openSUSE-SU-2026:20002-1

This update for MozillaThunderbird fixes the following issues:

Changes in MozillaThunderbird:

Mozilla Thunderbird 140.5.0 ESR

MFSA 2025-91 (bsc#1253188):

• CVE-2025-13012 Race condition in the Graphics component
• CVE-2025-13016 Incorrect boundary conditions in the JavaScript: WebAssembly component
• CVE-2025-13017 Same-origin policy bypass in the DOM: Notifications component
• CVE-2025-13018 Mitigation bypass in the DOM: Security component
• CVE-2025-13019 Same-origin policy bypass in the DOM: Workers component
• CVE-2025-13013 Mitigation bypass in the DOM: Core & HTML component
• CVE-2025-13020 Use-after-free in the WebRTC: Audio/Video component
• CVE-2025-13014 Use-after-free in the Audio/Video component
• CVE-2025-13015 Spoofing issue in Thunderbird
• fixed: Could not drag and drop ICS file to Today Pane
• fixed: With Thunderbird closed, clicking a 'mailto:' link to send signed message failed
• fixed: Upgrade from 128.x->140.x broke authentication for @att.net using Yahoo backend

Mozilla Thunderbird 140.4.0 ESR

• Account Hub is now disabled by default for second email account
• Users could not read mail signed with OpenPGP v6 and PQC keys
• Image preview in Insert Image dialog failed with CSP error for web resources
• Emptying trash on exit did not work with some providers
• Thunderbird could crash when applying filters
• Users were unable to override expired mail server certificate
• Opening Website header link in RSS feed incorrectly re-encoded URL parameters

Mozilla Thunderbird 140.3.1 ESR:

• several bugfixes listed here

  https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes