* Sat Mar 07 2026 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.8.1 ESR
* Add mail.openpgp.load_untested_gpgme_version to load untested
GPGME version
- drop mozilla-bmo1967121.patch because of the upstream change
* Sun Feb 22 2026 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.8.0 ESR
MFSA 2026-17 (boo#1258568)
* CVE-2026-2757 (bmo#2001637)
Incorrect boundary conditions in the WebRTC: Audio/Video
component
* CVE-2026-2758 (bmo#2009608)
Use-after-free in the JavaScript: GC component
* CVE-2026-2759 (bmo#2010933)
Incorrect boundary conditions in the Graphics: ImageLib
component
* CVE-2026-2760 (bmo#2011062)
Sandbox escape due to incorrect boundary conditions in the
Graphics: WebRender component
* CVE-2026-2761 (bmo#2011063)
Sandbox escape in the Graphics: WebRender component
* CVE-2026-2762 (bmo#2011649)
Integer overflow in the JavaScript: Standard Library
component
* CVE-2026-2763 (bmo#2012018)
Use-after-free in the JavaScript Engine component
* CVE-2026-2764 (bmo#2012608)
JIT miscompilation, use-after-free in the JavaScript Engine:
JIT component
* CVE-2026-2765 (bmo#2013562)
Use-after-free in the JavaScript Engine component
* CVE-2026-2766 (bmo#2013583)
Use-after-free in the JavaScript Engine: JIT component
* CVE-2026-2767 (bmo#2013741)
Use-after-free in the JavaScript: WebAssembly component
* CVE-2026-2768 (bmo#2014101)
Sandbox escape in the Storage: IndexedDB component
* CVE-2026-2769 (bmo#2014550)
Use-after-free in the Storage: IndexedDB component
* CVE-2026-2770 (bmo#2014585)
Use-after-free in the DOM: Bindings (WebIDL) component
* CVE-2026-2771 (bmo#2014593)
Undefined behavior in the DOM: Core & HTML component
* CVE-2026-2772 (bmo#2014827)
Use-after-free in the Audio/Video: Playback component
* CVE-2026-2773 (bmo#2014832)
Incorrect boundary conditions in the Web Audio component
* CVE-2026-2774 (bmo#2014883)
Integer overflow in the Audio/Video component
* CVE-2026-2775 (bmo#2015199)
Mitigation bypass in the DOM: HTML Parser component
* CVE-2026-2776 (bmo#2015266)
Sandbox escape due to incorrect boundary conditions in the
Telemetry component in External Software
* CVE-2026-2777 (bmo#2015305)
Privilege escalation in the Messaging System component
* CVE-2026-2778 (bmo#2016358)
Sandbox escape due to incorrect boundary conditions in the
DOM: Core & HTML component
* CVE-2026-2779 (bmo#1164141)
Incorrect boundary conditions in the Networking: JAR
component
* CVE-2026-2780 (bmo#2007829)
Privilege escalation in the Netmonitor component
* CVE-2026-2781 (bmo#2009552)
Integer overflow in the Libraries component in NSS
* CVE-2026-2782 (bmo#2010743)
Privilege escalation in the Netmonitor component
* CVE-2026-2783 (bmo#2010943)
Information disclosure due to JIT miscompilation in the
JavaScript Engine: JIT component
* CVE-2026-2784 (bmo#2012984)
Mitigation bypass in the DOM: Security component
* CVE-2026-2785 (bmo#2013549)
Invalid pointer in the JavaScript Engine component
* CVE-2026-2786 (bmo#2013612)
Use-after-free in the JavaScript Engine component
* CVE-2026-2787 (bmo#2014560)
Use-after-free in the DOM: Window and Location component
* CVE-2026-2788 (bmo#2014824)
Incorrect boundary conditions in the Audio/Video: GMP
component
* CVE-2026-2789 (bmo#2015179)
Use-after-free in the Graphics: ImageLib component
* CVE-2026-2790 (bmo#2008426)
Same-origin policy bypass in the Networking: JAR component
* CVE-2026-2791 (bmo#2015220)
Mitigation bypass in the Networking: Cache component
* CVE-2026-2792 (bmo#2008912, bmo#2010050, bmo#2010275,
bmo#2012331)
Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird
ESR 140.8, Firefox 148 and Thunderbird 148
* CVE-2026-2793 (bmo#2015196, bmo#2016423, bmo#2016498)
Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR
140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
- add thunderbird-bmo2006630.patch (bmo#2006630)
* Tue Feb 17 2026 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 140.7.2 ESR
MFSA 2026-11 (boo#1258231)
* CVE-2026-2447 (bmo#2014390)
Heap buffer overflow in libvpx
* Fri Jan 30 2026 Andreas Stieger <andreas.stieger@gmx.de>
- Mozilla Thunderbird 140.7.1 ESR
MFSA 2026-08 (bsc#1257397)
* CVE-2026-0818 (bmo#1881530)
CSS-based exfiltration of the content from partially
encrypted emails when allowing remote content
* Thu Jan 15 2026 Andreas Stieger <andreas.stieger@gmx.de>
- Support using system GnuPG with gpgme 2, boo#1253718 bmo1967121
add mozilla-bmo1967121.patch
* Wed Jan 14 2026 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.7.0 ESR
MFSA 2026-05 (bsc#1256340)
* CVE-2026-0877 (bmo#1999257)
Mitigation bypass in the DOM: Security component
* CVE-2026-0878 (bmo#2003989)
Sandbox escape due to incorrect boundary conditions in the
Graphics: CanvasWebGL component
* CVE-2026-0879 (bmo#2004602)
Sandbox escape due to incorrect boundary conditions in the
Graphics component
* CVE-2026-0880 (bmo#2005014)
Sandbox escape due to integer overflow in the Graphics
component
* CVE-2026-0882 (bmo#1924125)
Use-after-free in the IPC component
* CVE-2025-14327 (bmo#1970743)
Spoofing issue in the Downloads Panel component
* CVE-2026-0883 (bmo#1989340)
Information disclosure in the Networking component
* CVE-2026-0884 (bmo#2003588)
Use-after-free in the JavaScript Engine component
* CVE-2026-0885 (bmo#2003607)
Use-after-free in the JavaScript: GC component
* CVE-2026-0886 (bmo#2005658)
Incorrect boundary conditions in the Graphics component
* CVE-2026-0887 (bmo#2006500)
Clickjacking issue, information disclosure in the PDF Viewer
component
* CVE-2026-0890 (bmo#2005081)
Spoofing issue in the DOM: Copy & Paste and Drag & Drop
component
* CVE-2026-0891 (bmo#1964722, bmo#2000981, bmo#2003100,
bmo#2003278)
Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird
ESR 140.7, Firefox 147 and Thunderbird 147
Version: 140.5.0-bp160.1.1
* Mon Nov 17 2025 Yoshio Sato <vasua.ukraine@gmail.com>
- Add build_limit for s390x on SLE16 (bsc#1247774)
* by Martin Sirringhaus <martin.sirringhaus@suse.com>
* Sun Nov 09 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.5.0 ESR
MFSA 2025-91 (bsc#1253188)
* CVE-2025-13012 (bmo#1991458)
Race condition in the Graphics component
* CVE-2025-13016 (bmo#1992130)
Incorrect boundary conditions in the JavaScript: WebAssembly
component
* CVE-2025-13017 (bmo#1980904)
Same-origin policy bypass in the DOM: Notifications component
* CVE-2025-13018 (bmo#1984940)
Mitigation bypass in the DOM: Security component
* CVE-2025-13019 (bmo#1988412)
Same-origin policy bypass in the DOM: Workers component
* CVE-2025-13013 (bmo#1991945)
Mitigation bypass in the DOM: Core & HTML component
* CVE-2025-13020 (bmo#1995686)
Use-after-free in the WebRTC: Audio/Video component
* CVE-2025-13014 (bmo#1994241)
Use-after-free in the Audio/Video component
* CVE-2025-13015 (bmo#1994164)
Spoofing issue in Thunderbird
* fixed: Could not drag and drop ICS file to Today Pane
(bmo#1992935)
* fixed: With Thunderbird closed, clicking a 'mailto:' link to
send signed message failed (bmo#1972857)
* fixed: Upgrade from 128.x->140.x broke authentication for
@att.net using Yahoo backend (bmo#1978361)
* Sat Oct 18 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.4.0 ESR
* Account Hub is now disabled by default for second email account
* Users could not read mail signed with OpenPGP v6 and PQC keys
* Image preview in Insert Image dialog failed with CSP error for web resources
* Emptying trash on exit did not work with some providers
* Thunderbird could crash when applying filters
* Users were unable to override expired mail server certificate
* Opening Website header link in RSS feed incorrectly re-encoded
URL parameters
MFSA 2025-85 (bsc#1251263)
* CVE-2025-11708 (bmo#1988931)
Use-after-free in MediaTrackGraphImpl::GetInstance()
* CVE-2025-11709 (bmo#1989127)
Out of bounds read/write in a privileged process triggered by
WebGL textures
* CVE-2025-11710 (bmo#1989899)
Cross-process information leaked due to malicious IPC
messages
* CVE-2025-11711 (bmo#1989978)
Some non-writable Object properties could be modified
* CVE-2025-11712 (bmo#1979536)
An OBJECT tag type attribute overrode browser behavior on web
resources without a content-type
* CVE-2025-11713 (bmo#1986142)
Potential user-assisted code execution in “Copy as cURL”
command
* CVE-2025-11714 (bmo#1973699, bmo#1989945, bmo#1990970,
bmo#1991040, bmo#1992113)
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
* CVE-2025-11715 (bmo#1983838, bmo#1987624, bmo#1988244,
bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899)
Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
ESR 140.4, Firefox 144 and Thunderbird 144
* Tue Sep 30 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.3.1 ESR
* several bugfixes listed here
https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes
Version: 140.4.0-bp160.1.1
* Tue Nov 04 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 140.4
* changed: Account Hub is now disabled by default for second
email account (bmo#1992027)
* changed: Flatpak runtime has been updated to Freedesktop SDK
24.08 (bmo#1952100)
* fixed: Users could not read mail signed with OpenPGP v6 and
PQC keys (bmo#1986845)
* fixed: Image preview in Insert Image dialog failed with CSP
error for web resources (bmo#1989392)
* fixed: Emptying trash on exit did not work with some
providers (bmo#1975147)
* fixed: Thunderbird could crash when applying filters
(bmo#1987880)
* fixed: Users were unable to override expired mail server
certificate (bmo#1979323)
* fixed: Opening Website header link in RSS feed incorrectly
re-encoded URL parameters (bmo#1971035)
* fixed: Security fixes
MFSA 2025-85 (bsc#1251263)
* CVE-2025-11708 (bmo#1988931)
Use-after-free in MediaTrackGraphImpl::GetInstance()
* CVE-2025-11709 (bmo#1989127)
Out of bounds read/write in a privileged process triggered by
WebGL textures
* CVE-2025-11710 (bmo#1989899)
Cross-process information leaked due to malicious IPC
messages
* CVE-2025-11711 (bmo#1989978)
Some non-writable Object properties could be modified
* CVE-2025-11712 (bmo#1979536)
An OBJECT tag type attribute overrode browser behavior on web
resources without a content-type
* CVE-2025-11713 (bmo#1986142)
Potential user-assisted code execution in “Copy as cURL”
command
* CVE-2025-11714 (bmo#1973699, bmo#1989945, bmo#1990970,
bmo#1991040, bmo#1992113)
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
* CVE-2025-11715 (bmo#1983838, bmo#1987624, bmo#1988244,
bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899)
Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
ESR 140.4, Firefox 144 and Thunderbird 144
- Replace mozilla-bmo998749.patch with upstream's version
* Tue Nov 04 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Add build_limit for s390x on SLE16 (bsc#1247774)
Version: 140.3.0-bp160.1.1
* Sun Sep 14 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.3.0 ESR
* Right-clicking 'List-ID' -> 'Unsubscribe' created double encoded
draft subject
* Thunderbird could crash on startup
* Thunderbird could crash when importing mail
* Opening Website header link in RSS feed incorrectly re-encoded
URL parameters
MFSA 2025-78 (bsc#1249391)
* CVE-2025-10527 (bmo#1984825)
Sandbox escape due to use-after-free in the Graphics:
Canvas2D component
* CVE-2025-10528 (bmo#1986185)
Sandbox escape due to undefined behavior, invalid pointer in
the Graphics: Canvas2D component
* CVE-2025-10529 (bmo#1970490)
Same-origin policy bypass in the Layout component
* CVE-2025-10532 (bmo#1979502)
Incorrect boundary conditions in the JavaScript: GC component
* CVE-2025-10533 (bmo#1980788)
Integer overflow in the SVG component
* CVE-2025-10536 (bmo#1981502)
Information disclosure in the Networking: Cache component
* CVE-2025-10537 (bmo#1938220, bmo#1980730, bmo#1981280,
bmo#1981283, bmo#1984505, bmo#1985067)
Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
ESR 140.3, Firefox 143 and Thunderbird 143
* Tue Sep 09 2025 Lubos Kocman <lubos.kocman@suse.com>
- Fix suse_version check for 16.0
Version: 140.2.1-bp160.1.1
* Mon Sep 08 2025 Yoshio Sato <vasua.ukraine@gmail.com>
- Build for Leap 16 using gcc13 (gcc14 is unavailable on Leap 16)
* Sat Sep 06 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 140.2.1
* Users could no longer send using smtp-relay.gmail.com
* Folder compaction could fail to complete due to folder write errors
* Creating an event or task from mail failed if the mail was
opened in a tab
* Wed Aug 20 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Mozilla Thunderbird 140.2
* fixed: Users were unable to use Fastmail calendars due to
missing OAuth settings (bmo#1978192)
* fixed: Account setup error handling was broken for Account
hub (bmo#1971303)
* fixed: Menu bar was hidden after updating from 128esr to
140esr (bmo#1979002)
* fixed: Security fixes
MFSA 2025-72 (bsc#1248162)
* CVE-2025-9179 (bmo#1979527)
Sandbox escape due to invalid pointer in the Audio/Video: GMP
component
* CVE-2025-9180 (bmo#1979782)
Same-origin policy bypass in the Graphics: Canvas2D component
* CVE-2025-9181 (bmo#1977130)
Uninitialized memory in the JavaScript Engine component
* CVE-2025-9182 (bmo#1975837)
Denial-of-service due to out-of-memory in the Graphics:
WebRender component
* CVE-2025-9184 (bmo#1929482, bmo#1976376, bmo#1979163,
bmo#1979955)
Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird
ESR 140.2, Firefox 142 and Thunderbird 142
* CVE-2025-9185 (bmo#1970154, bmo#1976782, bmo#1977166)
Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR
128.14, Thunderbird ESR 128.14, Firefox ESR 140.2,
Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
* Tue Aug 05 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 140.1.1
Fixed
* Users with attachments open in tabs saw an error on Thunderbird restart
* Sending from unified or local folder failed if no default account was set
* Delete button could remove attachment instead of message
* Message list scrolled back when returning to mail tab after opening a message
* Sat Jul 26 2025 Andreas Schwab <schwab@suse.de>
- Update memory constraints
* Sat Jul 19 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 140.1.0
* New folders were not added alphabetically if folders manually
reordered beforehand
* Message archive folder creation could silently stop during async
folder creation
MFSA 2025-63 (bsc#1246664)
* CVE-2025-8027 (bmo#1968423)
JavaScript engine only wrote partial return value to stack
* CVE-2025-8028 (bmo#1971581)
Large branch table could lead to truncated instruction
* CVE-2025-8029 (bmo#1928021)
javascript: URLs executed on object and embed tags
* CVE-2025-8036 (bmo#1960834)
DNS rebinding circumvents CORS
* CVE-2025-8037 (bmo#1964767)
Nameless cookies shadow secure cookies
* CVE-2025-8030 (bmo#1968414)
Potential user-assisted code execution in “Copy as cURL” command
* CVE-2025-8031 (bmo#1971719)
Incorrect URL stripping in CSP reports
* CVE-2025-8032 (bmo#1974407)
XSLT documents could bypass CSP
* CVE-2025-8038 (bmo#1808979)
CSP frame-src was not correctly enforced for paths
* CVE-2025-8039 (bmo#1970997)
Search terms persisted in URL bar
* CVE-2025-8033 (bmo#1973990)
Incorrect JavaScript state machine for generators
* CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)
Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR
128.13, Thunderbird ESR 128.13, Firefox ESR 140.1,
Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
* CVE-2025-8040 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998)
Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird
ESR 140.1, Firefox 141 and Thunderbird 141
* CVE-2025-8035 (bmo#1975961, bmo#1975961, bmo#1975961)
Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird
ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox
141 and Thunderbird 141
* Tue Jul 15 2025 Tristan Miller <psychonaut@nothingisreal.com>
- Mozilla Thunderbird ESR 140.0.1
MFSA 2025-54
* CVE-2025-6424 (bmo#1966423)
Use-after-free in FontFaceSet
* CVE-2025-6425 (bmo#1717672)
The WebCompat WebExtension shipped exposed a persistent UUID
* CVE-2025-6426 (bmo#1964385)
No warning when opening executable terminal files on macOS
* CVE-2025-6427 (bmo#1966927)
connect-src Content Security Policy restriction could be
bypassed
* CVE-2025-6429 (bmo#1970658)
Incorrect parsing of URLs could have allowed embedding of
youtube.com
* CVE-2025-6430 (bmo#1971140)
Content-Disposition header ignored when a file is included in
an embed or object tag
* CVE-2025-6432 (bmo#1943804)
DNS Requests leaked outside of a configured SOCKS proxy
* CVE-2025-6433 (bmo#1954033)
WebAuthn would allow a user to sign a challenge on a webpage
with an invalid TLS certificate
* CVE-2025-6434 (bmo#1955182)
HTTPS-Only exception screen lacked anti-clickjacking delay
* CVE-2025-6435 (bmo#1961777 bmo#1950056)
Save as in Devtools could download files without sanitizing
the extension
* CVE-2025-6436 (bmo#1941377 bmo#1960948 bmo#1966187 bmo#1966505
bmo#1970764)
Memory safety bugs fixed in Firefox 140 and Thunderbird 140
- adapt mozilla-ntlm-full-path.patch for Thunderbird 140.0.1
- adapt mozilla-silence-no-return-type.patch for Thunderbird
140.0.1
* Sun Jun 29 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.12.0
MFSA 2025-55 (bsc#1244670)
* CVE-2025-6424 (bmo#1966423)
Use-after-free in FontFaceSet
* CVE-2025-6425 (bmo#1717672)
The WebCompat WebExtension shipped exposed a persistent UUID
* CVE-2025-6426 (bmo#1964385)
No warning when opening executable terminal files on macOS
* CVE-2025-6429 (bmo#1970658)
Incorrect parsing of URLs could have allowed embedding of
youtube.com
* CVE-2025-6430 (bmo#1971140)
Content-Disposition header ignored when a file is included in
an embed or object tag
* Tue Jun 17 2025 Manfred Hollstein <manfred.h@gmx.net>
- Use these tools/versions unconditionally, package won't build on
Tumbleweed with new gcc15 otherwise:
gcc14, gcc14-c++, cargo1.84, rust1.84
* Mon Jun 09 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird ESR 128.11.1
MFSA 2025-49
* CVE-2025-5986 (bmo#1958580, bmo#1968012)
Unsolicited File Download, Disk Space Exhaustion, and Credential
Leakage via mailbox:/// Links