35166 – Thunderbird 140.8

Bug 35166 - Thunderbird 140.8

Summary: Thunderbird 140.8

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:	35165
Blocks:
	Show dependency tree / graph

Reported:	2026-03-02 09:24 CET by Nicolas Salguero
Modified:	2026-03-09 20:20 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	thunderbird, thunderbird-l01n
CVE:	CVE-2026-275[7-9], CVE-2026-276[0-9], CVE-2026-277[0-9], CVE-2026-2780, CVE-2026-278[2-9], CVE-2026-279[0-3]
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2026-03-02 09:24:29 CET

Mozilla has released Thunderbird 140.8 on February 24:
https://www.thunderbird.net/en-US/thunderbird/140.8.0esr/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-17/

Nicolas Salguero 2026-03-02 09:24:52 CET

Flags: (none) => affects_mga9+
Source RPM: (none) => thunderbird, thunderbird-l01n
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2026-03-02 09:25:13 CET

Depends on: (none) => 35165

Nicolas Salguero 2026-03-02 09:31:10 CET

CVE: (none) => CVE-2026-275[7-9], CVE-2026-276[0-9], CVE-2026-277[0-9], CVE-2026-278[0-9], CVE-2026-279[0-3]

Nicolas Salguero 2026-03-02 09:33:26 CET

CVE: CVE-2026-275[7-9], CVE-2026-276[0-9], CVE-2026-277[0-9], CVE-2026-278[0-9], CVE-2026-279[0-3] => CVE-2026-275[7-9], CVE-2026-276[0-9], CVE-2026-277[0-9], CVE-2026-2780, CVE-2026-278[2-9], CVE-2026-279[0-3]

Comment 1 Nicolas Salguero 2026-03-02 14:37:52 CET

thunderbird and thunderbird-l01n 140.8.0 are in the SVN.

Comment 2 katnatek 2026-03-02 20:35:04 CET

For thunderbird fail https://bugzilla.mozilla.org/show_bug.cgi?id=2006630

Comment 3 Lewis Smith 2026-03-02 20:55:02 CET

Again leaving with you, Nicolas; CC'ing José re previous comment.

CC: (none) => j.alberto.vc
Assignee: bugsquad => nicolas.salguero

Comment 4 katnatek 2026-03-04 03:40:56 CET

RPMS:

thunderbird-140.8.0-1.mga9
thunderbird-af-140.8.0-1.mga9.noarch.rpm
thunderbird-ar-140.8.0-1.mga9.noarch.rpm
thunderbird-ast-140.8.0-1.mga9.noarch.rpm
thunderbird-be-140.8.0-1.mga9.noarch.rpm
thunderbird-bg-140.8.0-1.mga9.noarch.rpm
thunderbird-br-140.8.0-1.mga9.noarch.rpm
thunderbird-ca-140.8.0-1.mga9.noarch.rpm
thunderbird-cs-140.8.0-1.mga9.noarch.rpm
thunderbird-cy-140.8.0-1.mga9.noarch.rpm
thunderbird-da-140.8.0-1.mga9.noarch.rpm
thunderbird-de-140.8.0-1.mga9.noarch.rpm
thunderbird-dsb-140.8.0-1.mga9.noarch.rpm
thunderbird-el-140.8.0-1.mga9.noarch.rpm
thunderbird-en_CA-140.8.0-1.mga9.noarch.rpm
thunderbird-en_GB-140.8.0-1.mga9.noarch.rpm
thunderbird-en_US-140.8.0-1.mga9.noarch.rpm
thunderbird-es_AR-140.8.0-1.mga9.noarch.rpm
thunderbird-es_ES-140.8.0-1.mga9.noarch.rpm
thunderbird-es_MX-140.8.0-1.mga9.noarch.rpm
thunderbird-et-140.8.0-1.mga9.noarch.rpm
thunderbird-eu-140.8.0-1.mga9.noarch.rpm
thunderbird-fi-140.8.0-1.mga9.noarch.rpm
thunderbird-fr-140.8.0-1.mga9.noarch.rpm
thunderbird-fy_NL-140.8.0-1.mga9.noarch.rpm
thunderbird-ga_IE-140.8.0-1.mga9.noarch.rpm
thunderbird-gd-140.8.0-1.mga9.noarch.rpm
thunderbird-gl-140.8.0-1.mga9.noarch.rpm
thunderbird-he-140.8.0-1.mga9.noarch.rpm
thunderbird-hr-140.8.0-1.mga9.noarch.rpm
thunderbird-hsb-140.8.0-1.mga9.noarch.rpm
thunderbird-hu-140.8.0-1.mga9.noarch.rpm
thunderbird-hy_AM-140.8.0-1.mga9.noarch.rpm
thunderbird-id-140.8.0-1.mga9.noarch.rpm
thunderbird-is-140.8.0-1.mga9.noarch.rpm
thunderbird-it-140.8.0-1.mga9.noarch.rpm
thunderbird-ja-140.8.0-1.mga9.noarch.rpm
thunderbird-ka-140.8.0-1.mga9.noarch.rpm
thunderbird-kab-140.8.0-1.mga9.noarch.rpm
thunderbird-kk-140.8.0-1.mga9.noarch.rpm
thunderbird-ko-140.8.0-1.mga9.noarch.rpm
thunderbird-lt-140.8.0-1.mga9.noarch.rpm
thunderbird-lv-140.8.0-1.mga9.noarch.rpm
thunderbird-ms-140.8.0-1.mga9.noarch.rpm
thunderbird-nb_NO-140.8.0-1.mga9.noarch.rpm
thunderbird-nl-140.8.0-1.mga9.noarch.rpm
thunderbird-nn_NO-140.8.0-1.mga9.noarch.rpm
thunderbird-pa_IN-140.8.0-1.mga9.noarch.rpm
thunderbird-pl-140.8.0-1.mga9.noarch.rpm
thunderbird-pt_BR-140.8.0-1.mga9.noarch.rpm
thunderbird-pt_PT-140.8.0-1.mga9.noarch.rpm
thunderbird-ro-140.8.0-1.mga9.noarch.rpm
thunderbird-ru-140.8.0-1.mga9.noarch.rpm
thunderbird-sk-140.8.0-1.mga9.noarch.rpm
thunderbird-sl-140.8.0-1.mga9.noarch.rpm
thunderbird-sq-140.8.0-1.mga9.noarch.rpm
thunderbird-sr-140.8.0-1.mga9.noarch.rpm
thunderbird-sv_SE-140.8.0-1.mga9.noarch.rpm
thunderbird-th-140.8.0-1.mga9.noarch.rpm
thunderbird-tr-140.8.0-1.mga9.noarch.rpm
thunderbird-uk-140.8.0-1.mga9.noarch.rpm
thunderbird-uz-140.8.0-1.mga9.noarch.rpm
thunderbird-vi-140.8.0-1.mga9.noarch.rpm
thunderbird-zh_CN-140.8.0-1.mga9.noarch.rpm
thunderbird-zh_TW-140.8.0-1.mga9.noarch.rpm



SRPMS:
thunderbird-140.8.0-1.mga9
thunderbird-l10n-140.8.0-1.mga9

Nicolas, please provide advisory

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: nicolas.salguero => qa-bugs

Nicolas Salguero 2026-03-04 09:13:11 CET

Flags: affects_mga9+ => (none)

Comment 6 Nicolas Salguero 2026-03-04 09:13:57 CET

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Incorrect boundary conditions in the WebRTC: Audio/Video component. (CVE-2026-2757)

Use-after-free in the JavaScript: GC component. (CVE-2026-2758)

Incorrect boundary conditions in the Graphics: ImageLib component. (CVE-2026-2759)

Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. (CVE-2026-2760)

Sandbox escape in the Graphics: WebRender component. (CVE-2026-2761)

Integer overflow in the JavaScript: Standard Library component. (CVE-2026-2762)

Use-after-free in the JavaScript Engine component. (CVE-2026-2763)

JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2764)

Use-after-free in the JavaScript Engine component. (CVE-2026-2765)

Use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2766)

Use-after-free in the JavaScript: WebAssembly component. (CVE-2026-2767)

Sandbox escape in the Storage: IndexedDB component. (CVE-2026-2768)

Use-after-free in the Storage: IndexedDB component. (CVE-2026-2769)

Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-2770)

Undefined behavior in the DOM: Core & HTML component. (CVE-2026-2771)

Use-after-free in the Audio/Video: Playback component. (CVE-2026-2772)

Incorrect boundary conditions in the Web Audio component. (CVE-2026-2773)

Integer overflow in the Audio/Video component. (CVE-2026-2774)

Mitigation bypass in the DOM: HTML Parser component. (CVE-2026-2775)

Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. (CVE-2026-2776)

Privilege escalation in the Messaging System component. (CVE-2026-2777)

Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. (CVE-2026-2778)

Incorrect boundary conditions in the Networking: JAR component. (CVE-2026-2779)

Privilege escalation in the Netmonitor component. (CVE-2026-2780)

Privilege escalation in the Netmonitor component. (CVE-2026-2782)

Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2026-2783)

Mitigation bypass in the DOM: Security component. (CVE-2026-2784)

Invalid pointer in the JavaScript Engine component. (CVE-2026-2785)

Use-after-free in the JavaScript Engine component. (CVE-2026-2786)

Use-after-free in the DOM: Window and Location component. (CVE-2026-2787)

Incorrect boundary conditions in the Audio/Video: GMP component. (CVE-2026-2788)

Use-after-free in the Graphics: ImageLib component. (CVE-2026-2789)

Same-origin policy bypass in the Networking: JAR component. (CVE-2026-2790)

Mitigation bypass in the Networking: Cache component. (CVE-2026-2791)

Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2792)

Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2793)

References:
https://www.thunderbird.net/en-US/thunderbird/140.8.0esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-17/

katnatek 2026-03-04 20:19:08 CET

CC: j.alberto.vc => (none)

katnatek 2026-03-05 03:27:50 CET

Keywords: (none) => advisory

Comment 7 Herman Viaene 2026-03-05 14:58:39 CET

MGA9-64 server Plasma Wayland on Compaq H000SB
No installatiuion issues.
Tested by sending and receiving mails withouth and with attachments to and from desktop PC
Synching with Google calendar, all works OK

CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2026-03-07 23:09:01 CET

I updated this and Firefox in one operation three days ago, with no issues. Sent and received POP mail, checked newsgroups, all seems OK.

CC: (none) => andrewsfarm

Comment 9 Thomas Andrews 2026-03-08 19:30:45 CET

Still no issues with this. Validating.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update

Comment 10 Morgan Leijström 2026-03-08 21:49:08 CET

OK x86_64, Plasma, on my workstation svarten

Plasma X11, Swedish locale

$  thunderbird --version
Mozilla Thunderbird 140.8.0esr


__Repeated tests like I use to perform:
Closed Thunderbird, data backup, updated, started:
Thunderbird just keep working OK:
Swedish locale
Settings and local mail kept
IMAP (offline, IMAP to synk to server)
SMTP
Sent and received mail with inline png and attached pdf
Viewed attached pdf in Thunderbird, and printed to network printer.

I do not use calendar nor tasks or filters.

System and machine details in Bug 35165 Comment 18

CC: (none) => fri

Comment 11 Jose Manuel López 2026-03-09 09:53:15 CET

Installed in Mageia 9 Plasma x86_64, 

Pc Intel I3 with mesa drivers.

Works fine for the moment

Pop3 and Imap accounts ok.
Calendar and task ok.
Send and receive ok.
Spanish locale ok.
Signatures ok.

CC: (none) => Joselp

Comment 12 Jose Manuel López 2026-03-09 09:55:09 CET

Installed in Mageia 9 Plasma x86_64, 

Laptop Slimbok Essential Intel I5 wit Mesa Intel Iris driver

Works fine for the moment

Pop3 and Imap accounts ok.
Calendar and task ok.
Send and receive ok.
Spanish locale ok.
Signatures ok.

Comment 13 Dan Fandrich 2026-03-09 17:58:49 CET

thunderbird-l10n-140.8.0-1.mga9 is missing from the advisory. Shouldn't that be included?

CC: (none) => dan

Comment 14 katnatek 2026-03-09 18:09:18 CET

(In reply to Dan Fandrich from comment #13)
> thunderbird-l10n-140.8.0-1.mga9 is missing from the advisory. Shouldn't that
> be included?

Obviously yes :S,Fixed

Comment 15 Mageia Robot 2026-03-09 20:20:44 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0053.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.