File _patchinfo of Package patchinfo.42246
<patchinfo incident="42246">
<issue tracker="bnc" id="1256340">VUL-0: MozillaFirefox / MozillaThunderbird: update to 147.0 and 140.7esr</issue>
<issue tracker="cve" id="2026-0887"/>
<issue tracker="cve" id="2026-0878"/>
<issue tracker="cve" id="2026-0885"/>
<issue tracker="cve" id="2026-0890"/>
<issue tracker="cve" id="2026-0880"/>
<issue tracker="cve" id="2026-0883"/>
<issue tracker="cve" id="2025-14327"/>
<issue tracker="cve" id="2026-0886"/>
<issue tracker="cve" id="2026-0879"/>
<issue tracker="cve" id="2026-0891"/>
<issue tracker="cve" id="2026-0884"/>
<issue tracker="cve" id="2026-0877"/>
<issue tracker="cve" id="2026-0882"/>
<packager>MSirringhaus</packager>
<rating>critical</rating>
<category>security</category>
<summary>Security update for MozillaThunderbird</summary>
<description>This update for MozillaThunderbird fixes the following issues:
MFSA 2026-05 (bsc#1256340):
- CVE-2026-0877: Mitigation bypass in the DOM in Security component
- CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the
Graphics in CanvasWebGL component
- CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the
Graphics component
- CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics
component
- CVE-2026-0882: Use-after-free in the IPC component
- CVE-2025-14327: Spoofing issue in the Downloads Panel component
- CVE-2026-0883: Information disclosure in the Networking component
- CVE-2026-0884: Use-after-free in the JavaScript Engine component
- CVE-2026-0885: Use-after-free in the JavaScript: GC component
- CVE-2026-0886: Incorrect boundary conditions in the Graphics component
- CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer
component
- CVE-2026-0890: Spoofing issue in the DOM in Copy & Paste and Drag & Drop
component
- CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird
ESR 140.7, Firefox 147 and Thunderbird 147
</description>
</patchinfo>
