File _patchinfo of Package patchinfo.40714

<patchinfo incident="40714">
  <issue tracker="bnc" id="1249391">VUL-0: MozillaFirefox / MozillaThunderbird: update to 143.0 and 140.3esr</issue>
  <issue tracker="cve" id="2025-10529"/>
  <issue tracker="cve" id="2025-10537"/>
  <issue tracker="cve" id="2025-10533"/>
  <issue tracker="cve" id="2025-10527"/>
  <issue tracker="cve" id="2025-10536"/>
  <issue tracker="cve" id="2025-10528"/>
  <issue tracker="cve" id="2025-10532"/>
  <packager>MSirringhaus</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

Update to Mozilla Thunderbird 140.3 (bsc#1249391).

Security issues fixed:

- MFSA 2025-78
  * CVE-2025-10527: sandbox escape due to use-after-free in the Graphics: Canvas2D component.
  * CVE-2025-10528: sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component.
  * CVE-2025-10529: same-origin policy bypass in the Layout component.
  * CVE-2025-10532: incorrect boundary conditions in the JavaScript: GC component.
  * CVE-2025-10533: integer overflow in the SVG component.
  * CVE-2025-10536: information disclosure in the Networking: Cache component.
  * CVE-2025-10537: memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird
    143.

Other issues fixed:

- Right-clicking 'List-ID' -&gt; 'Unsubscribe' created double encoded draft subject.
- Thunderbird could crash on startup.
- Thunderbird could crash when importing mail.
- Opening Website header link in RSS feed incorrectly re-encoded URL parameters.
</description>
</patchinfo>