This update for MozillaThunderbird fixes the following issues:
Changes in MozillaThunderbird:
Mozilla Thunderbird 140.5.0 ESR
MFSA 2025-91 (bsc#1253188):
- CVE-2025-13012
Race condition in the Graphics component
- CVE-2025-13016
Incorrect boundary conditions in the JavaScript: WebAssembly
component
- CVE-2025-13017
Same-origin policy bypass in the DOM: Notifications component
- CVE-2025-13018
Mitigation bypass in the DOM: Security component
- CVE-2025-13019
Same-origin policy bypass in the DOM: Workers component
- CVE-2025-13013
Mitigation bypass in the DOM: Core & HTML component
- CVE-2025-13020
Use-after-free in the WebRTC: Audio/Video component
- CVE-2025-13014
Use-after-free in the Audio/Video component
- CVE-2025-13015
Spoofing issue in Thunderbird
- fixed: Could not drag and drop ICS file to Today Pane
- fixed: With Thunderbird closed, clicking a 'mailto:' link to
send signed message failed
- fixed: Upgrade from 128.x->140.x broke authentication for
@att.net using Yahoo backend
Mozilla Thunderbird 140.4.0 ESR
- Account Hub is now disabled by default for second email account
- Users could not read mail signed with OpenPGP v6 and PQC keys
- Image preview in Insert Image dialog failed with CSP error for web resources
- Emptying trash on exit did not work with some providers
- Thunderbird could crash when applying filters
- Users were unable to override expired mail server certificate
- Opening Website header link in RSS feed incorrectly re-encoded
URL parameters
Mozilla Thunderbird 140.3.1 ESR:
- several bugfixes listed here
https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes