Bug 35273 - Thunderbird 140.9
Summary: Thunderbird 140.9
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 35272
Blocks:
 
Reported: 2026-03-25 09:48 CET by Nicolas Salguero
Modified: 2026-04-02 18:49 CEST

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE: CVE-2025-59375, CVE-2026-3889, CVE-2026-468[4-9], CVE-2026-469[0-9], CVE-2026-470[012456789], CVE-2026-471[0-9], CVE-2026-472[01]
Status comment:
andrewsfarm: test_passed_mga9_64+



Description Nicolas Salguero 2026-03-25 09:48:48 CET
Mozilla has released Thunderbird 140.9 on March 24:
https://www.thunderbird.net/en-US/thunderbird/140.9.0esr/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/
Nicolas Salguero 2026-03-25 09:59:37 CET

Flags: (none) => affects_mga9+
Depends on: (none) => 35272
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-59375, CVE-2026-3889, CVE-2026-468[4-9], CVE-2026-469[0-9], CVE-2026-470[012456789], CVE-2026-471[0-9], CVE-2026-472[01]
Source RPM: (none) => thunderbird, thunderbird-l10n

Comment 1 Lewis Smith 2026-03-25 10:20:55 CET
As usual for this SRPM, assigning to you Nicolas.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2026-03-27 08:19:45 CET
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Denial-of-service in the XML component. (CVE-2025-59375)

Spoofing issue in Thunderbird. (CVE-2026-3889)

Race condition, use-after-free in the Graphics: WebRender component. (CVE-2026-4684)

Incorrect boundary conditions in the Graphics: Canvas2D component. (CVE-2026-4685)

Incorrect boundary conditions in the Graphics: Canvas2D component. (CVE-2026-4686)

Sandbox escape due to incorrect boundary conditions in the Telemetry component. (CVE-2026-4687)

Sandbox escape due to use-after-free in the Disability Access APIs component. (CVE-2026-4688)

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. (CVE-2026-4689)

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. (CVE-2026-4690)

Use-after-free in the CSS Parsing and Computation component. (CVE-2026-4691)

Sandbox escape in the Responsive Design Mode component. (CVE-2026-4692)

Incorrect boundary conditions in the Audio/Video: Playback component. (CVE-2026-4693)

Incorrect boundary conditions, integer overflow in the Graphics component. (CVE-2026-4694)

Incorrect boundary conditions in the Audio/Video: Web Codecs component. (CVE-2026-4695)

Use-after-free in the Layout: Text and Fonts component. (CVE-2026-4696)

Incorrect boundary conditions in the Audio/Video: Web Codecs component. (CVE-2026-4697)

JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2026-4698)

Incorrect boundary conditions in the Layout: Text and Fonts component. (CVE-2026-4699)

Mitigation bypass in the Networking: HTTP component. (CVE-2026-4700)

Use-after-free in the JavaScript Engine component. (CVE-2026-4701)

JIT miscompilation in the JavaScript Engine component. (CVE-2026-4702)

Denial-of-service in the WebRTC: Signaling component. (CVE-2026-4704)

Undefined behavior in the WebRTC: Signaling component. (CVE-2026-4705)

Incorrect boundary conditions in the Graphics: Canvas2D component. (CVE-2026-4706)

Incorrect boundary conditions in the Graphics: Canvas2D component. (CVE-2026-4707)

Incorrect boundary conditions in the Graphics component. (CVE-2026-4708)

Incorrect boundary conditions in the Audio/Video: GMP component. (CVE-2026-4709)

Incorrect boundary conditions in the Audio/Video component. (CVE-2026-4710)

Use-after-free in the Widget: Cocoa component. (CVE-2026-4711)

Information disclosure in the Widget: Cocoa component. (CVE-2026-4712)

Incorrect boundary conditions in the Graphics component. (CVE-2026-4713)

Incorrect boundary conditions in the Audio/Video component. (CVE-2026-4714)

Uninitialized memory in the Graphics: Canvas2D component. (CVE-2026-4715)

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. (CVE-2026-4716)

Privilege escalation in the Netmonitor component. (CVE-2026-4717)

Undefined behavior in the WebRTC: Signaling component. (CVE-2026-4718)

Incorrect boundary conditions in the Graphics: Text component. (CVE-2026-4719)

Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. (CVE-2026-4720)

Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. (CVE-2026-4721)

References:
https://www.thunderbird.net/en-US/thunderbird/140.9.0esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/
========================

Updated packages in core/updates_testing:
========================
thunderbird-140.9.0-1.mga9
thunderbird-af-140.9.0-1.mga9
thunderbird-ar-140.9.0-1.mga9
thunderbird-ast-140.9.0-1.mga9
thunderbird-be-140.9.0-1.mga9
thunderbird-bg-140.9.0-1.mga9
thunderbird-br-140.9.0-1.mga9
thunderbird-ca-140.9.0-1.mga9
thunderbird-cs-140.9.0-1.mga9
thunderbird-cy-140.9.0-1.mga9
thunderbird-da-140.9.0-1.mga9
thunderbird-de-140.9.0-1.mga9
thunderbird-dsb-140.9.0-1.mga9
thunderbird-el-140.9.0-1.mga9
thunderbird-en_CA-140.9.0-1.mga9
thunderbird-en_GB-140.9.0-1.mga9
thunderbird-en_US-140.9.0-1.mga9
thunderbird-es_AR-140.9.0-1.mga9
thunderbird-es_ES-140.9.0-1.mga9
thunderbird-es_MX-140.9.0-1.mga9
thunderbird-et-140.9.0-1.mga9
thunderbird-eu-140.9.0-1.mga9
thunderbird-fi-140.9.0-1.mga9
thunderbird-fr-140.9.0-1.mga9
thunderbird-fy_NL-140.9.0-1.mga9
thunderbird-ga_IE-140.9.0-1.mga9
thunderbird-gd-140.9.0-1.mga9
thunderbird-gl-140.9.0-1.mga9
thunderbird-he-140.9.0-1.mga9
thunderbird-hr-140.9.0-1.mga9
thunderbird-hsb-140.9.0-1.mga9
thunderbird-hu-140.9.0-1.mga9
thunderbird-hy_AM-140.9.0-1.mga9
thunderbird-id-140.9.0-1.mga9
thunderbird-is-140.9.0-1.mga9
thunderbird-it-140.9.0-1.mga9
thunderbird-ja-140.9.0-1.mga9
thunderbird-ka-140.9.0-1.mga9
thunderbird-kab-140.9.0-1.mga9
thunderbird-kk-140.9.0-1.mga9
thunderbird-ko-140.9.0-1.mga9
thunderbird-lt-140.9.0-1.mga9
thunderbird-lv-140.9.0-1.mga9
thunderbird-ms-140.9.0-1.mga9
thunderbird-nb_NO-140.9.0-1.mga9
thunderbird-nl-140.9.0-1.mga9
thunderbird-nn_NO-140.9.0-1.mga9
thunderbird-pa_IN-140.9.0-1.mga9
thunderbird-pl-140.9.0-1.mga9
thunderbird-pt_BR-140.9.0-1.mga9
thunderbird-pt_PT-140.9.0-1.mga9
thunderbird-ro-140.9.0-1.mga9
thunderbird-ru-140.9.0-1.mga9
thunderbird-sk-140.9.0-1.mga9
thunderbird-sl-140.9.0-1.mga9
thunderbird-sq-140.9.0-1.mga9
thunderbird-sr-140.9.0-1.mga9
thunderbird-sv_SE-140.9.0-1.mga9
thunderbird-th-140.9.0-1.mga9
thunderbird-tr-140.9.0-1.mga9
thunderbird-uk-140.9.0-1.mga9
thunderbird-uz-140.9.0-1.mga9
thunderbird-vi-140.9.0-1.mga9
thunderbird-zh_CN-140.9.0-1.mga9
thunderbird-zh_TW-140.9.0-1.mga9

from SRPMS:
thunderbird-140.9.0-1.mga9.src.rpm
thunderbird-l10n-140.9.0-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: nicolas.salguero => qa-bugs
Flags: affects_mga9+ => (none)

Comment 3 Herman Viaene 2026-03-27 17:00:22 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Connection with Google calendar OK.
Send and receive mails without and with attachments work OK.
Two minor remarks:
This is the first version in a long time that does not duplicate mails in Sent folder by default. Good!!
This is an installation over an existing 140.8 version, so I did not touch the .thunderbird folder manually. But I had to change the setting to display the Menu bar as I always use Thunderbird in such a setting. This is a minor niggle.

CC: (none) => herman.viaene

katnatek 2026-03-28 03:02:02 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2026-03-29 19:18:53 CEST
MGA9-64 Plasma. No installation issues. 

Sent and received POP mail, checked newsgroups, looks OK here.

CC: (none) => andrewsfarm

Comment 5 Morgan Leijström 2026-03-30 13:23:40 CEST
OK x86_64, Plasma, on my workstation svarten

Plasma X11, Swedish locale

$  thunderbird --version
Mozilla Thunderbird 140.9.0esr

Repeated tests like I usually perform, over a couple of days:
Closed Thunderbird, data backup, updated, started:
Thunderbird just keeps working OK:
Swedish locale
Settings and local mail kept
IMAP (offline, IMAP to sync to server)
SMTP
Sent and received mail with inline png and attached pdf
Viewed attached pdf in Thunderbird, and printed to network printer.

I do not use calendar nor tasks or filters.

Also in similar use OK by my wife.

CC: (none) => fri

Comment 6 Thomas Andrews 2026-04-02 16:39:06 CEST
I've been using this in Cauldron for several days now, with no issues. Time to send it on.

Validating.

Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2026-04-02 18:49:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0081.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

