Opened 7 months ago

Closed 7 months ago

#21875 closed enhancement (fixed)

firefox-140.1.0esr spidermonkey-128.13.0esr

Reported by: zeckma
Owned by: zeckma
Priority: high
Milestone: 12.4
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor release.

Source is now available; no release notes or security announcement yet, but they may come pretty soon. Will be taking this one.

Change History (5)

comment:1 by Douglas R. Reno, 7 months ago

Summary: firefox-140.1.0esr → firefox-140.1.0esr spidermonkey-128.13.0esr

comment:2 by Joe Locash, 7 months ago

Priority: normal → elevated

Security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/

  • CVE-2025-8027: JavaScript engine only wrote partial return value to stack (high)
  • CVE-2025-8028: Large branch table could lead to truncated instruction (high)
  • CVE-2025-8029: javascript: URLs executed on object and embed tags (medium)
  • CVE-2025-8036: DNS rebinding circumvents CORS (medium)
  • CVE-2025-8037: Nameless cookies shadow secure cookies (medium)
  • CVE-2025-8030: Potential user-assisted code execution in “Copy as cURL” command (medium)
  • CVE-2025-8031: Incorrect URL stripping in CSP reports (medium)
  • CVE-2025-8032: XSLT documents could bypass CSP (medium)
  • CVE-2025-8038: CSP frame-src was not correctly enforced for paths (low)
  • CVE-2025-8039: Search terms persisted in URL bar (low)
  • CVE-2025-8033: Incorrect JavaScript state machine for generators (low)
  • CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 (high)
  • CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 (high)
  • CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 (high)

comment:3 by zeckma, 7 months ago

Priority: elevated → high

The CVEs are rated high, so elevating to high.

comment:4 by zeckma, 7 months ago

Fixed at c66cd4d56f5e44fa69901a3eae1815ded9f94873. Keeping open until SAs are filed.

comment:5 by zeckma, 7 months ago

Resolution: fixed
Status: assigned → closed

Issued SA-12.3-079 and SA-12.3-080 for SpiderMonkey and Firefox respectively.
