File _patchinfo of Package patchinfo.37780

<patchinfo incident="37780">
  <issue tracker="bnc" id="1237683">VUL-0: MozillaFirefox / MozillaThunderbird: update to 136 and 128.8esr</issue>
  <issue tracker="cve" id="2024-43097"/>
  <issue tracker="cve" id="2025-1930"/>
  <issue tracker="cve" id="2025-1931"/>
  <issue tracker="cve" id="2025-1932"/>
  <issue tracker="cve" id="2025-1933"/>
  <issue tracker="cve" id="2025-1934"/>
  <issue tracker="cve" id="2025-1935"/>
  <issue tracker="cve" id="2025-1936"/>
  <issue tracker="cve" id="2025-1937"/>
  <issue tracker="cve" id="2025-1938"/>
  <issue tracker="cve" id="2025-26695"/>
  <issue tracker="cve" id="2025-26696"/>
  <packager>MSirringhaus</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

  Updated to Mozilla Thunderbird 128.8 MFSA 2025-18 (bsc#1237683):
    
  - CVE-2024-43097: Overflow when growing an SkRegion's RunArray
  - CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in the
    Browser process
  - CVE-2025-1931: Use-after-free in WebTransportChild
  - CVE-2025-1932: Inconsistent comparator in XSLT sorting led to out-of-bounds
    access
  - CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs
  - CVE-2025-1934: Unexpected GC during RegExp bailout processing
  - CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar
  - CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed the
    interpretation of the contents
  - CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird 136,
    Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
  - CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird 136,
    Firefox ESR 128.8, and Thunderbird 128.8
  - CVE-2025-26695: Downloading of OpenPGP keys from WKD used incorrect padding
  - CVE-2025-26696: Crafted email message incorrectly shown as being encrypted  
  
  Other fixes:
  * Opening an .EML file in profiles with many folders
    could take a long time.
  * Users with many folders experienced poor performance
    when resizing message panes.
  * "Replace" button in compose window was overwritten
    when the window was narrow.
  * Export to mobile did not work when "Use default
    server" was selected.
  * "Save Link As" was not working in feed web content.
 
</description>
</patchinfo>