Fixed
* Users with attachments open in tabs saw an error on Thunderbird restart
* Sending from unified or local folder failed if no default account was set
* Delete button could remove attachment instead of message
* Message list scrolled back when returning to mail tab after opening a message
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=833
- Mozilla Thunderbird ESR 140.1.0
* New folders were not added alphabetically if folders were manually
reordered beforehand
* Message archive folder creation could silently stop during async
folder creation
MFSA 2025-63 (bsc#1246664)
* CVE-2025-8027 (bmo#1968423)
JavaScript engine only wrote partial return value to stack
* CVE-2025-8028 (bmo#1971581)
Large branch table could lead to truncated instruction
* CVE-2025-8029 (bmo#1928021)
javascript: URLs executed on object and embed tags
* CVE-2025-8036 (bmo#1960834)
DNS rebinding circumvents CORS
* CVE-2025-8037 (bmo#1964767)
Nameless cookies shadow secure cookies
* CVE-2025-8030 (bmo#1968414)
Potential user-assisted code execution in “Copy as cURL” command
* CVE-2025-8031 (bmo#1971719)
Incorrect URL stripping in CSP reports
* CVE-2025-8032 (bmo#1974407)
XSLT documents could bypass CSP
* CVE-2025-8038 (bmo#1808979)
CSP frame-src was not correctly enforced for paths
* CVE-2025-8039 (bmo#1970997)
Search terms persisted in URL bar
* CVE-2025-8033 (bmo#1973990)
Incorrect JavaScript state machine for generators
* CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)
Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR
OBS-URL: https://build.opensuse.org/request/show/1295681
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=367
* New folders were not added alphabetically if folders were manually
reordered beforehand
* Message archive folder creation could silently stop during async
folder creation
MFSA 2025-63 (bsc#1246664)
* CVE-2025-8027 (bmo#1968423)
JavaScript engine only wrote partial return value to stack
* CVE-2025-8028 (bmo#1971581)
Large branch table could lead to truncated instruction
* CVE-2025-8029 (bmo#1928021)
javascript: URLs executed on object and embed tags
* CVE-2025-8036 (bmo#1960834)
DNS rebinding circumvents CORS
* CVE-2025-8037 (bmo#1964767)
Nameless cookies shadow secure cookies
* CVE-2025-8030 (bmo#1968414)
Potential user-assisted code execution in “Copy as cURL” command
* CVE-2025-8031 (bmo#1971719)
Incorrect URL stripping in CSP reports
* CVE-2025-8032 (bmo#1974407)
XSLT documents could bypass CSP
* CVE-2025-8038 (bmo#1808979)
CSP frame-src was not correctly enforced for paths
* CVE-2025-8039 (bmo#1970997)
Search terms persisted in URL bar
* CVE-2025-8033 (bmo#1973990)
Incorrect JavaScript state machine for generators
* CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)
Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=829
- Mozilla Thunderbird ESR 128.12.0
MFSA 2025-55 (bsc#1244670)
* CVE-2025-6424 (bmo#1966423)
Use-after-free in FontFaceSet
* CVE-2025-6425 (bmo#1717672)
The WebCompat WebExtension shipped exposed a persistent UUID
* CVE-2025-6426 (bmo#1964385)
No warning when opening executable terminal files on macOS
* CVE-2025-6429 (bmo#1970658)
Incorrect parsing of URLs could have allowed embedding of
youtube.com
* CVE-2025-6430 (bmo#1971140)
Content-Disposition header ignored when a file is included in
an embed or object tag
OBS-URL: https://build.opensuse.org/request/show/1290580
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=366
MFSA 2025-55 (bsc#1244670)
* CVE-2025-6424 (bmo#1966423)
Use-after-free in FontFaceSet
* CVE-2025-6425 (bmo#1717672)
The WebCompat WebExtension shipped exposed a persistent UUID
* CVE-2025-6426 (bmo#1964385)
No warning when opening executable terminal files on macOS
* CVE-2025-6429 (bmo#1970658)
Incorrect parsing of URLs could have allowed embedding of
youtube.com
* CVE-2025-6430 (bmo#1971140)
Content-Disposition header ignored when a file is included in
an embed or object tag
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=827
- Mozilla Thunderbird ESR 128.10.0
* Changed color override defaults with high contrast mode on
macOS and Linux
* Using Delete column in "Search Messages..." window could delete
other messages
MFSA 2025-32 (bsc#1241621)
* CVE-2025-2817 (bmo#1917536)
Privilege escalation in Thunderbird Updater
* CVE-2025-4082 (bmo#1937097)
WebGL shader attribute memory corruption in Thunderbird for
macOS
* CVE-2025-4083 (bmo#1958350)
Process isolation bypass using "javascript:" URI links in
cross-origin frames
* CVE-2025-4084 (bmo#1949994, bmo#1956698, bmo#1960198)
Potential local code execution in "copy as cURL" command
* CVE-2025-4087 (bmo#1952465)
Unsafe attribute access during XPath parsing
* CVE-2025-4091 (bmo#1951161, bmo#1952105)
Memory safety bugs fixed in Firefox 138, Thunderbird 138,
Firefox ESR 128.10, and Thunderbird 128.10
* CVE-2025-4093 (bmo#1894100)
Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird
128.10
OBS-URL: https://build.opensuse.org/request/show/1273775
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=360
* Changed color override defaults with high contrast mode on
macOS and Linux
* Using Delete column in "Search Messages..." window could delete
other messages
MFSA 2025-32 (bsc#1241621)
* CVE-2025-2817 (bmo#1917536)
Privilege escalation in Thunderbird Updater
* CVE-2025-4082 (bmo#1937097)
WebGL shader attribute memory corruption in Thunderbird for
macOS
* CVE-2025-4083 (bmo#1958350)
Process isolation bypass using "javascript:" URI links in
cross-origin frames
* CVE-2025-4084 (bmo#1949994, bmo#1956698, bmo#1960198)
Potential local code execution in "copy as cURL" command
* CVE-2025-4087 (bmo#1952465)
Unsafe attribute access during XPath parsing
* CVE-2025-4091 (bmo#1951161, bmo#1952105)
Memory safety bugs fixed in Firefox 138, Thunderbird 138,
Firefox ESR 128.10, and Thunderbird 128.10
* CVE-2025-4093 (bmo#1894100)
Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird
128.10
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=812