head	1.16;
access;
symbols
	pkgsrc-2026Q1:1.11.0.2
	pkgsrc-2026Q1-base:1.11
	pkgsrc-2025Q4:1.4.0.2
	pkgsrc-2025Q4-base:1.4;
locks; strict;
comment	@# @;


1.16
date	2026.05.07.20.25.32;	author gutteridge;	state Exp;
branches;
next	1.15;
commitid	iWQ3iojshMyrgVEG;

1.15
date	2026.04.30.21.47.25;	author gutteridge;	state Exp;
branches;
next	1.14;
commitid	AL03i2xn9GmUV1EG;

1.14
date	2026.04.30.18.51.22;	author gutteridge;	state Exp;
branches;
next	1.13;
commitid	yKrZQOCM2JcYX0EG;

1.13
date	2026.04.21.13.40.08;	author gutteridge;	state Exp;
branches;
next	1.12;
commitid	D87keWPDmUVexPCG;

1.12
date	2026.04.09.18.37.06;	author gutteridge;	state Exp;
branches;
next	1.11;
commitid	3tYWuzeMsO94zjBG;

1.11
date	2026.03.24.13.11.35;	author gutteridge;	state Exp;
branches
	1.11.2.1;
next	1.10;
commitid	OQxDJoo44o6ghezG;

1.10
date	2026.02.24.14.07.55;	author gutteridge;	state Exp;
branches;
next	1.9;
commitid	e6LxN1xHBOyguDvG;

1.9
date	2026.02.17.00.26.49;	author gutteridge;	state Exp;
branches;
next	1.8;
commitid	r8ldzyvFdlHkaFuG;

1.8
date	2026.01.13.17.20.06;	author gutteridge;	state Exp;
branches;
next	1.7;
commitid	hqngZbAqcqMiTfqG;

1.7
date	2026.01.06.23.27.50;	author gutteridge;	state Exp;
branches;
next	1.6;
commitid	j97VjMVViBWP9opG;

1.6
date	2026.01.02.14.27.02;	author tnn;	state Exp;
branches;
next	1.5;
commitid	IofESGCby2yEiPoG;

1.5
date	2025.12.24.02.11.49;	author gutteridge;	state Exp;
branches;
next	1.4;
commitid	fKiRo3GRfeZ9wBnG;

1.4
date	2025.12.15.21.04.49;	author gutteridge;	state Exp;
branches
	1.4.2.1;
next	1.3;
commitid	ifEhwQDHE5dK4ymG;

1.3
date	2025.12.11.11.05.21;	author leot;	state Exp;
branches;
next	1.2;
commitid	Jl8MdNyMAsEOSYlG;

1.2
date	2025.11.12.19.48.10;	author leot;	state Exp;
branches;
next	1.1;
commitid	c5kiPkEu7aPWHiiG;

1.1
date	2025.10.19.11.56.55;	author leot;	state Exp;
branches;
next	;
commitid	O4nVQ7B6izcESafG;

1.11.2.1
date	2026.04.10.19.09.35;	author bsiegert;	state Exp;
branches;
next	1.11.2.2;
commitid	FTTeGhuFkwkjIrBG;

1.11.2.2
date	2026.04.22.14.32.19;	author maya;	state Exp;
branches;
next	1.11.2.3;
commitid	iDHLLUhOplH6NXCG;

1.11.2.3
date	2026.04.26.19.35.21;	author bsiegert;	state Exp;
branches;
next	1.11.2.4;
commitid	M5E5QUqdg03glvDG;

1.11.2.4
date	2026.05.02.19.26.59;	author bsiegert;	state Exp;
branches;
next	1.11.2.5;
commitid	idHf729mVYiq6hEG;

1.11.2.5
date	2026.05.08.11.16.50;	author maya;	state Exp;
branches;
next	;
commitid	HGEyfAIx2h2kc0FG;

1.4.2.1
date	2025.12.26.10.41.36;	author bsiegert;	state Exp;
branches;
next	1.4.2.2;
commitid	KkEVuCr8qkaihUnG;

1.4.2.2
date	2026.01.14.18.58.46;	author maya;	state Exp;
branches;
next	1.4.2.3;
commitid	xVspYetx9XpZpoqG;

1.4.2.3
date	2026.02.28.20.14.29;	author bsiegert;	state Exp;
branches;
next	;
commitid	nTJO074MkAchobwG;


desc
@@


1.16
log
@firefox140: update to 140.10.2

Mozilla Foundation Security Advisory 2026-41
Security Vulnerabilities fixed in Firefox ESR 140.10.2

Announced
    May 7, 2026
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 140.10.2

#CVE-2026-8090: Use-after-free in the DOM: Networking component

Reporter
    Kevin Brosnan
Impact
    high

References

    Bug 2034352

#CVE-2026-8094: Other issue in the WebRTC component

Reporter
    Michael Froman
Impact
    high

References

    Bug 2035939

#CVE-2026-8092: Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2

Reporter
    Andrew McCreight, Christian Holler, Lee Salzman, Maurice Dauer, Tom Schuster, Wayne Mery and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2
@
text
@$NetBSD: distinfo,v 1.15 2026/04/30 21:47:25 gutteridge Exp $

BLAKE2s (firefox-140.10.2esr.source.tar.xz) = e8ccac19f20030271519ca34b325ee152f6f53f8343bea5b4c1cf1359a63aa4c
SHA512 (firefox-140.10.2esr.source.tar.xz) = bda7d5e6d59a2ad310e3f3e6e8ec05c78222edce266671d5d454dfa3e8f0086add3b9c0099db907cb62b2587ed47026ba7b3aa4f0406693d142d8d91b818d551
Size (firefox-140.10.2esr.source.tar.xz) = 638783848 bytes
BLAKE2s (nodejs-output-140.0.4.tgz) = 7ebb5993c8c9d7d5492afdb9fa7fef74fec7753fb0b14673817f24faf4a7fca4
SHA512 (nodejs-output-140.0.4.tgz) = e421b0b6be8b5b8dfda705eefcf4573a1270df9012dca5eac9ba0ac2af2bcc47dd66b1057106f8c2336a10bdcc39b9f852041dd33da9e7a8929d981dbb4e1fb4
Size (nodejs-output-140.0.4.tgz) = 245385 bytes
SHA1 (patch-browser_app_profile_firefox.js) = bc719edef37d18655ba79b030270438ee166fdaf
SHA1 (patch-build_moz.configure_init.configure) = 65deb3c233df0aab81eb1fca05d708e5a4ed169a
SHA1 (patch-build_moz.configure_rust.configure) = 25ddfacd29cebbc6db005dbe61a2a7446d480678
SHA1 (patch-config_gcc-stl-wrapper.template.h) = 9d1f15ff487efa9202114d19ed5668b4e7aa032a
SHA1 (patch-config_makefiles_rust.mk) = 3366ab089a23e66230e7e23749c10db38018fdd4
SHA1 (patch-dom_base_nsAttrName.h) = ac7ba441a3b27df2855cf2673eea36b1cb44ad49
SHA1 (patch-dom_webtransport_api_WebTransportDatagramDuplexStream.cpp) = b93b4c6367bd2fb3d1868ab7d97ca56c100be414
SHA1 (patch-gfx_angle_checkout_src_common_third__party_smhasher_src_PMurHash.cpp) = e458c9c8dc66edc69c1874734af28a77fc5e3993
SHA1 (patch-gfx_angle_checkout_src_compiler_translator_InfoSink.h) = b2adce9e65662283a11b6dcff40e95523e940045
SHA1 (patch-gfx_ots_src_name.cc) = 35ae5b2689eae8fab1ea351612f3628c14001f9e
SHA1 (patch-gfx_skia_skia_src_sksl_codegen_SkSLSPIRVCodeGenerator.cpp) = 3eb9855e20fe8b7784a9620fce4ffb96f4736f82
SHA1 (patch-intl_lwbrk_LineBreaker.cpp) = 46914fd55257c13021d697cbd309ae4db3b9c029
SHA1 (patch-ipc_chromium_src_base_message__pump__libevent.cc) = 298642a3527804115b398fb7904a3596962932e3
SHA1 (patch-ipc_chromium_src_base_platform__thread__posix.cc) = 753bb4e90758f5b42a51bbc073b328de673988cf
SHA1 (patch-ipc_glue_GeckoChildProcessHost.cpp) = 63fbee04321f7ade20db4ccc1a1218b848344ce1
SHA1 (patch-js-src-jit-arm64-vixl-MozCpu-vixl.cpp) = d90fca47d79551fd74214d47f8184670b901b792
SHA1 (patch-js_public_Utility.h) = bb5464a0398b91693ab362e6b9b06d48429b9e7d
SHA1 (patch-js_src_jit_FlushICache.cpp) = f5d1fcb391c36a29fb71a78dbf731ee6a1cb17b6
SHA1 (patch-js_src_util_NativeStack.cpp) = a0a16d8d8d78d3cc3f4d2a508586f1a7821f7dba
SHA1 (patch-js_src_vm_TypedArrayObject-inl.h) = e7913c8d4b2b05b67040baa64dae62d6ba40390e
SHA1 (patch-media_ffvpx_libavcodec_parser__list.c) = 3965eb52df3e0821807ddf258c1209a2dd636104
SHA1 (patch-media_ffvpx_libavutil_arm_bswap.h) = ae89120862442275d6b14446c5a63b0ef570124f
SHA1 (patch-media_libpng_pngpriv.h) = 8320a1f7534ed5c4914b597bb3d6117d0060318f
SHA1 (patch-modules_fdlibm_src_math__private.h) = e20b6c23011d7123cbbd64a500eb8ce8c426620e
SHA1 (patch-netwerk_protocol_http_nsHttpHandler.cpp) = 67493b4635041d21ff9fbfda80b3197fed542a26
SHA1 (patch-nsprpub_pr_src_pthreads_ptsynch.c) = 753fd4d62088c870aefe7c4b739286259848446e
SHA1 (patch-python_mozbuild_mozbuild_backend_recursivemake.py) = 5be4183d9075f5a3a3c6b3e0338473af185fb50e
SHA1 (patch-python_mozbuild_mozbuild_frontend_reader.py) = 57cad432ccc18e790e2cf00732f499116c79f4c1
SHA1 (patch-third__party_abseil-cpp_absl_debugging_internal_elf__mem__image.cc) = 3c015fe094aa1d4e8259a7cda08ce06e0ae506f0
SHA1 (patch-third__party_abseil-cpp_absl_debugging_internal_vdso__support.cc) = f9c44d0d6fd952296f23c24f56053958b30d8e5c
SHA1 (patch-third__party_js_cfworker_build.sh) = 46cdf97b99cf01080f290ae8d9a33b5f869fc3e4
SHA1 (patch-third__party_libwebrtc_modules_audio__device_audio__device__impl.cc) = 47ba1a2b88b3fdfd16cd29da3eb1e4a218ecada8
SHA1 (patch-third__party_libwebrtc_modules_desktop__capture_desktop__capture__gn_moz.build) = d0454784eb72be49162f619579e060a0de3c480f
SHA1 (patch-third__party_libwebrtc_modules_desktop__capture_linux_wayland_egl__dmabuf.cc) = 455be625b5de2f6f1f4b2dbb6c8cb33ca16c2583
SHA1 (patch-third__party_libwebrtc_modules_video__capture_linux_device__info__v4l2.cc) = 8831d477f14fd4f8f735ff0c1a322cba8c70e277
SHA1 (patch-third__party_libwebrtc_modules_video__capture_linux_video__capture__v4l2.cc) = 8111952a107eb2cd665525ddd0e27c79eee3c1cd
SHA1 (patch-third__party_libwebrtc_modules_video__capture_video__capture__options.cc) = e15f7e365ef6d57cd262f920f49c4d73f3a13305
SHA1 (patch-third__party_libwebrtc_rtc__base_memory__usage.cc) = f8d926d400bf3df107127823eac27816f4b85644
SHA1 (patch-third__party_libwebrtc_rtc__base_physical__socket__server.cc) = 6909c4da9e7b3785252e5bce9be0ff47ebb87e01
SHA1 (patch-third__party_libwebrtc_rtc__base_platform__thread__types.cc) = 8ae75100775037347008d168eedc151e0e993b0f
SHA1 (patch-third__party_libwebrtc_system__wrappers_source_cpu__features__linux.cc) = b90e22b50879f7adcc1da3a993f52c0701b720f8
SHA1 (patch-third__party_python_dlmanager_check.py) = 69054522d8ced8cb47e65e5a8b1a87ed5ce6708e
SHA1 (patch-third__party_python_jsonschema_jsonschema_validators.py) = 24c84c8f8ca2bc39088001dffdcb05be3ac84c76
SHA1 (patch-third__party_sqlite3_ext_moz.build) = 026483e9cdc61eda80b699978b1677e1b6d3ff6d
SHA1 (patch-third__party_sqlite3_src_moz.build) = b26856a4b87aa12211575d9982f62dc899474b52
SHA1 (patch-third__party_wasm2c_src_c-writer.cc) = 38eb2ee0e00722aa1380540b83648b43723719aa
SHA1 (patch-third__party_wasm2c_src_prebuilt_wasm2c__source__includes.cc) = 99d0db944f0c2d0c623460991efd423d9127c988
SHA1 (patch-toolkit_components_terminator_nsTerminator.cpp) = e905e38ef1b88d764c695c019f15609350c1c43b
SHA1 (patch-toolkit_moz.configure) = 1306e7ac3c3939886aff38a58dd3162e6517409b
SHA1 (patch-toolkit_mozapps_installer_packager.mk) = 706635b76a7b525794aba95e95544f09e18bb662
SHA1 (patch-xpcom_base_nscore.h) = 1ac4d34d3c9e80bc1ac966c6c84cb320bc0fa1ec
SHA1 (patch-xpcom_reflect_xptcall_md_unix_moz.build) = 8980398051fa16c7283acb6d323419993cce1420
@


1.15
log
@firefox140: note new patch added was already fixed upstream
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.14 2026/04/30 18:51:22 gutteridge Exp $
d3 3
a5 3
BLAKE2s (firefox-140.10.1esr.source.tar.xz) = c1ff3f87a5fe9357dafc87c008d6b2ada6dab049808e9be258f6dda37d44222a
SHA512 (firefox-140.10.1esr.source.tar.xz) = aa3481dbdda0a302acefff52007ba2e6927962523408b942a7df673e80618fc381faf1ca70ebaac3760645bf7cb382b85658af49beca705cd636ce9de58349a5
Size (firefox-140.10.1esr.source.tar.xz) = 638929340 bytes
@


1.14
log
@firefox140: update to 140.10.1

Mozilla Foundation Security Advisory 2026-36
Security Vulnerabilities fixed in Firefox ESR 140.10.1

Announced
    April 28, 2026
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 140.10.1

#CVE-2026-7320: Information disclosure due to incorrect boundary conditions in the Audio/Video component

Reporter
    Xuehao Guo
Impact
    high

References

    Bug 2027433

#CVE-2026-7321: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component

Reporter
    The Mozilla Fuzzing Team
Impact
    moderate

References

    Bug 2029461

#CVE-2026-7322: Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1

Reporter
    C.M.Chang, Christian Holler, Steve Fink and the Mozilla Fuzzing Team
Impact
    critical

Description

Memory safety bugs present in Firefox ESR 115.35.0, Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1

#CVE-2026-7323: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1

Reporter
    Ryan Hunt, Steve Fink and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.13 2026/04/21 13:40:08 gutteridge Exp $
d29 1
a29 1
SHA1 (patch-media_ffvpx_libavcodec_parser__list.c) = c739791026d9ea3ef2ccc1c37db9edc37635e8d4
@


1.13
log
@firefox140: update to 140.10

Mozilla Foundation Security Advisory 2026-32
Security Vulnerabilities fixed in Firefox ESR 140.10

Announced
    April 21, 2026
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 140.10

#CVE-2026-6746: Use-after-free in the DOM: Core & HTML component

Reporter
    Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact
    high

References

    Bug 2014596

#CVE-2026-6747: Use-after-free in the WebRTC component

Reporter
    Nan Wang
Impact
    high

References

    Bug 2021769

#CVE-2026-6748: Uninitialized memory in the Audio/Video: Web Codecs component

Reporter
    Inseo An
Impact
    high

References

    Bug 2022604

#CVE-2026-6749: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component

Reporter
    Inseo An
Impact
    high

References

    Bug 2022610

#CVE-2026-6750: Privilege escalation in the Graphics: WebRender component

Reporter
    choeseyeong
Impact
    high

References

    Bug 2023407

#CVE-2026-6751: Uninitialized memory in the Audio/Video: Web Codecs component

Reporter
    Joren Afman
Impact
    high

References

    Bug 2025883

#CVE-2026-6752: Incorrect boundary conditions in the WebRTC component

Reporter
    jmwebdevelopement
Impact
    high

References

    Bug 2027499

#CVE-2026-6753: Incorrect boundary conditions in the WebRTC component

Reporter
    jmwebdevelopement
Impact
    high

References

    Bug 2027501

#CVE-2026-6754: Use-after-free in the JavaScript Engine component

Reporter
    Xuehao Guo
Impact
    high

References

    Bug 2027541

#CVE-2026-6757: Invalid pointer in the JavaScript: WebAssembly component

Reporter
    Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact
    moderate

References

    Bug 2013588

#CVE-2026-6759: Use-after-free in the Widget: Cocoa component

Reporter
    Steven Michaud
Impact
    moderate

References

    Bug 2016164

#CVE-2026-6761: Privilege escalation in the Networking component

Reporter
    kiyong
Impact
    moderate

References

    Bug 2017857

#CVE-2026-6762: Spoofing issue in the DOM: Core & HTML component

Reporter
    Farras Givari
Impact
    moderate

References

    Bug 2021080

#CVE-2026-6763: Mitigation bypass in the File Handling component

Reporter
    Tomoya Nakanishi
Impact
    moderate

References

    Bug 2021666

#CVE-2026-6764: Incorrect boundary conditions in the DOM: Device Interfaces component

Reporter
    Florian
Impact
    moderate

References

    Bug 2022162

#CVE-2026-6765: Information disclosure in the Form Autofill component

Reporter
    ABDULAZIZ ALASAIQAH
Impact
    moderate

References

    Bug 2022419

#CVE-2026-6766: Incorrect boundary conditions in the Libraries component in NSS

Reporter
    Haruto Kimura
Impact
    moderate

References

    Bug 2023207

#CVE-2026-6767: Other issue in the Libraries component in NSS

Reporter
    Haruto Kimura
Impact
    moderate

References

    Bug 2023209

#CVE-2026-6769: Privilege escalation in the Debugger component

Reporter
    Tomoya Nakanishi
Impact
    moderate

References

    Bug 2023753

#CVE-2026-6770: Other issue in the Storage: IndexedDB component

Reporter
    Dai
Impact
    moderate

References

    Bug 2024220

#CVE-2026-6771: Mitigation bypass in the DOM: Security component

Reporter
    Rayhan Hanaputra
Impact
    moderate

References

    Bug 2025067

#CVE-2026-6772: Incorrect boundary conditions in the Libraries component in NSS

Reporter
    sseehra
Impact
    moderate

References

    Bug 2026089

#CVE-2026-6776: Incorrect boundary conditions in the WebRTC: Networking component

Reporter
    Nan Wang
Impact
    low

References

    Bug 2021770

#CVE-2026-6785: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150

Reporter
    Andrew McCreight, Ashley Zebrowski, Brian Grinstead, Christian Holler, Maurice Dauer, Tom Schuster and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

    Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150

#CVE-2026-6786: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150

Reporter
    Alex Franchuk, Andrew McCreight, Brian Grinstead, Christian Holler, Jan de Mooij, Maurice Dauer, Sebastian Hengst, Tom Schuster and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

    Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.12 2026/04/09 18:37:06 gutteridge Exp $
d3 3
a5 3
BLAKE2s (firefox-140.10.0esr.source.tar.xz) = 94fea47829730dbdb974dfdd694d214a86de37f21bf6a6aa98437f34e410c5ee
SHA512 (firefox-140.10.0esr.source.tar.xz) = 56b274df21d0a908e826af6dda89a42b77fb0f597b75542b0330d448ae22be07a3636a3187ff1b488e466cc8c5264a8a75f79901354a49e35a3e99dcb0852514
Size (firefox-140.10.0esr.source.tar.xz) = 636605480 bytes
d29 1
@


1.12
log
@firefox140: update to 140.9.1

Mozilla Foundation Security Advisory 2026-27
Security Vulnerabilities fixed in Firefox ESR 140.9.1

Announced
    April 7, 2026
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 140.9.1

#CVE-2026-5732: Incorrect boundary conditions, integer overflow in the Graphics: Text component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2017867

#CVE-2026-5731: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

Reporter
    Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

#CVE-2026-5734: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

Reporter
    Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.11 2026/03/24 13:11:35 gutteridge Exp $
d3 3
a5 3
BLAKE2s (firefox-140.9.1esr.source.tar.xz) = 0602c185e37132155cbd4b9bc9b795295b99bc81eb2bf7c282bf5b29b21aa0d9
SHA512 (firefox-140.9.1esr.source.tar.xz) = 119a4e4e536fd4534adcc4a546a988e553285f9326bf16e9771854ec2dc7d039a729aedc5925623e172260a5e154172c56a011f131068736eb2a89a8de611840
Size (firefox-140.9.1esr.source.tar.xz) = 634745800 bytes
@


1.11
log
@firefox140: update to 140.9

Mozilla Foundation Security Advisory 2026-22
Security Vulnerabilities fixed in Firefox ESR 140.9

Announced
    March 24, 2026
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 140.9

#CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component

Reporter
    Oskar L
Impact
    high

References

    Bug 2011129

#CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2016349

#CVE-2026-4686: Incorrect boundary conditions in the Graphics: Canvas2D component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2016351

#CVE-2026-4687: Sandbox escape due to incorrect boundary conditions in the Telemetry component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2016368

#CVE-2026-4688: Sandbox escape due to use-after-free in the Disability Access APIs component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2016373

#CVE-2026-4689: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2016374

#CVE-2026-4690: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2016375

#CVE-2026-4691: Use-after-free in the CSS Parsing and Computation component

Reporter
    Fabius Artrel
Impact
    high

References

    Bug 2017512

#CVE-2026-4692: Sandbox escape in the Responsive Design Mode component

Reporter
    Tom Ritter
Impact
    high

References

    Bug 2017643

#CVE-2026-4693: Incorrect boundary conditions in the Audio/Video: Playback component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2018102

#CVE-2026-4694: Incorrect boundary conditions, integer overflow in the Graphics component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2018430

#CVE-2026-4695: Incorrect boundary conditions in the Audio/Video: Web Codecs component

Reporter
    Atte Kettunen
Impact
    high

References

    Bug 2020030

#CVE-2026-4696: Use-after-free in the Layout: Text and Fonts component

Reporter
    Sota Wada
Impact
    high

References

    Bug 2020190

#CVE-2026-4697: Incorrect boundary conditions in the Audio/Video: Web Codecs component

Reporter
    Lorenzo
Impact
    high

References

    Bug 2020422

#CVE-2026-4698: JIT miscompilation in the JavaScript Engine: JIT component

Reporter
    maxpl0it working with Trend Micro Zero Day Initiative
Impact
    high

References

    Bug 2020906

#CVE-2026-4699: Incorrect boundary conditions in the Layout: Text and Fonts component

Reporter
    Matej Smycka
Impact
    high

References

    Bug 2021863

#CVE-2026-4700: Mitigation bypass in the Networking: HTTP component

Reporter
    pizzahunthack1
Impact
    moderate

References

    Bug 2003766

#CVE-2026-4701: Use-after-free in the JavaScript Engine component

Reporter
    Gary Kwong
Impact
    moderate

References

    Bug 2009303

#CVE-2026-4702: JIT miscompilation in the JavaScript Engine component

Reporter
    Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact
    moderate

References

    Bug 2013560

#CVE-2026-4704: Denial-of-service in the WebRTC: Signaling component

Reporter
    Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact
    moderate

References

    Bug 2014868

#CVE-2026-4705: Undefined behavior in the WebRTC: Signaling component

Reporter
    Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact
    moderate

References

    Bug 2014873

#CVE-2026-4706: Incorrect boundary conditions in the Graphics: Canvas2D component

Reporter
    Jun Yang
Impact
    moderate

References

    Bug 2015091

#CVE-2026-4707: Incorrect boundary conditions in the Graphics: Canvas2D component

Reporter
    Sajeeb Lohani
Impact
    moderate

References

    Bug 2015267

#CVE-2026-4708: Incorrect boundary conditions in the Graphics component

Reporter
    Sajeeb Lohani
Impact
    moderate

References

    Bug 2015268

#CVE-2026-4709: Incorrect boundary conditions in the Audio/Video: GMP component

Reporter
    Sajeeb Lohani
Impact
    moderate

References

    Bug 2016329

#CVE-2026-4710: Incorrect boundary conditions in the Audio/Video component

Reporter
    Sajeeb Lohani
Impact
    moderate

References

    Bug 2016370

#CVE-2026-4711: Use-after-free in the Widget: Cocoa component

Reporter
    Josh Aas
Impact
    moderate

References

    Bug 2017002

#CVE-2026-4712: Information disclosure in the Widget: Cocoa component

Reporter
    Josh Aas
Impact
    moderate

References

    Bug 2017666

#CVE-2026-4713: Incorrect boundary conditions in the Graphics component

Reporter
    Sajeeb Lohani
Impact
    moderate

References

    Bug 2018113

#CVE-2026-4714: Incorrect boundary conditions in the Audio/Video component

Reporter
    Sajeeb Lohani
Impact
    moderate

References

    Bug 2018126

#CVE-2026-4715: Uninitialized memory in the Graphics: Canvas2D component

Reporter
    Jun Yang
Impact
    moderate

References

    Bug 2018405

#CVE-2026-4716: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component

Reporter
    Pwn2addr
Impact
    moderate

References

    Bug 2018592

#CVE-2026-4717: Privilege escalation in the Netmonitor component

Reporter
    Satoki Tsuji
Impact
    moderate

References

    Bug 2021695

#CVE-2025-59375: Denial-of-service in the XML component

Reporter
    Jan Horak
Impact
    low

References

    Bug 1988467

#CVE-2026-4718: Undefined behavior in the WebRTC: Signaling component

Reporter
    Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact
    low

References

    Bug 2014864

#CVE-2026-4719: Incorrect boundary conditions in the Graphics: Text component

Reporter
    Sajeeb Lohani
Impact
    low

References

    Bug 2016367

#CVE-2026-4720: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

Reporter
    Christian Holler, Gabriele Svelto, Tom Schuster and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

#CVE-2026-4721: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

Reporter
    Christian Holler, Timothy Nikkel, Tom Schuster and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.10 2026/02/24 14:07:55 gutteridge Exp $
d3 3
a5 3
BLAKE2s (firefox-140.9.0esr.source.tar.xz) = 75f692405065815d77747a641f067694ec99a82548df0f326dada4f6963ccfa7
SHA512 (firefox-140.9.0esr.source.tar.xz) = bc03fd2a73d00a88bd0a3c9eeaefe618ffb34226fb7bc2fac4a02246ff29fe038423bf77538273ee6fac25fb1e3e4fa98bb522026ae3427a0ad5f41d2ec6ba98
Size (firefox-140.9.0esr.source.tar.xz) = 630445704 bytes
@


1.11.2.1
log
@Pullup ticket #7074 - requested by gutteridge
www/firefox140: security fix
www/firefox140-l10n: dependent update

Revisions pulled up:
- www/firefox140-l10n/Makefile                                  1.8
- www/firefox140-l10n/distinfo                                  1.8
- www/firefox140/Makefile                                       1.13
- www/firefox140/distinfo                                       1.12

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Thu Apr  9 18:37:06 UTC 2026

   Modified Files:
           pkgsrc/www/firefox140: Makefile distinfo

   Log Message:
   firefox140: update to 140.9.1

   Mozilla Foundation Security Advisory 2026-27
   Security Vulnerabilities fixed in Firefox ESR 140.9.1

   Announced
       April 7, 2026
   Impact
       high
   Products
       Firefox ESR
   Fixed in

           Firefox ESR 140.9.1

   #CVE-2026-5732: Incorrect boundary conditions, integer overflow in the Graphics: Text component

   Reporter
       Sajeeb Lohani
   Impact
       high

   References

       Bug 2017867

   #CVE-2026-5731: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

   Reporter
       Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team
   Impact
       high

   Description

   Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
   References

       Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

   #CVE-2026-5734: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

   Reporter
       Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team
   Impact
       high

   Description

   Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
   References

       Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Thu Apr  9 18:39:26 UTC 2026

   Modified Files:
           pkgsrc/www/firefox140-l10n: Makefile distinfo

   Log Message:
   firefox140-l10n: update to 140.9.1
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.11 2026/03/24 13:11:35 gutteridge Exp $
d3 3
a5 3
BLAKE2s (firefox-140.9.1esr.source.tar.xz) = 0602c185e37132155cbd4b9bc9b795295b99bc81eb2bf7c282bf5b29b21aa0d9
SHA512 (firefox-140.9.1esr.source.tar.xz) = 119a4e4e536fd4534adcc4a546a988e553285f9326bf16e9771854ec2dc7d039a729aedc5925623e172260a5e154172c56a011f131068736eb2a89a8de611840
Size (firefox-140.9.1esr.source.tar.xz) = 634745800 bytes
@


1.11.2.2
log
@Revbump all Go packages after go126 security fix
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.4.2.2 2026/01/14 18:58:46 maya Exp $
@


1.11.2.3
log
@Pullup ticket #7083 - requested by gutteridge
www/firefox140: security fix
www/firefox140-l10n: dependent update

Revisions pulled up:
- www/firefox140-l10n/Makefile                                  1.9
- www/firefox140-l10n/distinfo                                  1.9
- www/firefox140/Makefile                                       1.14
- www/firefox140/distinfo                                       1.13

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Tue Apr 21 13:40:08 UTC 2026

   Modified Files:
            pkgsrc/www/firefox140: Makefile distinfo

   Log Message:
   firefox140: update to 140.10

   Mozilla Foundation Security Advisory 2026-32
   Security Vulnerabilities fixed in Firefox ESR 140.10

   Announced
        April 21, 2026
   Impact
        high
   Products
        Firefox ESR
   Fixed in

            Firefox ESR 140.10

   #CVE-2026-6746: Use-after-free in the DOM: Core & HTML component

   Reporter
        Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng,
   Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from
   Anthropic
   Impact
        high

   References

        Bug 2014596

   #CVE-2026-6747: Use-after-free in the WebRTC component

   Reporter
        Nan Wang
   Impact
        high

   References

        Bug 2021769

   #CVE-2026-6748: Uninitialized memory in the Audio/Video: Web Codecs
   component

   Reporter
        Inseo An
   Impact
        high

   References

        Bug 2022604

   #CVE-2026-6749: Information disclosure due to uninitialized memory in
   the Graphics: Canvas2D component

   Reporter
        Inseo An
   Impact
        high

   References

        Bug 2022610

   #CVE-2026-6750: Privilege escalation in the Graphics: WebRender
   component

   Reporter
        choeseyeong
   Impact
        high

   References

        Bug 2023407

   #CVE-2026-6751: Uninitialized memory in the Audio/Video: Web Codecs
   component

   Reporter
        Joren Afman
   Impact
        high

   References

        Bug 2025883

   #CVE-2026-6752: Incorrect boundary conditions in the WebRTC component

   Reporter
        jmwebdevelopement
   Impact
        high

   References

        Bug 2027499

   #CVE-2026-6753: Incorrect boundary conditions in the WebRTC component

   Reporter
        jmwebdevelopement
   Impact
        high

   References

        Bug 2027501

   #CVE-2026-6754: Use-after-free in the JavaScript Engine component

   Reporter
        Xuehao Guo
   Impact
        high

   References

        Bug 2027541

   #CVE-2026-6757: Invalid pointer in the JavaScript: WebAssembly component

   Reporter
        Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng,
   Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from
   Anthropic
   Impact
        moderate

   References

        Bug 2013588

   #CVE-2026-6759: Use-after-free in the Widget: Cocoa component

   Reporter
        Steven Michaud
   Impact
        moderate

   References

        Bug 2016164

   #CVE-2026-6761: Privilege escalation in the Networking component

   Reporter
        kiyong
   Impact
        moderate

   References

        Bug 2017857

   #CVE-2026-6762: Spoofing issue in the DOM: Core & HTML component

   Reporter
        Farras Givari
   Impact
        moderate

   References

        Bug 2021080

   #CVE-2026-6763: Mitigation bypass in the File Handling component

   Reporter
        Tomoya Nakanishi
   Impact
        moderate

   References

        Bug 2021666

   #CVE-2026-6764: Incorrect boundary conditions in the DOM: Device
   Interfaces component

   Reporter
        Florian
   Impact
        moderate

   References

        Bug 2022162

   #CVE-2026-6765: Information disclosure in the Form Autofill component

   Reporter
        ABDULAZIZ ALASAIQAH
   Impact
        moderate

   References

        Bug 2022419

   #CVE-2026-6766: Incorrect boundary conditions in the Libraries component
   in NSS

   Reporter
        Haruto Kimura
   Impact
        moderate

   References

        Bug 2023207

   #CVE-2026-6767: Other issue in the Libraries component in NSS

   Reporter
        Haruto Kimura
   Impact
        moderate

   References

        Bug 2023209

   #CVE-2026-6769: Privilege escalation in the Debugger component

   Reporter
        Tomoya Nakanishi
   Impact
        moderate

   References

        Bug 2023753

   #CVE-2026-6770: Other issue in the Storage: IndexedDB component

   Reporter
        Dai
   Impact
        moderate

   References

        Bug 2024220

   #CVE-2026-6771: Mitigation bypass in the DOM: Security component

   Reporter
        Rayhan Hanaputra
   Impact
        moderate

   References

        Bug 2025067

   #CVE-2026-6772: Incorrect boundary conditions in the Libraries component
   in NSS

   Reporter
        sseehra
   Impact
        moderate

   References

        Bug 2026089

   #CVE-2026-6776: Incorrect boundary conditions in the WebRTC: Networking
   component

   Reporter
        Nan Wang
   Impact
        low

   References

        Bug 2021770

   #CVE-2026-6785: Memory safety bugs fixed in Firefox ESR 115.35, Firefox
   ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150

   Reporter
        Andrew McCreight, Ashley Zebrowski, Brian Grinstead, Christian
   Holler, Maurice Dauer, Tom Schuster and the Mozilla Fuzzing Team
   Impact
        high

   Description

   Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9,
   Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these
   bugs showed evidence of memory corruption and we presume
   that with enough effort some of these could have been exploited to run
   arbitrary code.

   References

        Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10,
   Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150

   #CVE-2026-6786: Memory safety bugs fixed in Firefox ESR 140.10,
   Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150

   Reporter
        Alex Franchuk, Andrew McCreight, Brian Grinstead, Christian Holler,
   Jan de Mooij, Maurice Dauer, Sebastian Hengst, Tom Schuster and the
   Mozilla Fuzzing Team
   Impact
        high

   Description

   Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9,
   Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of
   memory corruption and we presume that with enough effort
   some of these could have been exploited to run arbitrary code.

   References

        Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR
   140.10, Firefox 150 and Thunderbird 150

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Tue Apr 21 13:42:06 UTC 2026

   Modified Files:
            pkgsrc/www/firefox140-l10n: Makefile distinfo

   Log Message:
   firefox140-l10n: update to 140.10
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.11.2.2 2026/04/22 14:32:19 maya Exp $
d3 3
a5 3
BLAKE2s (firefox-140.10.0esr.source.tar.xz) = 94fea47829730dbdb974dfdd694d214a86de37f21bf6a6aa98437f34e410c5ee
SHA512 (firefox-140.10.0esr.source.tar.xz) = 56b274df21d0a908e826af6dda89a42b77fb0f597b75542b0330d448ae22be07a3636a3187ff1b488e466cc8c5264a8a75f79901354a49e35a3e99dcb0852514
Size (firefox-140.10.0esr.source.tar.xz) = 636605480 bytes
@


1.11.2.4
log
@Pullup ticket #7087 - requested by gutteridge
www/firefox140: security fix
www/firefox140-l10n: dependent update

Revisions pulled up:
- www/firefox140-l10n/Makefile                                  1.10
- www/firefox140-l10n/distinfo                                  1.10
- www/firefox140/Makefile                                       1.15
- www/firefox140/distinfo                                       1.14-1.15
- www/firefox140/patches/patch-media_ffvpx_libavcodec_parser__list.c 1.1-1.2

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Thu Apr 30 18:51:23 UTC 2026

   Modified Files:
           pkgsrc/www/firefox140: Makefile distinfo
   Added Files:
           pkgsrc/www/firefox140/patches:
               patch-media_ffvpx_libavcodec_parser__list.c

   Log Message:
   firefox140: update to 140.10.1

   Mozilla Foundation Security Advisory 2026-36
   Security Vulnerabilities fixed in Firefox ESR 140.10.1

   Announced
       April 28, 2026
   Impact
       high
   Products
       Firefox ESR
   Fixed in

           Firefox ESR 140.10.1

   #CVE-2026-7320: Information disclosure due to incorrect boundary conditions in the Audio/Video component

   Reporter
       Xuehao Guo
   Impact
       high

   References

       Bug 2027433

   #CVE-2026-7321: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component

   Reporter
       The Mozilla Fuzzing Team
   Impact
       moderate

   References

       Bug 2029461

   #CVE-2026-7322: Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1

   Reporter
       C.M.Chang, Christian Holler, Steve Fink and the Mozilla Fuzzing Team
   Impact
       critical

   Description

   Memory safety bugs present in Firefox ESR 115.35.0, Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of
   these could have been exploited to run arbitrary code.
   References

       Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1

   #CVE-2026-7323: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1

   Reporter
       Ryan Hunt, Steve Fink and the Mozilla Fuzzing Team
   Impact
       high

   Description

   Memory safety bugs present in Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been
   exploited to run arbitrary code.
   References

       Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Thu Apr 30 18:53:28 UTC 2026

   Modified Files:
           pkgsrc/www/firefox140-l10n: Makefile distinfo

   Log Message:
   firefox140-l10n: update to 140.10.1

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Thu Apr 30 21:47:25 UTC 2026

   Modified Files:
           pkgsrc/www/firefox140: distinfo
           pkgsrc/www/firefox140/patches:
               patch-media_ffvpx_libavcodec_parser__list.c

   Log Message:
   firefox140: note new patch added was already fixed upstream
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.11.2.3 2026/04/26 19:35:21 bsiegert Exp $
d3 3
a5 3
BLAKE2s (firefox-140.10.1esr.source.tar.xz) = c1ff3f87a5fe9357dafc87c008d6b2ada6dab049808e9be258f6dda37d44222a
SHA512 (firefox-140.10.1esr.source.tar.xz) = aa3481dbdda0a302acefff52007ba2e6927962523408b942a7df673e80618fc381faf1ca70ebaac3760645bf7cb382b85658af49beca705cd636ce9de58349a5
Size (firefox-140.10.1esr.source.tar.xz) = 638929340 bytes
a28 1
SHA1 (patch-media_ffvpx_libavcodec_parser__list.c) = 3965eb52df3e0821807ddf258c1209a2dd636104
@


1.11.2.5
log
@Pullup ticket #7102 - requested by gutteridge
www/firefox140: Security fix
www/firefox140-l10n: Security fix

Revisions pulled up:
- www/firefox140-l10n/Makefile                                  1.11
- www/firefox140-l10n/distinfo                                  1.11
- www/firefox140/Makefile                                       1.16
- www/firefox140/distinfo                                       1.16

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Thu May  7 20:25:32 UTC 2026

   Modified Files:
           pkgsrc/www/firefox140: Makefile distinfo

   Log Message:
   firefox140: update to 140.10.2

   Mozilla Foundation Security Advisory 2026-41
   Security Vulnerabilities fixed in Firefox ESR 140.10.2

   Announced
       May 7, 2026
   Impact
       high
   Products
       Firefox ESR
   Fixed in

           Firefox ESR 140.10.2

   #CVE-2026-8090: Use-after-free in the DOM: Networking component

   Reporter
       Kevin Brosnan
   Impact
       high

   References

       Bug 2034352

   #CVE-2026-8094: Other issue in the WebRTC component

   Reporter
       Michael Froman
   Impact
       high

   References

       Bug 2035939

   #CVE-2026-8092: Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox
   ESR 140.10.2 and Firefox 150.0.2

   Reporter
       Andrew McCreight, Christian Holler, Lee Salzman, Maurice Dauer, Tom
   Schuster, Wayne Mery and the Mozilla Fuzzing Team
   Impact
       high

   Description

   Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1
   and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption
   and we presume that with enough effort some of these could have been
   exploited to run arbitrary code.
   References

       Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2
   and Firefox 150.0.2

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Thu May  7 20:26:58 UTC 2026

   Modified Files:
           pkgsrc/www/firefox140-l10n: Makefile distinfo

   Log Message:
   firefox140-l10n: update to 140.10.2
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.11.2.4 2026/05/02 19:26:59 bsiegert Exp $
d3 3
a5 3
BLAKE2s (firefox-140.10.2esr.source.tar.xz) = e8ccac19f20030271519ca34b325ee152f6f53f8343bea5b4c1cf1359a63aa4c
SHA512 (firefox-140.10.2esr.source.tar.xz) = bda7d5e6d59a2ad310e3f3e6e8ec05c78222edce266671d5d454dfa3e8f0086add3b9c0099db907cb62b2587ed47026ba7b3aa4f0406693d142d8d91b818d551
Size (firefox-140.10.2esr.source.tar.xz) = 638783848 bytes
@


1.10
log
@firefox140: update to 140.8

Mozilla Foundation Security Advisory 2026-15
Security Vulnerabilities fixed in Firefox ESR 140.8

Announced
    February 24, 2026
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 140.8

#CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component

Reporter
    Igor Morgenstern
Impact
    high

References

    Bug 2001637

#CVE-2026-2758: Use-after-free in the JavaScript: GC component

Reporter
    Gary Kwong
Impact
    high

References

    Bug 2009608

#CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib component

Reporter
    stevej
Impact
    high

References

    Bug 2010933

#CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component

Reporter
    Oskar L
Impact
    high

References

    Bug 2011062

#CVE-2026-2761: Sandbox escape in the Graphics: WebRender component

Reporter
    Oskar L
Impact
    high

References

    Bug 2011063

#CVE-2026-2762: Integer overflow in the JavaScript: Standard Library component

Reporter
    André Bargull
Impact
    high

References

    Bug 2011649

#CVE-2026-2763: Use-after-free in the JavaScript Engine component

Reporter
    Information to follow
Impact
    high

References

    Bug 2012018

#CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component

Reporter
    Information to follow
Impact
    high

References

    Bug 2012608

#CVE-2026-2765: Use-after-free in the JavaScript Engine component

Reporter
    Information to follow
Impact
    high

References

    Bug 2013562

#CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component

Reporter
    Information to follow
Impact
    high

References

    Bug 2013583

#CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2013741

#CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2014101

#CVE-2026-2769: Use-after-free in the Storage: IndexedDB component

Reporter
    Information to follow
Impact
    high

References

    Bug 2014550

#CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component

Reporter
    Information to follow
Impact
    high

References

    Bug 2014585

#CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component

Reporter
    Information to follow
Impact
    high

References

    Bug 2014593

#CVE-2026-2772: Use-after-free in the Audio/Video: Playback component

Reporter
    Information to follow
Impact
    high

References

    Bug 2014827

#CVE-2026-2773: Incorrect boundary conditions in the Web Audio component

Reporter
    Information to follow
Impact
    high

References

    Bug 2014832

#CVE-2026-2774: Integer overflow in the Audio/Video component

Reporter
    Information to follow
Impact
    high

References

    Bug 2014883

#CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component

Reporter
    Information to follow
Impact
    high

References

    Bug 2015199

#CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2015266

#CVE-2026-2777: Privilege escalation in the Messaging System component

Reporter
    Richard Belisle
Impact
    high

References

    Bug 2015305

#CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component

Reporter
    Sajeeb Lohani
Impact
    high

References

    Bug 2016358

#CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component

Reporter
    Alex Mayorga
Impact
    moderate

References

    Bug 1164141

#CVE-2026-2780: Privilege escalation in the Netmonitor component

Reporter
    RyotaK
Impact
    moderate

References

    Bug 2007829

#CVE-2026-2781: Integer overflow in the Libraries component in NSS

Reporter
    Clay Ver Valen
Impact
    moderate

References

    Bug 2009552

#CVE-2026-2782: Privilege escalation in the Netmonitor component

Reporter
    Cody
Impact
    moderate

References

    Bug 2010743

#CVE-2026-2783: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component

Reporter
    x0e
Impact
    moderate

References

    Bug 2010943

#CVE-2026-2784: Mitigation bypass in the DOM: Security component

Reporter
    D. Santos
Impact
    moderate

References

    Bug 2012984

#CVE-2026-2785: Invalid pointer in the JavaScript Engine component

Reporter
    Information to follow
Impact
    moderate

References

    Bug 2013549

#CVE-2026-2786: Use-after-free in the JavaScript Engine component

Reporter
    Information to follow
Impact
    moderate

References

    Bug 2013612

#CVE-2026-2787: Use-after-free in the DOM: Window and Location component

Reporter
    Information to follow
Impact
    moderate

References

    Bug 2014560

#CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component

Reporter
    Information to follow
Impact
    moderate

References

    Bug 2014824

#CVE-2026-2789: Use-after-free in the Graphics: ImageLib component

Reporter
    Information to follow
Impact
    moderate

References

    Bug 2015179

#CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component

Reporter
    Surya Dev Singh
Impact
    low

References

    Bug 2008426

#CVE-2026-2791: Mitigation bypass in the Networking: Cache component

Reporter
    Information to follow
Impact
    low

References

    Bug 2015220

#CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148

Reporter
    Andrew McCreight, Maurice Dauer, Olli Pettay, Ryan Hunt
Impact
    high

Description

Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148

#CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148

Reporter
    Andrew McCreight, Christian Holler
Impact
    high

Description

Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.9 2026/02/17 00:26:49 gutteridge Exp $
d3 3
a5 3
BLAKE2s (firefox-140.8.0esr.source.tar.xz) = ddbe76491a3a5af88432b96b26a2ebb656819a780f2249d5198b4a8b94ac41ad
SHA512 (firefox-140.8.0esr.source.tar.xz) = 3baca73c5c264884afa4b1d76ded4417119640e1161b8fed4ca406f0ec44e7f685258f5085f473dc9eff9057a6548a9b59cec3c696358dd1032503aa75f91d05
Size (firefox-140.8.0esr.source.tar.xz) = 633564864 bytes
@


1.9
log
@firefox140: update to 140.7.1

Addresses a single high-severity security issue:
CVE-2026-2447: Heap buffer overflow in libvpx
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.8 2026/01/13 17:20:06 gutteridge Exp $
d3 3
a5 3
BLAKE2s (firefox-140.7.1esr.source.tar.xz) = d916a5d95215d3efba9cb45f083396a4a57b41c92ef5d5f85e4a7687ffaccc23
SHA512 (firefox-140.7.1esr.source.tar.xz) = 7d867fa3c9c94903f6583be75ad4aa8d918f98f74c99c6615a0e40caf21c545a30149115214876693ef1758a320ebdccef017c484365c195e55998cce088663c
Size (firefox-140.7.1esr.source.tar.xz) = 635535480 bytes
@


1.8
log
@firefox140: update to 140.7.0

Mozilla Foundation Security Advisory 2026-03
Security Vulnerabilities fixed in Firefox ESR 140.7

Announced
    January 13, 2026
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 140.7

#CVE-2026-0877: Mitigation bypass in the DOM: Security component

Reporter
    mingijung
Impact
    high

References

    Bug 1999257

#CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component

Reporter
    Oskar L
Impact
    high

References

    Bug 2003989

#CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component

Reporter
    Oskar L
Impact
    high

References

    Bug 2004602

#CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component

Reporter
    Oskar L
Impact
    high

References

    Bug 2005014

#CVE-2026-0882: Use-after-free in the IPC component

Reporter
    Randell Jesup
Impact
    high

References

    Bug 1924125

#CVE-2025-14327: Spoofing issue in the Downloads Panel component

Reporter
    Caro Kann
Impact
    moderate

References

    Bug 1970743

#CVE-2026-0883: Information disclosure in the Networking component

Reporter
    Vladislav Plyatsok
Impact
    moderate

References

    Bug 1989340

#CVE-2026-0884: Use-after-free in the JavaScript Engine component

Reporter
    Gary Kwong and Nan Wang
Impact
    moderate

References

    Bug 2003588

#CVE-2026-0885: Use-after-free in the JavaScript: GC component

Reporter
    Irvan Kurniawan
Impact
    moderate

References

    Bug 2003607

#CVE-2026-0886: Incorrect boundary conditions in the Graphics component

Reporter
    Oskar L
Impact
    moderate

References

    Bug 2005658

#CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component

Reporter
    Lyra Rebane
Impact
    moderate

References

    Bug 2006500

#CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component

Reporter
    Edgar Chen
Impact
    low

References

    Bug 2005081

#CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

Reporter
    Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

    Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.7 2026/01/06 23:27:50 gutteridge Exp $
d3 3
a5 3
BLAKE2s (firefox-140.7.0esr.source.tar.xz) = aff38f46c7b263dd45a2362eb269f25a7db3b6218e0480c88dcdad66100ab3f7
SHA512 (firefox-140.7.0esr.source.tar.xz) = 7781b1e203130c1cdf2a0c2ecb05a9cfa824c75d467e7faca78b66bd5568c821324112aecb774883d9f447af7fa4ade36488ff1017255af5510c8f641990e472
Size (firefox-140.7.0esr.source.tar.xz) = 641146512 bytes
@


1.7
log
@firefox140: fix builds with ICU >= 78.1
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.6 2026/01/02 14:27:02 tnn Exp $
d3 3
a5 3
BLAKE2s (firefox-140.6.0esr.source.tar.xz) = 7a8bd60f08fdd421ac94fa13ff776eff21cba8f432d85a60fce3a2c0c57066d6
SHA512 (firefox-140.6.0esr.source.tar.xz) = ed66657bd4b2d94791892261d7c0c0d950b4f630d12ab28a777d93393427451a9aa125e5a01ee15f2ac0ff378d0be074a08583dcffd35609112ba4e6f9ada798
Size (firefox-140.6.0esr.source.tar.xz) = 643086844 bytes
@


1.6
log
@firefox140: backport patch
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.5 2025/12/24 02:11:49 gutteridge Exp $
d20 1
@


1.5
log
@firefox140: fix builds with Python >= 3.14

Build failure reported by Hisashi Todd Fujinaka in PR pkg/59854. A fix
was applied upstream by Mozilla directly against their "vendored"
version of jsonschema, but not backported to the ESR branch.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.4 2025/12/15 21:04:49 gutteridge Exp $
d28 1
a28 1
SHA1 (patch-media_ffvpx_libavutil_arm_bswap.h) = 019677e249e744baea857ca17ef69d977f43b3a4
@


1.4
log
@firefox140: fix builds with NetBSD >= 11.99.4
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.3 2025/12/11 11:05:21 leot Exp $
d49 1
@


1.4.2.1
log
@Pullup ticket #7038 - requested by gutteridge
www/firefox140: build fix

Revisions pulled up:
- www/firefox140/distinfo                                       1.5
- www/firefox140/patches/patch-third__party_python_jsonschema_jsonschema_validators.py 1.1

---
   Module Name:	pkgsrc
   Committed By:	gutteridge
   Date:		Wed Dec 24 02:11:49 UTC 2025

   Modified Files:
   	pkgsrc/www/firefox140: distinfo
   Added Files:
   	pkgsrc/www/firefox140/patches:
   	    patch-third__party_python_jsonschema_jsonschema_validators.py

   Log Message:
   firefox140: fix builds with Python >= 3.14

   Build failure reported by Hisashi Todd Fujinaka in PR pkg/59854. A fix
   was applied upstream by Mozilla directly against their "vendored"
   version of jsonschema, but not backported to the ESR branch.
@
text
@d1 1
a1 1
$NetBSD$
a48 1
SHA1 (patch-third__party_python_jsonschema_jsonschema_validators.py) = 24c84c8f8ca2bc39088001dffdcb05be3ac84c76
@


1.4.2.2
log
@Pullup ticket #7044 - requested by gutteridge
www/firefox140: Security fix
www/firefox140-l10n: Security fix

Revisions pulled up:
- www/firefox140-l10n/Makefile                                  1.4
- www/firefox140-l10n/distinfo                                  1.4
- www/firefox140/Makefile                                       1.8
- www/firefox140/distinfo                                       1.8

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Tue Jan 13 17:20:06 UTC 2026

   Modified Files:
            pkgsrc/www/firefox140: Makefile distinfo

   Log Message:
   firefox140: update to 140.7.0

   Mozilla Foundation Security Advisory 2026-03
   Security Vulnerabilities fixed in Firefox ESR 140.7

   Announced
        January 13, 2026
   Impact
        high
   Products
        Firefox ESR
   Fixed in

            Firefox ESR 140.7

   #CVE-2026-0877: Mitigation bypass in the DOM: Security component

   Reporter
        mingijung
   Impact
        high

   References

        Bug 1999257

   #CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in
   the Graphics: CanvasWebGL component

   Reporter
        Oskar L
   Impact
        high

   References

        Bug 2003989

   #CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in
   the Graphics component

   Reporter
        Oskar L
   Impact
        high

   References

        Bug 2004602

   #CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics
   component

   Reporter
        Oskar L
   Impact
        high

   References

        Bug 2005014

   #CVE-2026-0882: Use-after-free in the IPC component

   Reporter
        Randell Jesup
   Impact
        high

   References

        Bug 1924125

   #CVE-2025-14327: Spoofing issue in the Downloads Panel component

   Reporter
        Caro Kann
   Impact
        moderate

   References

        Bug 1970743

   #CVE-2026-0883: Information disclosure in the Networking component

   Reporter
        Vladislav Plyatsok
   Impact
        moderate

   References

        Bug 1989340

   #CVE-2026-0884: Use-after-free in the JavaScript Engine component

   Reporter
        Gary Kwong and Nan Wang
   Impact
        moderate

   References

        Bug 2003588

   #CVE-2026-0885: Use-after-free in the JavaScript: GC component

   Reporter
        Irvan Kurniawan
   Impact
        moderate

   References

        Bug 2003607

   #CVE-2026-0886: Incorrect boundary conditions in the Graphics component

   Reporter
        Oskar L
   Impact
        moderate

   References

        Bug 2005658

   #CVE-2026-0887: Clickjacking issue, information disclosure in the PDF
   Viewer component

   Reporter
        Lyra Rebane
   Impact
        moderate

   References

        Bug 2006500

   #CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop
   component

   Reporter
        Edgar Chen
   Impact
        low

   References

        Bug 2005081

   #CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7,
   Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

   Reporter
        Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team
   Impact
        high

   Description

   Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6,
   Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of
   memory corruption and we presume that with enough effort
   some of these could have been exploited to run arbitrary code.

   References

        Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR
   140.7, Firefox 147 and Thunderbird 147

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Tue Jan 13 17:23:35 UTC 2026

   Modified Files:
            pkgsrc/www/firefox140-l10n: Makefile distinfo

   Log Message:
   firefox140-l10n: update to 140.7.0

   Sync with www/firefox140 version.
@
text
@d3 3
a5 3
BLAKE2s (firefox-140.7.0esr.source.tar.xz) = aff38f46c7b263dd45a2362eb269f25a7db3b6218e0480c88dcdad66100ab3f7
SHA512 (firefox-140.7.0esr.source.tar.xz) = 7781b1e203130c1cdf2a0c2ecb05a9cfa824c75d467e7faca78b66bd5568c821324112aecb774883d9f447af7fa4ade36488ff1017255af5510c8f641990e472
Size (firefox-140.7.0esr.source.tar.xz) = 641146512 bytes
@


1.4.2.3
log
@Pullup ticket #7045 - requested by gutteridge
www/firefox140: security fix
www/firefox140-l10n: dependent update

Revisions pulled up:
- www/firefox140-l10n/Makefile                                  1.6
- www/firefox140-l10n/distinfo                                  1.6
- www/firefox140/Makefile                                       1.11
- www/firefox140/distinfo                                       1.10

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Tue Feb 24 14:07:55 UTC 2026

   Modified Files:
           pkgsrc/www/firefox140: Makefile distinfo

   Log Message:
   firefox140: update to 140.8

   Mozilla Foundation Security Advisory 2026-15
   Security Vulnerabilities fixed in Firefox ESR 140.8

   Announced
       February 24, 2026
   Impact
       high
   Products
       Firefox ESR
   Fixed in

           Firefox ESR 140.8

   #CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component

   Reporter
       Igor Morgenstern
   Impact
       high

   References

       Bug 2001637

   #CVE-2026-2758: Use-after-free in the JavaScript: GC component

   Reporter
       Gary Kwong
   Impact
       high

   References

       Bug 2009608

   #CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib component

   Reporter
       stevej
   Impact
       high

   References

       Bug 2010933

   #CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component

   Reporter
       Oskar L
   Impact
       high

   References

       Bug 2011062

   #CVE-2026-2761: Sandbox escape in the Graphics: WebRender component

   Reporter
       Oskar L
   Impact
       high

   References

       Bug 2011063

   #CVE-2026-2762: Integer overflow in the JavaScript: Standard Library component

   Reporter
       André Bargull
   Impact
       high

   References

       Bug 2011649

   #CVE-2026-2763: Use-after-free in the JavaScript Engine component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2012018

   #CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2012608

   #CVE-2026-2765: Use-after-free in the JavaScript Engine component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2013562

   #CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2013583

   #CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component

   Reporter
       Sajeeb Lohani
   Impact
       high

   References

       Bug 2013741

   #CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component

   Reporter
       Sajeeb Lohani
   Impact
       high

   References

       Bug 2014101

   #CVE-2026-2769: Use-after-free in the Storage: IndexedDB component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2014550

   #CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2014585

   #CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2014593

   #CVE-2026-2772: Use-after-free in the Audio/Video: Playback component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2014827

   #CVE-2026-2773: Incorrect boundary conditions in the Web Audio component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2014832

   #CVE-2026-2774: Integer overflow in the Audio/Video component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2014883

   #CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component

   Reporter
       Information to follow
   Impact
       high

   References

       Bug 2015199

   #CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software

   Reporter
       Sajeeb Lohani
   Impact
       high

   References

       Bug 2015266

   #CVE-2026-2777: Privilege escalation in the Messaging System component

   Reporter
       Richard Belisle
   Impact
       high

   References

       Bug 2015305

   #CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component

   Reporter
       Sajeeb Lohani
   Impact
       high

   References

       Bug 2016358

   #CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component

   Reporter
       Alex Mayorga
   Impact
       moderate

   References

       Bug 1164141

   #CVE-2026-2780: Privilege escalation in the Netmonitor component

   Reporter
       RyotaK
   Impact
       moderate

   References

       Bug 2007829

   #CVE-2026-2781: Integer overflow in the Libraries component in NSS

   Reporter
       Clay Ver Valen
   Impact
       moderate

   References

       Bug 2009552

   #CVE-2026-2782: Privilege escalation in the Netmonitor component

   Reporter
       Cody
   Impact
       moderate

   References

       Bug 2010743

   #CVE-2026-2783: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component

   Reporter
       x0e
   Impact
       moderate

   References

       Bug 2010943

   #CVE-2026-2784: Mitigation bypass in the DOM: Security component

   Reporter
       D. Santos
   Impact
       moderate

   References

       Bug 2012984

   #CVE-2026-2785: Invalid pointer in the JavaScript Engine component

   Reporter
       Information to follow
   Impact
       moderate

   References

       Bug 2013549

   #CVE-2026-2786: Use-after-free in the JavaScript Engine component

   Reporter
       Information to follow
   Impact
       moderate

   References

       Bug 2013612

   #CVE-2026-2787: Use-after-free in the DOM: Window and Location component

   Reporter
       Information to follow
   Impact
       moderate

   References

       Bug 2014560

   #CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component

   Reporter
       Information to follow
   Impact
       moderate

   References

       Bug 2014824

   #CVE-2026-2789: Use-after-free in the Graphics: ImageLib component

   Reporter
       Information to follow
   Impact
       moderate

   References

       Bug 2015179

   #CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component

   Reporter
       Surya Dev Singh
   Impact
       low

   References

       Bug 2008426

   #CVE-2026-2791: Mitigation bypass in the Networking: Cache component

   Reporter
       Information to follow
   Impact
       low

   References

       Bug 2015220

   #CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148

   Reporter
       Andrew McCreight, Maurice Dauer, Olli Pettay, Ryan Hunt
   Impact
       high

   Description

   Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
   References

       Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148

   #CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148

   Reporter
       Andrew McCreight, Christian Holler
   Impact
       high

   Description

   Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
   References

       Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Tue Feb 24 14:09:03 UTC 2026

   Modified Files:
           pkgsrc/www/firefox140-l10n: Makefile distinfo

   Log Message:
   firefox140-l10n: update to 140.8.0
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.4.2.2 2026/01/14 18:58:46 maya Exp $
d3 3
a5 3
BLAKE2s (firefox-140.8.0esr.source.tar.xz) = ddbe76491a3a5af88432b96b26a2ebb656819a780f2249d5198b4a8b94ac41ad
SHA512 (firefox-140.8.0esr.source.tar.xz) = 3baca73c5c264884afa4b1d76ded4417119640e1161b8fed4ca406f0ec44e7f685258f5085f473dc9eff9057a6548a9b59cec3c696358dd1032503aa75f91d05
Size (firefox-140.8.0esr.source.tar.xz) = 633564864 bytes
@


1.3
log
@firefox140{,-l10n}: Update to 140.6.0

Changes:
140.6.0
- Security fixes (MFSA2025-94)

Discussed with PMC and ok by <maya> during carefulperiod 2, thanks!
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.2 2025/11/12 19:48:10 leot Exp $
d35 1
a35 1
SHA1 (patch-third__party_abseil-cpp_absl_debugging_internal_elf__mem__image.cc) = 2b5955027add79d1b8709667b0433b2d19fbd1bc
@


1.2
log
@firefox140: Update to 140.5.0 ESR

Changes:
Various security fixes (MFSA2025-88).
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.1 2025/10/19 11:56:55 leot Exp $
d3 3
a5 3
BLAKE2s (firefox-140.5.0esr.source.tar.xz) = a88714ad96cbf5af2f8f1b8b33361acfde85b023761354244b18e35c6439d02a
SHA512 (firefox-140.5.0esr.source.tar.xz) = 412236a25cbea171bd5bd535e45c3ba40957a94e1f8dd3ab74241e0aa1c4075fcb8d394b9619599d60ce3e4563e712c825fa8bec441794f229356802f72b2861
Size (firefox-140.5.0esr.source.tar.xz) = 636823136 bytes
@


1.1
log
@firefox140: Import firefox140-140.4.0 as www/firefox140

Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems.

It is fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up
windows.

Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.

Note: Due to upstream's trademark policies, this package identifies as
"Nightly" rather than "Firefox" by default.

This package provides Firefox 140 Extended Support Release.

Based on latest 140.x www/firefox and adjusted for ESR.
Thanks to <ryoon> for help!
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.559 2025/07/23 13:57:35 ryoon Exp $
d3 3
a5 3
BLAKE2s (firefox-140.4.0esr.source.tar.xz) = 13e7d026640f50b94584792be30953a2e5c59214ae89b0207b276065fdb5407a
SHA512 (firefox-140.4.0esr.source.tar.xz) = cfce0bdcf6d4599c7b96bccd9fd1390bfb3645db9276a369a30760ce6819850aaa4251869e6bd3c5d8582ea3728b920762c5f16f7ce12ce151c3e74327b8c811
Size (firefox-140.4.0esr.source.tar.xz) = 639276460 bytes
@

