Import from CS git

.gitignore

@@ -1,6 +1,6 @@
 SOURCES/cbindgen-vendor.tar.xz
-SOURCES/nspr-4.35.0-1.el8_1.src.rpm
-SOURCES/nss-3.101.0-7.el8_2.src.rpm
-SOURCES/nss-3.101.0-7.el9_2.src.rpm
-SOURCES/thunderbird-128.10.0esr.processed-source.tar.xz
-SOURCES/thunderbird-langpacks-128.10.0esr-20250428.tar.xz
+SOURCES/nspr-4.36.0-2.el8_2.src.rpm
+SOURCES/nss-3.112.0-1.el9_4.src.rpm
+SOURCES/nss-3.112.0-4.el8_2.src.rpm
+SOURCES/thunderbird-140.6.0esr.processed-source.tar.xz
+SOURCES/thunderbird-langpacks-140.6.0esr-20251209.tar.xz

.thunderbird.metadata

@@ -1,6 +1,6 @@
-5012b69e54cbebe3b5e74011dacf3a2097f49921 SOURCES/cbindgen-vendor.tar.xz
-d744f92e874688cc4b5376477dfdd639a97a6cd4 SOURCES/nspr-4.35.0-1.el8_1.src.rpm
-f466d7213e85773e002c48897524eaf909480046 SOURCES/nss-3.101.0-7.el8_2.src.rpm
-0413d22a58ba1bba99acec9c3c2a4db56a4100c7 SOURCES/nss-3.101.0-7.el9_2.src.rpm
-c32d35afb300a89e0c702e1db5e923565f5c3989 SOURCES/thunderbird-128.10.0esr.processed-source.tar.xz
-9ad46c67f8e7458fac79ce6003a0b582fe606136 SOURCES/thunderbird-langpacks-128.10.0esr-20250428.tar.xz
+bc4adac8f38f5103d8f88564a1545063dd8d6402 SOURCES/cbindgen-vendor.tar.xz
+0d0ddbd2a73340b3cbc977997f57222946b1e775 SOURCES/nspr-4.36.0-2.el8_2.src.rpm
+fd3879b176634d66f8ef64d18fdaeec98e140c23 SOURCES/nss-3.112.0-1.el9_4.src.rpm
+c3f0aaef37972107442e2796efad71be3a98ce3c SOURCES/nss-3.112.0-4.el8_2.src.rpm
+ab767e5b54fba95763688dff619dbca1242d684b SOURCES/thunderbird-140.6.0esr.processed-source.tar.xz
+049156e2a11453644a8b203f0f9bfa5ab2ef6a71 SOURCES/thunderbird-langpacks-140.6.0esr-20251209.tar.xz

SOURCES/av1-else-condition-add.patch

@@ -0,0 +1,14 @@
+diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
+index acadd3a2cc..11b217174d 100644
+--- a/modules/libpref/init/StaticPrefList.yaml
++++ b/modules/libpref/init/StaticPrefList.yaml
+@@ -12561,6 +12561,8 @@
+   type: RelaxedAtomicBool
+ #if defined(MOZ_AV1)
+   value: true
++#else
++  value: false
+ #endif
+   mirror: always
+ 
+

SOURCES/build-ffvpx.patch

@@ -1,24 +0,0 @@
-diff -up thunderbird-128.0/media/ffvpx/libavcodec/av1dec.c.build-ffvpx thunderbird-128.0/media/ffvpx/libavcodec/av1dec.c
---- thunderbird-128.0/media/ffvpx/libavcodec/av1dec.c.build-ffvpx	2024-06-24 22:43:40.000000000 +0200
-+++ thunderbird-128.0/media/ffvpx/libavcodec/av1dec.c	2024-07-10 11:20:23.200948767 +0200
-@@ -887,7 +887,7 @@ static av_cold int av1_decode_init(AVCod
-         ff_cbs_fragment_reset(&s->current_obu);
-     }
- 
--    s->dovi.logctx = avctx;
-+    s->dovi.logctx = (AVContext *) avctx;
-     s->dovi.dv_profile = 10; // default for AV1
-     sd = ff_get_coded_side_data(avctx, AV_PKT_DATA_DOVI_CONF);
-     if (sd && sd->size > 0)
-diff -up thunderbird-128.0/media/ffvpx/libavcodec/libdav1d.c.build-ffvpx thunderbird-128.0/media/ffvpx/libavcodec/libdav1d.c
---- thunderbird-128.0/media/ffvpx/libavcodec/libdav1d.c.build-ffvpx	2024-07-10 12:46:57.005539959 +0200
-+++ thunderbird-128.0/media/ffvpx/libavcodec/libdav1d.c	2024-07-10 12:47:19.067507705 +0200
-@@ -289,7 +289,7 @@ static av_cold int libdav1d_init(AVCodec
-     c->delay = res > 1 ? res : 0;
- #endif
- 
--    dav1d->dovi.logctx = c;
-+    dav1d->dovi.logctx = (AVContext *) c;
-     dav1d->dovi.dv_profile = 10; // default for AV1
-     sd = ff_get_coded_side_data(c, AV_PKT_DATA_DOVI_CONF);
-     if (sd && sd->size > 0)

SOURCES/build-libaom.patch

@@ -1,12 +1,13 @@
 diff -up firefox-128.0/config/external/moz.build.libaom firefox-128.0/config/external/moz.build
 --- firefox-128.0/config/external/moz.build.libaom	2024-07-31 15:32:39.460374047 +0200
 +++ firefox-128.0/config/external/moz.build	2024-07-31 15:34:41.646064796 +0200
-@@ -39,8 +39,8 @@ if CONFIG["MOZ_VORBIS"]:
+@@ -39,9 +39,9 @@ if CONFIG["MOZ_VORBIS"]:
+ 
  if not CONFIG["MOZ_SYSTEM_LIBVPX"]:
      external_dirs += ["media/libvpx"]
- 
 +external_dirs += ["media/libaom"]
- if CONFIG["MOZ_AV1"]:
+ 
+ if not CONFIG["MOZ_SYSTEM_AV1"]:
 -    external_dirs += ["media/libaom"]
      external_dirs += ["media/libdav1d"]
  

SOURCES/build-rhel7-lower-node-min-version.patch

@@ -1,8 +1,9 @@
---- firefox-115.8.0/python/mozbuild/mozbuild/nodeutil.py.lower-node-min-version	2024-02-12 21:53:56.000000000 +0200
-+++ firefox-115.8.0/python/mozbuild/mozbuild/nodeutil.py	2024-02-14 16:48:12.476182627 +0200
-@@ -13,7 +13,7 @@ from mozboot.util import get_tools_dir
+diff -up firefox-140.0/python/mozbuild/mozbuild/nodeutil.py.build-rhel7-lower-node-min-version firefox-140.0/python/mozbuild/mozbuild/nodeutil.py
+--- firefox-140.0/python/mozbuild/mozbuild/nodeutil.py.build-rhel7-lower-node-min-version	2025-06-02 15:26:51.000000000 +0200
++++ firefox-140.0/python/mozbuild/mozbuild/nodeutil.py	2025-06-12 11:54:37.075505124 +0200
+@@ -10,7 +10,7 @@ from mozboot.util import get_tools_dir
+ from mozfile import which
  from packaging.version import Version
- from six import PY3
  
 -NODE_MIN_VERSION = Version("12.22.12")
 +NODE_MIN_VERSION = Version("10.24.0")

SOURCES/build-rhel7-nasm-dwarf.patch

@@ -1,12 +1,12 @@
-diff -up firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py.rhel7-nasm firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py
---- firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py.rhel7-nasm	2021-08-31 08:02:10.814740774 +0200
-+++ firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py	2021-08-31 08:04:03.967146994 +0200
-@@ -420,7 +420,7 @@ class AsmFlags(BaseCompileFlags):
+diff -up firefox-140.0/python/mozbuild/mozbuild/frontend/context.py.build-rhel7-nasm-dwarf firefox-140.0/python/mozbuild/mozbuild/frontend/context.py
+--- firefox-140.0/python/mozbuild/mozbuild/frontend/context.py.build-rhel7-nasm-dwarf	2025-06-02 15:26:51.000000000 +0200
++++ firefox-140.0/python/mozbuild/mozbuild/frontend/context.py	2025-06-12 12:09:56.398728745 +0200
+@@ -417,7 +417,7 @@ class AsmFlags(BaseCompileFlags):
                  if self._context.config.substs.get("OS_ARCH") == "WINNT":
                      debug_flags += ["-F", "cv8"]
                  elif self._context.config.substs.get("OS_ARCH") != "Darwin":
 -                    debug_flags += ["-F", "dwarf"]
-+                    debug_flags += ["-f", "elf32"]
-             elif (
-                 self._context.config.substs.get("OS_ARCH") == "WINNT"
-                 and self._context.config.substs.get("CPU_ARCH") == "aarch64"
++                    debug_flags += ["-F", "elf32"]
+             elif self._context.config.substs.get("CC_TYPE") == "clang-cl":
+                 if self._context.config.substs.get("TARGET_CPU") == "aarch64":
+                     # armasm64 accepts a paucity of options compared to ml/ml64.

SOURCES/build-system-nss.patch

@@ -0,0 +1,20 @@
+diff -up firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json.system-nss firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json
+--- firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json.system-nss	2025-07-25 10:17:19.112202464 +0200
++++ firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json	2025-07-25 10:17:55.824333955 +0200
+@@ -1 +1 @@
+-{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"83606aeb646b2833a8094f9d980c266ecc3e8cb40c93a4820da221988319dd1a","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
+\ No newline at end of file
++{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"50c1b84e06cd9a71bb9199f2518947a4d4ad3e5c33c1b86c585486dc43e872a0","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
+\ No newline at end of file
+diff -up firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs.system-nss firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs
+--- firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs.system-nss	2025-07-25 10:16:27.299270237 +0200
++++ firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs	2025-07-25 10:16:39.698529915 +0200
+@@ -83,7 +83,7 @@ remap_enum! {
+         TLS_GRP_EC_SECP521R1 = ssl_grp_ec_secp521r1,
+         TLS_GRP_EC_X25519 = ssl_grp_ec_curve25519,
+         TLS_GRP_KEM_XYBER768D00 = ssl_grp_kem_xyber768d00,
+-        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_mlkem768x25519,
++        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_x25519mlkem768,
+     }
+ }
+ 

SOURCES/build-tb-system-nss.patch

@@ -0,0 +1,20 @@
+diff -up thunderbird-140.0/comm/third_party/rust/neqo-crypto/.cargo-checksum.json.tb-system-nss thunderbird-140.0/comm/third_party/rust/neqo-crypto/.cargo-checksum.json
+--- thunderbird-140.0/comm/third_party/rust/neqo-crypto/.cargo-checksum.json.tb-system-nss	2025-06-25 13:13:16.000000000 +0200
++++ thunderbird-140.0/comm/third_party/rust/neqo-crypto/.cargo-checksum.json	2025-08-15 09:08:49.676977167 +0200
+@@ -1 +1 @@
+-{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"83606aeb646b2833a8094f9d980c266ecc3e8cb40c93a4820da221988319dd1a","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
+\ No newline at end of file
++{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"50c1b84e06cd9a71bb9199f2518947a4d4ad3e5c33c1b86c585486dc43e872a0","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
+\ No newline at end of file
+diff -up thunderbird-140.0/comm/third_party/rust/neqo-crypto/src/constants.rs.tb-system-nss thunderbird-140.0/comm/third_party/rust/neqo-crypto/src/constants.rs
+--- thunderbird-140.0/comm/third_party/rust/neqo-crypto/src/constants.rs.tb-system-nss	2025-06-25 13:13:16.000000000 +0200
++++ thunderbird-140.0/comm/third_party/rust/neqo-crypto/src/constants.rs	2025-08-15 09:08:35.941135895 +0200
+@@ -83,7 +83,7 @@ remap_enum! {
+         TLS_GRP_EC_SECP521R1 = ssl_grp_ec_secp521r1,
+         TLS_GRP_EC_X25519 = ssl_grp_ec_curve25519,
+         TLS_GRP_KEM_XYBER768D00 = ssl_grp_kem_xyber768d00,
+-        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_mlkem768x25519,
++        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_x25519mlkem768,
+     }
+ }
+ 

SOURCES/build-workaround-s390x.patch

@@ -0,0 +1,49 @@
+From 13858b4787c24a40cdce819b963baebff186cfe0 Mon Sep 17 00:00:00 2001
+From: Paul Murphy <murp@redhat.com>
+Date: Tue, 25 Nov 2025 08:55:25 -0600
+Subject: [PATCH] HACK: workaround s390x
+
+Attempt to workaround what seems to be a codegen related bug on s390x.
+
+This seems to avoid a crash related to Ident or Punct structures on
+s390x.
+
+For: RHEL-118250
+---
+ third_party/rust/proc-macro2/.cargo-checksum.json | 2 +-
+ third_party/rust/proc-macro2/src/lib.rs           | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/third_party/rust/proc-macro2/.cargo-checksum.json b/third_party/rust/proc-macro2/.cargo-checksum.json
+index b0d735a3a2d6..c47ce4ac5611 100644
+--- a/third_party/rust/proc-macro2/.cargo-checksum.json
++++ b/third_party/rust/proc-macro2/.cargo-checksum.json
+@@ -1 +1 @@
+-{"files":{"Cargo.toml":"41a9465146a2b62a642e29f065718649e686d3c9585736596392dd941c9b0bef","LICENSE-APACHE":"62c7a1e35f56406896d7aa7ca52d0cc0d272ac022b5d2796e7d6905db8a3636a","LICENSE-MIT":"23f18e03dc49df91622fe2a76176497404e46ced8a715d9d2b67a7446571cca3","README.md":"c609b6865476d6c35879784e9155367a97a0da496aa5c3c61488440a20f59883","build.rs":"cf78c0005f11d54ca42dbaee77cb76a440e6fa2e0b64798d3f74c04770a0ad2b","build/probe.rs":"971fd2178dc506ccdc5c2065c37b77696a4aee8e00330ca52625db4a857f68d3","rust-toolchain.toml":"6bbb61302978c736b2da03e4fb40e3beab908f85d533ab46fd541e637b5f3e0f","src/detection.rs":"ed9a5f9a979ab01247d7a68eeb1afa3c13209334c5bfff0f9289cb07e5bb4e8b","src/extra.rs":"29f094473279a29b71c3cc9f5fa27c2e2c30c670390cf7e4b7cf451486cc857e","src/fallback.rs":"be1ce5e32c88c29d41d2ab663375951817d52decce3dc9e335ec22378be8fa65","src/lib.rs":"97ca48f50ad15fbcef42b31fb4fbfb8e4a1c5f946d776aa44fd04b37d7c64b32","src/location.rs":"9225c5a55f03b56cce42bc55ceb509e8216a5e0b24c94aa1cd071b04e3d6c15f","src/marker.rs":"c11c5a1be8bdf18be3fcd224393f350a9aae7ce282e19ce583c84910c6903a8f","src/parse.rs":"4b77cddbc2752bc4d38a65acd8b96b6786c5220d19b1e1b37810257b5d24132d","src/rcvec.rs":"1c3c48c4f819927cc445ae15ca3bb06775feff2fd1cb21901ae4c40c7e6b4e82","src/wrapper.rs":"e41df9abc846b40f0cf01150d22b91944d07cde93bc72aa34798101652675844","tests/comments.rs":"31115b3a56c83d93eef2fb4c9566bf4543e302560732986161b98aef504785ed","tests/features.rs":"a86deb8644992a4eb64d9fd493eff16f9cf9c5cb6ade3a634ce0c990cf87d559","tests/marker.rs":"473e962ee1aa0633dd5cf9a973b3bbd0ef43b740d4b7f6d008ff455a6b89d386","tests/test.rs":"2e7106f582367d168638be7364d4e9aadbe0affca8b51dd80f0b3977cc2fcf83","tests/test_fmt.rs":"b7743b612af65f2c88cbe109d50a093db7aa7e87f9e37bf45b7bbaeb240aa020","tests/test_size.rs":"62d8373ea46b669b87bc90a9c49b6d02f90ff4c21f9a25acebf60c9926e01fb7"},"package":"5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"}
+\ No newline at end of file
++{"files":{},"package":"5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"}
+diff --git a/third_party/rust/proc-macro2/src/lib.rs b/third_party/rust/proc-macro2/src/lib.rs
+index 1430306bb31d..81f8c15a67e4 100644
+--- a/third_party/rust/proc-macro2/src/lib.rs
++++ b/third_party/rust/proc-macro2/src/lib.rs
+@@ -806,6 +806,8 @@ impl Debug for Group {
+ /// `Punct` with different forms of `Spacing` returned.
+ #[derive(Clone)]
+ pub struct Punct {
++    #[cfg(target_arch = "s390x")]
++    foo: u64,
+     ch: char,
+     spacing: Spacing,
+     span: Span,
+@@ -834,6 +836,8 @@ impl Punct {
+     /// which can be further configured with the `set_span` method below.
+     pub fn new(ch: char, spacing: Spacing) -> Self {
+         Punct {
++            #[cfg(target_arch = "s390x")]
++            foo: 0xabcd,
+             ch,
+             spacing,
+             span: Span::call_site(),
+-- 
+2.51.1
+

SOURCES/mozilla-bmo1170092.patch

@@ -1,6 +1,6 @@
-diff -up firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp.1170092 firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp
---- firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp.1170092	2023-07-10 21:08:53.000000000 +0200
-+++ firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp	2023-07-17 10:33:23.443355156 +0200
+diff -up firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp.mozilla-bmo1170092 firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp
+--- firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp.mozilla-bmo1170092	2025-06-02 15:26:44.000000000 +0200
++++ firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp	2025-06-04 13:24:00.344728697 +0200
 @@ -263,8 +263,20 @@ nsresult nsReadConfig::openAndEvaluateJS
      if (NS_FAILED(rv)) return rv;
  
@@ -23,10 +23,10 @@ diff -up firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp.1170092
    } else {
      nsAutoCString location("resource://gre/defaults/autoconfig/");
      location += aFileName;
-diff -up firefox-115.0.2/modules/libpref/Preferences.cpp.1170092 firefox-115.0.2/modules/libpref/Preferences.cpp
---- firefox-115.0.2/modules/libpref/Preferences.cpp.1170092	2023-07-10 21:09:00.000000000 +0200
-+++ firefox-115.0.2/modules/libpref/Preferences.cpp	2023-07-17 10:33:23.444355156 +0200
-@@ -4825,6 +4825,9 @@ nsresult Preferences::InitInitialObjects
+diff -up firefox-140.0/modules/libpref/Preferences.cpp.mozilla-bmo1170092 firefox-140.0/modules/libpref/Preferences.cpp
+--- firefox-140.0/modules/libpref/Preferences.cpp.mozilla-bmo1170092	2025-06-02 15:26:51.000000000 +0200
++++ firefox-140.0/modules/libpref/Preferences.cpp	2025-06-04 13:24:00.345430064 +0200
+@@ -4914,6 +4914,9 @@ nsresult Preferences::InitInitialObjects
    //
    // Thus, in the omni.jar case, we always load app-specific default
    // preferences from omni.jar, whether or not `$app == $gre`.
@@ -36,10 +36,10 @@ diff -up firefox-115.0.2/modules/libpref/Preferences.cpp.1170092 firefox-115.0.2
  
    nsresult rv = NS_ERROR_FAILURE;
    UniquePtr<nsZipFind> find;
-diff -up firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp.1170092 firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp
---- firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp.1170092	2023-07-10 22:57:20.000000000 +0200
-+++ firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp	2023-07-17 10:56:25.309692121 +0200
-@@ -72,6 +72,7 @@
+diff -up firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092 firefox-140.0/toolkit/xre/nsXREDirProvider.cpp
+--- firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092	2025-06-02 15:27:00.000000000 +0200
++++ firefox-140.0/toolkit/xre/nsXREDirProvider.cpp	2025-06-04 15:44:09.413562326 +0200
+@@ -76,6 +76,7 @@
  #endif
  #ifdef XP_UNIX
  #  include <ctype.h>
@@ -47,7 +47,7 @@ diff -up firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp.1170092 firefox-115.0.
  #endif
  #ifdef XP_IOS
  #  include "UIKitDirProvider.h"
-@@ -478,6 +479,17 @@ nsXREDirProvider::GetFile(const char* aP
+@@ -462,6 +463,17 @@ nsXREDirProvider::GetFile(const char* aP
      rv = file->AppendNative(nsLiteralCString(PREF_OVERRIDE_DIRNAME));
      NS_ENSURE_SUCCESS(rv, rv);
      rv = EnsureDirectoryExists(file);
@@ -60,12 +60,12 @@ diff -up firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp.1170092 firefox-115.0.
 +    appInfo->GetName(appName);
 +    ToLowerCase(appName);
 +    sysConfigDir.Append(appName);
-+    NS_NewNativeLocalFile(sysConfigDir, false, getter_AddRefs(file));
++    NS_NewNativeLocalFile(sysConfigDir, getter_AddRefs(file));
 +    rv = EnsureDirectoryExists(file);
    } else {
      // We don't know anything about this property. Fail without warning, because
      // otherwise we'll get too much warning spam due to
-@@ -694,6 +706,16 @@ nsXREDirProvider::GetFiles(const char* a
+@@ -518,6 +530,16 @@ nsXREDirProvider::GetFiles(const char* a
      }
  #endif
  
@@ -82,9 +82,9 @@ diff -up firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp.1170092 firefox-115.0.
      rv = NS_NewArrayEnumerator(aResult, directories, NS_GET_IID(nsIFile));
    } else if (!strcmp(aProperty, NS_APP_CHROME_DIR_LIST)) {
      // NS_APP_CHROME_DIR_LIST is only used to get default (native) icons
-diff -up firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h.1170092 firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h
---- firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h.1170092	2023-07-10 21:09:13.000000000 +0200
-+++ firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h	2023-07-17 10:33:23.444355156 +0200
+diff -up firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h.mozilla-bmo1170092 firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h
+--- firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h.mozilla-bmo1170092	2025-06-02 15:27:01.000000000 +0200
++++ firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h	2025-06-04 13:24:00.346423861 +0200
 @@ -58,6 +58,7 @@
  #define NS_APP_PREFS_DEFAULTS_DIR_LIST "PrefDL"
  #define NS_APP_PREFS_OVERRIDE_DIR \

SOURCES/mozilla-bmo1670333.patch

@@ -1,7 +1,7 @@
-diff -up firefox-128.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-128.0/dom/media/mp4/MP4Demuxer.cpp
---- firefox-128.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333	2024-07-04 18:20:27.000000000 +0200
-+++ firefox-128.0/dom/media/mp4/MP4Demuxer.cpp	2024-07-16 13:49:10.475630426 +0200
-@@ -33,6 +33,8 @@ mozilla::LogModule* GetDemuxerLog() { re
+diff -up firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-140.0/dom/media/mp4/MP4Demuxer.cpp
+--- firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333	2025-06-17 18:15:13.000000000 +0200
++++ firefox-140.0/dom/media/mp4/MP4Demuxer.cpp	2025-06-18 10:17:47.394794429 +0200
+@@ -32,6 +32,8 @@ mozilla::LogModule* GetDemuxerLog() { re
    DDMOZ_LOG(gMediaDemuxerLog, mozilla::LogLevel::Debug, "::%s: " arg, \
              __func__, ##__VA_ARGS__)
  
@@ -11,9 +11,9 @@ diff -up firefox-128.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-1
  
  using TimeUnit = media::TimeUnit;
 @@ -419,6 +421,12 @@ already_AddRefed<MediaRawData> MP4TrackD
-           [[fallthrough]];
          case H264::FrameType::OTHER: {
-           bool keyframe = type == H264::FrameType::I_FRAME;
+           bool keyframe = type == H264::FrameType::I_FRAME_OTHER ||
+                           type == H264::FrameType::I_FRAME_IDR;
 +          if (gUseKeyframeFromContainer) {
 +            if (sample->mKeyframe && sample->mKeyframe != keyframe) {
 +              sample->mKeyframe = keyframe;
@@ -23,10 +23,10 @@ diff -up firefox-128.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-1
            if (sample->mKeyframe != keyframe) {
              NS_WARNING(nsPrintfCString("Frame incorrectly marked as %skeyframe "
                                         "@ pts:%" PRId64 " dur:%" PRId64
-diff -up firefox-128.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 firefox-128.0/dom/media/platforms/PDMFactory.cpp
---- firefox-128.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333	2024-07-04 18:20:26.000000000 +0200
-+++ firefox-128.0/dom/media/platforms/PDMFactory.cpp	2024-07-16 14:16:04.635809901 +0200
-@@ -62,6 +62,8 @@
+diff -up firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 firefox-140.0/dom/media/platforms/PDMFactory.cpp
+--- firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333	2025-06-17 18:15:13.000000000 +0200
++++ firefox-140.0/dom/media/platforms/PDMFactory.cpp	2025-06-18 10:10:29.209789856 +0200
+@@ -61,6 +61,8 @@
  
  #include <functional>
  
@@ -35,7 +35,7 @@ diff -up firefox-128.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 fir
  using DecodeSupport = mozilla::media::DecodeSupport;
  using DecodeSupportSet = mozilla::media::DecodeSupportSet;
  using MediaCodec = mozilla::media::MediaCodec;
-@@ -543,7 +545,7 @@ void PDMFactory::CreateRddPDMs() {
+@@ -573,7 +575,7 @@ void PDMFactory::CreateRddPDMs() {
  #ifdef MOZ_FFMPEG
    if (StaticPrefs::media_ffmpeg_enabled() &&
        StaticPrefs::media_rdd_ffmpeg_enabled() &&
@@ -44,7 +44,7 @@ diff -up firefox-128.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 fir
      mFailureFlags += GetFailureFlagBasedOnFFmpegStatus(
          FFmpegRuntimeLinker::LinkStatusCode());
    }
-@@ -719,7 +721,7 @@ void PDMFactory::CreateDefaultPDMs() {
+@@ -749,7 +751,7 @@ void PDMFactory::CreateDefaultPDMs() {
    StartupPDM(AgnosticDecoderModule::Create(),
               StaticPrefs::media_prefer_non_ffvpx());
  
@@ -53,10 +53,10 @@ diff -up firefox-128.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 fir
        !StartupPDM(GMPDecoderModule::Create(),
                    StaticPrefs::media_gmp_decoder_preferred())) {
      mFailureFlags += DecoderDoctorDiagnostics::Flags::GMPPDMFailedToStartup;
-diff -up firefox-128.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333 firefox-128.0/dom/media/platforms/PDMFactory.h
---- firefox-128.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333	2024-07-04 18:20:26.000000000 +0200
-+++ firefox-128.0/dom/media/platforms/PDMFactory.h	2024-07-16 13:49:10.476630421 +0200
-@@ -98,6 +98,7 @@ class PDMFactory final {
+diff -up firefox-140.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333 firefox-140.0/dom/media/platforms/PDMFactory.h
+--- firefox-140.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333	2025-06-17 18:15:13.000000000 +0200
++++ firefox-140.0/dom/media/platforms/PDMFactory.h	2025-06-18 10:10:29.210054963 +0200
+@@ -105,6 +105,7 @@ class PDMFactory final {
    RefPtr<PlatformDecoderModule> mNullPDM;
  
    DecoderDoctorDiagnostics::FlagsSet mFailureFlags;

SOURCES/mozilla-bmo1789216-disable-av1.patch

@@ -42,32 +42,26 @@ diff -up firefox-128.0/media/ffvpx/libavcodec/codec_list.c.mozilla-bmo1789216-di
 diff -up firefox-128.0/media/ffvpx/libavcodec/moz.build.mozilla-bmo1789216-disable-av1 firefox-128.0/media/ffvpx/libavcodec/moz.build
 --- firefox-128.0/media/ffvpx/libavcodec/moz.build.mozilla-bmo1789216-disable-av1	2024-06-13 11:40:12.669924118 +0200
 +++ firefox-128.0/media/ffvpx/libavcodec/moz.build	2024-06-13 11:45:22.867304151 +0200
-@@ -94,7 +94,6 @@ if not CONFIG['MOZ_FFVPX_AUDIOONLY']:
-         'imgconvert.c',
-         'libaom.c',
-         'libaomenc.c',
--        'libdav1d.c',
-         'libvpxdec.c',
-         'libvpxenc.c',
-         'mathtables.c',
-@@ -119,10 +118,16 @@ if not CONFIG['MOZ_FFVPX_AUDIOONLY']:
-         'vp9recon.c',
+@@ -120,16 +120,15 @@ if not CONFIG['MOZ_FFVPX_AUDIOONLY']:
          'vpx_rac.c',
      ]
--    USE_LIBS += [
--        'dav1d',
--        'media_libdav1d_asm',
--    ]
-+    if CONFIG['MOZ_AV1']:
-+        USE_LIBS += [
-+            'dav1d',
-+            'media_libdav1d_asm',
-+        ]
+ 
+-    if CONFIG["MOZ_SYSTEM_AV1"]:
+-        CFLAGS += CONFIG['MOZ_SYSTEM_LIBDAV1D_CFLAGS']
+-        CFLAGS += CONFIG['MOZ_SYSTEM_LIBAOM_CFLAGS']
+-        OS_LIBS += CONFIG['MOZ_SYSTEM_LIBDAV1D_LIBS']
+-        OS_LIBS += CONFIG['MOZ_SYSTEM_LIBAOM_LIBS']
+-    else:
++    if CONFIG["MOZ_AV1"]:
+         USE_LIBS += [
+             'dav1d',
+             'media_libdav1d_asm',
+         ]
 +        SOURCES += [
 +            'libdav1d.c',
 +        ]
 +
-+
+ 
      if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
          LOCAL_INCLUDES += ['/media/mozva']
-         SOURCES += [
+

SOURCES/process-official-tarball

@@ -12,16 +12,21 @@ rm -vf ./process-tarball-dir/*/testing/web-platform/tests/css/css-ui/support/cur
 rm -vf ./process-tarball-dir/*/testing/web-platform/tests/conformance-checkers/html-rdfa/0230-novalid.html
 rm -vf ./process-tarball-dir/*/testing/web-platform/tests/conformance-checkers/html-rdfa/0231-isvalid.html
 rm -vf ./process-tarball-dir/*/layout/inspector/tests/chrome/test_fontVariationsAPI.css
+rm -vr ./process-tarball-dir/*/third_party/rust/wast/tests/parse-fail/confusing*
 # A forbidden code point was found in:
 rm -vf ./process-tarball-dir/*/mobile/android/android-components/components/browser/errorpages/src/main/res/values-ar/strings.xml
 rm -vf ./process-tarball-dir/*/mobile/android/android-components/components/feature/addons/src/main/res/values-ur/strings.xml
 rm -vf ./process-tarball-dir/*/third_party/webkit/PerformanceTests/Speedometer3/resources/editors/dist/assets/codemirror-521de7ab.js
 rm -vf ./process-tarball-dir/*/third_party/python/pip/pip-24.0.dist-info/AUTHORS.txt
+rm -vf ./process-tarball-dir/*/dom/locks/test/crashtests/1908240.js
 rm -vf ./process-tarball-dir/*/comm/third_party/rust/idna/tests/IdnaTestV2.txt
 rm -vr ./process-tarball-dir/*/comm/third_party/rust/wast/tests/parse-fail/confusing*
+rm -vr ./process-tarball-dir/*/third_party/rust/wast/tests/parse-fail/confusing*
 
 # We uses system freetype2
 rm -vrf ./process-tarball-dir/*/modules/freetype2
+# We use system zlib
+rm -vrf ./process-tarball-dir/*/modules/zlib
 
 processed_tarball=${1/source/processed-source}
 

SOURCES/rhbz-1173156.patch

@@ -1,12 +1,12 @@
-diff -up firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156 firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp
---- firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156	2019-01-22 10:36:09.284069020 +0100
-+++ firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp	2019-01-22 10:37:12.669757744 +0100
-@@ -161,7 +161,7 @@ nsresult nsAuthSambaNTLM::SpawnNTLMAuthH
-   const char* username = PR_GetEnv("USER");
-   if (!username) return NS_ERROR_FAILURE;
+diff -up firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156 firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp
+--- firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156	2025-06-02 15:26:45.000000000 +0200
++++ firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp	2025-06-12 11:02:37.183715940 +0200
+@@ -153,7 +153,7 @@ nsresult nsAuthSambaNTLM::SpawnNTLMAuthH
+     options.fds_to_remap.push_back(
+         std::pair{fromChildPipeWrite.get(), STDOUT_FILENO});
+ 
+-    std::vector<std::string> argvVec{"ntlm_auth",        "--helper-protocol",
++    std::vector<std::string> argvVec{"/usr/bin/ntlm_auth",        "--helper-protocol",
+                                      "ntlmssp-client-1", "--use-cached-creds",
+                                      "--username",       username};
  
--  const char* const args[] = {"ntlm_auth",
-+  const char* const args[] = {"/usr/bin/ntlm_auth",
-                               "--helper-protocol",
-                               "ntlmssp-client-1",
-                               "--use-cached-creds",

SOURCES/thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch

@@ -0,0 +1,59 @@
+diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
+index 31aa1ddd67..93ab402bfd 100644
+--- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
++++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
+@@ -303,6 +303,28 @@ DigestBufNSS(Input item,
+   return Success;
+ }
+ 
++static SECOidTag
++findOIDByName(const char *cipherString)
++{
++  SECOidTag tag;
++  SECOidData *oid;
++
++  for (int i = 1; ; i++) {
++    SECOidTag tag = static_cast<SECOidTag>(i);
++    oid = SECOID_FindOIDByTag(tag);
++
++    if (oid == NULL) {
++      break;
++    }
++
++    if (strcasecmp(oid->desc, cipherString) == 0) {
++      return tag;
++    }
++  }
++
++  return SEC_OID_UNKNOWN;
++}
++
+ Result
+ VerifyMLDSASignedDataNSS(Input data,
+                          Input signature,
+@@ -323,17 +345,14 @@ VerifyMLDSASignedDataNSS(Input data,
+   SECItem dataItem(UnsafeMapInputToSECItem(data));
+   CK_MECHANISM_TYPE mechanism;
+ 
+-  switch (pubk->u.mldsa.paramSet) {
+-    case SEC_OID_ML_DSA_44:
+-    case SEC_OID_ML_DSA_65:
+-    case SEC_OID_ML_DSA_87:
+-      mechanism = CKM_ML_DSA;
+-      signaturePolicyTag = pubk->u.mldsa.paramSet;
+-      hashPolicyTag = SEC_OID_UNKNOWN;
+-      break;
+-    default:
+-      return Result::ERROR_UNSUPPORTED_KEYALG;
+-      break;
++  if (pubk->u.mldsa.params == findOIDByName("ML-DSA-44") ||
++      pubk->u.mldsa.params == findOIDByName("ML-DSA-65") ||
++      pubk->u.mldsa.params == findOIDByName("ML-DSA-87")) {
++    hashPolicyTag = SEC_OID_UNKNOWN;
++    mechanism = CKM_ML_DSA;
++    signaturePolicyTag = pubk->u.mldsa.params;
++  } else {
++    return Result::ERROR_UNSUPPORTED_KEYALG;
+   }
+ 
+   SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag};

SOURCES/thunderbird-add-ml-dsa-certificate-support-to-certviewer.patch

@@ -0,0 +1,323 @@
+diff --git a/toolkit/components/certviewer/content/certDecoder.mjs b/toolkit/components/certviewer/content/certDecoder.mjs
+--- a/toolkit/components/certviewer/content/certDecoder.mjs
++++ b/toolkit/components/certviewer/content/certDecoder.mjs
+@@ -5,10 +5,11 @@
+ import {
+   Certificate,
+   ECNamedCurves,
+   ECPublicKey,
+   RSAPublicKey,
++  MLDSAPublicKey,
+ } from "./vendor/pkijs.js";
+ 
+ const getTimeZone = () => {
+   let timeZone = new Date().toString().match(/\(([A-Za-z\s].*)\)/);
+   if (timeZone === null) {
+@@ -45,10 +46,19 @@
+       x, // x coordinate
+       y, // y coordinate
+       xy: `04:${x}:${y}`, // 04 (uncompressed) public key
+     };
+   }
++  if (publicKey instanceof MLDSAPublicKey) {
++    let keyHex = publicKey.rhoT1.valueBlock.valueHex;
++    let keyBytes = new Uint8Array(keyHex);
++    return {
++      kty: publicKey.alg,
++      keysize: keyBytes.length,
++      rhoT1: hashify(keyHex),
++    };
++  }
+   return { kty: "Unknown" };
+ };
+ 
+ const getX509Ext = (extensions, v) => {
+   for (var extension in extensions) {
+@@ -1132,10 +1142,13 @@
+     "2.16.840.1.101.3.4.3.2": "DSA with SHA-256",
+     "1.2.840.10045.4.1": "ECDSA with SHA-1",
+     "1.2.840.10045.4.3.2": "ECDSA with SHA-256",
+     "1.2.840.10045.4.3.3": "ECDSA with SHA-384",
+     "1.2.840.10045.4.3.4": "ECDSA with SHA-512",
++    "2.16.840.1.101.3.4.3.17": "ML-DSA-44",
++    "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
++    "2.16.840.1.101.3.4.3.19": "ML-DSA-87",
+   },
+ 
+   aia: {
+     "1.3.6.1.5.5.7.48.1": "Online Certificate Status Protocol (OCSP)",
+     "1.3.6.1.5.5.7.48.2": "CA Issuers",
+diff --git a/toolkit/components/certviewer/content/certviewer.mjs b/toolkit/components/certviewer/content/certviewer.mjs
+--- a/toolkit/components/certviewer/content/certviewer.mjs
++++ b/toolkit/components/certviewer/content/certviewer.mjs
+@@ -74,10 +74,23 @@
+     }
+   }
+   return result ? result : false;
+ };
+ 
++const getMLDSASecurityLevel = signatureName => {
++  switch (signatureName) {
++    case "ML-DSA-44":
++      return "Level 2 (NIST)";
++    case "ML-DSA-65":
++      return "Level 3 (NIST)";
++    case "ML-DSA-87":
++      return "Level 5 (NIST)";
++    default:
++      return null;
++  }
++};
++
+ export const adjustCertInformation = cert => {
+   let certItems = [];
+   let tabName = cert?.subject?.cn || "";
+   if (cert && !tabName) {
+     // No common name, use the value of the last item in the cert's entries.
+@@ -173,10 +186,15 @@
+           createEntryItem("key-size", cert.subjectPublicKeyInfo.keysize),
+           createEntryItem("curve", cert.subjectPublicKeyInfo.crv),
+           createEntryItem("public-value", cert.subjectPublicKeyInfo.xy, true),
+           createEntryItem("exponent", cert.subjectPublicKeyInfo.e),
+           createEntryItem("modulus", cert.subjectPublicKeyInfo.n, true),
++          createEntryItem(
++            "mldsa-public-value",
++            cert.subjectPublicKeyInfo.rhoT1,
++            true
++          ),
+         ].filter(elem => elem != null);
+       }
+       return items;
+     },
+     certItems,
+@@ -190,14 +208,23 @@
+         createEntryItem("serial-number", cert.serialNumber, true),
+         createEntryItem(
+           "signature-algorithm",
+           cert.signature ? cert.signature.name : null
+         ),
++      ];
++
++      const secLvl = getMLDSASecurityLevel(cert.signature?.name);
++      if (secLvl) {
++        items.push(createEntryItem("security-level", secLvl));
++      }
++
++      items.push(
+         createEntryItem("version", cert.version),
+-        createEntryItem("download", cert.files ? cert.files.pem : null),
+-      ].filter(elem => elem != null);
+-      return items;
++        createEntryItem("download", cert.files ? cert.files.pem : null)
++      );
++
++      return items.filter(elem => elem != null);
+     },
+     certItems,
+     "miscellaneous",
+     false
+   );
+diff --git a/toolkit/components/certviewer/content/vendor/pkijs.js b/toolkit/components/certviewer/content/vendor/pkijs.js
+--- a/toolkit/components/certviewer/content/vendor/pkijs.js
++++ b/toolkit/components/certviewer/content/vendor/pkijs.js
+@@ -8609,10 +8609,90 @@
+         this.publicExponent = new Integer({ valueHex: stringToArrayBuffer(fromBase64(json.e, true)).slice(0, 3) });
+     }
+ }
+ RSAPublicKey.CLASS_NAME = "RSAPublicKey";
+ 
++/* @see https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-11.html */
++const RHO_T1 = "rhoT1";
++const ALG = "alg";
++const CLEAR_PROPS_MLDSA = [RHO_T1, ALG];
++const MLDSA_MIN_LENGTH = 32;
++class MLDSAPublicKey extends PkiObject {
++    constructor(parameters = {}) {
++        super();
++
++        this.rhoT1 = getParametersValue(parameters, RHO_T1, MLDSAPublicKey.defaultValues(RHO_T1));
++        this.alg = getParametersValue(parameters, ALG, MLDSAPublicKey.defaultValues(ALG));
++
++        if (parameters.json) {
++            this.fromJSON(parameters.json);
++        }
++
++        if (parameters.schema) {
++            this.fromSchema(parameters.schema);
++        }
++    }
++
++    static defaultValues(memberName) {
++        switch (memberName) {
++            case RHO_T1:
++                return new BitString();
++            case ALG:
++                return "";
++            default:
++                return super.defaultValues(memberName);
++        }
++    }
++
++    static schema(parameters = {}) {
++        const names = getParametersValue(parameters, "names", {});
++        return new BitString({ name: names.rhoT1 || RHO_T1 });
++    }
++
++    fromSchema(schema) {
++        clearProps(schema, CLEAR_PROPS_MLDSA);
++
++        const asn1 = compareSchema(schema, schema, MLDSAPublicKey.schema({
++            names: { rhoT1: RHO_T1 }
++        }));
++
++        AsnError.assertSchema(asn1, this.className);
++
++        const bitString = asn1.result.rhoT1;
++        const length = bitString.valueBlock.valueHexView.length;
++
++        if (length < MLDSA_MIN_LENGTH || (length - MLDSA_MIN_LENGTH) % 320 !== 0) {
++            throw new Error(`Invalid ML-DSA key length: ${length} bytes`);
++        }
++
++        this.rhoT1 = bitString;
++    }
++
++    toSchema() {
++        return this.rhoT1;
++    }
++
++    toJSON() {
++        return {
++            rhoT1: Convert.ToBase64Url(this.rhoT1.valueBlock.valueHexView),
++            alg: this.alg
++        };
++    }
++
++    fromJSON(json) {
++        ParameterError.assert("json", json, "rhoT1");
++        const rawBuffer = stringToArrayBuffer(fromBase64(json.rhoT1, true));
++
++        if (rawBuffer.byteLength < MLDSA_MIN_LENGTH || (rawBuffer.byteLength - MLDSA_MIN_LENGTH) % 320 !== 0) {
++            throw new Error(`Invalid ML-DSA key length: ${rawBuffer.byteLength} bytes`);
++        }
++
++        this.rhoT1 = new BitString({ valueHex: rawBuffer });
++    }
++}
++MLDSAPublicKey.CLASS_NAME = "MLDSAPublicKey";
++
+ const ALGORITHM$1 = "algorithm";
+ const SUBJECT_PUBLIC_KEY = "subjectPublicKey";
+ const CLEAR_PROPS$1a = [ALGORITHM$1, SUBJECT_PUBLIC_KEY];
+ class PublicKeyInfo extends PkiObject {
+     constructor(parameters = {}) {
+@@ -8657,10 +8737,22 @@
+                             catch (ex) {
+                             }
+                         }
+                     }
+                     break;
++                case "2.16.840.1.101.3.4.3.17":
++                    /* Already a bitstring */
++                    this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-44" });
++                    break;
++                case "2.16.840.1.101.3.4.3.18":
++                    /* Already a bitstring */
++                    this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-65" });
++                    break;
++                case "2.16.840.1.101.3.4.3.19":
++                    /* Already a bitstring */
++                    this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-87" });
++                    break;
+             }
+             this._parsedKey || (this._parsedKey = null);
+         }
+         return this._parsedKey || undefined;
+     }
+@@ -8724,10 +8816,19 @@
+                 jwk.kty = "EC";
+                 break;
+             case "1.2.840.113549.1.1.1":
+                 jwk.kty = "RSA";
+                 break;
++            case "2.16.840.1.101.3.4.3.17":
++                jwk.kty = "ML-DSA-44";
++                break;
++            case "2.16.840.1.101.3.4.3.18":
++                jwk.kty = "ML-DSA-65";
++                break;
++            case "2.16.840.1.101.3.4.3.19":
++                jwk.kty = "ML-DSA-87";
++                break;
+         }
+         const publicKeyJWK = this.parsedKey.toJSON();
+         Object.assign(jwk, publicKeyJWK);
+         return jwk;
+     }
+@@ -8746,10 +8847,31 @@
+                     this.algorithm = new AlgorithmIdentifier({
+                         algorithmId: "1.2.840.113549.1.1.1",
+                         algorithmParams: new Null()
+                     });
+                     break;
++                case "ML-DSA-44":
++                    this.parsedKey = new MLDSAPublicKey({ json });
++                    this.algorithm = new AlgorithmIdentifier({
++                        algorithmId: "2.16.840.1.101.3.4.3.17",
++                        algorithmParams: new Null()
++                    });
++                    break;
++                case "ML-DSA-65":
++                    this.parsedKey = new MLDSAPublicKey({ json });
++                    this.algorithm = new AlgorithmIdentifier({
++                        algorithmId: "2.16.840.1.101.3.4.3.18",
++                        algorithmParams: new Null()
++                    });
++                    break;
++                case "ML-DSA-87":
++                    this.parsedKey = new MLDSAPublicKey({ json });
++                    this.algorithm = new AlgorithmIdentifier({
++                        algorithmId: "2.16.840.1.101.3.4.3.19",
++                        algorithmParams: new Null()
++                    });
++                    break;
+                 default:
+                     throw new Error(`Invalid value for "kty" parameter: ${json.kty}`);
+             }
+             this.subjectPublicKey = new BitString({ valueHex: this.parsedKey.toSchema().toBER(false) });
+         }
+@@ -24078,6 +24200,6 @@
+     }
+ }
+ 
+ initCryptoEngine();
+ 
+-export { AbstractCryptoEngine, AccessDescription, Accuracy, AlgorithmIdentifier, AltName, ArgumentError, AsnError, AttCertValidityPeriod, Attribute, AttributeCertificateInfoV1, AttributeCertificateInfoV2, AttributeCertificateV1, AttributeCertificateV2, AttributeTypeAndValue, AuthenticatedSafe, AuthorityKeyIdentifier, BasicConstraints, BasicOCSPResponse, CAVersion, CRLBag, CRLDistributionPoints, CertBag, CertID, Certificate, CertificateChainValidationEngine, CertificatePolicies, CertificateRevocationList, CertificateSet, CertificateTemplate, CertificationRequest, ChainValidationCode, ChainValidationError, ContentInfo, CryptoEngine, DigestInfo, DistributionPoint, ECCCMSSharedInfo, ECNamedCurves, ECPrivateKey, ECPublicKey, EncapsulatedContentInfo, EncryptedContentInfo, EncryptedData, EnvelopedData, ExtKeyUsage, Extension, ExtensionValueFactory, Extensions, GeneralName, GeneralNames, GeneralSubtree, HASHED_MESSAGE, HASH_ALGORITHM, Holder, InfoAccess, IssuerAndSerialNumber, IssuerSerial, IssuingDistributionPoint, KEKIdentifier, KEKRecipientInfo, KeyAgreeRecipientIdentifier, KeyAgreeRecipientInfo, KeyBag, KeyTransRecipientInfo, MICROS, MILLIS, MacData, MessageImprint, NameConstraints, OCSPRequest, OCSPResponse, ObjectDigestInfo, OriginatorIdentifierOrKey, OriginatorInfo, OriginatorPublicKey, OtherCertificateFormat, OtherKeyAttribute, OtherPrimeInfo, OtherRecipientInfo, OtherRevocationInfoFormat, PBES2Params, PBKDF2Params, PFX, PKCS8ShroudedKeyBag, PKIStatus, PKIStatusInfo, POLICY_IDENTIFIER, POLICY_QUALIFIERS, ParameterError, PasswordRecipientinfo, PkiObject, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyQualifierInfo, PrivateKeyInfo, PrivateKeyUsagePeriod, PublicKeyInfo, QCStatement, QCStatements, RDN, RSAESOAEPParams, RSAPrivateKey, RSAPublicKey, RSASSAPSSParams, RecipientEncryptedKey, RecipientEncryptedKeys, RecipientIdentifier, RecipientInfo, RecipientKeyIdentifier, RelativeDistinguishedNames, Request, ResponseBytes, ResponseData, RevocationInfoChoices, RevokedCertificate, SECONDS, SafeBag, SafeBagValueFactory, SafeContents, SecretBag, Signature, SignedAndUnsignedAttributes, SignedCertificateTimestamp, SignedCertificateTimestampList, SignedData, SignedDataVerifyError, SignerInfo, SingleResponse, SubjectDirectoryAttributes, TBSRequest, TSTInfo, TYPE$4 as TYPE, TYPE_AND_VALUES, Time, TimeStampReq, TimeStampResp, TimeType, V2Form, VALUE$5 as VALUE, VALUE_BEFORE_DECODE, checkCA, createCMSECDSASignature, createECDSASignatureFromCMS, engine, getAlgorithmByOID, getAlgorithmParameters, getCrypto, getEngine, getHashAlgorithm, getOIDByAlgorithm, getRandomValues, id_AnyPolicy, id_AuthorityInfoAccess, id_AuthorityKeyIdentifier, id_BaseCRLNumber, id_BasicConstraints, id_CRLBag_X509CRL, id_CRLDistributionPoints, id_CRLNumber, id_CRLReason, id_CertBag_AttributeCertificate, id_CertBag_SDSICertificate, id_CertBag_X509Certificate, id_CertificateIssuer, id_CertificatePolicies, id_ContentType_Data, id_ContentType_EncryptedData, id_ContentType_EnvelopedData, id_ContentType_SignedData, id_ExtKeyUsage, id_FreshestCRL, id_InhibitAnyPolicy, id_InvalidityDate, id_IssuerAltName, id_IssuingDistributionPoint, id_KeyUsage, id_MicrosoftAppPolicies, id_MicrosoftCaVersion, id_MicrosoftCertTemplateV1, id_MicrosoftCertTemplateV2, id_MicrosoftPrevCaCertHash, id_NameConstraints, id_PKIX_OCSP_Basic, id_PolicyConstraints, id_PolicyMappings, id_PrivateKeyUsagePeriod, id_QCStatements, id_SignedCertificateTimestampList, id_SubjectAltName, id_SubjectDirectoryAttributes, id_SubjectInfoAccess, id_SubjectKeyIdentifier, id_ad, id_ad_caIssuers, id_ad_ocsp, id_eContentType_TSTInfo, id_pkix, id_sha1, id_sha256, id_sha384, id_sha512, kdf, setEngine, stringPrep, verifySCTsForCertificate };
++export { AbstractCryptoEngine, AccessDescription, Accuracy, AlgorithmIdentifier, AltName, ArgumentError, AsnError, AttCertValidityPeriod, Attribute, AttributeCertificateInfoV1, AttributeCertificateInfoV2, AttributeCertificateV1, AttributeCertificateV2, AttributeTypeAndValue, AuthenticatedSafe, AuthorityKeyIdentifier, BasicConstraints, BasicOCSPResponse, CAVersion, CRLBag, CRLDistributionPoints, CertBag, CertID, Certificate, CertificateChainValidationEngine, CertificatePolicies, CertificateRevocationList, CertificateSet, CertificateTemplate, CertificationRequest, ChainValidationCode, ChainValidationError, ContentInfo, CryptoEngine, DigestInfo, DistributionPoint, ECCCMSSharedInfo, ECNamedCurves, ECPrivateKey, ECPublicKey, EncapsulatedContentInfo, EncryptedContentInfo, EncryptedData, EnvelopedData, ExtKeyUsage, Extension, ExtensionValueFactory, Extensions, GeneralName, GeneralNames, GeneralSubtree, HASHED_MESSAGE, HASH_ALGORITHM, Holder, InfoAccess, IssuerAndSerialNumber, IssuerSerial, IssuingDistributionPoint, KEKIdentifier, KEKRecipientInfo, KeyAgreeRecipientIdentifier, KeyAgreeRecipientInfo, KeyBag, KeyTransRecipientInfo, MICROS, MILLIS, MacData, MessageImprint, NameConstraints, OCSPRequest, OCSPResponse, ObjectDigestInfo, OriginatorIdentifierOrKey, OriginatorInfo, OriginatorPublicKey, OtherCertificateFormat, OtherKeyAttribute, OtherPrimeInfo, OtherRecipientInfo, OtherRevocationInfoFormat, PBES2Params, PBKDF2Params, PFX, PKCS8ShroudedKeyBag, PKIStatus, PKIStatusInfo, POLICY_IDENTIFIER, POLICY_QUALIFIERS, ParameterError, PasswordRecipientinfo, PkiObject, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyQualifierInfo, PrivateKeyInfo, PrivateKeyUsagePeriod, PublicKeyInfo, QCStatement, QCStatements, RDN, RSAESOAEPParams, RSAPrivateKey, RSAPublicKey, RSASSAPSSParams, RecipientEncryptedKey, RecipientEncryptedKeys, RecipientIdentifier, RecipientInfo, RecipientKeyIdentifier, RelativeDistinguishedNames, Request, ResponseBytes, ResponseData, RevocationInfoChoices, RevokedCertificate, SECONDS, SafeBag, SafeBagValueFactory, SafeContents, SecretBag, Signature, SignedAndUnsignedAttributes, SignedCertificateTimestamp, SignedCertificateTimestampList, SignedData, SignedDataVerifyError, SignerInfo, SingleResponse, SubjectDirectoryAttributes, TBSRequest, TSTInfo, TYPE$4 as TYPE, TYPE_AND_VALUES, Time, TimeStampReq, TimeStampResp, TimeType, V2Form, VALUE$5 as VALUE, VALUE_BEFORE_DECODE, checkCA, createCMSECDSASignature, createECDSASignatureFromCMS, engine, getAlgorithmByOID, getAlgorithmParameters, getCrypto, getEngine, getHashAlgorithm, getOIDByAlgorithm, getRandomValues, id_AnyPolicy, id_AuthorityInfoAccess, id_AuthorityKeyIdentifier, id_BaseCRLNumber, id_BasicConstraints, id_CRLBag_X509CRL, id_CRLDistributionPoints, id_CRLNumber, id_CRLReason, id_CertBag_AttributeCertificate, id_CertBag_SDSICertificate, id_CertBag_X509Certificate, id_CertificateIssuer, id_CertificatePolicies, id_ContentType_Data, id_ContentType_EncryptedData, id_ContentType_EnvelopedData, id_ContentType_SignedData, id_ExtKeyUsage, id_FreshestCRL, id_InhibitAnyPolicy, id_InvalidityDate, id_IssuerAltName, id_IssuingDistributionPoint, id_KeyUsage, id_MicrosoftAppPolicies, id_MicrosoftCaVersion, id_MicrosoftCertTemplateV1, id_MicrosoftCertTemplateV2, id_MicrosoftPrevCaCertHash, id_NameConstraints, id_PKIX_OCSP_Basic, id_PolicyConstraints, id_PolicyMappings, id_PrivateKeyUsagePeriod, id_QCStatements, id_SignedCertificateTimestampList, id_SubjectAltName, id_SubjectDirectoryAttributes, id_SubjectInfoAccess, id_SubjectKeyIdentifier, id_ad, id_ad_caIssuers, id_ad_ocsp, id_eContentType_TSTInfo, id_pkix, id_sha1, id_sha256, id_sha384, id_sha512, kdf, setEngine, stringPrep, verifySCTsForCertificate, MLDSAPublicKey };
+diff --git a/toolkit/locales/en-US/toolkit/about/certviewer.ftl b/toolkit/locales/en-US/toolkit/about/certviewer.ftl
+--- a/toolkit/locales/en-US/toolkit/about/certviewer.ftl
++++ b/toolkit/locales/en-US/toolkit/about/certviewer.ftl
+@@ -45,20 +45,22 @@
+ certificate-viewer-organization = Organization
+ certificate-viewer-organizational-unit = Organizational Unit
+ certificate-viewer-policy = Policy
+ certificate-viewer-protocol = Protocol
+ certificate-viewer-public-value = Public Value
++certificate-viewer-mldsa-public-value = Public Value
+ certificate-viewer-purposes = Purposes
+ certificate-viewer-qualifier = Qualifier
+ certificate-viewer-qualifiers = Qualifiers
+ certificate-viewer-required = Required
+ certificate-viewer-unsupported = &lt;unsupported&gt;
+ # Inc. means Incorporated, e.g GitHub is incorporated in Delaware
+ certificate-viewer-inc-state-province = Inc. State/Province
+ certificate-viewer-state-province = State/Province
+ certificate-viewer-sha-1 = SHA-1
+ certificate-viewer-sha-256 = SHA-256
++certificate-viewer-security-level = Security Level
+ certificate-viewer-serial-number = Serial Number
+ certificate-viewer-signature-algorithm = Signature Algorithm
+ certificate-viewer-signature-scheme = Signature Scheme
+ certificate-viewer-timestamp = Timestamp
+ certificate-viewer-value = Value
+

SOURCES/thunderbird-enable-ml-dsa-in-manager-ssl.patch

@@ -0,0 +1,48 @@
+diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
+index 2dc48c9f4c..0a7b84d787 100644
+--- a/security/manager/ssl/nsNSSCallbacks.cpp
++++ b/security/manager/ssl/nsNSSCallbacks.cpp
+@@ -722,6 +722,15 @@ nsCString getSignatureName(uint32_t aSignatureScheme) {
+     case ssl_sig_rsa_pkcs1_sha1md5:
+       signatureName = "RSA-PKCS1-SHA1MD5"_ns;
+       break;
++    case ssl_sig_mldsa44:
++      signatureName = "ML-DSA-44"_ns;
++      break;
++    case ssl_sig_mldsa65:
++      signatureName = "ML-DSA-65"_ns;
++      break;
++    case ssl_sig_mldsa87:
++      signatureName = "ML-DSA-87"_ns;
++      break;
+     // All other groups are not enabled in Firefox. See sEnabledSignatureSchemes
+     // in nsNSSIOLayer.cpp.
+     default:
+@@ -1061,6 +1070,13 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
+           glean::ssl::auth_ecdsa_curve_full.AccumulateSingleSample(
+               ECCCurve(channelInfo.authKeyBits));
+           break;
++      case ssl_auth_mldsa44:
++      case ssl_auth_mldsa65:
++      case ssl_auth_mldsa87:
++          /* TODO: add auth_mldsa_key_size_full in ssl/metrics.yaml
++          glean::ssl::auth_mldsa_key_size_full.AccumulateSingleSample(
++              NonECCKeySize(channelInfo.authKeyBits)); */
++          break;
+         default:
+           MOZ_CRASH("impossible auth algorithm");
+           break;
+diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
+index b1a5f5c2df..7443011b13 100644
+--- a/security/manager/ssl/nsNSSIOLayer.cpp
++++ b/security/manager/ssl/nsNSSIOLayer.cpp
+@@ -1300,6 +1300,9 @@ static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd,
+ // Please change getSignatureName in nsNSSCallbacks.cpp when changing the list
+ // here. See NOTE at SSL_SignatureSchemePrefSet call site.
+ static const SSLSignatureScheme sEnabledSignatureSchemes[] = {
++    ssl_sig_mldsa87,
++    ssl_sig_mldsa65,
++    ssl_sig_mldsa44,
+     ssl_sig_ecdsa_secp256r1_sha256,
+     ssl_sig_ecdsa_secp384r1_sha384,
+     ssl_sig_ecdsa_secp521r1_sha512,

SOURCES/thunderbird-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch

@@ -0,0 +1,239 @@
+diff --git a/security/nss/lib/mozpkix/include/pkix/pkixder.h b/security/nss/lib/mozpkix/include/pkix/pkixder.h
+index ac1ec24393..40eb5027af 100644
+--- a/security/nss/lib/mozpkix/include/pkix/pkixder.h
++++ b/security/nss/lib/mozpkix/include/pkix/pkixder.h
+@@ -488,7 +488,7 @@ inline Result OptionalExtensions(Reader& input, uint8_t tag,
+ Result DigestAlgorithmIdentifier(Reader& input,
+                                  /*out*/ DigestAlgorithm& algorithm);
+ 
+-enum class PublicKeyAlgorithm { RSA_PKCS1, RSA_PSS, ECDSA };
++enum class PublicKeyAlgorithm { RSA_PKCS1, RSA_PSS, ECDSA, MLDSA };
+ 
+ Result SignatureAlgorithmIdentifierValue(
+     Reader& input,
+diff --git a/security/nss/lib/mozpkix/include/pkix/pkixnss.h b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
+index 6711959e71..b87e88a599 100644
+--- a/security/nss/lib/mozpkix/include/pkix/pkixnss.h
++++ b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
+@@ -50,6 +50,13 @@ Result VerifyECDSASignedDataNSS(Input data, DigestAlgorithm digestAlgorithm,
+                                 Input signature, Input subjectPublicKeyInfo,
+                                 void* pkcs11PinArg);
+ 
++// Verifies the ML-DSA signature on the given data using the given ML-DSA
++// public key
++Result VerifyMLDSASignedDataNSS(Input data,
++                                Input signature,
++                                Input subjectPublicKeyInfo,
++                                void* pkcs11PinArg);
++
+ // Computes the digest of the given data using the given digest algorithm.
+ //
+ // item contains the data to hash.
+diff --git a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
+index 6a07d6e885..f24bd546e4 100644
+--- a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
++++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
+@@ -334,6 +334,10 @@ class TrustDomain {
+                                        Input signature,
+                                        Input subjectPublicKeyInfo) = 0;
+ 
++  virtual Result VerifyMLDSASignedData(Input data,
++                                       Input signature,
++                                       Input subjectPublicKeyInfo) = 0;
++
+   // Check that the validity duration is acceptable.
+   //
+   // Return Success if the validity duration is acceptable,
+diff --git a/security/nss/lib/mozpkix/lib/pkixc.cpp b/security/nss/lib/mozpkix/lib/pkixc.cpp
+index 5dea13c43e..f797a3b3a1 100644
+--- a/security/nss/lib/mozpkix/lib/pkixc.cpp
++++ b/security/nss/lib/mozpkix/lib/pkixc.cpp
+@@ -143,6 +143,15 @@ class CodeSigningTrustDomain final : public TrustDomain {
+         subjectPublicKeyInfo, nullptr);
+   }
+ 
++  virtual Result VerifyMLDSASignedData(Input data,
++                                       Input signature,
++                                       Input subjectPublicKeyInfo) override {
++    return VerifyMLDSASignedDataNSS(data,
++                                    signature,
++                                    subjectPublicKeyInfo,
++                                    nullptr);
++  }
++
+   virtual Result CheckValidityIsAcceptable(Time notBefore, Time notAfter,
+                                            EndEntityOrCA endEntityOrCA,
+                                            KeyPurposeId keyPurpose) override {
+diff --git a/security/nss/lib/mozpkix/lib/pkixcheck.cpp b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
+index 8b7e1bf73e..4ce73f3944 100644
+--- a/security/nss/lib/mozpkix/lib/pkixcheck.cpp
++++ b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
+@@ -118,6 +118,9 @@ CheckSignatureAlgorithm(TrustDomain& trustDomain,
+       // for any curve that we support, the chances of us encountering a curve
+       // during path building is too low to be worth bothering with.
+       break;
++
++    case der::PublicKeyAlgorithm::MLDSA:
++      break;
+     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+   }
+ 
+@@ -248,6 +251,24 @@ CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain,
+     0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01
+   };
+ 
++  // Params for pure ML-DSA-44 signature
++  // python DottedOIDToCode.py id-ml-dsa-44 2.16.840.1.101.3.4.3.17
++  static const uint8_t id_ml_dsa_44[] = {
++      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11
++  };
++
++  // Params for pure ML-DSA-65 signature
++  // python DottedOIDToCode.py id-ml-dsa-65 2.16.840.1.101.3.4.3.18
++  static const uint8_t id_ml_dsa_65[] = {
++      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12
++  };
++
++  // Params for pure ML-DSA-87 signature
++  // python DottedOIDToCode.py id-ml-dsa-87 2.16.840.1.101.3.4.3.19
++  static const uint8_t id_ml_dsa_87[] = {
++      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13
++  };
++
+   if (algorithmOID.MatchRest(id_ecPublicKey)) {
+     // An id-ecPublicKey AlgorithmIdentifier has a parameter that identifes
+     // the curve being used. Although RFC 5480 specifies multiple forms, we
+@@ -361,6 +382,30 @@ CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain,
+     if (rv != Success) {
+       return rv;
+     }
++  } else if (algorithmOID.MatchRest(id_ml_dsa_44) ||
++             algorithmOID.MatchRest(id_ml_dsa_65) ||
++             algorithmOID.MatchRest(id_ml_dsa_87)) {
++
++    /*
++     * The ML-DSA AlgorithmIdentifier is expected to contain only the OID,
++     * with no parameters field present. According to the Internet-Draft
++     * https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-11.html
++     * (Section 3), the AlgorithmIdentifier for ML-DSA variants must omit the `parameters`
++     * field entirely.
++     * In DER encoding, the absence of the parameters field means that after parsing the
++     * OID, no additional bytes should remain. Calling `der::End(algorithm)` confirms that
++     * this constraint is satisfied and that the structure is correctly encoded.
++     */
++    rv = der::End(algorithm);
++    if (rv != Success) {
++      return rv;
++    }
++
++    Input rawPublicKey;
++    rv = subjectPublicKeyReader.SkipToEnd(rawPublicKey);
++    if (rv != Success) {
++      return rv;
++    }
+   } else {
+     return Result::ERROR_UNSUPPORTED_KEYALG;
+   }
+diff --git a/security/nss/lib/mozpkix/lib/pkixder.cpp b/security/nss/lib/mozpkix/lib/pkixder.cpp
+index 59454c7d3c..4ff45ed566 100644
+--- a/security/nss/lib/mozpkix/lib/pkixder.cpp
++++ b/security/nss/lib/mozpkix/lib/pkixder.cpp
+@@ -211,6 +211,24 @@ SignatureAlgorithmIdentifierValue(Reader& input,
+     0x00, 0xa2, 0x03, 0x02, 0x01, 0x40
+   };
+ 
++  // Params for pure ML-DSA-44 signature
++  // python DottedOIDToCode.py id-ml-dsa-44 2.16.840.1.101.3.4.3.17
++  static const uint8_t id_ml_dsa_44[] = {
++      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11
++  };
++
++  // Params for pure ML-DSA-65 signature
++  // python DottedOIDToCode.py id-ml-dsa-65 2.16.840.1.101.3.4.3.18
++  static const uint8_t id_ml_dsa_65[] = {
++      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12
++  };
++
++  // Params for pure ML-DSA-87 signature
++  // python DottedOIDToCode.py id-ml-dsa-87 2.16.840.1.101.3.4.3.19
++  static const uint8_t id_ml_dsa_87[] = {
++      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13
++  };
++
+   // Matching is attempted based on a rough estimate of the commonality of the
+   // algorithm, to minimize the number of MatchRest calls.
+   if (algorithmID.MatchRest(sha256WithRSAEncryption)) {
+@@ -252,6 +270,10 @@ SignatureAlgorithmIdentifierValue(Reader& input,
+     } else {
+       return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
+     }
++  } else if (algorithmID.MatchRest(id_ml_dsa_44) ||
++             algorithmID.MatchRest(id_ml_dsa_65) ||
++             algorithmID.MatchRest(id_ml_dsa_87)) {
++    publicKeyAlgorithm = PublicKeyAlgorithm::MLDSA;
+   } else {
+     return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
+   }
+diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
+index 606ef708d8..31aa1ddd67 100644
+--- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
++++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
+@@ -303,6 +303,44 @@ DigestBufNSS(Input item,
+   return Success;
+ }
+ 
++Result
++VerifyMLDSASignedDataNSS(Input data,
++                         Input signature,
++                         Input subjectPublicKeyInfo,
++                         void* pkcs11PinArg)
++{
++  ScopedSECKEYPublicKey publicKey;
++  SECKEYPublicKey *pubk = NULL;
++  SECOidTag signaturePolicyTag, hashPolicyTag;
++  Result rv = SubjectPublicKeyInfoToSECKEYPublicKey(subjectPublicKeyInfo,
++                                                    publicKey);
++  if (rv != Success) {
++    return rv;
++  }
++
++  pubk = publicKey.get();
++  SECItem signatureItem(UnsafeMapInputToSECItem(signature));
++  SECItem dataItem(UnsafeMapInputToSECItem(data));
++  CK_MECHANISM_TYPE mechanism;
++
++  switch (pubk->u.mldsa.paramSet) {
++    case SEC_OID_ML_DSA_44:
++    case SEC_OID_ML_DSA_65:
++    case SEC_OID_ML_DSA_87:
++      mechanism = CKM_ML_DSA;
++      signaturePolicyTag = pubk->u.mldsa.paramSet;
++      hashPolicyTag = SEC_OID_UNKNOWN;
++      break;
++    default:
++      return Result::ERROR_UNSUPPORTED_KEYALG;
++      break;
++  }
++
++  SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag};
++  return VerifySignedData(pubk, mechanism, nullptr, &signatureItem,
++                          &dataItem, policyTags, pkcs11PinArg);
++}
++
+ Result
+ MapPRErrorCodeToResult(PRErrorCode error)
+ {
+diff --git a/security/nss/lib/mozpkix/lib/pkixverify.cpp b/security/nss/lib/mozpkix/lib/pkixverify.cpp
+index 8cb58bf7de..ff132d89df 100644
+--- a/security/nss/lib/mozpkix/lib/pkixverify.cpp
++++ b/security/nss/lib/mozpkix/lib/pkixverify.cpp
+@@ -53,6 +53,9 @@ VerifySignedData(TrustDomain& trustDomain,
+     case der::PublicKeyAlgorithm::RSA_PSS:
+       return trustDomain.VerifyRSAPSSSignedData(signedData.data,
+           digestAlgorithm, signedData.signature, signerSubjectPublicKeyInfo);
++    case der::PublicKeyAlgorithm::MLDSA:
++      return trustDomain.VerifyMLDSASignedData(signedData.data,
++          signedData.signature, signerSubjectPublicKeyInfo);
+     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+   }
+ }

SOURCES/thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch

@@ -0,0 +1,247 @@
+diff --git a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
+index cc778640a1..298d6a61e8 100644
+--- a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
++++ b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
+@@ -53,6 +53,10 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain {
+       mozilla::pkix::Input signature,
+       mozilla::pkix::Input subjectPublicKeyInfo) override;
+ 
++  virtual mozilla::pkix::Result VerifyMLDSASignedData(
++      mozilla::pkix::Input data, mozilla::pkix::Input signature,
++      mozilla::pkix::Input subjectPublicKeyInfo) override;
++
+   virtual mozilla::pkix::Result DigestBuf(
+       mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
+       /*out*/ uint8_t* digestBuf, size_t digestBufLen) override;
+@@ -151,6 +155,14 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData(
+   return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ 
++mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyMLDSASignedData(
++    mozilla::pkix::Input data, mozilla::pkix::Input signature,
++    mozilla::pkix::Input subjectPublicKeyInfo) {
++  MOZ_ASSERT_UNREACHABLE("not expecting this to be called");
++
++  return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
++}
++
+ mozilla::pkix::Result ServerCertHashesTrustDomain::DigestBuf(
+     mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
+     /*out*/ uint8_t* digestBuf, size_t digestBufLen) {
+diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
+index ca330770fb..1e8f1d4996 100644
+--- a/security/certverifier/CertVerifier.cpp
++++ b/security/certverifier/CertVerifier.cpp
+@@ -7,6 +7,7 @@
+ #include "CertVerifier.h"
+ 
+ #include <stdint.h>
++#include <optional>
+ 
+ #include "AppTrustDomain.h"
+ #include "CTKnownLogs.h"
+@@ -1010,7 +1011,7 @@ Result CertVerifier::VerifySSLServerCert(
+ void HashSignatureParams(pkix::Input data, pkix::Input signature,
+                          pkix::Input subjectPublicKeyInfo,
+                          pkix::der::PublicKeyAlgorithm publicKeyAlgorithm,
+-                         pkix::DigestAlgorithm digestAlgorithm,
++                         std::optional<pkix::DigestAlgorithm> digestAlgorithm,
+                          /*out*/ Maybe<nsTArray<uint8_t>>& sha512Hash) {
+   sha512Hash.reset();
+   Digest digest;
+@@ -1048,10 +1049,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature,
+                         sizeof(publicKeyAlgorithm)))) {
+     return;
+   }
+-  if (NS_FAILED(
+-          digest.Update(reinterpret_cast<const uint8_t*>(&digestAlgorithm),
+-                        sizeof(digestAlgorithm)))) {
+-    return;
++  // There is no fallback digest algorithm when it's empty.
++  // Check that digestAlgorithm actually contains a value.
++  if (digestAlgorithm) {
++    pkix::DigestAlgorithm value = digestAlgorithm.value();
++    if (NS_FAILED(digest.Update(reinterpret_cast<const uint8_t*>(&value),
++                                sizeof(value)))) {
++      return;
++    }
+   }
+   nsTArray<uint8_t> result;
+   if (NS_FAILED(digest.End(result))) {
+@@ -1064,10 +1069,17 @@ Result VerifySignedDataWithCache(
+     der::PublicKeyAlgorithm publicKeyAlg,
+     mozilla::glean::impl::DenominatorMetric telemetryDenominator,
+     mozilla::glean::impl::NumeratorMetric telemetryNumerator, Input data,
+-    DigestAlgorithm digestAlgorithm, Input signature,
++    std::optional<DigestAlgorithm> digestAlgorithm, Input signature,
+     Input subjectPublicKeyInfo, SignatureCache* signatureCache, void* pinArg) {
+   telemetryDenominator.Add(1);
+   Maybe<nsTArray<uint8_t>> sha512Hash;
++
++  // Currently, it is only acceptable for `digestAlgorithm` to be null when the
++  // public key algorithm is pure ML-DSA. Fail immediately otherwise.
++  if ((publicKeyAlg != der::PublicKeyAlgorithm::MLDSA) && !digestAlgorithm) {
++    return Result::ERROR_INVALID_ALGORITHM;
++  }
++
+   HashSignatureParams(data, signature, subjectPublicKeyInfo, publicKeyAlg,
+                       digestAlgorithm, sha512Hash);
+   // If hashing the signature parameters succeeded, see if this signature is in
+@@ -1080,16 +1092,23 @@ Result VerifySignedDataWithCache(
+   Result result;
+   switch (publicKeyAlg) {
+     case der::PublicKeyAlgorithm::ECDSA:
+-      result = VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
+-                                        subjectPublicKeyInfo, pinArg);
++      result =
++          VerifyECDSASignedDataNSS(data, digestAlgorithm.value(), signature,
++                                   subjectPublicKeyInfo, pinArg);
+       break;
+     case der::PublicKeyAlgorithm::RSA_PKCS1:
+-      result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
+-                                           subjectPublicKeyInfo, pinArg);
++      result =
++          VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(), signature,
++                                      subjectPublicKeyInfo, pinArg);
+       break;
+     case der::PublicKeyAlgorithm::RSA_PSS:
+-      result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
+-                                         subjectPublicKeyInfo, pinArg);
++      result =
++          VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(), signature,
++                                    subjectPublicKeyInfo, pinArg);
++      break;
++    case der::PublicKeyAlgorithm::MLDSA:
++      result = VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
++                                        pinArg);
+       break;
+     default:
+       MOZ_ASSERT_UNREACHABLE("unhandled public key algorithm");
+diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
+index 6432547c8a..6e09e6fcdd 100644
+--- a/security/certverifier/CertVerifier.h
++++ b/security/certverifier/CertVerifier.h
+@@ -331,7 +331,8 @@ mozilla::pkix::Result VerifySignedDataWithCache(
+     mozilla::pkix::der::PublicKeyAlgorithm publicKeyAlg,
+     mozilla::glean::impl::DenominatorMetric telemetryDenominator,
+     mozilla::glean::impl::NumeratorMetric telemetryNumerator,
+-    mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
++    mozilla::pkix::Input data,
++    std::optional<mozilla::pkix::DigestAlgorithm> digestAlgorithm,
+     mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo,
+     SignatureCache* signatureCache, void* pinArg);
+ 
+diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
+index 70ba17d70f..a3ace3cee7 100644
+--- a/security/certverifier/NSSCertDBTrustDomain.cpp
++++ b/security/certverifier/NSSCertDBTrustDomain.cpp
+@@ -1541,6 +1541,15 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData(
+       signature, subjectPublicKeyInfo, mSignatureCache, mPinArg);
+ }
+ 
++Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
++                                                   Input subjectPublicKeyInfo) {
++  return VerifySignedDataWithCache(
++      der::PublicKeyAlgorithm::MLDSA,
++      mozilla::glean::cert_signature_cache::total,
++      mozilla::glean::cert_signature_cache::hits, data, std::nullopt, signature,
++      subjectPublicKeyInfo, mSignatureCache, mPinArg);
++}
++
+ Result NSSCertDBTrustDomain::CheckValidityIsAcceptable(
+     Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
+     KeyPurposeId keyPurpose) {
+diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
+index fc210f3254..6178201758 100644
+--- a/security/certverifier/NSSCertDBTrustDomain.h
++++ b/security/certverifier/NSSCertDBTrustDomain.h
+@@ -197,6 +197,10 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
+       mozilla::pkix::Input signature,
+       mozilla::pkix::Input subjectPublicKeyInfo) override;
+ 
++  virtual Result VerifyMLDSASignedData(
++      mozilla::pkix::Input data, mozilla::pkix::Input signature,
++      mozilla::pkix::Input subjectPublicKeyInfo) override;
++
+   virtual Result DigestBuf(mozilla::pkix::Input item,
+                            mozilla::pkix::DigestAlgorithm digestAlg,
+                            /*out*/ uint8_t* digestBuf,
+diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp
+index d5e665aaca..471213745d 100644
+--- a/security/ct/CTLogVerifier.cpp
++++ b/security/ct/CTLogVerifier.cpp
+@@ -99,6 +99,10 @@ class SignatureParamsTrustDomain final : public TrustDomain {
+     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+   }
+ 
++  pkix::Result VerifyMLDSASignedData(Input, Input, Input) override {
++    return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
++  }
++
+   pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
+                                          KeyPurposeId) override {
+     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp
+index 6a25307ec3..dbec7adc91 100644
+--- a/security/ct/tests/gtest/CTTestUtils.cpp
++++ b/security/ct/tests/gtest/CTTestUtils.cpp
+@@ -807,6 +807,12 @@ class OCSPExtensionTrustDomain : public TrustDomain {
+                                      subjectPublicKeyInfo, nullptr);
+   }
+ 
++  pkix::Result VerifyMLDSASignedData(Input data, Input signature,
++                                     Input subjectPublicKeyInfo) override {
++    return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
++                                    nullptr);
++  }
++
+   pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
+                                          KeyPurposeId) override {
+     ADD_FAILURE();
+diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
+index ab49d7eb1f..3963f90eb1 100644
+--- a/security/manager/ssl/AppTrustDomain.cpp
++++ b/security/manager/ssl/AppTrustDomain.cpp
+@@ -322,6 +322,12 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData(
+                                   subjectPublicKeyInfo, nullptr);
+ }
+ 
++pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
++                                                   Input subjectPublicKeyInfo) {
++  return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
++                                  nullptr);
++}
++
+ pkix::Result AppTrustDomain::CheckValidityIsAcceptable(
+     Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
+     KeyPurposeId /*keyPurpose*/) {
+diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h
+index 4b0212ede0..85fdff5f13 100644
+--- a/security/manager/ssl/AppTrustDomain.h
++++ b/security/manager/ssl/AppTrustDomain.h
+@@ -80,6 +80,9 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
+                            mozilla::pkix::DigestAlgorithm digestAlg,
+                            /*out*/ uint8_t* digestBuf,
+                            size_t digestBufLen) override;
++  virtual Result VerifyMLDSASignedData(
++      mozilla::pkix::Input data, mozilla::pkix::Input signature,
++      mozilla::pkix::Input subjectPublicKeyInfo) override;
+ 
+  private:
+   nsTArray<Span<const uint8_t>> mTrustedRoots;
+diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp
+index 3a84b15ee6..a3dc5a1af1 100644
+--- a/security/manager/ssl/TLSClientAuthCertSelection.cpp
++++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp
+@@ -217,6 +217,11 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
+       pkix::Input subjectPublicKeyInfo) override {
+     return pkix::Success;
+   }
++  virtual mozilla::pkix::Result VerifyMLDSASignedData(
++      pkix::Input data, pkix::Input signature,
++      pkix::Input subjectPublicKeyInfo) override {
++    return pkix::Success;
++  }
+   virtual mozilla::pkix::Result CheckValidityIsAcceptable(
+       pkix::Time notBefore, pkix::Time notAfter,
+       pkix::EndEntityOrCA endEntityOrCA,

SOURCES/thunderbird-redhat-default-prefs.js

@@ -12,8 +12,6 @@ pref("offline.autoDetect", true);
 /* Disable global indexing by default*/
 pref("mailnews.database.global.indexer.enabled", false);
 
-/* Do not switch to Smart Folders after upgrade to 3.0b4 */
-pref("mail.folder.views.version", "1");
 pref("extensions.shownSelectionUI", true);
 pref("extensions.autoDisableScopes", 0);
 

SOURCES/thunderbird.appdata.xml.in

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<component type="desktop-application">
+  <id>thunderbird.desktop</id>
+  <metadata_license>CC0-1.0</metadata_license>
+  <name>Thunderbird</name>
+  <summary>Thunderbird is a free and open source email, newsfeed, chat, and calendaring client</summary>
+  <description>
+    <!-- From https://www.thunderbird.net/en-US/about/  -->
+    <p>
+      Thunderbird is a free and open source email, newsfeed, chat, and
+      calendaring client, that’s easy to set up and customize. One of the core
+      principles of Thunderbird is the use and promotion of open standards -
+      this focus is a rejection of our world of closed platforms and services
+      that can’t communicate with each other. We want our users to have freedom
+      and choice in how they communicate.
+    </p>
+    <p>
+      Thunderbird is an open source project, which means anyone can contribute
+      ideas, designs, code, and time helping fellow users.
+    </p>
+  </description>
+  <categories>
+    <category>Calendar</category>
+    <category>Email</category>
+    <category>Office</category>
+  </categories>
+
+  <url type="homepage">https://www.thunderbird.net/</url>
+  <url type="bugtracker">https://bugzilla.mozilla.org/</url>
+  <url type="faq">https://support.mozilla.org/kb/thunderbird-faq/</url>
+  <url type="help">https://support.mozilla.org/products/thunderbird/</url>
+  <url type="donation">https://www.thunderbird.net/donate/</url>
+  <url type="translate">https://www.thunderbird.net/participate/</url>
+
+  <project_group>Mozilla</project_group>
+  <project_license>MPL-2.0</project_license>
+  <developer_name>Thunderbird Project</developer_name>
+
+  <screenshots>
+    <screenshot type="default">
+      <image>https://raw.githubusercontent.com/thunderbird/flatpak-screenshots/main/image_1.png</image>
+    </screenshot>
+    <screenshot>
+      <image>https://raw.githubusercontent.com/thunderbird/flatpak-screenshots/main/image_2.png</image>
+    </screenshot>
+  </screenshots>
+
+  <mimetypes>
+    <mimetype>message/rfc822</mimetype>
+    <mimetype>x-scheme-handler/mailto</mimetype>
+    <mimetype>text/calendar</mimetype>
+    <mimetype>text/vcard</mimetype>
+    <mimetype>text/x-vcard</mimetype>
+  </mimetypes>
+  <releases>
+    <release version="__VERSION__" date="__DATE__"/>
+  </releases>
+  <update_contact>jhorak@redhat.com</update_contact>
+</component>