pkgsrc-Changes archive


Re: CVS commit: pkgsrc/www/firefox140



> Module Name:    pkgsrc
> Committed By:   gutteridge
> Date:           Tue Feb 17 00:26:49 UTC 2026
> 
> Modified Files:
>         pkgsrc/www/firefox140: Makefile distinfo
> 
> Log Message:
> firefox140: update to 140.7.1
> 
> Addresses a single high-severity security issue:
> CVE-2026-2447: Heap buffer overflow in libvpx

I've updated this package, but I don't think this is actually relevant
to pull up in a pkgsrc context, since our packaging uses the "system"
libvpx to link against. The upstream bug report appears presently
embargoed, and other summaries of the CVE have no details. However, the
change itself is visible in Mozilla's repo(s):

https://github.com/mozilla-firefox/firefox/commit/1be74505011a99d24a1625526c36735b8db85fd0

This change also appears previously in the libvpx code base:

https://github.com/webmproject/libvpx/commit/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1

The latter seems not to be released yet (was committed after libvpx 1.16
was tagged). So really we should be waiting for that update.

Dave


