8 changed files with 101 additions and 25 deletions
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@@ -1,3 +1,79 @@
+-------------------------------------------------------------------
+Sun Nov  9 12:24:12 UTC 2025 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Thunderbird 140.5.0 ESR
+  MFSA 2025-91 (bsc#1253188)
+  * CVE-2025-13012 (bmo#1991458)
+    Race condition in the Graphics component
+  * CVE-2025-13016 (bmo#1992130)
+    Incorrect boundary conditions in the JavaScript: WebAssembly
+    component
+  * CVE-2025-13017 (bmo#1980904)
+    Same-origin policy bypass in the DOM: Notifications component
+  * CVE-2025-13018 (bmo#1984940)
+    Mitigation bypass in the DOM: Security component
+  * CVE-2025-13019 (bmo#1988412)
+    Same-origin policy bypass in the DOM: Workers component
+  * CVE-2025-13013 (bmo#1991945)
+    Mitigation bypass in the DOM: Core & HTML component
+  * CVE-2025-13020 (bmo#1995686)
+    Use-after-free in the WebRTC: Audio/Video component
+  * CVE-2025-13014 (bmo#1994241)
+    Use-after-free in the Audio/Video component
+  * CVE-2025-13015 (bmo#1994164)
+    Spoofing issue in Thunderbird
+  * fixed: Could not drag and drop ICS file to Today Pane
+    (bmo#1992935)
+  * fixed: With Thunderbird closed, clicking a 'mailto:' link to
+    send signed message failed (bmo#1972857)
+  * fixed: Upgrade from 128.x->140.x broke authentication for
+    @att.net using Yahoo backend (bmo#1978361)
+
+-------------------------------------------------------------------
+Sat Oct 18 05:29:10 UTC 2025 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Thunderbird 140.4.0 ESR
+  * Account Hub is now disabled by default for second email account
+  * Users could not read mail signed with OpenPGP v6 and PQC keys
+  * Image preview in Insert Image dialog failed with CSP error for web resources
+  * Emptying trash on exit did not work with some providers
+  * Thunderbird could crash when applying filters
+  * Users were unable to override expired mail server certificate
+  * Opening Website header link in RSS feed incorrectly re-encoded
+    URL parameters
+  MFSA 2025-85 (bsc#1251263)
+  * CVE-2025-11708 (bmo#1988931)
+    Use-after-free in MediaTrackGraphImpl::GetInstance()
+  * CVE-2025-11709 (bmo#1989127)
+    Out of bounds read/write in a privileged process triggered by
+    WebGL textures
+  * CVE-2025-11710 (bmo#1989899)
+    Cross-process information leaked due to malicious IPC
+    messages
+  * CVE-2025-11711 (bmo#1989978)
+    Some non-writable Object properties could be modified
+  * CVE-2025-11712 (bmo#1979536)
+    An OBJECT tag type attribute overrode browser behavior on web
+    resources without a content-type
+  * CVE-2025-11713 (bmo#1986142)
+    Potential user-assisted code execution in “Copy as cURL”
+    command
+  * CVE-2025-11714 (bmo#1973699, bmo#1989945, bmo#1990970,
+    bmo#1991040, bmo#1992113)
+    Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
+    140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
+  * CVE-2025-11715 (bmo#1983838, bmo#1987624, bmo#1988244,
+    bmo#1988912, bmo#1989734, bmo#1990085, bmo#1991899)
+    Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
+    ESR 140.4, Firefox 144 and Thunderbird 144
+
+-------------------------------------------------------------------
+Tue Sep 30 16:41:53 UTC 2025 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Thunderbird 140.3.1 ESR
+  * several bugfixes listed here
+    https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes
+
 -------------------------------------------------------------------
 Sun Sep 14 06:58:42 UTC 2025 - Wolfgang Rosenauer <wr@rosenauer.org>

--- a/MozillaThunderbird.spec
+++ b/MozillaThunderbird.spec
@@ -30,8 +30,8 @@
 # major 69
 # mainver %%major.99
 %define major          140
-%define mainver        %major.3.0
-%define orig_version   140.3.0
+%define mainver        %major.5.0
+%define orig_version   140.5.0
 %define orig_suffix    esr
 %define update_channel esr
 %define source_prefix  thunderbird-%{orig_version}
--- a/l10n-140.5.0esr.tar.xz
+++ b/l10n-140.5.0esr.tar.xz
--- a/8
+++ b/8
@@ -1,10 +1,10 @@
 PRODUCT="thunderbird"
 CHANNEL="esr140"
-VERSION="140.3.0"
+VERSION="140.5.0"
 VERSION_SUFFIX="esr"
-REV_VERSION="140.2.1"
+REV_VERSION="140.4.0"
 PREV_VERSION_SUFFIX="esr"
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr140"
-RELEASE_TAG="34b243658c31506d293b13d67238ccca56c290e0"
-RELEASE_TIMESTAMP="20250911182516"
+RELEASE_TAG="6a3011b7161c6f3a36d5116f2608d51b19fb4d58"
+RELEASE_TIMESTAMP="20251108022659"
--- a/thunderbird-140.3.0esr.source.tar.xz
+++ b/thunderbird-140.3.0esr.source.tar.xz
--- a/thunderbird-140.3.0esr.source.tar.xz.asc
+++ b/thunderbird-140.3.0esr.source.tar.xz.asc
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEECb7tY/NGKi3/qzuHXstkl8GiAlYFAmjDU+UACgkQXstkl8Gi
-AlaRzhAAilg8h5t2o0FZJpVfAc3jaNW9//GFwpnoFu6QB0IEi/QP+SYphSrLmxnS
-pjHxhdZ4SHKkcl7EawHmhbW54TuncnUBTRqOhGu+AosUVgrdImVTRaF3mQWh8v94
-G3XsRIPl7T8hd85bACS6HItMhTy7rFsJSiUQZ7C+tXLn0QsL3WNOzx4pmTSEZj56
-ywuctRC6GXTxdw8AZcDG6624RkDTdNq0ISw7Ge24kckpUiGaM/bS455l+Tol72Jy
-7+uKywIBWCwumQsTjRf6DeEik543atrNBLb2BAJOCU/HetR5sOcoL+hPUsJU2VNq
-53w3Yx991nC0cioeccYEjaxh2ejzaOeRMtuqyxz7OjtBtGu+KUuJahW9kmR/0xBX
-1Jof/mT3C2JZZuKj5soaxkGvOL3IWJJ69e2DHW45D6Di/TS9yGgqsy8npuVCZJGA
-dfo6/YVivEtQIcwZKqjUQqRAmQ5AMy6hD4fgmK7gw3LqQdig8MwDxkGGLxNRHhah
-9NB8sLvG2j1qPUZLBM9Ky5yXXvBuziGpb2llrnK3xr7N2fM6f9d6eTchDt9kG6ly
-aSYoSUd/vRYb4XXvr5ESkUDDJRGTmVwEexM/USPOlFg+iPSvmxJ6Rj+R/d3ruhOK
-a0qg/ZdGiQmkpD0OXwhOOfTGXZLuI7Qtg6s6NUUQmmGPBJvoLjM=
-=R/Vh
-----END PGP SIGNATURE-----
--- a/thunderbird-140.5.0esr.source.tar.xz
+++ b/thunderbird-140.5.0esr.source.tar.xz
--- a/thunderbird-140.5.0esr.source.tar.xz.asc
+++ b/thunderbird-140.5.0esr.source.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEECb7tY/NGKi3/qzuHXstkl8GiAlYFAmkOzIQACgkQXstkl8Gi
+AlasTQ/+JbrEW3aHRhVa1xBwFx5aUXroEAcufGOovpwlmb8wYmmyeuELWbzsrQRv
+SX7HqLrF8FYfZOgy8qHbz7W8zIHSi5K312u2WuDdguj4SkUdJp5Qimnq6uW+eBBo
+bVrKXFSvUvseuswutCjBLha/A49VHvJehz6f9ITCyva3yiK8LOVEeX/QNkP9Ust7
+8Ry+cgrmWGw3vN991OqYvg3mwKKGuQHk//11gaUaRU2yO6r6bkLWB+bMedGWZWhb
+WC+o3Weu1jR5piNKLTrZZjKV5PK4va7bIW13amu+t+XiNBGt/CMnXr2isTJ+qRIs
+F7P9yk+mjEoFo3RDslCZorSLv+8VHglIhtw4Ont4KMDzuXru76/RwIa7qaG8vINp
+Dx2BOKmIde26X63Nva87+KdEf4x+DoVkPr4yqWUxEugUlWuVXGvBLEhszfbmEqA5
+E8XdYLX4fnrG9kAAg4pGccIYJ4LIu/n82ZDKU7u/vea2Sdcemdcgn35/8jnbs3oV
+MNDduQ/ISxIzGuYbosfIIk7oMWUpc7bwnnNb+PuB4GOHNl/PjGXO0iOFgx8iUEPQ
+jLHYNVDnPCI2Cdqx5JsObv6zlN9NyJKNVEnDKh9fLmqolkdiy97wSn/Hjz1EwmjG
+MlOCr6YByB9kUPPEVYYh852J2yUirgxzc5eA0TuuM9GeL+wQClY=
+=wq2n
+-----END PGP SIGNATURE-----