head 1.16; access; symbols pkgsrc-2026Q1:1.12.0.2 pkgsrc-2026Q1-base:1.12 pkgsrc-2025Q4:1.4.0.2 pkgsrc-2025Q4-base:1.4; locks; strict; comment @# @; 1.16 date 2026.05.07.20.25.32; author gutteridge; state Exp; branches; next 1.15; commitid iWQ3iojshMyrgVEG; 1.15 date 2026.04.30.18.51.22; author gutteridge; state Exp; branches; next 1.14; commitid yKrZQOCM2JcYX0EG; 1.14 date 2026.04.21.13.40.08; author gutteridge; state Exp; branches; next 1.13; commitid D87keWPDmUVexPCG; 1.13 date 2026.04.09.18.37.06; author gutteridge; state Exp; branches; next 1.12; commitid 3tYWuzeMsO94zjBG; 1.12 date 2026.03.24.13.11.35; author gutteridge; state Exp; branches 1.12.2.1; next 1.11; commitid OQxDJoo44o6ghezG; 1.11 date 2026.02.24.14.07.55; author gutteridge; state Exp; branches; next 1.10; commitid e6LxN1xHBOyguDvG; 1.10 date 2026.02.17.00.26.49; author gutteridge; state Exp; branches; next 1.9; commitid r8ldzyvFdlHkaFuG; 1.9 date 2026.01.27.08.40.49; author wiz; state Exp; branches; next 1.8; commitid f4MYtJVcsY7dz0sG; 1.8 date 2026.01.13.17.20.06; author gutteridge; state Exp; branches; next 1.7; commitid hqngZbAqcqMiTfqG; 1.7 date 2026.01.07.08.49.18; author wiz; state Exp; branches; next 1.6; commitid 1wQ3ICD8eebefrpG; 1.6 date 2026.01.06.23.27.50; author gutteridge; state Exp; branches; next 1.5; commitid j97VjMVViBWP9opG; 1.5 date 2025.12.22.06.08.17; author adam; state Exp; branches; next 1.4; commitid YVGobEfcMaDpTmnG; 1.4 date 2025.12.11.11.05.21; author leot; state Exp; branches 1.4.2.1; next 1.3; commitid Jl8MdNyMAsEOSYlG; 1.3 date 2025.11.12.19.48.10; author leot; state Exp; branches; next 1.2; commitid c5kiPkEu7aPWHiiG; 1.2 date 2025.10.23.20.39.46; author wiz; state Exp; branches; next 1.1; commitid 1V2hBZn9ypXaCJfG; 1.1 date 2025.10.19.11.56.55; author leot; state Exp; branches; next ; commitid O4nVQ7B6izcESafG; 1.12.2.1 date 2026.04.10.19.09.35; author bsiegert; state Exp; branches; next 1.12.2.2; commitid FTTeGhuFkwkjIrBG; 1.12.2.2 date 2026.04.22.14.32.19; author 
maya; state Exp; branches; next 1.12.2.3; commitid iDHLLUhOplH6NXCG; 1.12.2.3 date 2026.04.26.19.35.21; author bsiegert; state Exp; branches; next 1.12.2.4; commitid M5E5QUqdg03glvDG; 1.12.2.4 date 2026.05.02.19.26.59; author bsiegert; state Exp; branches; next 1.12.2.5; commitid idHf729mVYiq6hEG; 1.12.2.5 date 2026.05.08.11.16.50; author maya; state Exp; branches; next ; commitid HGEyfAIx2h2kc0FG; 1.4.2.1 date 2026.01.14.18.58.46; author maya; state Exp; branches; next 1.4.2.2; commitid xVspYetx9XpZpoqG; 1.4.2.2 date 2026.02.28.20.14.29; author bsiegert; state Exp; branches; next ; commitid nTJO074MkAchobwG; desc @@ 1.16 log @firefox140: update to 140.10.2 Mozilla Foundation Security Advisory 2026-41 Security Vulnerabilities fixed in Firefox ESR 140.10.2 Announced May 7, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.10.2 #CVE-2026-8090: Use-after-free in the DOM: Networking component Reporter Kevin Brosnan Impact high References Bug 2034352 #CVE-2026-8094: Other issue in the WebRTC component Reporter Michael Froman Impact high References Bug 2035939 #CVE-2026-8092: Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2 Reporter Andrew McCreight, Christian Holler, Lee Salzman, Maurice Dauer, Tom Schuster, Wayne Mery and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 
References Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2
@
text
@# $NetBSD: Makefile,v 1.15 2026/04/30 18:51:22 gutteridge Exp $

FIREFOX_VER=	${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
MOZ_BRANCH=	140.10
MOZ_BRANCH_MINOR=	.2esr

DISTNAME=	firefox-${FIREFOX_VER}.source
PKGNAME=	${DISTNAME:S/.source//:S/b/beta/:S/esr//:S/firefox-/firefox140-/}
CATEGORIES=	www
MASTER_SITES+=	${MASTER_SITE_MOZILLA:=firefox/releases/${FIREFOX_VER}/source/}
MASTER_SITES+=	${MASTER_SITE_MOZILLA_ALL:=firefox/releases/${FIREFOX_VER}/source/}
EXTRACT_SUFX=	.tar.xz

NODEJSKIT=	nodejs-output-140.0.4.tgz
DISTFILES=	${DEFAULT_DISTFILES} ${NODEJSKIT}
SITES.${NODEJSKIT}=	${MASTER_SITE_LOCAL}

MAINTAINER=	ryoon@@NetBSD.org
HOMEPAGE=	https://www.mozilla.org/en-US/firefox/
COMMENT=	Web browser with support for extensions (version ${FIREFOX_VER:tu:C/\\.[[:digit:]\.]*//})
LICENSE=	mpl-1.1

# -------- BEFORE UPDATING THIS PACKAGE PLEASE READ & UNDERSTAND: -------
#
# This package works around a (stupid) build time dependency on nodejs
# (which is not available for all architectures and unnecessary for the
# real build). To do this, it places some additional burden on the
# maintainer.
#
# While working on the package, please make sure you have
#
#	FIREFOX_MAINTAINER=yes
#
# set in your build environment.
# When the package is ready for commit (but before commit), do:
#
#	make maintainer-files
#
# This will do another round (depending on state of your work dir at this
# moment) of one or two builds and generate a cache of all output that
# nodejs generates during a build.
#
# When this is done, just commit the results (they will be in the files/
# directory).
#
# -----------------------------------------------------------------------

WRKSRC=		${WRKDIR}/firefox-${PKGVERSION_NOREV}
MOZILLA_DIR=	# empty

# Note: In --enable-chrome-format=flat case,
# when updating remember to conditionalise about-background.png in PLIST

CONFIGURE_ARGS+=	--enable-application=browser

#CFLAGS+=	-I${PREFIX}/include/nspr
# for lang/gcc6
CFLAGS+=	-D_GLIBCXX_INCLUDE_NEXT_C_HEADERS

CFLAGS.SunOS+=	-D_POSIX_PTHREAD_SEMANTICS

# Do not use uselocale() in third_party/pipewire.
CFLAGS.NetBSD+=	-D__LOCALE_C_ONLY

LDFLAGS+=		${COMPILER_RPATH_FLAG}${PREFIX}/lib/${PKGBASE}
LDFLAGS+=		${COMPILER_RPATH_FLAG}${PREFIX}/lib
LDFLAGS.DragonFly+=	-lplc4 -lnspr4
LDFLAGS.FreeBSD+=	-lplc4 -lnspr4
LDFLAGS.Linux+=		-lnspr4
LDFLAGS.SunOS+=		-lm

# Should revisit to complete mprotect support.
NOT_PAX_MPROTECT_SAFE+=	lib/${PKGBASE}/${MOZILLA}
NOT_PAX_MPROTECT_SAFE+=	lib/${PKGBASE}/${MOZILLA}-bin

# Avoid ld "invalid section index" errors.
BUILDLINK_TRANSFORM.SunOS+=	rm:-fdata-sections
BUILDLINK_TRANSFORM.SunOS+=	rm:-ffunction-sections
BUILDLINK_TRANSFORM.SunOS+=	rm:-pie
BUILDLINK_TRANSFORM.SunOS+=	rm:-Wl,-rpath-link,${WRKDIR}/build/dist/bin
BUILDLINK_TRANSFORM.SunOS+=	rm:-Wl,-rpath-link,${PREFIX}/lib
# Workaround for https://bugs.llvm.org/show_bug.cgi?id=46366
BUILDLINK_TRANSFORM.NetBSD+=	rm:-fexperimental-new-pass-manager

SUBST_CLASSES+=			dfly_malloc_h
SUBST_STAGE.dfly_malloc_h=	pre-configure
SUBST_MESSAGE.dfly_malloc_h=	Dont include malloc.h on dragonflybsd
SUBST_SED.dfly_malloc_h=	-e 's,HAVE_MALLOC_H,HAVE_MALLOC_H \&\& !defined(__DragonFly__),g'
SUBST_FILES.dfly_malloc_h+=	media/ffvpx/libavutil/mem.c

SUBST_CLASSES+=		paths
SUBST_STAGE.paths=	pre-configure
SUBST_FILES.paths=	../firefox.sh
SUBST_VARS.paths=	PREFIX MOZILLA

.include "mozilla-common.mk"
.include "options.mk"

CHECK_INTERPRETER_SKIP+=	lib/firefox-sdk/sdk/bin/header.py
CHECK_INTERPRETER_SKIP+=	lib/firefox-sdk/sdk/bin/typelib.py
CHECK_INTERPRETER_SKIP+=	lib/firefox-sdk/sdk/bin/xpidl.py
CHECK_INTERPRETER_SKIP+=	lib/firefox-sdk/sdk/bin/xpt.py

CHECK_WRKREF_SKIP+=	lib/${MOZILLA}/omni.ja

MOZILLA=	${PKGBASE}

.if !empty(PKG_OPTIONS:Mofficial-mozilla-branding)
MOZILLA_NAME=		Firefox
MOZILLA_BRANDING=	official
.else
MOZILLA_NAME=		Browser
MOZILLA_BRANDING=	unofficial
.endif

pre-configure:
# As of 106.0, .in template files are not patched.
#	cd ${WRKSRC} && autoconf
#	cd ${WRKSRC}/js/src && autoconf
	cd ${WRKSRC} && mkdir ${OBJDIR}
	cd ${WRKSRC}/${OBJDIR} && touch old-configure.vars
# Do not fetch Rust Cargo file via network during build
.if !defined(FIREFOX_MAINTAINER)
	mv ${WRKDIR}/dist ${WRKSRC}/${OBJDIR}
.endif

.if defined(FIREFOX_MAINTAINER)
# Create files needed only by the firefox maintainer when updating
# the package
# XXX - manually removing the .*_done files is wrong!

.PHONY: build-list
build-list:
	cd ${WRKSRC}/${OBJDIR}/dist/bin/browser/chrome && \
		find . -type f | sort > ${OUT:Q}

NODE_LIST=	"${WRKDIR}/node.list"
NO_NODE_LIST=	"${WRKDIR}/no-node.list"
NODE_FILES=	"${WRKDIR}/node.flist"

.PHONY: maintainer-files
maintainer-files:
	rm -f ${FILESDIR}/node-wrapper.sh
	V=$$( node -v ) && \
	printf '#! /bin/sh\n\nVERS=%s\n\nif [ "$$1" = "-v" ] || [ "$$1" = "--version" ]; then\n\tprintf "$${VERS}\\n"\nfi\n\nexit 0\n' $$V \
		> ${FILESDIR}/node-wrapper.sh && \
		chmod 0755 ${FILESDIR}/node-wrapper.sh
	rm -f ${WRKDIR}/.build_done ${WRKDIR}/.configure_done
	${MAKE} MAINTAINER_INTERNAL=yes build
	${MAKE} MAINTAINER_INTERNAL=yes OUT="${NO_NODE_LIST}" build-list
	${MAKE} OUT="${NODE_LIST}" build-list
	${DIFF} -u "${NO_NODE_LIST}" "${NODE_LIST}" | \
		${AWK} \
		'/^\+\.\//{ printf("dist/bin/browser/chrome/%s\n", gensub(/^\+\.\//, "", "")) }' \
		> "${NODE_FILES}"
	cd ${WRKSRC}/${OBJDIR} && tar -c -T "${NODE_FILES}" -z \
		-f ${FILESDIR}/nodejs-output-${PKGVERSION_NOREV}.tgz
.endif

pre-patch:
	for f in $$(find ${WRKSRC}/third_party/libwebrtc -name moz.build -type f) ; \
	do \
		${AWK} -f ${FILESDIR}/replace-moz.build.awk $$f > $$f.new; mv $$f.new $$f ; \
	done
	for f in $$(find ${WRKSRC}/third_party/abseil-cpp -name moz.build -type f) ; \
	do \
		${AWK} -f ${FILESDIR}/replace-moz.build.awk $$f > $$f.new; mv $$f.new $$f ; \
	done

post-build:
	${SED} -e 's|@@MOZILLA@@|${MOZILLA}|g' \
		-e 's|@@MOZILLA_NAME@@|${MOZILLA_NAME}|g' \
		-e 's|@@FIREFOX_ICON@@|${MOZILLA}|g' \
		< ${FILESDIR}/desktop.in \
		> ${WRKDIR}/desktop

INSTALLATION_DIRS+=	share/applications

post-extract:
	${CP} ${FILESDIR}/firefox.sh ${WRKDIR}/firefox.sh

post-install:
.if ${OPSYS} == "NetBSD" && ${X11_TYPE} == "native"
	${INSTALL_SCRIPT} ${WRKDIR}/firefox.sh ${DESTDIR}${PREFIX}/bin/${MOZILLA}
.else
	${ECHO} '#! /bin/sh' > ${DESTDIR}${PREFIX}/bin/${MOZILLA}
	${ECHO} '${PREFIX}/lib/${MOZILLA}/${MOZILLA} "$$@@"' >> \
		${DESTDIR}${PREFIX}/bin/${MOZILLA}
	${CHMOD} 755 ${DESTDIR}${PREFIX}/bin/${MOZILLA}
.endif
	${INSTALL_DATA} ${WRKDIR}/desktop \
		${DESTDIR}${PREFIX}/share/applications/${MOZILLA}.desktop
.for i in 16 22 24 32 48 64 128 256
	${INSTALL_DATA_DIR} ${DESTDIR}${PREFIX}/share/icons/hicolor/${i}x${i}/apps
	${INSTALL_DATA} ${WRKSRC}/browser/branding/${MOZILLA_BRANDING}/default${i}.png \
		${DESTDIR}${PREFIX}/share/icons/hicolor/${i}x${i}/apps/${MOZILLA}.png
.endfor

.include "../../graphics/hicolor-icon-theme/buildlink3.mk"
.include "../../sysutils/desktop-file-utils/desktopdb.mk"
.include "../../mk/bsd.pkg.mk"
@


1.15
log
@firefox140: update to 140.10.1 Mozilla Foundation Security Advisory 2026-36 Security Vulnerabilities fixed in Firefox ESR 140.10.1 Announced April 28, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.10.1 #CVE-2026-7320: Information disclosure due to incorrect boundary conditions in the Audio/Video component Reporter Xuehao Guo Impact high References Bug 2027433 #CVE-2026-7321: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component Reporter The Mozilla Fuzzing Team Impact moderate References Bug 2029461 #CVE-2026-7322: Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1 Reporter C.M.Chang, Christian Holler, Steve Fink and the Mozilla Fuzzing Team Impact critical Description Memory safety bugs present in Firefox ESR 115.35.0, Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1 #CVE-2026-7323: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1 Reporter Ryan Hunt, Steve Fink and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.14 2026/04/21 13:40:08 gutteridge Exp $ d5 1 a5 1 MOZ_BRANCH_MINOR= .1esr @ 1.14 log @firefox140: update to 140.10 Mozilla Foundation Security Advisory 2026-32 Security Vulnerabilities fixed in Firefox ESR 140.10 Announced April 21, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.10 #CVE-2026-6746: Use-after-free in the DOM: Core & HTML component Reporter Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic Impact high References Bug 2014596 #CVE-2026-6747: Use-after-free in the WebRTC component Reporter Nan Wang Impact high References Bug 2021769 #CVE-2026-6748: Uninitialized memory in the Audio/Video: Web Codecs component Reporter Inseo An Impact high References Bug 2022604 #CVE-2026-6749: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component Reporter Inseo An Impact high References Bug 2022610 #CVE-2026-6750: Privilege escalation in the Graphics: WebRender component Reporter choeseyeong Impact high References Bug 2023407 #CVE-2026-6751: Uninitialized memory in the Audio/Video: Web Codecs component Reporter Joren Afman Impact high References Bug 2025883 #CVE-2026-6752: Incorrect boundary conditions in the WebRTC component Reporter jmwebdevelopement Impact high References Bug 2027499 #CVE-2026-6753: Incorrect boundary 
conditions in the WebRTC component Reporter jmwebdevelopement Impact high References Bug 2027501 #CVE-2026-6754: Use-after-free in the JavaScript Engine component Reporter Xuehao Guo Impact high References Bug 2027541 #CVE-2026-6757: Invalid pointer in the JavaScript: WebAssembly component Reporter Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic Impact moderate References Bug 2013588 #CVE-2026-6759: Use-after-free in the Widget: Cocoa component Reporter Steven Michaud Impact moderate References Bug 2016164 #CVE-2026-6761: Privilege escalation in the Networking component Reporter kiyong Impact moderate References Bug 2017857 #CVE-2026-6762: Spoofing issue in the DOM: Core & HTML component Reporter Farras Givari Impact moderate References Bug 2021080 #CVE-2026-6763: Mitigation bypass in the File Handling component Reporter Tomoya Nakanishi Impact moderate References Bug 2021666 #CVE-2026-6764: Incorrect boundary conditions in the DOM: Device Interfaces component Reporter Florian Impact moderate References Bug 2022162 #CVE-2026-6765: Information disclosure in the Form Autofill component Reporter ABDULAZIZ ALASAIQAH Impact moderate References Bug 2022419 #CVE-2026-6766: Incorrect boundary conditions in the Libraries component in NSS Reporter Haruto Kimura Impact moderate References Bug 2023207 #CVE-2026-6767: Other issue in the Libraries component in NSS Reporter Haruto Kimura Impact moderate References Bug 2023209 #CVE-2026-6769: Privilege escalation in the Debugger component Reporter Tomoya Nakanishi Impact moderate References Bug 2023753 #CVE-2026-6770: Other issue in the Storage: IndexedDB component Reporter Dai Impact moderate References Bug 2024220 #CVE-2026-6771: Mitigation bypass in the DOM: Security component Reporter Rayhan Hanaputra Impact moderate References Bug 2025067 #CVE-2026-6772: Incorrect boundary conditions in the Libraries component in NSS Reporter sseehra 
Impact moderate References Bug 2026089 #CVE-2026-6776: Incorrect boundary conditions in the WebRTC: Networking component Reporter Nan Wang Impact low References Bug 2021770 #CVE-2026-6785: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 Reporter Andrew McCreight, Ashley Zebrowski, Brian Grinstead, Christian Holler, Maurice Dauer, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 #CVE-2026-6786: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 Reporter Alex Franchuk, Andrew McCreight, Brian Grinstead, Christian Holler, Jan de Mooij, Maurice Dauer, Sebastian Hengst, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 
References Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.13 2026/04/09 18:37:06 gutteridge Exp $ d5 1 a5 1 MOZ_BRANCH_MINOR= .0esr @ 1.13 log @firefox140: update to 140.9.1 Mozilla Foundation Security Advisory 2026-27 Security Vulnerabilities fixed in Firefox ESR 140.9.1 Announced April 7, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.9.1 #CVE-2026-5732: Incorrect boundary conditions, integer overflow in the Graphics: Text component Reporter Sajeeb Lohani Impact high References Bug 2017867 #CVE-2026-5731: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 Reporter Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 #CVE-2026-5734: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 Reporter Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 
References Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12 2026/03/24 13:11:35 gutteridge Exp $ d4 2 a5 2 MOZ_BRANCH= 140.9 MOZ_BRANCH_MINOR= .1esr @ 1.12 log @firefox140: update to 140.9 Mozilla Foundation Security Advisory 2026-22 Security Vulnerabilities fixed in Firefox ESR 140.9 Announced March 24, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.9 #CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component Reporter Oskar L Impact high References Bug 2011129 #CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component Reporter Sajeeb Lohani Impact high References Bug 2016349 #CVE-2026-4686: Incorrect boundary conditions in the Graphics: Canvas2D component Reporter Sajeeb Lohani Impact high References Bug 2016351 #CVE-2026-4687: Sandbox escape due to incorrect boundary conditions in the Telemetry component Reporter Sajeeb Lohani Impact high References Bug 2016368 #CVE-2026-4688: Sandbox escape due to use-after-free in the Disability Access APIs component Reporter Sajeeb Lohani Impact high References Bug 2016373 #CVE-2026-4689: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component Reporter Sajeeb Lohani Impact high References Bug 2016374 #CVE-2026-4690: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component Reporter Sajeeb Lohani Impact high References Bug 2016375 #CVE-2026-4691: Use-after-free in the CSS Parsing and Computation component Reporter Fabius Artrel Impact high References Bug 2017512 #CVE-2026-4692: Sandbox escape in the Responsive Design Mode component Reporter Tom Ritter Impact high References Bug 2017643 #CVE-2026-4693: Incorrect boundary conditions in the Audio/Video: Playback component Reporter Sajeeb Lohani Impact high References Bug 2018102 #CVE-2026-4694: Incorrect boundary conditions, integer 
overflow in the Graphics component Reporter Sajeeb Lohani Impact high References Bug 2018430 #CVE-2026-4695: Incorrect boundary conditions in the Audio/Video: Web Codecs component Reporter Atte Kettunen Impact high References Bug 2020030 #CVE-2026-4696: Use-after-free in the Layout: Text and Fonts component Reporter Sota Wada Impact high References Bug 2020190 #CVE-2026-4697: Incorrect boundary conditions in the Audio/Video: Web Codecs component Reporter Lorenzo Impact high References Bug 2020422 #CVE-2026-4698: JIT miscompilation in the JavaScript Engine: JIT component Reporter maxpl0it working with Trend Micro Zero Day Initiative Impact high References Bug 2020906 #CVE-2026-4699: Incorrect boundary conditions in the Layout: Text and Fonts component Reporter Matej Smycka Impact high References Bug 2021863 #CVE-2026-4700: Mitigation bypass in the Networking: HTTP component Reporter pizzahunthack1 Impact moderate References Bug 2003766 #CVE-2026-4701: Use-after-free in the JavaScript Engine component Reporter Gary Kwong Impact moderate References Bug 2009303 #CVE-2026-4702: JIT miscompilation in the JavaScript Engine component Reporter Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic Impact moderate References Bug 2013560 #CVE-2026-4704: Denial-of-service in the WebRTC: Signaling component Reporter Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic Impact moderate References Bug 2014868 #CVE-2026-4705: Undefined behavior in the WebRTC: Signaling component Reporter Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic Impact moderate References Bug 2014873 #CVE-2026-4706: Incorrect boundary conditions in the Graphics: Canvas2D component Reporter Jun Yang Impact moderate References Bug 2015091 
#CVE-2026-4707: Incorrect boundary conditions in the Graphics: Canvas2D component Reporter Sajeeb Lohani Impact moderate References Bug 2015267 #CVE-2026-4708: Incorrect boundary conditions in the Graphics component Reporter Sajeeb Lohani Impact moderate References Bug 2015268 #CVE-2026-4709: Incorrect boundary conditions in the Audio/Video: GMP component Reporter Sajeeb Lohani Impact moderate References Bug 2016329 #CVE-2026-4710: Incorrect boundary conditions in the Audio/Video component Reporter Sajeeb Lohani Impact moderate References Bug 2016370 #CVE-2026-4711: Use-after-free in the Widget: Cocoa component Reporter Josh Aas Impact moderate References Bug 2017002 #CVE-2026-4712: Information disclosure in the Widget: Cocoa component Reporter Josh Aas Impact moderate References Bug 2017666 #CVE-2026-4713: Incorrect boundary conditions in the Graphics component Reporter Sajeeb Lohani Impact moderate References Bug 2018113 #CVE-2026-4714: Incorrect boundary conditions in the Audio/Video component Reporter Sajeeb Lohani Impact moderate References Bug 2018126 #CVE-2026-4715: Uninitialized memory in the Graphics: Canvas2D component Reporter Jun Yang Impact moderate References Bug 2018405 #CVE-2026-4716: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component Reporter Pwn2addr Impact moderate References Bug 2018592 #CVE-2026-4717: Privilege escalation in the Netmonitor component Reporter Satoki Tsuji Impact moderate References Bug 2021695 #CVE-2025-59375: Denial-of-service in the XML component Reporter Jan Horak Impact low References Bug 1988467 #CVE-2026-4718: Undefined behavior in the WebRTC: Signaling component Reporter Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic Impact low References Bug 2014864 #CVE-2026-4719: Incorrect boundary conditions in the Graphics: Text component Reporter Sajeeb Lohani Impact low References Bug 2016367 
#CVE-2026-4720: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 Reporter Christian Holler, Gabriele Svelto, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 #CVE-2026-4721: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 Reporter Christian Holler, Timothy Nikkel, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 
References Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.11 2026/02/24 14:07:55 gutteridge Exp $ d5 1 a5 1 MOZ_BRANCH_MINOR= .0esr @ 1.12.2.1 log @Pullup ticket #7074 - requested by gutteridge www/firefox140: security fix www/firefox140-l10n: dependent update Revisions pulled up: - www/firefox140-l10n/Makefile 1.8 - www/firefox140-l10n/distinfo 1.8 - www/firefox140/Makefile 1.13 - www/firefox140/distinfo 1.12 --- Module Name: pkgsrc Committed By: gutteridge Date: Thu Apr 9 18:37:06 UTC 2026 Modified Files: pkgsrc/www/firefox140: Makefile distinfo Log Message: firefox140: update to 140.9.1 Mozilla Foundation Security Advisory 2026-27 Security Vulnerabilities fixed in Firefox ESR 140.9.1 Announced April 7, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.9.1 #CVE-2026-5732: Incorrect boundary conditions, integer overflow in the Graphics: Text component Reporter Sajeeb Lohani Impact high References Bug 2017867 #CVE-2026-5731: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 Reporter Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 #CVE-2026-5734: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 Reporter Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 --- Module Name: pkgsrc Committed By: gutteridge Date: Thu Apr 9 18:39:26 UTC 2026 Modified Files: pkgsrc/www/firefox140-l10n: Makefile distinfo Log Message: firefox140-l10n: update to 140.9.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12 2026/03/24 13:11:35 gutteridge Exp $ d5 1 a5 1 MOZ_BRANCH_MINOR= .1esr @ 1.12.2.2 log @Revbump all Go packages after go126 security fix @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4.2.1 2026/01/14 18:58:46 maya Exp $ @ 1.12.2.3 log @Pullup ticket #7083 - requested by gutteridge www/firefox140: security fix www/firefox140-l10n: dependent update Revisions pulled up: - www/firefox140-l10n/Makefile 1.9 - www/firefox140-l10n/distinfo 1.9 - www/firefox140/Makefile 1.14 - www/firefox140/distinfo 1.13 --- Module Name: pkgsrc Committed By: gutteridge Date: Tue Apr 21 13:40:08 UTC 2026 Modified Files: pkgsrc/www/firefox140: Makefile distinfo Log Message: firefox140: update to 140.10 Mozilla Foundation Security Advisory 2026-32 Security Vulnerabilities fixed in Firefox ESR 140.10 Announced April 21, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.10 #CVE-2026-6746: Use-after-free in the DOM: Core & HTML component Reporter Evyatar Ben Asher,
Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic Impact high References Bug 2014596 #CVE-2026-6747: Use-after-free in the WebRTC component Reporter Nan Wang Impact high References Bug 2021769 #CVE-2026-6748: Uninitialized memory in the Audio/Video: Web Codecs component Reporter Inseo An Impact high References Bug 2022604 #CVE-2026-6749: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component Reporter Inseo An Impact high References Bug 2022610 #CVE-2026-6750: Privilege escalation in the Graphics: WebRender component Reporter choeseyeong Impact high References Bug 2023407 #CVE-2026-6751: Uninitialized memory in the Audio/Video: Web Codecs component Reporter Joren Afman Impact high References Bug 2025883 #CVE-2026-6752: Incorrect boundary conditions in the WebRTC component Reporter jmwebdevelopement Impact high References Bug 2027499 #CVE-2026-6753: Incorrect boundary conditions in the WebRTC component Reporter jmwebdevelopement Impact high References Bug 2027501 #CVE-2026-6754: Use-after-free in the JavaScript Engine component Reporter Xuehao Guo Impact high References Bug 2027541 #CVE-2026-6757: Invalid pointer in the JavaScript: WebAssembly component Reporter Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic Impact moderate References Bug 2013588 #CVE-2026-6759: Use-after-free in the Widget: Cocoa component Reporter Steven Michaud Impact moderate References Bug 2016164 #CVE-2026-6761: Privilege escalation in the Networking component Reporter kiyong Impact moderate References Bug 2017857 #CVE-2026-6762: Spoofing issue in the DOM: Core & HTML component Reporter Farras Givari Impact moderate References Bug 2021080 #CVE-2026-6763: Mitigation bypass in the File Handling component Reporter Tomoya Nakanishi Impact moderate References Bug 2021666 #CVE-2026-6764: Incorrect boundary 
conditions in the DOM: Device Interfaces component Reporter Florian Impact moderate References Bug 2022162 #CVE-2026-6765: Information disclosure in the Form Autofill component Reporter ABDULAZIZ ALASAIQAH Impact moderate References Bug 2022419 #CVE-2026-6766: Incorrect boundary conditions in the Libraries component in NSS Reporter Haruto Kimura Impact moderate References Bug 2023207 #CVE-2026-6767: Other issue in the Libraries component in NSS Reporter Haruto Kimura Impact moderate References Bug 2023209 #CVE-2026-6769: Privilege escalation in the Debugger component Reporter Tomoya Nakanishi Impact moderate References Bug 2023753 #CVE-2026-6770: Other issue in the Storage: IndexedDB component Reporter Dai Impact moderate References Bug 2024220 #CVE-2026-6771: Mitigation bypass in the DOM: Security component Reporter Rayhan Hanaputra Impact moderate References Bug 2025067 #CVE-2026-6772: Incorrect boundary conditions in the Libraries component in NSS Reporter sseehra Impact moderate References Bug 2026089 #CVE-2026-6776: Incorrect boundary conditions in the WebRTC: Networking component Reporter Nan Wang Impact low References Bug 2021770 #CVE-2026-6785: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 Reporter Andrew McCreight, Ashley Zebrowski, Brian Grinstead, Christian Holler, Maurice Dauer, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 
References Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 #CVE-2026-6786: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 Reporter Alex Franchuk, Andrew McCreight, Brian Grinstead, Christian Holler, Jan de Mooij, Maurice Dauer, Sebastian Hengst, Tom Schuster and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 --- Module Name: pkgsrc Committed By: gutteridge Date: Tue Apr 21 13:42:06 UTC 2026 Modified Files: pkgsrc/www/firefox140-l10n: Makefile distinfo Log Message: firefox140-l10n: update to 140.10 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12.2.2 2026/04/22 14:32:19 maya Exp $ d4 2 a5 2 MOZ_BRANCH= 140.10 MOZ_BRANCH_MINOR= .0esr @ 1.12.2.4 log @Pullup ticket #7087 - requested by gutteridge www/firefox140: security fix www/firefox140-l10n: dependent update Revisions pulled up: - www/firefox140-l10n/Makefile 1.10 - www/firefox140-l10n/distinfo 1.10 - www/firefox140/Makefile 1.15 - www/firefox140/distinfo 1.14-1.15 - www/firefox140/patches/patch-media_ffvpx_libavcodec_parser__list.c 1.1-1.2 --- Module Name: pkgsrc Committed By: gutteridge Date: Thu Apr 30 18:51:23 UTC 2026 Modified Files: pkgsrc/www/firefox140: Makefile distinfo Added Files: pkgsrc/www/firefox140/patches: patch-media_ffvpx_libavcodec_parser__list.c Log Message: firefox140: update to 140.10.1 Mozilla Foundation Security Advisory 2026-36 Security Vulnerabilities fixed in Firefox ESR 140.10.1 Announced April 28, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.10.1 #CVE-2026-7320: 
Information disclosure due to incorrect boundary conditions in the Audio/Video component Reporter Xuehao Guo Impact high References Bug 2027433 #CVE-2026-7321: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component Reporter The Mozilla Fuzzing Team Impact moderate References Bug 2029461 #CVE-2026-7322: Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1 Reporter C.M.Chang, Christian Holler, Steve Fink and the Mozilla Fuzzing Team Impact critical Description Memory safety bugs present in Firefox ESR 115.35.0, Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1 #CVE-2026-7323: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1 Reporter Ryan Hunt, Steve Fink and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 
References Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1 --- Module Name: pkgsrc Committed By: gutteridge Date: Thu Apr 30 18:53:28 UTC 2026 Modified Files: pkgsrc/www/firefox140-l10n: Makefile distinfo Log Message: firefox140-l10n: update to 140.10.1 --- Module Name: pkgsrc Committed By: gutteridge Date: Thu Apr 30 21:47:25 UTC 2026 Modified Files: pkgsrc/www/firefox140: distinfo pkgsrc/www/firefox140/patches: patch-media_ffvpx_libavcodec_parser__list.c Log Message: firefox140: note new patch added was already fixed upstream @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12.2.3 2026/04/26 19:35:21 bsiegert Exp $ d5 1 a5 1 MOZ_BRANCH_MINOR= .1esr @ 1.12.2.5 log @Pullup ticket #7102 - requested by gutteridge www/firefox140: Security fix www/firefox140-l10n: Security fix Revisions pulled up: - www/firefox140-l10n/Makefile 1.11 - www/firefox140-l10n/distinfo 1.11 - www/firefox140/Makefile 1.16 - www/firefox140/distinfo 1.16 --- Module Name: pkgsrc Committed By: gutteridge Date: Thu May 7 20:25:32 UTC 2026 Modified Files: pkgsrc/www/firefox140: Makefile distinfo Log Message: firefox140: update to 140.10.2 Mozilla Foundation Security Advisory 2026-41 Security Vulnerabilities fixed in Firefox ESR 140.10.2 Announced May 7, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.10.2 #CVE-2026-8090: Use-after-free in the DOM: Networking component Reporter Kevin Brosnan Impact high References Bug 2034352 #CVE-2026-8094: Other issue in the WebRTC component Reporter Michael Froman Impact high References Bug 2035939 #CVE-2026-8092: Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2 Reporter Andrew McCreight, Christian Holler, Lee Salzman, Maurice Dauer, Tom Schuster, Wayne Mery and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. 
Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2 --- Module Name: pkgsrc Committed By: gutteridge Date: Thu May 7 20:26:58 UTC 2026 Modified Files: pkgsrc/www/firefox140-l10n: Makefile distinfo Log Message: firefox140-l10n: update to 140.10.2 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12.2.4 2026/05/02 19:26:59 bsiegert Exp $ d5 1 a5 1 MOZ_BRANCH_MINOR= .2esr @ 1.11 log @firefox140: update to 140.8 Mozilla Foundation Security Advisory 2026-15 Security Vulnerabilities fixed in Firefox ESR 140.8 Announced February 24, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.8 #CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component Reporter Igor Morgenstern Impact high References Bug 2001637 #CVE-2026-2758: Use-after-free in the JavaScript: GC component Reporter Gary Kwong Impact high References Bug 2009608 #CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib component Reporter stevej Impact high References Bug 2010933 #CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component Reporter Oskar L Impact high References Bug 2011062 #CVE-2026-2761: Sandbox escape in the Graphics: WebRender component Reporter Oskar L Impact high References Bug 2011063 #CVE-2026-2762: Integer overflow in the JavaScript: Standard Library component Reporter André Bargull Impact high References Bug 2011649 #CVE-2026-2763: Use-after-free in the JavaScript Engine component Reporter Information to follow Impact high References Bug 2012018 #CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component Reporter Information to follow Impact high References Bug 2012608 #CVE-2026-2765: Use-after-free in the JavaScript Engine component Reporter Information to follow 
Impact high References Bug 2013562 #CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component Reporter Information to follow Impact high References Bug 2013583 #CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component Reporter Sajeeb Lohani Impact high References Bug 2013741 #CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component Reporter Sajeeb Lohani Impact high References Bug 2014101 #CVE-2026-2769: Use-after-free in the Storage: IndexedDB component Reporter Information to follow Impact high References Bug 2014550 #CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component Reporter Information to follow Impact high References Bug 2014585 #CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component Reporter Information to follow Impact high References Bug 2014593 #CVE-2026-2772: Use-after-free in the Audio/Video: Playback component Reporter Information to follow Impact high References Bug 2014827 #CVE-2026-2773: Incorrect boundary conditions in the Web Audio component Reporter Information to follow Impact high References Bug 2014832 #CVE-2026-2774: Integer overflow in the Audio/Video component Reporter Information to follow Impact high References Bug 2014883 #CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component Reporter Information to follow Impact high References Bug 2015199 #CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software Reporter Sajeeb Lohani Impact high References Bug 2015266 #CVE-2026-2777: Privilege escalation in the Messaging System component Reporter Richard Belisle Impact high References Bug 2015305 #CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component Reporter Sajeeb Lohani Impact high References Bug 2016358 #CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component Reporter Alex Mayorga Impact moderate References Bug 1164141 #CVE-2026-2780: Privilege 
escalation in the Netmonitor component Reporter RyotaK Impact moderate References Bug 2007829 #CVE-2026-2781: Integer overflow in the Libraries component in NSS Reporter Clay Ver Valen Impact moderate References Bug 2009552 #CVE-2026-2782: Privilege escalation in the Netmonitor component Reporter Cody Impact moderate References Bug 2010743 #CVE-2026-2783: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component Reporter x0e Impact moderate References Bug 2010943 #CVE-2026-2784: Mitigation bypass in the DOM: Security component Reporter D. Santos Impact moderate References Bug 2012984 #CVE-2026-2785: Invalid pointer in the JavaScript Engine component Reporter Information to follow Impact moderate References Bug 2013549 #CVE-2026-2786: Use-after-free in the JavaScript Engine component Reporter Information to follow Impact moderate References Bug 2013612 #CVE-2026-2787: Use-after-free in the DOM: Window and Location component Reporter Information to follow Impact moderate References Bug 2014560 #CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component Reporter Information to follow Impact moderate References Bug 2014824 #CVE-2026-2789: Use-after-free in the Graphics: ImageLib component Reporter Information to follow Impact moderate References Bug 2015179 #CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component Reporter Surya Dev Singh Impact low References Bug 2008426 #CVE-2026-2791: Mitigation bypass in the Networking: Cache component Reporter Information to follow Impact low References Bug 2015220 #CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 Reporter Andrew McCreight, Maurice Dauer, Olli Pettay, Ryan Hunt Impact high Description Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. 
Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 #CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 Reporter Andrew McCreight, Christian Holler Impact high Description Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.10 2026/02/17 00:26:49 gutteridge Exp $ d4 1 a4 1 MOZ_BRANCH= 140.8 @ 1.10 log @firefox140: update to 140.7.1 Addresses a single high-severity security issue: CVE-2026-2447: Heap buffer overflow in libvpx @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.9 2026/01/27 08:40:49 wiz Exp $ d4 2 a5 2 MOZ_BRANCH= 140.7 MOZ_BRANCH_MINOR= .1esr @ 1.9 log @*: recursive bump for removal of cairo's xcb option @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.8 2026/01/13 17:20:06 gutteridge Exp $ d5 1 a5 1 MOZ_BRANCH_MINOR= .0esr a8 1 PKGREVISION= 1 @ 1.8 log @firefox140: update to 140.7.0 Mozilla Foundation Security Advisory 2026-03 Security Vulnerabilities fixed in Firefox ESR 140.7 Announced January 13, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.7 #CVE-2026-0877: Mitigation bypass in the DOM: Security component Reporter mingijung Impact high References Bug 1999257 #CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component Reporter Oskar L Impact high References Bug 2003989 #CVE-2026-0879: Sandbox escape 
due to incorrect boundary conditions in the Graphics component Reporter Oskar L Impact high References Bug 2004602 #CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component Reporter Oskar L Impact high References Bug 2005014 #CVE-2026-0882: Use-after-free in the IPC component Reporter Randell Jesup Impact high References Bug 1924125 #CVE-2025-14327: Spoofing issue in the Downloads Panel component Reporter Caro Kann Impact moderate References Bug 1970743 #CVE-2026-0883: Information disclosure in the Networking component Reporter Vladislav Plyatsok Impact moderate References Bug 1989340 #CVE-2026-0884: Use-after-free in the JavaScript Engine component Reporter Gary Kwong and Nan Wang Impact moderate References Bug 2003588 #CVE-2026-0885: Use-after-free in the JavaScript: GC component Reporter Irvan Kurniawan Impact moderate References Bug 2003607 #CVE-2026-0886: Incorrect boundary conditions in the Graphics component Reporter Oskar L Impact moderate References Bug 2005658 #CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component Reporter Lyra Rebane Impact moderate References Bug 2006500 #CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component Reporter Edgar Chen Impact low References Bug 2005081 #CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 Reporter Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 
References Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.7 2026/01/07 08:49:18 wiz Exp $ d9 1 @ 1.7 log @*: recursive bump for icu 78.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.6 2026/01/06 23:27:50 gutteridge Exp $ d4 1 a4 1 MOZ_BRANCH= 140.6 a8 1 PKGREVISION= 3 @ 1.6 log @firefox140: fix builds with ICU >= 78.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.5 2025/12/22 06:08:17 adam Exp $ d9 1 a9 1 PKGREVISION= 2 @ 1.5 log @revbump for x264 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2025/12/11 11:05:21 leot Exp $ d9 1 a9 1 PKGREVISION= 1 @ 1.4 log @firefox140{,-l10n}: Update to 140.6.0 Changes: 140.6.0 - Security fixes (MFSA2025-94) Discussed with PMC and ok by during carefulperiod 2, thanks! @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2025/11/12 19:48:10 leot Exp $ d9 1 @ 1.4.2.1 log @Pullup ticket #7044 - requested by gutteridge www/firefox140: Security fix www/firefox140-l10n: Security fix Revisions pulled up: - www/firefox140-l10n/Makefile 1.4 - www/firefox140-l10n/distinfo 1.4 - www/firefox140/Makefile 1.8 - www/firefox140/distinfo 1.8 --- Module Name: pkgsrc Committed By: gutteridge Date: Tue Jan 13 17:20:06 UTC 2026 Modified Files: pkgsrc/www/firefox140: Makefile distinfo Log Message: firefox140: update to 140.7.0 Mozilla Foundation Security Advisory 2026-03 Security Vulnerabilities fixed in Firefox ESR 140.7 Announced January 13, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.7 #CVE-2026-0877: Mitigation bypass in the DOM: Security component Reporter mingijung Impact high References Bug 1999257 #CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component Reporter Oskar L Impact high References Bug 2003989 #CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component Reporter Oskar L Impact high References Bug 2004602 #CVE-2026-0880: Sandbox escape due to integer 
overflow in the Graphics component Reporter Oskar L Impact high References Bug 2005014 #CVE-2026-0882: Use-after-free in the IPC component Reporter Randell Jesup Impact high References Bug 1924125 #CVE-2025-14327: Spoofing issue in the Downloads Panel component Reporter Caro Kann Impact moderate References Bug 1970743 #CVE-2026-0883: Information disclosure in the Networking component Reporter Vladislav Plyatsok Impact moderate References Bug 1989340 #CVE-2026-0884: Use-after-free in the JavaScript Engine component Reporter Gary Kwong and Nan Wang Impact moderate References Bug 2003588 #CVE-2026-0885: Use-after-free in the JavaScript: GC component Reporter Irvan Kurniawan Impact moderate References Bug 2003607 #CVE-2026-0886: Incorrect boundary conditions in the Graphics component Reporter Oskar L Impact moderate References Bug 2005658 #CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component Reporter Lyra Rebane Impact moderate References Bug 2006500 #CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component Reporter Edgar Chen Impact low References Bug 2005081 #CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 Reporter Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 --- Module Name: pkgsrc Committed By: gutteridge Date: Tue Jan 13 17:23:35 UTC 2026 Modified Files: pkgsrc/www/firefox140-l10n: Makefile distinfo Log Message: firefox140-l10n: update to 140.7.0 Sync with www/firefox140 version. 
@ text @d1 1 a1 1 # $NetBSD$ d4 1 a4 1 MOZ_BRANCH= 140.7 @ 1.4.2.2 log @Pullup ticket #7045 - requested by gutteridge www/firefox140: security fix www/firefox140-l10n: dependent update Revisions pulled up: - www/firefox140-l10n/Makefile 1.6 - www/firefox140-l10n/distinfo 1.6 - www/firefox140/Makefile 1.11 - www/firefox140/distinfo 1.10 --- Module Name: pkgsrc Committed By: gutteridge Date: Tue Feb 24 14:07:55 UTC 2026 Modified Files: pkgsrc/www/firefox140: Makefile distinfo Log Message: firefox140: update to 140.8 Mozilla Foundation Security Advisory 2026-15 Security Vulnerabilities fixed in Firefox ESR 140.8 Announced February 24, 2026 Impact high Products Firefox ESR Fixed in Firefox ESR 140.8 #CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component Reporter Igor Morgenstern Impact high References Bug 2001637 #CVE-2026-2758: Use-after-free in the JavaScript: GC component Reporter Gary Kwong Impact high References Bug 2009608 #CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib component Reporter stevej Impact high References Bug 2010933 #CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component Reporter Oskar L Impact high References Bug 2011062 #CVE-2026-2761: Sandbox escape in the Graphics: WebRender component Reporter Oskar L Impact high References Bug 2011063 #CVE-2026-2762: Integer overflow in the JavaScript: Standard Library component Reporter André Bargull Impact high References Bug 2011649 #CVE-2026-2763: Use-after-free in the JavaScript Engine component Reporter Information to follow Impact high References Bug 2012018 #CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component Reporter Information to follow Impact high References Bug 2012608 #CVE-2026-2765: Use-after-free in the JavaScript Engine component Reporter Information to follow Impact high References Bug 2013562 #CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT 
component Reporter Information to follow Impact high References Bug 2013583 #CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component Reporter Sajeeb Lohani Impact high References Bug 2013741 #CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component Reporter Sajeeb Lohani Impact high References Bug 2014101 #CVE-2026-2769: Use-after-free in the Storage: IndexedDB component Reporter Information to follow Impact high References Bug 2014550 #CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component Reporter Information to follow Impact high References Bug 2014585 #CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component Reporter Information to follow Impact high References Bug 2014593 #CVE-2026-2772: Use-after-free in the Audio/Video: Playback component Reporter Information to follow Impact high References Bug 2014827 #CVE-2026-2773: Incorrect boundary conditions in the Web Audio component Reporter Information to follow Impact high References Bug 2014832 #CVE-2026-2774: Integer overflow in the Audio/Video component Reporter Information to follow Impact high References Bug 2014883 #CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component Reporter Information to follow Impact high References Bug 2015199 #CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software Reporter Sajeeb Lohani Impact high References Bug 2015266 #CVE-2026-2777: Privilege escalation in the Messaging System component Reporter Richard Belisle Impact high References Bug 2015305 #CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component Reporter Sajeeb Lohani Impact high References Bug 2016358 #CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component Reporter Alex Mayorga Impact moderate References Bug 1164141 #CVE-2026-2780: Privilege escalation in the Netmonitor component Reporter RyotaK Impact moderate References Bug 2007829 
#CVE-2026-2781: Integer overflow in the Libraries component in NSS Reporter Clay Ver Valen Impact moderate References Bug 2009552 #CVE-2026-2782: Privilege escalation in the Netmonitor component Reporter Cody Impact moderate References Bug 2010743 #CVE-2026-2783: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component Reporter x0e Impact moderate References Bug 2010943 #CVE-2026-2784: Mitigation bypass in the DOM: Security component Reporter D. Santos Impact moderate References Bug 2012984 #CVE-2026-2785: Invalid pointer in the JavaScript Engine component Reporter Information to follow Impact moderate References Bug 2013549 #CVE-2026-2786: Use-after-free in the JavaScript Engine component Reporter Information to follow Impact moderate References Bug 2013612 #CVE-2026-2787: Use-after-free in the DOM: Window and Location component Reporter Information to follow Impact moderate References Bug 2014560 #CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component Reporter Information to follow Impact moderate References Bug 2014824 #CVE-2026-2789: Use-after-free in the Graphics: ImageLib component Reporter Information to follow Impact moderate References Bug 2015179 #CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component Reporter Surya Dev Singh Impact low References Bug 2008426 #CVE-2026-2791: Mitigation bypass in the Networking: Cache component Reporter Information to follow Impact low References Bug 2015220 #CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 Reporter Andrew McCreight, Maurice Dauer, Olli Pettay, Ryan Hunt Impact high Description Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 
References Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 #CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 Reporter Andrew McCreight, Christian Holler Impact high Description Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 --- Module Name: pkgsrc Committed By: gutteridge Date: Tue Feb 24 14:09:03 UTC 2026 Modified Files: pkgsrc/www/firefox140-l10n: Makefile distinfo Log Message: firefox140-l10n: update to 140.8.0 @ text @d4 1 a4 1 MOZ_BRANCH= 140.8 @ 1.3 log @firefox140: Update to 140.5.0 ESR Changes: Various security fixes (MFSA2025-88). @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2 2025/10/23 20:39:46 wiz Exp $ d4 1 a4 1 MOZ_BRANCH= 140.5 @ 1.2 log @*: recursive bump for pcre2 Running an old binary against the new pcre doesn't work: /usr/pkg/lib/libpcre2-8.so.0: version PCRE2_10.47 required by /usr/pkg/lib/libglib-2.0.so.0 not defined @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.1 2025/10/19 11:56:55 leot Exp $ d4 1 a4 1 MOZ_BRANCH= 140.4 a8 1 PKGREVISION= 1 @ 1.1 log @firefox140: Import firefox140-140.4.0 as www/firefox140 Mozilla Firefox is a free, open-source and cross-platform web browser for Windows, Linux, MacOS X and many other operating systems. It is fast and easy to use, and offers many advantages over other web browsers, such as tabbed browsing and the ability to block pop-up windows. Firefox also offers excellent bookmark and history management, and it can be extended by developers using industry standards such as XML, CSS, JavaScript, C++, etc. 
Many extensions are available. Note: Due to upstream's trademark policies, this package identifies as "Nightly" rather than "Firefox" by default. This package provides Firefox 140 Extended Support Release. Based on latest 140.x www/firefox and adjusted for ESR. Thanks to for help! @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.637 2025/07/23 13:57:34 ryoon Exp $ d9 1 @