Date: Thu, 2 Oct 2025 00:23:44 +0000
From: QA Team Robot
To: sisyphus-cybertalk@lists.altlinux.org
Reply-To: devel@lists.altlinux.org
Subject: [cyber] I: p10/branch packages: +1! +8 (19068)

1 ADDED package

rpm-macros-thunderbird - Set of RPM macros for packaging applications that require thunderbird
* Wed Jun 04 2025 Ajrat Makhmutov 0.0.1-alt1
- Initial build.

8 UPDATED packages

ca-certificates - Common CA Certificates
* Mon Feb 10 2025 Ajrat Makhmutov 2025.02.10-alt1
- mozilla: sync with nss-3.108.
* Tue Dec 10 2024 Ajrat Makhmutov 2024.12.10-alt1

firefox - The Mozilla Firefox project is a redesign of Mozilla's browser [641M]
* Wed Aug 06 2025 Ajrat Makhmutov 141.0.2-alt0.p10.1
- Backport new version to p10 branch.
* Wed Aug 06 2025 Ajrat Makhmutov 141.0.2-alt1
- New version (141.0.2).
* Tue Jul 29 2025 Ajrat Makhmutov 141.0-alt1
- New version (141.0).
- Fixes:
  + CVE-2025-8027: JavaScript engine only wrote partial return value to stack
  + CVE-2025-8028: Large branch table could lead to truncated instruction
  + CVE-2025-8041: Incorrect URL truncation in Firefox for Android
  + CVE-2025-8042: Sandboxed iframe could start downloads
  + CVE-2025-8029: javascript: URLs executed on object and embed tags
  + CVE-2025-8036: DNS rebinding circumvents CORS
  + CVE-2025-8037: Nameless cookies shadow secure cookies
  + CVE-2025-8030: Potential user-assisted code execution in "Copy as cURL" command
  + CVE-2025-8043: Incorrect URL truncation
  + CVE-2025-8031: Incorrect URL stripping in CSP reports
  + CVE-2025-8032: XSLT documents could bypass CSP
  + CVE-2025-8038: CSP frame-src was not correctly enforced for paths
  + CVE-2025-8039: Search terms persisted in URL bar
  + CVE-2025-8033: Incorrect JavaScript state machine for generators
  + CVE-2025-8044: Memory safety bugs fixed in Firefox 141 and Thunderbird 141
  + CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  + CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  + CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
* Thu Jul 10 2025 Ajrat Makhmutov 140.0.4-alt1
- New version (140.0.4).
- Terminate buggy unfinished D&D operation as DragDrop (closes: 54713).
* Sat Jun 28 2025 Ajrat Makhmutov 140.0.2-alt1
- New version (140.0.2).
* Thu Jun 26 2025 Ajrat Makhmutov 140.0-alt1
- New version (140.0).
- Security fixes:
  + CVE-2025-6424: Use-after-free in FontFaceSet
  + CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID
  + CVE-2025-6426: No warning when opening executable terminal files on macOS
  + CVE-2025-6427: connect-src Content Security Policy restriction could be bypassed
  + CVE-2025-6428: Firefox for Android opened URLs specified in a link querystring parameter
  + CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com
  + CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag
  + CVE-2025-6431: The prompt in Firefox for Android that asks before opening a link in an external application could be bypassed
  + CVE-2025-6432: DNS Requests leaked outside of a configured SOCKS proxy
  + CVE-2025-6433: WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate
  + CVE-2025-6434: HTTPS-Only exception screen lacked anti-clickjacking delay
  + CVE-2025-6435: Save as in Devtools could download files without sanitizing the extension
  + CVE-2025-6436: Memory safety bugs fixed in Firefox 140 and Thunderbird 140
* Tue Jun 10 2025 Ajrat Makhmutov 139.0.4-alt1
- New version (139.0.4).
- Security fixes:
  + CVE-2025-49709: Memory corruption in canvas surfaces
  + CVE-2025-49710: Integer overflow in OrderedHashTable
* Sat May 31 2025 Ajrat Makhmutov 139.0.1-alt1
- New version (139.0.1).
- Fix FTBFS: exclude i586 arch due to idle time limit exceeded.
- Security fixes:
  + MFSA-TMP-2025-0001: Double-free in libvpx encoder
  + CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content
  + CVE-2025-5264: Potential local code execution in "Copy as cURL" command
  + CVE-2025-5265: Potential local code execution in "Copy as cURL" command
  + CVE-2025-5266: Script element events leaked cross-origin resource status
  + CVE-2025-5270: SNI was sometimes unencrypted
  + CVE-2025-5271: Devtools' preview ignored CSP headers
  + CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details
  + CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11
  + CVE-2025-5272: Memory safety bugs fixed in Firefox 139 and Thunderbird 139
* Tue May 27 2025 Ajrat Makhmutov 138.0.1-alt0.p10.1

kde5-virtual - Virtual packages for KDE 5
* Wed Aug 06 2025 Ajrat Makhmutov 5.28.2-alt3
- use thunderbird_arch macro for kde-email-client files
* Mon Jun 02 2025 Ajrat Makhmutov 5.28.2-alt2

nss - Netscape Network Security Services (NSS) [52M]
* Thu Jun 26 2025 Ajrat Makhmutov 3.113-alt1
- New version (3.113).
* Sat Jun 07 2025 Ajrat Makhmutov 3.112-alt1
- New version (3.112).
* Mon May 12 2025 Ajrat Makhmutov 3.111-alt1
- New version (3.111).
* Mon May 05 2025 Ajrat Makhmutov 3.110-alt1

systray-x - A system tray extension for Thunderbird
* Wed Jun 04 2025 Ajrat Makhmutov 0.9.11-alt4
- Use %thunderbird_arch to specify supported architectures.
* Fri Apr 25 2025 Andrey Cherepanov 0.9.11-alt3

task-edu - Educational software (base set)
* Thu Aug 07 2025 Ajrat Makhmutov 1.5.9-alt13.p10.3.2
- Use the thunderbird_arch macro for the thunderbird requirement.
* Wed Apr 09 2025 Andrey Cherepanov 1.5.9-alt13.p10.3.1

thunderbird - Thunderbird is Mozilla's e-mail client [752M]
* Wed Aug 06 2025 Ajrat Makhmutov 141.0-alt0.p10.1
- Backport new version to p10 branch.
* Tue Jul 29 2025 Ajrat Makhmutov 141.0-alt1
- New version.
- Fixes:
  + CVE-2025-8027: JavaScript engine only wrote partial return value to stack
  + CVE-2025-8028: Large branch table could lead to truncated instruction
  + CVE-2025-8029: javascript: URLs executed on object and embed tags
  + CVE-2025-8036: DNS rebinding circumvents CORS
  + CVE-2025-8037: Nameless cookies shadow secure cookies
  + CVE-2025-8030: Potential user-assisted code execution in "Copy as cURL" command
  + CVE-2025-8043: Incorrect URL truncation
  + CVE-2025-8031: Incorrect URL stripping in CSP reports
  + CVE-2025-8032: XSLT documents could bypass CSP
  + CVE-2025-8038: CSP frame-src was not correctly enforced for paths
  + CVE-2025-8039: Search terms persisted in URL bar
  + CVE-2025-8033: Incorrect JavaScript state machine for generators
  + CVE-2025-8044: Memory safety bugs fixed in Firefox 141 and Thunderbird 141
  + CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  + CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  + CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
* Thu Jul 10 2025 Ajrat Makhmutov 140.0.1-alt1
- New version.
* Mon Jul 07 2025 Ivan A. Melnikov 140.0-alt2
- NMU: Disable crashreporter on loongarch64 and riscv64 as it does not support these architectures yet (fixes FTBFS)
* Sat Jul 05 2025 Ajrat Makhmutov 140.0-alt1
- New version.
- Security fixes:
  + CVE-2025-6424: Use-after-free in FontFaceSet
  + CVE-2025-6425: The WebCompat WebExtension shipped exposed a persistent UUID
  + CVE-2025-6426: No warning when opening executable terminal files on macOS
  + CVE-2025-6427: connect-src Content Security Policy restriction could be bypassed
  + CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com
  + CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag
  + CVE-2025-6432: DNS Requests leaked outside of a configured SOCKS proxy
  + CVE-2025-6433: WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate
  + CVE-2025-6434: HTTPS-Only exception screen lacked anti-clickjacking delay
  + CVE-2025-6435: Save as in Devtools could download files without sanitizing the extension
  + CVE-2025-6436: Memory safety bugs fixed in Firefox 140 and Thunderbird 140
* Wed Jun 11 2025 Ajrat Makhmutov 139.0.2-alt1
- New version.
- Security fixes:
  + CVE-2025-5986: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links
* Wed Jun 04 2025 Ajrat Makhmutov 139.0.1-alt1
- New version.
- Put the list of supported architectures to the rpm-macros-thunderbird.
* Sat May 31 2025 Ajrat Makhmutov 139.0-alt1
- New version.
- Fix FTBFS: exclude i586 arch due to idle time limit exceeded.
- Security fixes:
  + CVE-2025-5262: Double-free in libvpx encoder
  + CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content
  + CVE-2025-5264: Potential local code execution in "Copy as cURL" command
  + CVE-2025-5265: Potential local code execution in "Copy as cURL" command
  + CVE-2025-5266: Script element events leaked cross-origin resource status
  + CVE-2025-5270: SNI was sometimes unencrypted
  + CVE-2025-5271: Devtools' preview ignored CSP headers
  + CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details
  + CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11
  + CVE-2025-5272: Memory safety bugs fixed in Firefox 139 and Thunderbird 139
* Sat May 31 2025 Ajrat Makhmutov 138.0-alt1.p10.1

tomcat - Apache Servlet/JSP Engine, RI for Servlet 4.0/JSP 2.3 API [15M]
* Fri Sep 26 2025 Sergey Gvozdetskiy 1:9.0.98-alt0_1jpp17.p10.5
- security fixes:
  + CVE-2025-48989: Denial of service
  + CVE-2025-55668: Session Fixation Via Rewrite Valve
* Tue Aug 12 2025 Sergey Gvozdetskiy 1:9.0.98-alt0_1jpp17.p10.4

Total 19068 source packages.