firefox140: update to 140.10.2
Mozilla Foundation Security Advisory 2026-41
Security Vulnerabilities fixed in Firefox ESR 140.10.2
Announced
May 7, 2026
Impact
high
Products
Firefox ESR
Fixed in
Firefox ESR 140.10.2
#CVE-2026-8090: Use-after-free in the DOM: Networking component
Reporter
Kevin Brosnan
[31 lines not shown]
vcmi: updated to 1.7.3
1.7.3
Stability
Fixed crash on Master Genie spellcasting attempts
Fixed random crash on startup due to preloading of .def assets
Fixed crash when attempting to start HotA 1.8 map while having older version of HotA mod active
Fixed crash on switching to or from fullscreen mode while rebinding spell for quick spell panel in combat
Fixed crash on invalid string in creature recruitment title
Fixed crash on Heroes Chronicles import failure on iOS
Fixed crash on starting Deus Ex Machina scenario of Forged of Fire campaign from HotA
Fixed crash on removing boat of a hero that starts map on water in HotA maps
Fixed crash on Linux on attempt to use middle mouse in the backpack
Fixed rare crash on opening custom campaigns map list while player has multiple mods active
Fixed rare crash on mod conflict detection testing
Fixed rare crash on closing of video playback
Fixed rare crash on updating minimap view
[40 lines not shown]
libsquish: added version 1.15.1.3
The squish library (primarily known by libsquish) is an open source DXT/S3TC
compression library written in C++ that is commonly used with OpenGL and
DirectX for the lossy compression of RGBA textures.
ait: update to 1.15
Packaging updates:
- NotABug died due to AI, moved upstream elsewhere
Upstream updates:
New:
- added register system
- set the registers location via -r
- Use C-x r [s,i,<spc>,f,j,m,e,k,c,?] to use.
- indent/un-indent by single space
- using the spacebar to indent and backspace to un-indent
- support commands and keybindings via -c
- dynamic-expand now supports completing words that contain any
symbol in the Symbols Allowed In Variables (saiv) of the syntax
mode. It will always assume an underscore (_) is valid since all
common programming languages support it as a variable symbol.
- illumOS support
[7 lines not shown]
hunspell: updated to 1.7.3
Hunspell 1.7.3 release:
- Fix stack-buffer-overflow in Hunzip::getline (reported and fixed
by MarkLee131)
- Fix stack overflow in compound_check on Hungarian dictionaries
under certain conditions (reported by Anthropic via Ada Logics)
- Fix UB when SFX condition starts with '^'
- Bounds-check continuation bytes in u8_u16
- oss-fuzz timeout/OOM hardenings
- Fix 715 CHECKCOMPOUNDCASE considers digits uppercase
- Fix 748 hzip: cannot write file
- Fix 1024 std::string bounds check
- Fix 1044 tools/analyze crash
- Fix 1076 flags 65520/65521 wrongly rejected
- Fix 1058 don't suggest the input word as its own correction
- Fix 1002 exact word marked as a near miss
- Fix tdf125600 dotted-I regression
- Partial Unicode table refresh for Mc combining marks
[14 lines not shown]
wabt: updated to 1.0.41
1.0.41
Implement quoted identifier parsing
feat(demo): Run js in worker in wat2wasm demo
Refactor browser demos and Emscripten build output
Fix wasm2wat demo
Cleanup how emscripten is invoked
[demo] Use arrow functions
Fix Emscripten warnings by removing deprecated writeAsciiToMemory
[wasm2c] Fix exception testing on macOS
bug fix for wat2wasm demo to remove call to module.resolveNames
[wast-parser] Optimize Consume()
Move filename out of Location
Add declaration limit checks to parser
[lexer] Simplify GetLineOffsets
Remove debug-parser option and other unused variables
Use unsigned line info in Locations
[3 lines not shown]
inkscape: update to 1.4.4.
Inkscape 1.4.4 is a maintenance and bugfix release, which brings you
20 crash fixes, among them for three nasty bugs where Inkscape wouldn't even start
almost 20 bug fixes
6 performance improvements
a new palette
a new button for rotating stars and polygons into their 'neutral' or 'upright' position
27 updated interface translations
15 updated documentation translations
installation files for Windows on Arm
