This update for MozillaThunderbird fixes the following issues:

Changes in MozillaThunderbird:

Mozilla Thunderbird 140.5.0 ESR

MFSA 2025-91 (bsc#1253188):

  * CVE-2025-13012
    Race condition in the Graphics component
  * CVE-2025-13016
    Incorrect boundary conditions in the JavaScript: WebAssembly
    component
  * CVE-2025-13017
    Same-origin policy bypass in the DOM: Notifications component
  * CVE-2025-13018
    Mitigation bypass in the DOM: Security component
  * CVE-2025-13019
    Same-origin policy bypass in the DOM: Workers component
  * CVE-2025-13013
    Mitigation bypass in the DOM: Core & HTML component
  * CVE-2025-13020
    Use-after-free in the WebRTC: Audio/Video component
  * CVE-2025-13014
    Use-after-free in the Audio/Video component
  * CVE-2025-13015
    Spoofing issue in Thunderbird
  * fixed: Could not drag and drop ICS file to Today Pane
  * fixed: With Thunderbird closed, clicking a 'mailto:' link to
    send signed message failed
  * fixed: Upgrade from 128.x->140.x broke authentication for
    @att.net using Yahoo backend

Mozilla Thunderbird 140.4.0 ESR

  * Account Hub is now disabled by default for second email account
  * Users could not read mail signed with OpenPGP v6 and PQC keys
  * Image preview in Insert Image dialog failed with CSP error for web resources
  * Emptying trash on exit did not work with some providers
  * Thunderbird could crash when applying filters
  * Users were unable to override expired mail server certificate
  * Opening Website header link in RSS feed incorrectly re-encoded
    URL parameters

Mozilla Thunderbird 140.3.1 ESR:

  * several bugfixes listed here
    https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes
------------------------------------------------------------------