Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted thunderbird 1:140.11.0esr-1 (source) into unstable
Date: Wed, 20 May 2026 11:05:25 +0000
Signed by: Christoph Goehre <christoph.goehre@gmx.de>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 May 2026 08:48:31 +0200
Source: thunderbird
Architecture: source
Version: 1:140.11.0esr-1
Distribution: unstable
Urgency: medium
Maintainer: Carsten Schoenert <c.schoenert@t-online.de>
Changed-By: Christoph Goehre <chris@sigxcpu.org>
Changes:
 thunderbird (1:140.11.0esr-1) unstable; urgency=medium
 .
   * [3d3d128] New upstream version 140.11.0esr
     Fixed CVE issues in upstream version 140.11 (MFSA 2026-51):
     CVE-2026-8946: Incorrect boundary conditions in the Audio/Video: Web
                    Codecs component
     CVE-2026-8388: Incorrect boundary conditions in the JavaScript Engine: JIT
                    component
     CVE-2026-8947: Use-after-free in the DOM: Bindings (WebIDL) component
     CVE-2026-8391: Other issue in the JavaScript Engine component
     CVE-2026-8401: Sandbox escape in the Profile Backup component
     CVE-2026-8949: Integer overflow in the Widget: Win32 component
     CVE-2026-8950: Same-origin policy bypass in the Networking: HTTP component
     CVE-2026-8953: Sandbox escape due to use-after-free in the Disability
                    Access APIs component
     CVE-2026-8954: Incorrect boundary conditions, integer overflow in the
                    Audio/Video component
     CVE-2026-8955: Privilege escalation in the DOM: Workers component
     CVE-2026-8956: Integer overflow in the Networking: JAR component
     CVE-2026-8957: Privilege escalation in the Enterprise Policies component
     CVE-2026-8958: Information disclosure, sandbox escape in the Security:
                    Process Sandboxing component
     CVE-2026-8959: Sandbox escape due to incorrect boundary conditions in the
                    Widget: Win32 component
     CVE-2026-8961: Spoofing issue in the Form Autofill component
     CVE-2026-8962: Mitigation bypass in the DOM: Security component
     CVE-2026-8968: Denial-of-service due to invalid pointer in the
                    Audio/Video: Web Codecs component
     CVE-2026-8970: Privilege escalation in the Security component
     CVE-2026-8974: Memory safety bugs fixed in Thunderbird 140.11 and
                    Thunderbird 151
     CVE-2026-8975: Memory safety bugs fixed in Thunderbird 140.11 and
                    Thunderbird 151
   * [19ff1a5] rebuild patch queue from patch-queue branch
     modified patches:
     fixes/Fix-conflicting-types-for-once_flag-and-call_once-with-gl.patch
Checksums-Sha1:
 4c4125985df0c608e03a780bd98a230fe67b2897 8445 thunderbird_140.11.0esr-1.dsc
 9cf0e7df3df0894d25b0d1d8f58915718037633b 12279600 thunderbird_140.11.0esr.orig-thunderbird-l10n.tar.xz
 33f391ad0f26239564fd95a7bf8b1407f77dd493 791000676 thunderbird_140.11.0esr.orig.tar.xz
 3b5b0660ec64f554a021448241797a10e514f408 569560 thunderbird_140.11.0esr-1.debian.tar.xz
 fc5ac02a2dcca1be8befe6d6b5df916753a35c67 8066 thunderbird_140.11.0esr-1_source.buildinfo
Checksums-Sha256:
 3bdfddd26cc5ab2e2af5c77a0f732ae13df693bf4555a5db448a1066c974e0a2 8445 thunderbird_140.11.0esr-1.dsc
 357aefe726360d4b480004537c608b2b1009ea30ee7c8b75fc9563b640fd1061 12279600 thunderbird_140.11.0esr.orig-thunderbird-l10n.tar.xz
 43c6db86fc9dc600759517a6d39f2e362aa5092e38e4564db58f2b0c56f094c3 791000676 thunderbird_140.11.0esr.orig.tar.xz
 660b20ebd3d9ee4ced1282c9b3751c88a9f7acdf97fc8f21016972182b852e28 569560 thunderbird_140.11.0esr-1.debian.tar.xz
 92211f3f47963b55e620a79ec5d7ff620326313380d09c752fc45a08e1d04f23 8066 thunderbird_140.11.0esr-1_source.buildinfo
Files:
 3feb1ab2b13a24b5cc3ffc0c0e532377 8445 mail optional thunderbird_140.11.0esr-1.dsc
 1ffb701693b5d580acb29f2364872330 12279600 mail optional thunderbird_140.11.0esr.orig-thunderbird-l10n.tar.xz
 1f6172042df22ad7744ffb6a90cfdf17 791000676 mail optional thunderbird_140.11.0esr.orig.tar.xz
 63df4106fba122e21fbffd3c9f014b16 569560 mail optional thunderbird_140.11.0esr-1.debian.tar.xz
 197bfae485de4dd513decc2a2dc0f829 8066 mail optional thunderbird_140.11.0esr-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEi5SBnCVVcKN0tizNJuPIdadEIO8FAmoNkJYACgkQJuPIdadE
IO/nHg/5AXh+Wr3OJ6kRLCMuqoUyE7Au6YPGLsF5LssIBXA8UU7hNZV1MKn2sk71
fjb7JU6x79RlSoQN36s1H7c+up8YsU220kAK7UArHDPjPpbsoZUAuW0Qgqbwo+SL
XKrjafshmAPAEc1D+n6xonm6AGf+A1miGEmqhkwUNFNDA9ev/pOi7TpDmR4oQsJ6
NoZz3Bu3HQ9/MQjuo/rJbcBr8Gd+4ku5s21uv5ValhhkSXRheLjUG7wKL5uQDN48
0mZzkxZw5ooM1Rv7sOXgItNUfRes4sgmzrXJEPiorncHOHlJ/q9yql/RfV1LnVHV
0vLRjfEfdiendKFfsZ0ctf5tsAmYpvHEPxUjqnPJtqjGtBmBzeZDLlzPMjUaGK3l
mKwpJcIQ7cQa04OQ845BdWwPKwkSfwqRix8WEEg4d/sp9ZjhVVf4mYsyYRHqbLoc
g0sTS7aHF6D5CU2h6eFdU8YTtOGsQKkPf9TwByFyDmjgHQ/44jdsa1CtLeoNIXQ6
ewHWMAK/NRduwLghXpGOb9HSy+gzlFLYCdfTdHTQwiyUTFYL2M2/sSH0R65r0KRu
zYW9/Q7MW2E8r40wgm2oFTHOIRcC/jSmKamjGBrnvdG62C9TlTpxyHhH64Dhe9x1
dnKNXtZH/pAOTJxe3ZLLfonKeWyHUjIPi0TkYp4yGrWc+BVU9qk=
=qY0E
-----END PGP SIGNATURE-----
News for package thunderbird
