bmo#1984505, bmo#1985067)
Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
ESR 140.3, Firefox 143 and Thunderbird 143
* Tue Sep 09 2025 Lubos Kocman <lubos.kocman@suse.com>
- Fix suse_version check for 16.0
Version: 140.2.1-bp160.1.1
* Mon Sep 08 2025 Yoshio Sato <vasua.ukraine@gmail.com>
- Build for Leap 16 using gcc13 (gcc14 is unavailable on Leap 16)
* Sat Sep 06 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.2.1
* Users could no longer send using smtp-relay.gmail.com
* Folder compaction could fail to complete due to folder write errors
* Creating an event or task from mail failed if the mail was
opened in a tab
* Wed Aug 20 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 140.2
* fixed: Users were unable to use Fastmail calendars due to
missing OAuth settings (bmo#1978192)
* fixed: Account setup error handling was broken for Account
hub (bmo#1971303)
* fixed: Menu bar was hidden after updating from 128esr to
140esr (bmo#1979002)
* fixed: Security fixes
MFSA 2025-72 (bsc#1248162)
* CVE-2025-9179 (bmo#1979527)
Sandbox escape due to invalid pointer in the Audio/Video: GMP
component
* CVE-2025-9180 (bmo#1979782)
Same-origin policy bypass in the Graphics: Canvas2D component
* CVE-2025-9181 (bmo#1977130)
Uninitialized memory in the JavaScript Engine component
* CVE-2025-9182 (bmo#1975837)
Denial-of-service due to out-of-memory in the Graphics:
WebRender component
* CVE-2025-9184 (bmo#1929482, bmo#1976376, bmo#1979163,
bmo#1979955)
Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird
ESR 140.2, Firefox 142 and Thunderbird 142
* CVE-2025-9185 (bmo#1970154, bmo#1976782, bmo#1977166)
Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR
128.14, Thunderbird ESR 128.14, Firefox ESR 140.2,
Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
* Tue Aug 05 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 140.1.1
Fixed
* Users with attachments open in tabs saw an error on Thunderbird restart
* Sending from unified or local folder failed if no default account was set
* Delete button could remove attachment instead of message
* Message list scrolled back when returning to mail tab after opening a message
* Sat Jul 26 2025 Andreas Schwab <schwab@suse.de>
- Update memory constraints
* Sat Jul 19 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 140.1.0
* New folders were not added alphabetically if folders manually
reordered beforehand
* Message archive folder creation could silently stop during async
folder creation
MFSA 2025-63 (bsc#1246664)
* CVE-2025-8027 (bmo#1968423)
JavaScript engine only wrote partial return value to stack
* CVE-2025-8028 (bmo#1971581)
Large branch table could lead to truncated instruction
* CVE-2025-8029 (bmo#1928021)
javascript: URLs executed on object and embed tags
* CVE-2025-8036 (bmo#1960834)
DNS rebinding circumvents CORS
* CVE-2025-8037 (bmo#1964767)
Nameless cookies shadow secure cookies
* CVE-2025-8030 (bmo#1968414)
Potential user-assisted code execution in “Copy as cURL” command
* CVE-2025-8031 (bmo#1971719)
Incorrect URL stripping in CSP reports
* CVE-2025-8032 (bmo#1974407)
XSLT documents could bypass CSP
* CVE-2025-8038 (bmo#1808979)
CSP frame-src was not correctly enforced for paths
* CVE-2025-8039 (bmo#1970997)
Search terms persisted in URL bar
* CVE-2025-8033 (bmo#1973990)
Incorrect JavaScript state machine for generators
* CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)
Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR
128.13, Thunderbird ESR 128.13, Firefox ESR 140.1,
Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
* CVE-2025-8040 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998)
Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird
ESR 140.1, Firefox 141 and Thunderbird 141
* CVE-2025-8035 (bmo#1975961, bmo#1975961, bmo#1975961)
Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird
ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox
141 and Thunderbird 141
* Tue Jul 15 2025 Tristan Miller <psychonaut@nothingisreal.com>
- Mozilla Thunderbird ESR 140.0.1
MFSA 2025-54
* CVE-2025-6424 (bmo#1966423)
Use-after-free in FontFaceSet
* CVE-2025-6425 (bmo#1717672)
The WebCompat WebExtension shipped exposed a persistent UUID
* CVE-2025-6426 (bmo#1964385)
No warning when opening executable terminal files on macOS
* CVE-2025-6427 (bmo#1966927)
connect-src Content Security Policy restriction could be
bypassed
* CVE-2025-6429 (bmo#1970658)
Incorrect parsing of URLs could have allowed embedding of
youtube.com
* CVE-2025-6430 (bmo#1971140)
Content-Disposition header ignored when a file is included in
an embed or object tag
* CVE-2025-6432 (bmo#1943804)
DNS Requests leaked outside of a configured SOCKS proxy
* CVE-2025-6433 (bmo#1954033)
WebAuthn would allow a user to sign a challenge on a webpage
with an invalid TLS certificate
* CVE-2025-6434 (bmo#1955182)
HTTPS-Only exception screen lacked anti-clickjacking delay
* CVE-2025-6435 (bmo#1961777 bmo#1950056)
Save as in Devtools could download files without sanitizing
the extension
* CVE-2025-6436 (bmo#1941377 bmo#1960948 bmo#1966187 bmo#1966505
bmo#1970764)
Memory safety bugs fixed in Firefox 140 and Thunderbird 140
- adapt mozilla-ntlm-full-path.patch for Thunderbird 140.0.1
- adapt mozilla-silence-no-return-type.patch for Thunderbird
140.0.1
* Sun Jun 29 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.12.0
MFSA 2025-55 (bsc#1244670)
* CVE-2025-6424 (bmo#1966423)
Use-after-free in FontFaceSet
* CVE-2025-6425 (bmo#1717672)
The WebCompat WebExtension shipped exposed a persistent UUID
* CVE-2025-6426 (bmo#1964385)
No warning when opening executable terminal files on macOS
* CVE-2025-6429 (bmo#1970658)
Incorrect parsing of URLs could have allowed embedding of
youtube.com
* CVE-2025-6430 (bmo#1971140)
Content-Disposition header ignored when a file is included in
an embed or object tag
* Tue Jun 17 2025 Manfred Hollstein <manfred.h@gmx.net>
- Use these tools/versions unconditionally, package won't build on
Tumbleweed with new gcc15 otherwise:
gcc14, gcc14-c++, cargo1.84, rust1.84
* Mon Jun 09 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.11.1
MFSA 2025-49
* CVE-2025-5986 (bmo#1958580, bmo#1968012)
Unsolicited File Download, Disk Space Exhaustion, and Credential
Leakage via mailbox:/// Links