-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 25 Mar 2026 09:04:25 +0100 Source: thunderbird Architecture: source Version: 1:140.9.0esr-1 Distribution: unstable Urgency: medium Maintainer: Carsten Schoenert <[email protected]> Changed-By: Christoph Goehre <[email protected]> Changes: thunderbird (1:140.9.0esr-1) unstable; urgency=medium . * [a5389ca] New upstream version 140.9.0esr Fixed CVE issues in upstream version 140.9 (MFSA 2026-24): CVE-2026-3889: Spoofing issue in Thunderbird CVE-2026-4371: Out of bounds read in IMAP parsing CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component CVE-2026-4686: Incorrect boundary conditions in the Graphics: Canvas2D component CVE-2026-4687: Sandbox escape due to incorrect boundary conditions in the Telemetry component CVE-2026-4688: Sandbox escape due to use-after-free in the Disability Access APIs component CVE-2026-4689: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component CVE-2026-4690: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component CVE-2026-4691: Use-after-free in the CSS Parsing and Computation component CVE-2026-4692: Sandbox escape in the Responsive Design Mode component CVE-2026-4693: Incorrect boundary conditions in the Audio/Video: Playback component CVE-2026-4694: Incorrect boundary conditions, integer overflow in the Graphics component CVE-2026-4695: Incorrect boundary conditions in the Audio/Video: Web Codecs component CVE-2026-4696: Use-after-free in the Layout: Text and Fonts component CVE-2026-4697: Incorrect boundary conditions in the Audio/Video: Web Codecs component CVE-2026-4698: JIT miscompilation in the JavaScript Engine: JIT component CVE-2026-4699: Incorrect boundary conditions in the Layout: Text and Fonts component CVE-2026-4700: Mitigation bypass in the Networking: HTTP component CVE-2026-4701: Use-after-free in the JavaScript Engine component CVE-2026-4702: JIT miscompilation in the JavaScript Engine component CVE-2026-4704: Denial-of-service in the WebRTC: Signaling component CVE-2026-4705: Undefined behavior in the WebRTC: Signaling component CVE-2026-4706: Incorrect boundary conditions in the Graphics: Canvas2D component CVE-2026-4707: Incorrect boundary conditions in the Graphics: Canvas2D component CVE-2026-4708: Incorrect boundary conditions in the Graphics component CVE-2026-4709: Incorrect boundary conditions in the Audio/Video: GMP component CVE-2026-4710: Incorrect boundary conditions in the Audio/Video component CVE-2026-4711: Use-after-free in the Widget: Cocoa component CVE-2026-4712: Information disclosure in the Widget: Cocoa component CVE-2026-4713: Incorrect boundary conditions in the Graphics component CVE-2026-4714: Incorrect boundary conditions in the Audio/Video component CVE-2026-4715: Uninitialized memory in the Graphics: Canvas2D component CVE-2026-4716: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component CVE-2026-4717: Privilege escalation in the Netmonitor component CVE-2025-59375: Denial-of-service in the XML component CVE-2026-4718: Undefined behavior in the WebRTC: Signaling component CVE-2026-4719: Incorrect boundary conditions in the Graphics: Text component CVE-2026-4720: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 CVE-2026-4721: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 Checksums-Sha1: f1b1a09fc42f89ded7002fffc87c8e5a2a70dee9 8435 thunderbird_140.9.0esr-1.dsc 1304f54be83297abceb4a66e0d2bb664958734e9 12256936 thunderbird_140.9.0esr.orig-thunderbird-l10n.tar.xz 2b131869a6f94ec9213bc07edffc1816bfb6c177 786522288 thunderbird_140.9.0esr.orig.tar.xz 3b1249c93c30b6601321250ae5aa8969934746a5 554704 thunderbird_140.9.0esr-1.debian.tar.xz 17b2d9bbdb454168a48855314a480bec7894892d 8357 thunderbird_140.9.0esr-1_source.buildinfo Checksums-Sha256: 6f9aaa2ea081c41157a29a21548ef6de461119d8ce92094a0aaa3e5f40961245 8435 thunderbird_140.9.0esr-1.dsc d5efaeb54387d6b03e6e3b7bf5e721adca3b64ded384e5028455815b1d7199c3 12256936 thunderbird_140.9.0esr.orig-thunderbird-l10n.tar.xz f3f6dc5dbd4bd41c02b164c911894d8f87e7958f11ff19c1d5f247da745add8e 786522288 thunderbird_140.9.0esr.orig.tar.xz 18effe6d1ca69ee0915ff602cb71efa58ae9fa8e54d758000d6741ca20eeb01f 554704 thunderbird_140.9.0esr-1.debian.tar.xz 97ea5d6c220f9f1bc2f930c8eb1e908ff5dafb590e1e4e3ef79a67f1f6d31d19 8357 thunderbird_140.9.0esr-1_source.buildinfo Files: 8072124f4ba31e4d5f5460eb97a98a62 8435 mail optional thunderbird_140.9.0esr-1.dsc 80025e05d39344fc4e950e7e335c326c 12256936 mail optional thunderbird_140.9.0esr.orig-thunderbird-l10n.tar.xz a6f323837a873dec155ef0b13619a644 786522288 mail optional thunderbird_140.9.0esr.orig.tar.xz cb73fb14528ce811c04116ac1dc18ee9 554704 mail optional thunderbird_140.9.0esr-1.debian.tar.xz a89140b4da29b6c85590570815e04194 8357 mail optional thunderbird_140.9.0esr-1_source.buildinfo
-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEi5SBnCVVcKN0tizNJuPIdadEIO8FAmnECdkACgkQJuPIdadE IO8R4hAA2PQoeUvxZMyUpyQCyYBkbgDDiDNpGsuAF+DfooDeL+MALHdUawhDkGT0 UU3t4MyGpD/1f2GesbRPPPyEkdbZdnOMjsbony8xV/+6gOEC6C7lGOak8k/rZABK J07i9TEq5Y2iZC6rOhiYsGdnOcuv2ggMUXegbpX5ObkjiLhkA9GIeghQ2AwIugXI Q+YR5A3wsGsq3OBq9EXCLaav9UtCrjqr9L6EERuhtbk2RT/xL48Ttc4OqT9NH5Yv kExmN83K6Pv4KVpUvRFEl5cephm7UvM9H2AkQEPR322kR7/plxmT61iR9ZPh9QRn H90jKq6V/gUGcMlm/LE3xBG5FLcsJc4DLRL9IeBmHE5eHjil+7r60eJBnXfj8WQ7 ox36qK9cM8QC4Wu4huDGgRFa7NU88O9XBbFzu8/28uiqP9xwENOx7p0IdEIIuGVj 9vpiYIi7PIu00fmWTcOc+VTE76x2tlWIy9riXqANOSaUAs0ciqGFtcg5ZfLeYpAA ljyPm2BIwiLaC8mn9kAi1LTlRqfHBbeC/NCWY24su52tmVc/BmVI9Q1GPjnhAqLP G5HeI5a2ZFGEzyO7Dg4lvyGIUE9aRUOzS849DFQpO4PCl9/VAdCN/f4EV4dMpsbw WLbg+oFSscytpVq2tRRcnHyg1L/HTXWjOwXogw//NOV+gJeOIi8= =Yz5g -----END PGP SIGNATURE-----
pgp25z9Inqmkn.pgp
Description: PGP signature
