File _patchinfo of Package patchinfo.37360

<patchinfo incident="37360">
  <issue tracker="bnc" id="1236539">VUL-0: MozillaFirefox / MozillaThunderbird: update to 135 and 128.7esr</issue>
  <issue tracker="bnc" id="1236411">MozillaThunderbird: S/MIME inline-forwarded email is empty</issue>
  <issue tracker="cve" id="2025-1010"/>
  <issue tracker="cve" id="2024-11704"/>
  <issue tracker="cve" id="2025-1017"/>
  <issue tracker="cve" id="2025-1012"/>
  <issue tracker="cve" id="2025-1016"/>
  <issue tracker="cve" id="2025-1011"/>
  <issue tracker="cve" id="2025-1013"/>
  <issue tracker="cve" id="2025-0510"/>
  <issue tracker="cve" id="2025-1014"/>
  <issue tracker="cve" id="2025-1009"/>
  <issue tracker="cve" id="2025-1015"/>
  <packager>MSirringhaus</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

Update to Mozilla Thunderbird 128.7 (MFSA 2025-10, bsc#1236539).

Security fixes:

  - CVE-2025-1009: use-after-free in XSLT.
  - CVE-2025-1010: use-after-free in Custom Highlight.
  - CVE-2025-1011: a bug in WebAssembly code generation could result in a crash.
  - CVE-2025-1012: use-after-free during concurrent delazification.
  - CVE-2024-11704: potential double-free vulnerability in PKCS#7 decryption handling.
  - CVE-2025-1013: potential opening of private browsing tabs in normal browsing windows.
  - CVE-2025-1014: certificate length was not properly checked.
  - CVE-2025-1015: unsanitized address book fields.
  - CVE-2025-0510: address of e-mail sender can be spoofed by malicious email.
  - CVE-2025-1016: memory safety bugs.
  - CVE-2025-1017: memory safety bugs.

Other fixes:

  - fixed: images inside links could zoom when clicked instead of opening the link.
  - fixed: compacting an empty folder failed with write error.
  - fixed: compacting of IMAP folder with corrupted local storage failed with write error.
  - fixed: after restart, all restored tabs with opened PDFs showed the same attachment.
  - fixed: exceptions during CalDAV item processing would halt subsequent item handling.
  - fixed: context menu was unable to move email address to a different field.
  - fixed: link at about:rights pointed to Firefox privacy policy instead of Thunderbird's.
  - fixed: POP3 'fetch headers only' and 'get selected messages' could delete messages.
  - fixed: 'Search Online' checkbox in saved search properties was incorrectly disabled.
  - fixed: POP3 status message showed incorrect download count when messages were deleted.
  - fixed: space bar did not always advance to the next unread message.
  - fixed: folder creation or renaming failed due to incorrect preference settings.
  - fixed: forwarding/editing S/MIME drafts/templates unusable due to regression (bsc#1236411).
  - fixed: sort order in 'Search Messages' panel reset after search or on first launch.
  - fixed: reply window added an unnecessary third blank line at the top.
  - fixed: Thunderbird spell check box did not allow ENTER to accept suggested changes.
  - fixed: long email subject lines could overlap window control buttons on macOS.
  - fixed: flathub manifest link was not correct.
  - fixed: 'Prefer client-side email scheduling' needed to be selected twice.
  - fixed: duplicate invitations were sent if CALDAV calendar email case did not match.
  - fixed: visual and UX improvements.
</description>
</patchinfo>