CVS commit: pkgsrc/mail/thunderbird

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/mail/thunderbird
From: "Ryo ONODERA" <ryoon%netbsd.org@localhost>
Date: Thu, 26 Feb 2026 13:38:44 +0000

Module Name:    pkgsrc
Committed By:   ryoon
Date:           Thu Feb 26 13:38:44 UTC 2026

Modified Files:
        pkgsrc/mail/thunderbird: Makefile distinfo mozilla-common.mk

Log Message:
mail/thunderbird: Update to 148.0

* Use nodejs* in the standard way.

Changelog:
148.0:
What's New

new
Accessiblity is improved in various tree views

new
'Favorites' added as destination for 'Move To' and 'File' buttons

new
Add mail.openpgp.load_untested_gpgme_version to load untested GPGME version

new
NTLM is exposed as an available authentication method for EWS accounts

What's Changed

changed
Read folders are now removed from Unread Folders view

changed
Yahoo, AT&T, AOL accounts are switched to PKCE, a more secure auth protocol

What's Fixed

fixed
Periodic new mail checks silently stopped after sleep or network outages

fixed
Donation banner stole focus when Thunderbird was running in the background

fixed
Status bar messages displayed unlocalizedd folder names or IMAP mailbox names

fixed
New Folder dialog allowed invalid folder creation without a selected parent
folder

fixed
New/unread messages in collapsed thread were not obvious enough

fixed
Invalidly signed unencrypted emails were indicated as worse than unsigned ones

fixed
Untagged messages were not working correctly with quick filter

fixed
Calendar/address book sections were shown in Account Hub when there were none

fixed
Shortcuts could be executed on background mail window while in Account Hub

fixed
Adding a Gmail account prompted for OAuth during auto config

fixed
New password-based Exchange accounts failed to save passwords in login manager

fixed
'Move Message to' filter action was not logged

fixed
Unknown OAuth providers were not allowed during EWS manual config in AccountHub

fixed
Saved search in unified folder resulted in server error

fixed
EWS password prompt looped endlessly if the password was empty

fixed
Account Hub manual configuration flow for Exchange accounts was incorrect

fixed
Google calendars had broken RSVP logic and wrong organizer on new events

fixed
CalDAV calendars that invited calendar alias did not give all response options

fixed
CalDAV calendar with multiple addresses could crash on multi-attendee invites

fixed
iCal imports misread unknown timezones as GMT, creating events at wrong times

fixed
Visual and UX improvements

fixed
Security fixes

Security fixes:
Mozilla Foundation Security Advisory 2026-16
#CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video
 component
#CVE-2026-2758: Use-after-free in the JavaScript: GC component
#CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib
 component
#CVE-2026-2795: Use-after-free in the JavaScript: GC component
#CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the
 Graphics: WebRender component
#CVE-2026-2761: Sandbox escape in the Graphics: WebRender component
#CVE-2026-2762: Integer overflow in the JavaScript: Standard Library component
#CVE-2026-2763: Use-after-free in the JavaScript Engine component
#CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine:
 JIT component
#CVE-2026-2796: JIT miscompilation in the JavaScript: WebAssembly component
#CVE-2026-2797: Use-after-free in the JavaScript: GC component
#CVE-2026-2765: Use-after-free in the JavaScript Engine component
#CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component
#CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component
#CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component
#CVE-2026-2798: Use-after-free in the DOM: Core & HTML component
#CVE-2026-2769: Use-after-free in the Storage: IndexedDB component
#CVE-2026-2799: Use-after-free in the DOM: Core & HTML component
#CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component
#CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component
#CVE-2026-2772: Use-after-free in the Audio/Video: Playback component
#CVE-2026-2773: Incorrect boundary conditions in the Web Audio component
#CVE-2026-2774: Integer overflow in the Audio/Video component
#CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component
#CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the
 Telemetry component in External Software
#CVE-2026-2777: Privilege escalation in the Messaging System component
#CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM:
 Core & HTML component
#CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component
#CVE-2026-2800: Spoofing issue in the WebAuthn component in Firefox for Android
#CVE-2026-2780: Privilege escalation in the Netmonitor component
#CVE-2026-2781: Integer overflow in the Libraries component in NSS
#CVE-2026-2801: Incorrect boundary conditions in the JavaScript: WebAssembly
 component
#CVE-2026-2782: Privilege escalation in the Netmonitor component
#CVE-2026-2783: Information disclosure due to JIT miscompilation in the
 JavaScript Engine: JIT component
#CVE-2026-2802: Race condition in the JavaScript: GC component
#CVE-2026-2803: Information disclosure, mitigation bypass in the Settings UI
 component
#CVE-2026-2784: Mitigation bypass in the DOM: Security component
#CVE-2026-2785: Invalid pointer in the JavaScript Engine component
#CVE-2026-2804: Use-after-free in the JavaScript: WebAssembly component
#CVE-2026-2786: Use-after-free in the JavaScript Engine component
#CVE-2026-2805: Invalid pointer in the DOM: Core & HTML component
#CVE-2026-2787: Use-after-free in the DOM: Window and Location component
#CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component
#CVE-2026-2789: Use-after-free in the Graphics: ImageLib component
#CVE-2026-2806: Uninitialized memory in the Graphics: Text component
#CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component
#CVE-2026-2791: Mitigation bypass in the Networking: Cache component
#CVE-2026-2807: Memory safety bugs fixed in Firefox 148 and Thunderbird 148
#CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR
 140.8, Firefox 148 and Thunderbird 148
#CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR
 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148


To generate a diff of this commit:
cvs rdiff -u -r1.359 -r1.360 pkgsrc/mail/thunderbird/Makefile
cvs rdiff -u -r1.294 -r1.295 pkgsrc/mail/thunderbird/distinfo
cvs rdiff -u -r1.26 -r1.27 pkgsrc/mail/thunderbird/mozilla-common.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mail/thunderbird/Makefile
diff -u pkgsrc/mail/thunderbird/Makefile:1.359 pkgsrc/mail/thunderbird/Makefile:1.360
--- pkgsrc/mail/thunderbird/Makefile:1.359      Sun Feb  1 07:01:19 2026
+++ pkgsrc/mail/thunderbird/Makefile    Thu Feb 26 13:38:43 2026
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.359 2026/02/01 07:01:19 ryoon Exp $
+# $NetBSD: Makefile,v 1.360 2026/02/26 13:38:43 ryoon Exp $
 
 DISTNAME=      thunderbird-${TB_VER}.source
 PKGNAME=       thunderbird-${TB_VER:S/esr//}
-TB_VER=                147.0.1
+TB_VER=                148.0
 CATEGORIES=    mail
 MASTER_SITES=  ${MASTER_SITE_MOZILLA:=thunderbird/releases/${TB_VER}/source/}
 EXTRACT_SUFX=  .tar.xz
@@ -17,7 +17,7 @@ LICENSE=      mpl-1.1
 # overflowing even a biggish tmpfs).
 
 USE_TOOLS+=    unzip pax
-WRKSRC=                ${WRKDIR}/${DISTNAME:S/.source//:S/esr//}
+WRKSRC=                ${WRKDIR}/thunderbird-${TB_VER:C/b.*//}
 MOZILLA_DIR=   # empty
 PLIST_SRC+=    ${PLIST_SRC_DFLT}
 
@@ -90,11 +90,6 @@ SUBST_FILES.cksum+=  ${crate}/.cargo-chec
 SUBST_SED.cksum+=      -e 's,${from},${to},g'
 .endfor
 
-SUBST_CLASSES+=                netbsdtag
-SUBST_STAGE.netbsdtag= pre-configure
-SUBST_FILES.netbsdtag= comm/third_party/rnp/src/librekey/key_store_pgp.cpp
-SUBST_SED.netbsdtag=   -e 's/__NetBSD__/__NEVER__/'
-
 post-extract:
        ${TOUCH} ${WRKSRC}/comm/third_party/rust/minimal-lexical/.gitmodules
        ${TOUCH} ${WRKSRC}/comm/third_party/rust/sfv/.gitmodules

Index: pkgsrc/mail/thunderbird/distinfo
diff -u pkgsrc/mail/thunderbird/distinfo:1.294 pkgsrc/mail/thunderbird/distinfo:1.295
--- pkgsrc/mail/thunderbird/distinfo:1.294      Sun Feb  1 07:01:19 2026
+++ pkgsrc/mail/thunderbird/distinfo    Thu Feb 26 13:38:43 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.294 2026/02/01 07:01:19 ryoon Exp $
+$NetBSD: distinfo,v 1.295 2026/02/26 13:38:43 ryoon Exp $
 
-BLAKE2s (thunderbird-147.0.1.source.tar.xz) = f498d09124c75acb54736eecfb7e9782f596ea613c3b39f9458d1c32ea26f592
-SHA512 (thunderbird-147.0.1.source.tar.xz) = bae9adbcb1d45a7644e4d699215a3da85b612b9d99516bdf12f84482f1a6f89153ec4d5ab6dd8bcf69dc512cb50080db4630a5bb52525f22213c7af92b4b77d7
-Size (thunderbird-147.0.1.source.tar.xz) = 781853284 bytes
+BLAKE2s (thunderbird-148.0.source.tar.xz) = 6f95f845fb3137f4b042d902dcc37169eab35d70d358659a48c0fe01ab4f4113
+SHA512 (thunderbird-148.0.source.tar.xz) = ec5e586206ef217f37eb6985356994e7e7c9db6090f57d5b4c43a3a5dc0e1f5a56c0e7080d86fb895446845f9c9b948284f7417afebcf6e6120eca0e1ed238f3
+Size (thunderbird-148.0.source.tar.xz) = 796239120 bytes
 SHA1 (patch-browser_app_profile_firefox.js) = 1eaa674c0aa8279e2f9dc2eda582650a08156d65
 SHA1 (patch-build_gn__processor.py) = 078f773104bf4c1b30584564aefe365db6ba6daf
 SHA1 (patch-build_moz.configure_init.configure) = 65deb3c233df0aab81eb1fca05d708e5a4ed169a

Index: pkgsrc/mail/thunderbird/mozilla-common.mk
diff -u pkgsrc/mail/thunderbird/mozilla-common.mk:1.26 pkgsrc/mail/thunderbird/mozilla-common.mk:1.27
--- pkgsrc/mail/thunderbird/mozilla-common.mk:1.26      Thu Jan 22 19:41:09 2026
+++ pkgsrc/mail/thunderbird/mozilla-common.mk   Thu Feb 26 13:38:43 2026
@@ -1,4 +1,4 @@
-# $NetBSD: mozilla-common.mk,v 1.26 2026/01/22 19:41:09 ryoon Exp $
+# $NetBSD: mozilla-common.mk,v 1.27 2026/02/26 13:38:43 ryoon Exp $
 #
 # common Makefile fragment for mozilla packages based on gecko 2.0.
 #
@@ -30,7 +30,8 @@ CFLAGS.NetBSD+=               -D_NETBSD_SOURCE
 
 TOOL_DEPENDS+=         cbindgen>=0.28.0:../../devel/cbindgen
 
-TOOL_DEPENDS+=         nodejs-[0-9]*:../../lang/nodejs
+BUILDLINK_DEPMETHOD.nodejs=    build
+.include "../../lang/nodejs/nodeversion.mk"
 
 .if ${MACHINE_ARCH} == "i386" || ${MACHINE_ARCH} == "x86_64"
 TOOL_DEPENDS+=         nasm>=2.14:../../devel/nasm

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index