-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Feb 2026 15:41:01 +0100
Source: thunderbird
Architecture: source
Version: 1:140.8.0esr-1
Distribution: unstable
Urgency: medium
Maintainer: Carsten Schoenert <c.schoenert@t-online.de>
Changed-By: Christoph Goehre <chris@sigxcpu.org>
Changes:
thunderbird (1:140.8.0esr-1) unstable; urgency=medium
.
* [2c79d20] d/source.filter: don't filter out *.orig files
* [860f180] New upstream version 140.8.0esr
Fixed CVE issues in upstream version 140.8 (MFSA 2026-17):
CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video
component
CVE-2026-2758: Use-after-free in the JavaScript: GC component
CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib
component
CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the
Graphics: WebRender component
CVE-2026-2761: Sandbox escape in the Graphics: WebRender component
CVE-2026-2762: Integer overflow in the JavaScript: Standard Library
component
CVE-2026-2763: Use-after-free in the JavaScript Engine component
CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript
Engine: JIT component
CVE-2026-2765: Use-after-free in the JavaScript Engine component
CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component
CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component
CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component
CVE-2026-2769: Use-after-free in the Storage: IndexedDB component
CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component
CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component
CVE-2026-2772: Use-after-free in the Audio/Video: Playback component
CVE-2026-2773: Incorrect boundary conditions in the Web Audio component
CVE-2026-2774: Integer overflow in the Audio/Video component
CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component
CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the
Telemetry component in External Software
CVE-2026-2777: Privilege escalation in the Messaging System component
CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the
DOM: Core & HTML component
CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR
component
CVE-2026-2780: Privilege escalation in the Netmonitor component
CVE-2026-2781: Integer overflow in the Libraries component in NSS
CVE-2026-2782: Privilege escalation in the Netmonitor component
CVE-2026-2783: Information disclosure due to JIT miscompilation in the
JavaScript Engine: JIT component
CVE-2026-2784: Mitigation bypass in the DOM: Security component
CVE-2026-2785: Invalid pointer in the JavaScript Engine component
CVE-2026-2786: Use-after-free in the JavaScript Engine component
CVE-2026-2787: Use-after-free in the DOM: Window and Location component
CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP
component
CVE-2026-2789: Use-after-free in the Graphics: ImageLib component
CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component
CVE-2026-2791: Mitigation bypass in the Networking: Cache component
CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird
ESR 140.8, Firefox 148 and Thunderbird 148
CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR
140.8, Thunderbird ESR 140.8, Firefox 148 and
Thunderbird 148
* [ff6cabd] d/rules: override dh_clean
* [eb4c1eb] rebuild patch queue from patch-queue branch
added patches:
fixes/Add-missing-.gitmodules-files-which-are-needed-to-build-t.patch
* [c9b11f8] d/rules: create empty .gitmodules file via dh_auto_configure
Checksums-Sha1:
12f521ac224758ab6e27f38edbcf3cce4be3f787 8435 thunderbird_140.8.0esr-1.dsc
4246300b85462254b35623b3ce698cbde0e2a65e 12256396 thunderbird_140.8.0esr.orig-thunderbird-l10n.tar.xz
07d105cd3896d9fe36137b474236d07bc1ae7221 791711444 thunderbird_140.8.0esr.orig.tar.xz
d1cdfd60f8a232fddf4d620ae9e78b72459383c6 554276 thunderbird_140.8.0esr-1.debian.tar.xz
b75b7cfc8981d2979df322fcf6972a256796513c 8312 thunderbird_140.8.0esr-1_source.buildinfo
Checksums-Sha256:
2cf49392dc7185e8fca549cd994717fa08dd4c219b72ac6714dedbe199792356 8435 thunderbird_140.8.0esr-1.dsc
355f5b2a9f9fb545371e4509956dd454513570d17f8d21256cef67758f374068 12256396 thunderbird_140.8.0esr.orig-thunderbird-l10n.tar.xz
3161f706d9115b21f5cd989bfbca71ee73a64c356676bcb3e78af8ee51a2fbab 791711444 thunderbird_140.8.0esr.orig.tar.xz
ae743e936376e605aeddec41f8ea0e639a30bf3abc8deba74215ac53fcd2f761 554276 thunderbird_140.8.0esr-1.debian.tar.xz
622f128017d65b28e7468f7df03d5e429dcdaae25c96f571566754147c086d2c 8312 thunderbird_140.8.0esr-1_source.buildinfo
Files:
75b174ceded9c7bea1e4c4f9f005fdd1 8435 mail optional thunderbird_140.8.0esr-1.dsc
c94b94753a59259f35f129dbe2e71d84 12256396 mail optional thunderbird_140.8.0esr.orig-thunderbird-l10n.tar.xz
f77023bdce648171c7ef6d7b224f50a1 791711444 mail optional thunderbird_140.8.0esr.orig.tar.xz
cc042e41a49e3eb392f772c6bd094f84 554276 mail optional thunderbird_140.8.0esr-1.debian.tar.xz
5b705f03b4aa64b0866cd81fd4e3fc19 8312 mail optional thunderbird_140.8.0esr-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEi5SBnCVVcKN0tizNJuPIdadEIO8FAmmh5vAACgkQJuPIdadE
IO+ZsxAA0UEHdgZ9j48smermx7iE+GD8bxY0D8NFGKwqu+Y5L+HPsnuGOrX2vDN+
OILSJSLh4x6JTHFUnlAfEKrnDOIyy3DkuOacsnSB08PUUmpk7ZRy0EgwzYwcKj+T
pFT9CcbJJuBaNke4FzWWnQiPaYkOZgaa3D3DyyqlXDw69pHIQu6Px8mfTawQTFH/
DT2E16hqbUoI7RltTVZy5JAHA3tF35pCnccvSg8HzRguHQ5/eyUQyNNJUsIQZ0Rs
AgVs0jWn54l/oHY5sR/etK5cfxlEhDr+5kfkKHl1IT1s9p5h1HqQ/BkUXCXqG8F/
RSvbe4NPBRH2ZlFPH4ctodhs0sKmvqBGhVpZ2qtpogt87GrJIpYOK4Oaipc+DeRt
3ak94QtVCcC1U4rh8q/FdhdeSiKPv2RkiEnxBDavYTuaWq2dhK0m1Qs1IbOSHrO3
tK1aP+I75lbPfM05iV6Zb3FyfR1bT/PbM29qs5/qJUTsHX2/RhiLILoZyEe+dGID
AFGCSBkf08BoR4cWYPcqoYg5EpJc1osKnWGmig2nIRcOdo65Kxb2bblFCm9lbN62
xJGZd0/g9+emaZU6FMljhMuzxYLnVFnvA4rFvS/qR/VF/N+K7y6ROlUoFp9U9Ctj
FxyjYl+YvqTdn3Lcv70jY+J1zxPi+ba+yTvFEscpBQRc13Uth6M=
=hpGN
-----END PGP SIGNATURE-----
