File _patchinfo of Package patchinfo.43423
<patchinfo incident="43423">
  <!--generated with prepare-update from request 404506-->
  <issue tracker="bnc" id="1260083">VUL-0: MozillaFirefox / MozillaThunderbird: update to 149.0 and 140.9esr</issue>
  <issue tracker="cve" id="2025-59375"/>
  <issue tracker="cve" id="2026-3889"/>
  <issue tracker="cve" id="2026-4371"/>
  <issue tracker="cve" id="2026-4684"/>
  <issue tracker="cve" id="2026-4685"/>
  <issue tracker="cve" id="2026-4686"/>
  <issue tracker="cve" id="2026-4687"/>
  <issue tracker="cve" id="2026-4688"/>
  <issue tracker="cve" id="2026-4689"/>
  <issue tracker="cve" id="2026-4690"/>
  <issue tracker="cve" id="2026-4691"/>
  <issue tracker="cve" id="2026-4692"/>
  <issue tracker="cve" id="2026-4693"/>
  <issue tracker="cve" id="2026-4694"/>
  <issue tracker="cve" id="2026-4695"/>
  <issue tracker="cve" id="2026-4696"/>
  <issue tracker="cve" id="2026-4697"/>
  <issue tracker="cve" id="2026-4698"/>
  <issue tracker="cve" id="2026-4699"/>
  <issue tracker="cve" id="2026-4700"/>
  <issue tracker="cve" id="2026-4701"/>
  <issue tracker="cve" id="2026-4702"/>
  <issue tracker="cve" id="2026-4704"/>
  <issue tracker="cve" id="2026-4705"/>
  <issue tracker="cve" id="2026-4706"/>
  <issue tracker="cve" id="2026-4707"/>
  <issue tracker="cve" id="2026-4708"/>
  <issue tracker="cve" id="2026-4709"/>
  <issue tracker="cve" id="2026-4710"/>
  <issue tracker="cve" id="2026-4711"/>
  <issue tracker="cve" id="2026-4712"/>
  <issue tracker="cve" id="2026-4713"/>
  <issue tracker="cve" id="2026-4714"/>
  <issue tracker="cve" id="2026-4715"/>
  <issue tracker="cve" id="2026-4716"/>
  <issue tracker="cve" id="2026-4717"/>
  <issue tracker="cve" id="2026-4718"/>
  <issue tracker="cve" id="2026-4719"/>
  <issue tracker="cve" id="2026-4720"/>
  <issue tracker="cve" id="2026-4721"/>
  <category>security</category>
  <rating>important</rating>
  <packager>MSirringhaus</packager>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

Update to Mozilla Thunderbird 140.9 (MFSA 2026-24, bsc#1260083):

- CVE-2026-3889: Spoofing issue in Thunderbird
- CVE-2026-4371: Out of bounds read in IMAP parsing
- CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component
- CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4686: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4687: Sandbox escape due to incorrect boundary conditions in the Telemetry component
- CVE-2026-4688: Sandbox escape due to use-after-free in the Disability Access APIs component
- CVE-2026-4689: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
- CVE-2026-4690: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
- CVE-2026-4691: Use-after-free in the CSS Parsing and Computation component
- CVE-2026-4692: Sandbox escape in the Responsive Design Mode component
- CVE-2026-4693: Incorrect boundary conditions in the Audio/Video: Playback component
- CVE-2026-4694: Incorrect boundary conditions, integer overflow in the Graphics component
- CVE-2026-4695: Incorrect boundary conditions in the Audio/Video: Web Codecs component
- CVE-2026-4696: Use-after-free in the Layout: Text and Fonts component
- CVE-2026-4697: Incorrect boundary conditions in the Audio/Video: Web Codecs component
- CVE-2026-4698: JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2026-4699: Incorrect boundary conditions in the Layout: Text and Fonts component
- CVE-2026-4700: Mitigation bypass in the Networking: HTTP component
- CVE-2026-4701: Use-after-free in the JavaScript Engine component
- CVE-2026-4702: JIT miscompilation in the JavaScript Engine component
- CVE-2026-4704: Denial-of-service in the WebRTC: Signaling component
- CVE-2026-4705: Undefined behavior in the WebRTC: Signaling component
- CVE-2026-4706: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4707: Incorrect boundary conditions in the Graphics: Canvas2D component
- CVE-2026-4708: Incorrect boundary conditions in the Graphics component
- CVE-2026-4709: Incorrect boundary conditions in the Audio/Video: GMP component
- CVE-2026-4710: Incorrect boundary conditions in the Audio/Video component
- CVE-2026-4711: Use-after-free in the Widget: Cocoa component
- CVE-2026-4712: Information disclosure in the Widget: Cocoa component
- CVE-2026-4713: Incorrect boundary conditions in the Graphics component
- CVE-2026-4714: Incorrect boundary conditions in the Audio/Video component
- CVE-2026-4715: Uninitialized memory in the Graphics: Canvas2D component
- CVE-2026-4716: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component
- CVE-2026-4717: Privilege escalation in the Netmonitor component
- CVE-2025-59375: Denial-of-service in the XML component
- CVE-2026-4718: Undefined behavior in the WebRTC: Signaling component
- CVE-2026-4719: Incorrect boundary conditions in the Graphics: Text component
- CVE-2026-4720: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149
- CVE-2026-4721: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149
</description>
</patchinfo>