mail/thunderbird: Update to 148.0

ryoon · ryoon · commit ffe057323f9a · 2026-02-26T13:38:43.000Z
* Use nodejs* in the standard way. Changelog: 148.0: What's New new Accessiblity is improved in various tree views new 'Favorites' added as destination for 'Move To' and 'File' buttons new Add mail.openpgp.load_untested_gpgme_version to load untested GPGME version new NTLM is exposed as an available authentication method for EWS accounts What's Changed changed Read folders are now removed from Unread Folders view changed Yahoo, AT&T, AOL accounts are switched to PKCE, a more secure auth protocol What's Fixed fixed Periodic new mail checks silently stopped after sleep or network outages fixed Donation banner stole focus when Thunderbird was running in the background fixed Status bar messages displayed unlocalizedd folder names or IMAP mailbox names fixed New Folder dialog allowed invalid folder creation without a selected parent folder fixed New/unread messages in collapsed thread were not obvious enough fixed Invalidly signed unencrypted emails were indicated as worse than unsigned ones fixed Untagged messages were not working correctly with quick filter fixed Calendar/address book sections were shown in Account Hub when there were none fixed Shortcuts could be executed on background mail window while in Account Hub fixed Adding a Gmail account prompted for OAuth during auto config fixed New password-based Exchange accounts failed to save passwords in login manager fixed 'Move Message to' filter action was not logged fixed Unknown OAuth providers were not allowed during EWS manual config in AccountHub fixed Saved search in unified folder resulted in server error fixed EWS password prompt looped endlessly if the password was empty fixed Account Hub manual configuration flow for Exchange accounts was incorrect fixed Google calendars had broken RSVP logic and wrong organizer on new events fixed CalDAV calendars that invited calendar alias did not give all response options fixed CalDAV calendar with multiple addresses could crash on multi-attendee invites fixed iCal imports misread unknown timezones as GMT, creating events at wrong times fixed Visual and UX improvements fixed Security fixes Security fixes: Mozilla Foundation Security Advisory 2026-16 #CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component #CVE-2026-2758: Use-after-free in the JavaScript: GC component #CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib component #CVE-2026-2795: Use-after-free in the JavaScript: GC component #CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component #CVE-2026-2761: Sandbox escape in the Graphics: WebRender component #CVE-2026-2762: Integer overflow in the JavaScript: Standard Library component #CVE-2026-2763: Use-after-free in the JavaScript Engine component #CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component #CVE-2026-2796: JIT miscompilation in the JavaScript: WebAssembly component #CVE-2026-2797: Use-after-free in the JavaScript: GC component #CVE-2026-2765: Use-after-free in the JavaScript Engine component #CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component #CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component #CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component #CVE-2026-2798: Use-after-free in the DOM: Core & HTML component #CVE-2026-2769: Use-after-free in the Storage: IndexedDB component #CVE-2026-2799: Use-after-free in the DOM: Core & HTML component #CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component #CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component #CVE-2026-2772: Use-after-free in the Audio/Video: Playback component #CVE-2026-2773: Incorrect boundary conditions in the Web Audio component #CVE-2026-2774: Integer overflow in the Audio/Video component #CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component #CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software #CVE-2026-2777: Privilege escalation in the Messaging System component #CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component #CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component #CVE-2026-2800: Spoofing issue in the WebAuthn component in Firefox for Android #CVE-2026-2780: Privilege escalation in the Netmonitor component #CVE-2026-2781: Integer overflow in the Libraries component in NSS #CVE-2026-2801: Incorrect boundary conditions in the JavaScript: WebAssembly component #CVE-2026-2782: Privilege escalation in the Netmonitor component #CVE-2026-2783: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component #CVE-2026-2802: Race condition in the JavaScript: GC component #CVE-2026-2803: Information disclosure, mitigation bypass in the Settings UI component #CVE-2026-2784: Mitigation bypass in the DOM: Security component #CVE-2026-2785: Invalid pointer in the JavaScript Engine component #CVE-2026-2804: Use-after-free in the JavaScript: WebAssembly component #CVE-2026-2786: Use-after-free in the JavaScript Engine component #CVE-2026-2805: Invalid pointer in the DOM: Core & HTML component #CVE-2026-2787: Use-after-free in the DOM: Window and Location component #CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component #CVE-2026-2789: Use-after-free in the Graphics: ImageLib component #CVE-2026-2806: Uninitialized memory in the Graphics: Text component #CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component #CVE-2026-2791: Mitigation bypass in the Networking: Cache component #CVE-2026-2807: Memory safety bugs fixed in Firefox 148 and Thunderbird 148 #CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 #CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
diff --git a/mail/thunderbird/Makefile b/mail/thunderbird/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.359 2026/02/01 07:01:19 ryoon Exp $
+# $NetBSD: Makefile,v 1.360 2026/02/26 13:38:43 ryoon Exp $
 
 DISTNAME=	thunderbird-${TB_VER}.source
 PKGNAME=	thunderbird-${TB_VER:S/esr//}
-TB_VER=		147.0.1
+TB_VER=		148.0
 CATEGORIES=	mail
 MASTER_SITES=	${MASTER_SITE_MOZILLA:=thunderbird/releases/${TB_VER}/source/}
 EXTRACT_SUFX=	.tar.xz
@@ -17,7 +17,7 @@ LICENSE=	mpl-1.1
 # overflowing even a biggish tmpfs).
 
 USE_TOOLS+=	unzip pax
-WRKSRC=		${WRKDIR}/${DISTNAME:S/.source//:S/esr//}
+WRKSRC=		${WRKDIR}/thunderbird-${TB_VER:C/b.*//}
 MOZILLA_DIR=	# empty
 PLIST_SRC+=	${PLIST_SRC_DFLT}
 
@@ -90,11 +90,6 @@ SUBST_FILES.cksum+=	${crate}/.cargo-checksum.json
 SUBST_SED.cksum+=	-e 's,${from},${to},g'
 .endfor
 
-SUBST_CLASSES+=		netbsdtag
-SUBST_STAGE.netbsdtag=	pre-configure
-SUBST_FILES.netbsdtag=	comm/third_party/rnp/src/librekey/key_store_pgp.cpp
-SUBST_SED.netbsdtag=	-e 's/__NetBSD__/__NEVER__/'
-
 post-extract:
 	${TOUCH} ${WRKSRC}/comm/third_party/rust/minimal-lexical/.gitmodules
 	${TOUCH} ${WRKSRC}/comm/third_party/rust/sfv/.gitmodules
diff --git a/mail/thunderbird/distinfo b/mail/thunderbird/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.294 2026/02/01 07:01:19 ryoon Exp $
+$NetBSD: distinfo,v 1.295 2026/02/26 13:38:43 ryoon Exp $
 
-BLAKE2s (thunderbird-147.0.1.source.tar.xz) = f498d09124c75acb54736eecfb7e9782f596ea613c3b39f9458d1c32ea26f592
-SHA512 (thunderbird-147.0.1.source.tar.xz) = bae9adbcb1d45a7644e4d699215a3da85b612b9d99516bdf12f84482f1a6f89153ec4d5ab6dd8bcf69dc512cb50080db4630a5bb52525f22213c7af92b4b77d7
-Size (thunderbird-147.0.1.source.tar.xz) = 781853284 bytes
+BLAKE2s (thunderbird-148.0.source.tar.xz) = 6f95f845fb3137f4b042d902dcc37169eab35d70d358659a48c0fe01ab4f4113
+SHA512 (thunderbird-148.0.source.tar.xz) = ec5e586206ef217f37eb6985356994e7e7c9db6090f57d5b4c43a3a5dc0e1f5a56c0e7080d86fb895446845f9c9b948284f7417afebcf6e6120eca0e1ed238f3
+Size (thunderbird-148.0.source.tar.xz) = 796239120 bytes
 SHA1 (patch-browser_app_profile_firefox.js) = 1eaa674c0aa8279e2f9dc2eda582650a08156d65
 SHA1 (patch-build_gn__processor.py) = 078f773104bf4c1b30584564aefe365db6ba6daf
 SHA1 (patch-build_moz.configure_init.configure) = 65deb3c233df0aab81eb1fca05d708e5a4ed169a
diff --git a/mail/thunderbird/mozilla-common.mk b/mail/thunderbird/mozilla-common.mk
@@ -1,4 +1,4 @@
-# $NetBSD: mozilla-common.mk,v 1.26 2026/01/22 19:41:09 ryoon Exp $
+# $NetBSD: mozilla-common.mk,v 1.27 2026/02/26 13:38:43 ryoon Exp $
 #
 # common Makefile fragment for mozilla packages based on gecko 2.0.
 #
@@ -30,7 +30,8 @@ CFLAGS.NetBSD+=		-D_NETBSD_SOURCE
 
 TOOL_DEPENDS+=		cbindgen>=0.28.0:../../devel/cbindgen
 
-TOOL_DEPENDS+=		nodejs-[0-9]*:../../lang/nodejs
+BUILDLINK_DEPMETHOD.nodejs=	build
+.include "../../lang/nodejs/nodeversion.mk"
 
 .if ${MACHINE_ARCH} == "i386" || ${MACHINE_ARCH} == "x86_64"
 TOOL_DEPENDS+=		nasm>=2.14:../../devel/nasm

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# $NetBSD: mozilla-common.mk,v 1.26 2026/01/22 19:41:09 ryoon Exp $`
	`1`	`+# $NetBSD: mozilla-common.mk,v 1.27 2026/02/26 13:38:43 ryoon Exp $`
`2`	`2`	`#`
`3`	`3`	`# common Makefile fragment for mozilla packages based on gecko 2.0.`
`4`	`4`	`#`
`@@ -30,7 +30,8 @@ CFLAGS.NetBSD+= -D_NETBSD_SOURCE`
`30`	`30`
`31`	`31`	`TOOL_DEPENDS+= cbindgen>=0.28.0:../../devel/cbindgen`
`32`	`32`
`33`		`-TOOL_DEPENDS+= nodejs-[0-9]*:../../lang/nodejs`
	`33`	`+BUILDLINK_DEPMETHOD.nodejs= build`
	`34`	`+.include "../../lang/nodejs/nodeversion.mk"`
`34`	`35`
`35`	`36`	`.if ${MACHINE_ARCH} == "i386" \|\| ${MACHINE_ARCH} == "x86_64"`
`36`	`37`	`TOOL_DEPENDS+= nasm>=2.14:../../devel/nasm`