CVS commit: pkgsrc/www/firefox140

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/www/firefox140
From: "David H. Gutteridge" <gutteridge%netbsd.org@localhost>
Date: Tue, 13 Jan 2026 17:20:06 +0000

Module Name:    pkgsrc
Committed By:   gutteridge
Date:           Tue Jan 13 17:20:06 UTC 2026

Modified Files:
        pkgsrc/www/firefox140: Makefile distinfo

Log Message:
firefox140: update to 140.7.0

Mozilla Foundation Security Advisory 2026-03
Security Vulnerabilities fixed in Firefox ESR 140.7

Announced
    January 13, 2026
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 140.7

#CVE-2026-0877: Mitigation bypass in the DOM: Security component

Reporter
    mingijung
Impact
    high

References

    Bug 1999257

#CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component

Reporter
    Oskar L
Impact
    high

References

    Bug 2003989

#CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component

Reporter
    Oskar L
Impact
    high

References

    Bug 2004602

#CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component

Reporter
    Oskar L
Impact
    high

References

    Bug 2005014

#CVE-2026-0882: Use-after-free in the IPC component

Reporter
    Randell Jesup
Impact
    high

References

    Bug 1924125

#CVE-2025-14327: Spoofing issue in the Downloads Panel component

Reporter
    Caro Kann
Impact
    moderate

References

    Bug 1970743

#CVE-2026-0883: Information disclosure in the Networking component

Reporter
    Vladislav Plyatsok
Impact
    moderate

References

    Bug 1989340

#CVE-2026-0884: Use-after-free in the JavaScript Engine component

Reporter
    Gary Kwong and Nan Wang
Impact
    moderate

References

    Bug 2003588

#CVE-2026-0885: Use-after-free in the JavaScript: GC component

Reporter
    Irvan Kurniawan
Impact
    moderate

References

    Bug 2003607

#CVE-2026-0886: Incorrect boundary conditions in the Graphics component

Reporter
    Oskar L
Impact
    moderate

References

    Bug 2005658

#CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component

Reporter
    Lyra Rebane
Impact
    moderate

References

    Bug 2006500

#CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component

Reporter
    Edgar Chen
Impact
    low

References

    Bug 2005081

#CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

Reporter
    Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort 
some of these could have been exploited to run arbitrary code.

References

    Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/firefox140/Makefile \
    pkgsrc/www/firefox140/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/firefox140/Makefile
diff -u pkgsrc/www/firefox140/Makefile:1.7 pkgsrc/www/firefox140/Makefile:1.8
--- pkgsrc/www/firefox140/Makefile:1.7  Wed Jan  7 08:49:18 2026
+++ pkgsrc/www/firefox140/Makefile      Tue Jan 13 17:20:06 2026
@@ -1,12 +1,11 @@
-# $NetBSD: Makefile,v 1.7 2026/01/07 08:49:18 wiz Exp $
+# $NetBSD: Makefile,v 1.8 2026/01/13 17:20:06 gutteridge Exp $
 
 FIREFOX_VER=           ${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
-MOZ_BRANCH=            140.6
+MOZ_BRANCH=            140.7
 MOZ_BRANCH_MINOR=      .0esr
 
 DISTNAME=      firefox-${FIREFOX_VER}.source
 PKGNAME=       ${DISTNAME:S/.source//:S/b/beta/:S/esr//:S/firefox-/firefox140-/}
-PKGREVISION=   3
 CATEGORIES=    www
 MASTER_SITES+= ${MASTER_SITE_MOZILLA:=firefox/releases/${FIREFOX_VER}/source/}
 MASTER_SITES+= ${MASTER_SITE_MOZILLA_ALL:=firefox/releases/${FIREFOX_VER}/source/}
Index: pkgsrc/www/firefox140/distinfo
diff -u pkgsrc/www/firefox140/distinfo:1.7 pkgsrc/www/firefox140/distinfo:1.8
--- pkgsrc/www/firefox140/distinfo:1.7  Tue Jan  6 23:27:50 2026
+++ pkgsrc/www/firefox140/distinfo      Tue Jan 13 17:20:06 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.7 2026/01/06 23:27:50 gutteridge Exp $
+$NetBSD: distinfo,v 1.8 2026/01/13 17:20:06 gutteridge Exp $
 
-BLAKE2s (firefox-140.6.0esr.source.tar.xz) = 7a8bd60f08fdd421ac94fa13ff776eff21cba8f432d85a60fce3a2c0c57066d6
-SHA512 (firefox-140.6.0esr.source.tar.xz) = ed66657bd4b2d94791892261d7c0c0d950b4f630d12ab28a777d93393427451a9aa125e5a01ee15f2ac0ff378d0be074a08583dcffd35609112ba4e6f9ada798
-Size (firefox-140.6.0esr.source.tar.xz) = 643086844 bytes
+BLAKE2s (firefox-140.7.0esr.source.tar.xz) = aff38f46c7b263dd45a2362eb269f25a7db3b6218e0480c88dcdad66100ab3f7
+SHA512 (firefox-140.7.0esr.source.tar.xz) = 7781b1e203130c1cdf2a0c2ecb05a9cfa824c75d467e7faca78b66bd5568c821324112aecb774883d9f447af7fa4ade36488ff1017255af5510c8f641990e472
+Size (firefox-140.7.0esr.source.tar.xz) = 641146512 bytes
 BLAKE2s (nodejs-output-140.0.4.tgz) = 7ebb5993c8c9d7d5492afdb9fa7fef74fec7753fb0b14673817f24faf4a7fca4
 SHA512 (nodejs-output-140.0.4.tgz) = e421b0b6be8b5b8dfda705eefcf4573a1270df9012dca5eac9ba0ac2af2bcc47dd66b1057106f8c2336a10bdcc39b9f852041dd33da9e7a8929d981dbb4e1fb4
 Size (nodejs-output-140.0.4.tgz) = 245385 bytes

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/textproc/xapian
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/textproc/xapian
Indexes:

Home | Main Index | Thread Index | Old Index