[Git][security-tracker-team/security-tracker][master] Track fixed version for thunderbird issues addressed via unstable upload
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Mar 25 19:58:04 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
86247225 by Salvatore Bonaccorso at 2026-03-25T20:57:28+01:00
Track fixed version for thunderbird issues addressed via unstable upload
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -777,10 +777,10 @@ CVE-2025-33216 (NVIDIA SNAP-4 Container contains a vulnerability in the configur
CVE-2025-33215 (NVIDIA SNAP-4 Container contains a vulnerability in the VIRTIO-BLK com ...)
TODO: check
CVE-2026-4371 (A malicious mail server could send malformed strings with negative len ...)
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4371
CVE-2026-3889 (Spoofing issue in Thunderbird. This vulnerability affects Thunderbird ...)
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-3889
CVE-2026-3836
- dnf5 <unfixed>
@@ -1057,7 +1057,7 @@ CVE-2019-25626 (River Past Cam Do 3.7.6 contains a local buffer overflow vulnera
CVE-2026-4721 (Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, T ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4721
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4721
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4721
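Review bot: On the thunderbird line of CVE-2026-4721 the fixed version carries an epoch (`1:140.9.0esr-1`), while the firefox-esr line directly above it has none (`140.9.0esr-1`). Please confirm the string matches the uploaded package's changelog exactly, epoch included. Debian version comparison evaluates the epoch before anything else, so a missing or wrong epoch would change the ordering against every installed version and flip which systems the tracker reports as fixed. The same string appears on every `+` line of this patch, so one check covers them all.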
@@ -1067,21 +1067,21 @@ CVE-2026-4729 (Memory safety bugs present in Firefox 148 and Thunderbird 148. So
CVE-2026-4720 (Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8 ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4720
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4720
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4720
CVE-2026-4719 (Incorrect boundary conditions in the Graphics: Text component. This vu ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4719
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4719
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4719
CVE-2026-4718 (Undefined behavior in the WebRTC: Signaling component. This vulnerabil ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4718
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4718
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4718
@@ -1097,35 +1097,35 @@ CVE-2026-4726 (Denial-of-service in the XML component. This vulnerability affect
CVE-2026-4717 (Privilege escalation in the Netmonitor component. This vulnerability a ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4717
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4717
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4717
CVE-2026-4716 (Incorrect boundary conditions, uninitialized memory in the JavaScript ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4716
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4716
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4716
CVE-2026-4715 (Uninitialized memory in the Graphics: Canvas2D component. This vulnera ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4715
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4715
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4715
CVE-2026-4714 (Incorrect boundary conditions in the Audio/Video component. This vulne ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4714
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4714
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4714
CVE-2026-4713 (Incorrect boundary conditions in the Graphics component. This vulnerab ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4713
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4713
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4713
@@ -1149,49 +1149,49 @@ CVE-2026-4711 (Use-after-free in the Widget: Cocoa component. This vulnerability
CVE-2026-4710 (Incorrect boundary conditions in the Audio/Video component. This vulne ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4710
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4710
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4710
CVE-2026-4709 (Incorrect boundary conditions in the Audio/Video: GMP component. This ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4709
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4709
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4709
CVE-2026-4708 (Incorrect boundary conditions in the Graphics component. This vulnerab ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4708
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4708
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4708
CVE-2026-4707 (Incorrect boundary conditions in the Graphics: Canvas2D component. Thi ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4707
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4707
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4707
CVE-2026-4706 (Incorrect boundary conditions in the Graphics: Canvas2D component. Thi ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4706
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4706
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4706
CVE-2026-4705 (Undefined behavior in the WebRTC: Signaling component. This vulnerabil ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4705
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4705
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4705
CVE-2026-4704 (Denial-of-service in the WebRTC: Signaling component. This vulnerabili ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4704
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4704
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4704
@@ -1204,7 +1204,7 @@ CVE-2026-4723 (Use-after-free in the JavaScript Engine component. This vulnerabi
CVE-2026-4702 (JIT miscompilation in the JavaScript Engine component. This vulnerabil ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4702
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4702
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4702
@@ -1214,126 +1214,126 @@ CVE-2026-4722 (Privilege escalation in the IPC component. This vulnerability aff
CVE-2026-4701 (Use-after-free in the JavaScript Engine component. This vulnerability ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4701
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4701
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4701
CVE-2026-4700 (Mitigation bypass in the Networking: HTTP component. This vulnerabilit ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4700
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4700
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4700
CVE-2026-4699 (Incorrect boundary conditions in the Layout: Text and Fonts component. ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4699
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4699
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4699
CVE-2026-4698 (JIT miscompilation in the JavaScript Engine: JIT component. This vulne ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4698
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4698
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4698
CVE-2026-4697 (Incorrect boundary conditions in the Audio/Video: Web Codecs component ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4697
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4697
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4697
CVE-2026-4696 (Use-after-free in the Layout: Text and Fonts component. This vulnerabi ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4696
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4696
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4696
CVE-2026-4695 (Incorrect boundary conditions in the Audio/Video: Web Codecs component ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4695
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4695
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4695
CVE-2026-4694 (Incorrect boundary conditions, integer overflow in the Graphics compon ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4694
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4694
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4694
CVE-2026-4693 (Incorrect boundary conditions in the Audio/Video: Playback component. ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4693
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4693
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4693
CVE-2026-4692 (Sandbox escape in the Responsive Design Mode component. This vulnerabi ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4692
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4692
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4692
CVE-2026-4691 (Use-after-free in the CSS Parsing and Computation component. This vuln ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4691
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4691
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4691
CVE-2026-4690 (Sandbox escape due to incorrect boundary conditions, integer overflow ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4690
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4690
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4690
CVE-2026-4689 (Sandbox escape due to incorrect boundary conditions, integer overflow ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4689
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4689
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4689
CVE-2026-4688 (Sandbox escape due to use-after-free in the Disability Access APIs com ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4688
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4688
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4688
CVE-2026-4687 (Sandbox escape due to incorrect boundary conditions in the Telemetry c ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4687
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4687
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4687
CVE-2026-4686 (Incorrect boundary conditions in the Graphics: Canvas2D component. Thi ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4686
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4686
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4686
CVE-2026-4685 (Incorrect boundary conditions in the Graphics: Canvas2D component. Thi ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4685
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4685
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4685
CVE-2026-4684 (Race condition, use-after-free in the Graphics: WebRender component. T ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/#CVE-2026-4684
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/#CVE-2026-4684
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/#CVE-2026-4684
@@ -77842,7 +77842,7 @@ CVE-2025-59378 (In guix-daemon in GNU Guix before 1618ca7, a content-addressed-m
CVE-2025-59375 (libexpat in Expat before 2.7.2 allows attackers to trigger large dynam ...)
- firefox <unfixed>
- firefox-esr 140.9.0esr-1
- - thunderbird <unfixed>
+ - thunderbird 1:140.9.0esr-1
- expat 2.7.2-1 (bug #1115298)
[trixie] - expat <no-dsa> (Minor issue)
[bookworm] - expat <ignored> (Minor issue)
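Review bot: For CVE-2025-59375 the thunderbird line now records `1:140.9.0esr-1`, but the visible context of this entry shows no NOTE tying that version to a Mozilla advisory. Every other entry touched by this patch cites mfsa2026-24 with a matching CVE anchor. This is a libexpat CVE tracked against thunderbird (presumably for a bundled copy of the library), so if no such NOTE exists further down in the entry, adding one that points at the advisory or upstream bug confirming the fix in 140.9 would let a later reader verify the version without re-deriving it.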
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86247225ab9e4ef5396c3824816a3b422829d1f7