32 changed files with 1090 additions and 2102 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,6 @@
 SOURCES/cbindgen-vendor.tar.xz
-SOURCES/nspr-4.36.0-2.el8_2.src.rpm
+SOURCES/nspr-4.35.0-1.el8_1.src.rpm
-SOURCES/nss-3.112.0-1.el9_4.src.rpm
+SOURCES/nss-3.90.0-2.el8_1.src.rpm
-SOURCES/nss-3.112.0-4.el8_2.src.rpm
+SOURCES/nss-3.90.0-3.el9_0.src.rpm
-SOURCES/thunderbird-140.5.0esr.processed-source.tar.xz
+SOURCES/thunderbird-115.9.0.processed-source.tar.xz
-SOURCES/thunderbird-langpacks-140.5.0esr-20251111.tar.xz
+SOURCES/thunderbird-langpacks-115.9.0-20240318.tar.xz
--- a/.thunderbird.metadata
+++ b/.thunderbird.metadata
@ -1,6 +1,6 @@
-bc4adac8f38f5103d8f88564a1545063dd8d6402 SOURCES/cbindgen-vendor.tar.xz
+b963b16f6879c5dbe6e33a3a3da058b494453922 SOURCES/cbindgen-vendor.tar.xz
-0d0ddbd2a73340b3cbc977997f57222946b1e775 SOURCES/nspr-4.36.0-2.el8_2.src.rpm
+d744f92e874688cc4b5376477dfdd639a97a6cd4 SOURCES/nspr-4.35.0-1.el8_1.src.rpm
-fd3879b176634d66f8ef64d18fdaeec98e140c23 SOURCES/nss-3.112.0-1.el9_4.src.rpm
+39d1004f8948186cdaa33bbb90423f6f994bdf6c SOURCES/nss-3.90.0-2.el8_1.src.rpm
-c3f0aaef37972107442e2796efad71be3a98ce3c SOURCES/nss-3.112.0-4.el8_2.src.rpm
+df0dd588680f6ade6728a1fd3ff2d71e7a46255d SOURCES/nss-3.90.0-3.el9_0.src.rpm
-d520f59fc94847639c7fad352c70806f1e9387ea SOURCES/thunderbird-140.5.0esr.processed-source.tar.xz
+cb287fa47bd8bdff66aacb2143a3c244250bae88 SOURCES/thunderbird-115.9.0.processed-source.tar.xz
-93aae73f4a8d28e76adcb9298fb3074fa86aa6f7 SOURCES/thunderbird-langpacks-140.5.0esr-20251111.tar.xz
+12f6297fbc364c63712e13e30d289b37840a865f SOURCES/thunderbird-langpacks-115.9.0-20240318.tar.xz
--- a/SOURCES/CVE-2023-44488-libvpx.patch
+++ b/SOURCES/CVE-2023-44488-libvpx.patch
@ -0,0 +1,127 @@
 From 263682c9a29395055f3b3afe2d97be1828a6223f Mon Sep 17 00:00:00 2001
 From: Jerome Jiang <jianj@google.com>
 Date: Thu, 30 Jun 2022 13:48:56 -0400
 Subject: [PATCH] Fix bug with smaller width bigger size
 Fixed previous patch that clusterfuzz failed on.
 Bug: webm:1642
 Change-Id: If0e08e72abd2e042efe4dcfac21e4cc51afdfdb9
 ---
 test/resize_test.cc          | 11 +++--------
 vp9/common/vp9_alloccommon.c | 13 ++++++-------
 vp9/encoder/vp9_encoder.c    | 27 +++++++++++++++++++++++++--
 3 files changed, 34 insertions(+), 17 deletions(-)
 diff --git a/test/resize_test.cc b/test/resize_test.cc
 index fd1c2a92de6..20ad2229b46 100644
 --- a/test/resize_test.cc
 +++ b/test/resize_test.cc
@@ -102,11 +102,8 @@ void ScaleForFrameNumber(unsigned int frame, unsigned int initial_w,
     if (frame < 30) {
       return;
     }
 -    if (frame < 100) {
 -      *w = initial_w * 7 / 10;
 -      *h = initial_h * 16 / 10;
 -      return;
 -    }
 +    *w = initial_w * 7 / 10;
 +    *h = initial_h * 16 / 10;
     return;
   }
   if (frame < 10) {
@@ -559,9 +556,7 @@ TEST_P(ResizeRealtimeTest, TestExternalResizeWorks) {
   }
 }
 -// TODO(https://crbug.com/webm/1642): This causes a segfault in
 -// init_encode_frame_mb_context().
 -TEST_P(ResizeRealtimeTest, DISABLED_TestExternalResizeSmallerWidthBiggerSize) {
 +TEST_P(ResizeRealtimeTest, TestExternalResizeSmallerWidthBiggerSize) {
   ResizingVideoSource video;
   video.flag_codec_ = true;
   video.smaller_width_larger_size_ = true;
 diff --git a/vp9/common/vp9_alloccommon.c b/vp9/common/vp9_alloccommon.c
 index e53883f621d..9e73e40ea09 100644
 --- a/vp9/common/vp9_alloccommon.c
 +++ b/vp9/common/vp9_alloccommon.c
@@ -135,13 +135,6 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
     cm->free_mi(cm);
     if (cm->alloc_mi(cm, new_mi_size)) goto fail;
   }
 -
 -  if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
 -    // Create the segmentation map structure and set to 0.
 -    free_seg_map(cm);
 -    if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
 -  }
 -
   if (cm->above_context_alloc_cols < cm->mi_cols) {
     vpx_free(cm->above_context);
     cm->above_context = (ENTROPY_CONTEXT *)vpx_calloc(
@@ -156,6 +149,12 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
     cm->above_context_alloc_cols = cm->mi_cols;
   }
 +  if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
 +    // Create the segmentation map structure and set to 0.
 +    free_seg_map(cm);
 +    if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
 +  }
 +
   if (vp9_alloc_loop_filter(cm)) goto fail;
   return 0;
 diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c
 index 69a4e3c314f..e3ba294c32f 100644
 --- a/vp9/encoder/vp9_encoder.c
 +++ b/vp9/encoder/vp9_encoder.c
@@ -2047,6 +2047,17 @@ static void alloc_copy_partition_data(VP9_COMP *cpi) {
   }
 }
 +static void free_copy_partition_data(VP9_COMP *cpi) {
 +  vpx_free(cpi->prev_partition);
 +  cpi->prev_partition = NULL;
 +  vpx_free(cpi->prev_segment_id);
 +  cpi->prev_segment_id = NULL;
 +  vpx_free(cpi->prev_variance_low);
 +  cpi->prev_variance_low = NULL;
 +  vpx_free(cpi->copied_frame_cnt);
 +  cpi->copied_frame_cnt = NULL;
 +}
 +
 void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
   VP9_COMMON *const cm = &cpi->common;
   RATE_CONTROL *const rc = &cpi->rc;
@@ -2126,6 +2137,8 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
     new_mi_size = cm->mi_stride * calc_mi_size(cm->mi_rows);
     if (cm->mi_alloc_size < new_mi_size) {
       vp9_free_context_buffers(cm);
 +      vp9_free_pc_tree(&cpi->td);
 +      vpx_free(cpi->mbmi_ext_base);
       alloc_compressor_data(cpi);
       realloc_segmentation_maps(cpi);
       cpi->initial_width = cpi->initial_height = 0;
@@ -2144,8 +2157,18 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
     update_frame_size(cpi);
   if (last_w != cpi->oxcf.width || last_h != cpi->oxcf.height) {
 -    memset(cpi->consec_zero_mv, 0,
 -           cm->mi_rows * cm->mi_cols * sizeof(*cpi->consec_zero_mv));
 +    vpx_free(cpi->consec_zero_mv);
 +    CHECK_MEM_ERROR(
 +        &cm->error, cpi->consec_zero_mv,
 +        vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(*cpi->consec_zero_mv)));
 +
 +    vpx_free(cpi->skin_map);
 +    CHECK_MEM_ERROR(
 +        &cm->error, cpi->skin_map,
 +        vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(cpi->skin_map[0])));
 +
 +    free_copy_partition_data(cpi);
 +    alloc_copy_partition_data(cpi);
     if (cpi->oxcf.aq_mode == CYCLIC_REFRESH_AQ)
       vp9_cyclic_refresh_reset_resize(cpi);
     rc->rc_1_frame = 0;
--- a/SOURCES/av1-else-condition-add.patch
+++ b/SOURCES/av1-else-condition-add.patch
@ -1,14 +0,0 @@
 diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
 index acadd3a2cc..11b217174d 100644
 --- a/modules/libpref/init/StaticPrefList.yaml
 +++ b/modules/libpref/init/StaticPrefList.yaml
@@ -12561,6 +12561,8 @@
   type: RelaxedAtomicBool
 #if defined(MOZ_AV1)
   value: true
 +#else
 +  value: false
 #endif
   mirror: always
--- a/SOURCES/build-cargo-lock-version.patch
+++ b/SOURCES/build-cargo-lock-version.patch
@ -1,11 +0,0 @@
 diff -up thunderbird-128.7.0/comm/rust/Cargo.lock.cargo-lock thunderbird-128.7.0/comm/rust/Cargo.lock
 --- thunderbird-128.7.0/comm/rust/Cargo.lock.cargo-lock	2025-02-07 10:14:12.483795636 +0100
 +++ thunderbird-128.7.0/comm/rust/Cargo.lock	2025-02-07 10:14:15.654801697 +0100
@@ -1,6 +1,6 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
 -version = 4
 +version = 3
 [[package]]
 name = "aa-stroke"
--- a/SOURCES/build-disable-elfhack.patch
+++ b/SOURCES/build-disable-elfhack.patch
@ -1,12 +1,12 @@
-diff -up firefox-128.0/toolkit/moz.configure.disable-elfhack firefox-128.0/toolkit/moz.configure
+diff -up firefox-115.0.2/toolkit/moz.configure.disable-elfhack firefox-115.0.2/toolkit/moz.configure
--- firefox-128.0/toolkit/moz.configure.disable-elfhack	2024-06-19 17:24:29.964976617 +0200
+--- firefox-115.0.2/toolkit/moz.configure.disable-elfhack	2023-07-18 12:21:22.507358334 +0200
-+++ firefox-128.0/toolkit/moz.configure	2024-06-19 17:24:53.015843805 +0200
+++ firefox-115.0.2/toolkit/moz.configure	2023-07-18 12:52:55.972727498 +0200
-@@ -1553,7 +1553,7 @@ with only_when("--enable-compile-environ
+@@ -1520,7 +1520,7 @@ with only_when("--enable-compile-environ
-     @depends(host, target)
+                     "Cannot enable elfhack with lld."
-     def has_elfhack(host, target):
+                     " Use --enable-linker=bfd, --enable-linker=gold, or --disable-elf-hack"
-         return (
+                 )
-            target.kernel == "Linux"
+-            return True
-+            False and target.kernel == "Linux"
+            return False
-             and host.kernel == "Linux"
+ 
-             and target.cpu in ("arm", "aarch64", "x86", "x86_64")
+         set_config("USE_ELF_HACK", use_elf_hack)
-         )
+ 
--- a/SOURCES/build-libaom.patch
+++ b/SOURCES/build-libaom.patch
@ -1,21 +0,0 @@
 diff -up firefox-128.0/config/external/moz.build.libaom firefox-128.0/config/external/moz.build
 --- firefox-128.0/config/external/moz.build.libaom	2024-07-31 15:32:39.460374047 +0200
 +++ firefox-128.0/config/external/moz.build	2024-07-31 15:34:41.646064796 +0200
@@ -39,9 +39,9 @@ if CONFIG["MOZ_VORBIS"]:
 if not CONFIG["MOZ_SYSTEM_LIBVPX"]:
     external_dirs += ["media/libvpx"]
 +external_dirs += ["media/libaom"]
 if not CONFIG["MOZ_SYSTEM_AV1"]:
 -    external_dirs += ["media/libaom"]
     external_dirs += ["media/libdav1d"]
 if not CONFIG["MOZ_SYSTEM_PNG"]:
 diff -up firefox-128.0/third_party/aom/third_party/fastfeat/README.libaom firefox-128.0/third_party/aom/third_party/fastfeat/README
 diff -up firefox-128.0/third_party/aom/third_party/googletest/README.libaom firefox-128.0/third_party/aom/third_party/googletest/README
 diff -up firefox-128.0/third_party/aom/third_party/libwebm/README.libaom firefox-128.0/third_party/aom/third_party/libwebm/README
 diff -up firefox-128.0/third_party/aom/third_party/libyuv/README.libaom firefox-128.0/third_party/aom/third_party/libyuv/README
 diff -up firefox-128.0/third_party/aom/third_party/SVT-AV1/README.libaom firefox-128.0/third_party/aom/third_party/SVT-AV1/README
 diff -up firefox-128.0/third_party/aom/third_party/vector/README.libaom firefox-128.0/third_party/aom/third_party/vector/README
 diff -up firefox-128.0/third_party/aom/third_party/x86inc/README.libaom firefox-128.0/third_party/aom/third_party/x86inc/README
--- a/SOURCES/build-rhel7-lower-node-min-version.patch
+++ b/SOURCES/build-rhel7-lower-node-min-version.patch
@ -1,9 +1,8 @@
-diff -up firefox-140.0/python/mozbuild/mozbuild/nodeutil.py.build-rhel7-lower-node-min-version firefox-140.0/python/mozbuild/mozbuild/nodeutil.py
+--- firefox-115.8.0/python/mozbuild/mozbuild/nodeutil.py.lower-node-min-version	2024-02-12 21:53:56.000000000 +0200
--- firefox-140.0/python/mozbuild/mozbuild/nodeutil.py.build-rhel7-lower-node-min-version	2025-06-02 15:26:51.000000000 +0200
+++ firefox-115.8.0/python/mozbuild/mozbuild/nodeutil.py	2024-02-14 16:48:12.476182627 +0200
-+++ firefox-140.0/python/mozbuild/mozbuild/nodeutil.py	2025-06-12 11:54:37.075505124 +0200
+@@ -13,7 +13,7 @@ from mozboot.util import get_tools_dir
@@ -10,7 +10,7 @@ from mozboot.util import get_tools_dir
 from mozfile import which
 from packaging.version import Version
 from six import PY3
 -NODE_MIN_VERSION = Version("12.22.12")
 +NODE_MIN_VERSION = Version("10.24.0")
--- a/SOURCES/build-rhel7-nasm-dwarf.patch
+++ b/SOURCES/build-rhel7-nasm-dwarf.patch
@ -1,12 +1,12 @@
-diff -up firefox-140.0/python/mozbuild/mozbuild/frontend/context.py.build-rhel7-nasm-dwarf firefox-140.0/python/mozbuild/mozbuild/frontend/context.py
+diff -up firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py.rhel7-nasm firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py
--- firefox-140.0/python/mozbuild/mozbuild/frontend/context.py.build-rhel7-nasm-dwarf	2025-06-02 15:26:51.000000000 +0200
+--- firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py.rhel7-nasm	2021-08-31 08:02:10.814740774 +0200
-+++ firefox-140.0/python/mozbuild/mozbuild/frontend/context.py	2025-06-12 12:09:56.398728745 +0200
+++ firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py	2021-08-31 08:04:03.967146994 +0200
-@@ -417,7 +417,7 @@ class AsmFlags(BaseCompileFlags):
+@@ -420,7 +420,7 @@ class AsmFlags(BaseCompileFlags):
                 if self._context.config.substs.get("OS_ARCH") == "WINNT":
                     debug_flags += ["-F", "cv8"]
                 elif self._context.config.substs.get("OS_ARCH") != "Darwin":
 -                    debug_flags += ["-F", "dwarf"]
-+                    debug_flags += ["-F", "elf32"]
+                    debug_flags += ["-f", "elf32"]
-             elif self._context.config.substs.get("CC_TYPE") == "clang-cl":
+             elif (
-                 if self._context.config.substs.get("TARGET_CPU") == "aarch64":
+                 self._context.config.substs.get("OS_ARCH") == "WINNT"
-                     # armasm64 accepts a paucity of options compared to ml/ml64.
+                 and self._context.config.substs.get("CPU_ARCH") == "aarch64"
--- a/SOURCES/build-system-nss.patch
+++ b/SOURCES/build-system-nss.patch
@ -1,20 +0,0 @@
 diff -up firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json.system-nss firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json
 --- firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json.system-nss	2025-07-25 10:17:19.112202464 +0200
 +++ firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json	2025-07-25 10:17:55.824333955 +0200
@@ -1 +1 @@
 -{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"83606aeb646b2833a8094f9d980c266ecc3e8cb40c93a4820da221988319dd1a","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
 \ No newline at end of file
 +{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"50c1b84e06cd9a71bb9199f2518947a4d4ad3e5c33c1b86c585486dc43e872a0","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
 \ No newline at end of file
 diff -up firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs.system-nss firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs
 --- firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs.system-nss	2025-07-25 10:16:27.299270237 +0200
 +++ firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs	2025-07-25 10:16:39.698529915 +0200
@@ -83,7 +83,7 @@ remap_enum! {
         TLS_GRP_EC_SECP521R1 = ssl_grp_ec_secp521r1,
         TLS_GRP_EC_X25519 = ssl_grp_ec_curve25519,
         TLS_GRP_KEM_XYBER768D00 = ssl_grp_kem_xyber768d00,
 -        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_mlkem768x25519,
 +        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_x25519mlkem768,
     }
 }
--- a/SOURCES/build-tb-rnp-openssl.patch
+++ b/SOURCES/build-tb-rnp-openssl.patch
@ -0,0 +1,12 @@
 diff -up thunderbird-115.1.0/comm/third_party/rnp/moz.build.rnp-openssl thunderbird-115.1.0/comm/third_party/rnp/moz.build
 --- thunderbird-115.1.0/comm/third_party/rnp/moz.build.rnp-openssl	2023-08-07 16:38:39.272780256 +0200
 +++ thunderbird-115.1.0/comm/third_party/rnp/moz.build	2023-08-07 16:38:42.822780087 +0200
@@ -93,7 +93,7 @@ elif CONFIG["MZLA_LIBRNP_BACKEND"] == "o
         # Supported, but not with RHEL's OpenSSL, disabled for now;
         "ENABLE_BRAINPOOL": False,
     })
 -    rnp_defines["PACKAGE_STRING"] = rnp_defines["PACKAGE_STRING"][:-1] + '-openssl"'
 +    #rnp_defines["PACKAGE_STRING"] = rnp_defines["PACKAGE_STRING"][:-1] + '-openssl"'
     if CONFIG["MZLA_LIBRNP_OPENSSL_VERSION"][0] == "3":
         rnp_defines["CRYPTO_BACKEND_OPENSSL3"] = True
--- a/SOURCES/build-tb-system-nss.patch
+++ b/SOURCES/build-tb-system-nss.patch
@ -1,20 +0,0 @@
 diff -up thunderbird-140.0/comm/third_party/rust/neqo-crypto/.cargo-checksum.json.tb-system-nss thunderbird-140.0/comm/third_party/rust/neqo-crypto/.cargo-checksum.json
 --- thunderbird-140.0/comm/third_party/rust/neqo-crypto/.cargo-checksum.json.tb-system-nss	2025-06-25 13:13:16.000000000 +0200
 +++ thunderbird-140.0/comm/third_party/rust/neqo-crypto/.cargo-checksum.json	2025-08-15 09:08:49.676977167 +0200
@@ -1 +1 @@
 -{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"83606aeb646b2833a8094f9d980c266ecc3e8cb40c93a4820da221988319dd1a","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
 \ No newline at end of file
 +{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"50c1b84e06cd9a71bb9199f2518947a4d4ad3e5c33c1b86c585486dc43e872a0","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
 \ No newline at end of file
 diff -up thunderbird-140.0/comm/third_party/rust/neqo-crypto/src/constants.rs.tb-system-nss thunderbird-140.0/comm/third_party/rust/neqo-crypto/src/constants.rs
 --- thunderbird-140.0/comm/third_party/rust/neqo-crypto/src/constants.rs.tb-system-nss	2025-06-25 13:13:16.000000000 +0200
 +++ thunderbird-140.0/comm/third_party/rust/neqo-crypto/src/constants.rs	2025-08-15 09:08:35.941135895 +0200
@@ -83,7 +83,7 @@ remap_enum! {
         TLS_GRP_EC_SECP521R1 = ssl_grp_ec_secp521r1,
         TLS_GRP_EC_X25519 = ssl_grp_ec_curve25519,
         TLS_GRP_KEM_XYBER768D00 = ssl_grp_kem_xyber768d00,
 -        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_mlkem768x25519,
 +        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_x25519mlkem768,
     }
 }
--- a/SOURCES/disable-openpgp-in-thunderbird.patch
+++ b/SOURCES/disable-openpgp-in-thunderbird.patch
@ -1,8 +1,7 @@
-diff -up thunderbird-128.0/comm/mail/extensions/openpgp/content/$.disable-openpgp thunderbird-128.0/comm/mail/extensions/openpgp/content/$
+diff -up thunderbird-102.2.1/comm/mail/extensions/openpgp/content/BondOpenPGP.jsm.disable-openpgp-in-thunderbird thunderbird-102.2.1/comm/mail/extensions/openpgp/content/BondOpenPGP.jsm
-diff -up thunderbird-128.0/comm/mail/extensions/openpgp/content/BondOpenPGP.sys.mjs.disable-openpgp thunderbird-128.0/comm/mail/extensions/openpgp/content/BondOpenPGP.sys.mjs
+--- thunderbird-102.2.1/comm/mail/extensions/openpgp/content/BondOpenPGP.jsm.disable-openpgp-in-thunderbird	2022-09-12 14:33:54.995339932 +0200
--- thunderbird-128.0/comm/mail/extensions/openpgp/content/BondOpenPGP.sys.mjs.disable-openpgp	2024-08-13 16:21:15.804595768 +0200
+++ thunderbird-102.2.1/comm/mail/extensions/openpgp/content/BondOpenPGP.jsm	2022-09-12 14:39:26.784999636 +0200
-+++ thunderbird-128.0/comm/mail/extensions/openpgp/content/BondOpenPGP.sys.mjs	2024-08-13 16:20:40.900692240 +0200
+@@ -51,6 +51,8 @@ var BondOpenPGP = {
@@ -27,6 +27,8 @@ export var BondOpenPGP = {
   _alreadyTriedInit: false, // if already true, we will not try again
   async init() {
--- a/SOURCES/expat-CVE-2023-52425.patch
+++ b/SOURCES/expat-CVE-2023-52425.patch
@ -0,0 +1,375 @@
 # erAck: backport of expat CVE-2023-52425 DoS fix
 # https://github.com/libexpat/libexpat/commit/34b598c5f594b015c513c73f06e7ced3323edbf1
 #
 --- thunderbird-115.9.0/parser/expat/lib/expat.h.expat-CVE-2023-52425	2024-03-11 20:36:11.000000000 +0100
 +++ thunderbird-115.9.0/parser/expat/lib/expat.h	2024-03-13 20:46:45.648505015 +0100
@@ -1045,6 +1045,10 @@ XMLPARSEAPI(const XML_Feature *)
 XML_GetFeatureList(void);
 +/* Added in Expat 2.6.0. */
 +XMLPARSEAPI(XML_Bool)
 +XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled);
 +
 /* Expat follows the semantic versioning convention.
    See http://semver.org.
 */
 --- thunderbird-115.9.0/parser/expat/lib/internal.h.expat-CVE-2023-52425	2024-03-11 20:36:11.000000000 +0100
 +++ thunderbird-115.9.0/parser/expat/lib/internal.h	2024-03-14 00:14:39.334319725 +0100
@@ -80,6 +80,7 @@
 # endif
 #endif
 +#include "expat.h" // so we can use type XML_Parser below
 #ifdef __cplusplus
 extern "C" {
@@ -90,6 +91,9 @@ void
 align_limit_to_full_utf8_characters(const char * from, const char ** fromLimRef);
 +extern XML_Bool g_reparseDeferralEnabledDefault; // written ONLY in runtests.c
 +extern unsigned int g_parseAttempts;             // used for testing only
 +
 #ifdef __cplusplus
 }
 #endif
 --- thunderbird-115.9.0/parser/expat/lib/xmlparse.c.expat-CVE-2023-52425	2024-03-11 20:36:11.000000000 +0100
 +++ thunderbird-115.9.0/parser/expat/lib/xmlparse.c	2024-03-13 22:55:14.844756009 +0100
@@ -6,6 +6,7 @@
 #define _GNU_SOURCE                     /* syscall prototype */
 +#include <stdbool.h>
 #include <stddef.h>
 #include <string.h>                     /* memset(), memcpy() */
 #include <assert.h>
@@ -89,6 +90,9 @@ typedef char ICHAR;
 /* Round up n to be a multiple of sz, where sz is a power of 2. */
 #define ROUND_UP(n, sz) (((n) + ((sz) - 1)) & ~((sz) - 1))
 +/* Do safe (NULL-aware) pointer arithmetic */
 +#define EXPAT_SAFE_PTR_DIFF(p, q) (((p) && (q)) ? ((p) - (q)) : 0)
 +
 /* Handle the case where memmove() doesn't exist. */
 #ifndef HAVE_MEMMOVE
 #ifdef HAVE_BCOPY
@@ -98,6 +102,8 @@ typedef char ICHAR;
 #endif /* HAVE_BCOPY */
 #endif /* HAVE_MEMMOVE */
 +#define EXPAT_MIN(a, b) (((a) < (b)) ? (a) : (b))
 +
 #include "internal.h"
 #include "xmltok.h"
 #include "xmlrole.h"
@@ -476,6 +482,9 @@ parserInit(XML_Parser parser, const XML_
    ? 0 \
    : ((*((pool)->ptr)++ = c), 1))
 +XML_Bool g_reparseDeferralEnabledDefault = XML_TRUE; // write ONLY in runtests.c
 +unsigned int g_parseAttempts = 0;                    // used for testing only
 +
 struct XML_ParserStruct {
   /* The first member must be userData so that the XML_GetUserData
      macro works. */
@@ -491,6 +500,9 @@ struct XML_ParserStruct {
   const char *m_bufferLim;
   XML_Index m_parseEndByteIndex;
   const char *m_parseEndPtr;
 +  size_t m_partialTokenBytesBefore; /* used in heuristic to avoid O(n^2) */
 +  XML_Bool m_reparseDeferralEnabled;
 +  int m_lastBufferRequestSize;
   XML_Char *m_dataBuf;
   XML_Char *m_dataBufEnd;
   XML_StartElementHandler m_startElementHandler;
@@ -647,6 +659,9 @@ struct XML_ParserStruct {
 #define bufferEnd (parser->m_bufferEnd)
 #define parseEndByteIndex (parser->m_parseEndByteIndex)
 #define parseEndPtr (parser->m_parseEndPtr)
 +#define partialTokenBytesBefore (parser->m_partialTokenBytesBefore)
 +#define reparseDeferralEnabled (parser->m_reparseDeferralEnabled)
 +#define lastBufferRequestSize (parser->m_lastBufferRequestSize)
 #define bufferLim (parser->m_bufferLim)
 #define dataBuf (parser->m_dataBuf)
 #define dataBufEnd (parser->m_dataBufEnd)
@@ -887,6 +902,47 @@ get_hash_secret_salt(XML_Parser parser)
   return parser->m_hash_secret_salt;
 }
 +static enum XML_Error
 +callProcessor(XML_Parser parser, const char *start, const char *end,
 +              const char **endPtr) {
 +  const size_t have_now = EXPAT_SAFE_PTR_DIFF(end, start);
 +
 +  if (parser->m_reparseDeferralEnabled
 +      && ! parser->m_parsingStatus.finalBuffer) {
 +    // Heuristic: don't try to parse a partial token again until the amount of
 +    // available data has increased significantly.
 +    const size_t had_before = parser->m_partialTokenBytesBefore;
 +    // ...but *do* try anyway if we're close to causing a reallocation.
 +    size_t available_buffer
 +        = EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
 +#if XML_CONTEXT_BYTES > 0
 +    available_buffer -= EXPAT_MIN(available_buffer, XML_CONTEXT_BYTES);
 +#endif
 +    available_buffer
 +        += EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd);
 +    // m_lastBufferRequestSize is never assigned a value < 0, so the cast is ok
 +    const bool enough
 +        = (have_now >= 2 * had_before)
 +          || ((size_t)parser->m_lastBufferRequestSize > available_buffer);
 +
 +    if (! enough) {
 +      *endPtr = start; // callers may expect this to be set
 +      return XML_ERROR_NONE;
 +    }
 +  }
 +  g_parseAttempts += 1;
 +  const enum XML_Error ret = parser->m_processor(parser, start, end, endPtr);
 +  if (ret == XML_ERROR_NONE) {
 +    // if we consumed nothing, remember what we had on this parse attempt.
 +    if (*endPtr == start) {
 +      parser->m_partialTokenBytesBefore = have_now;
 +    } else {
 +      parser->m_partialTokenBytesBefore = 0;
 +    }
 +  }
 +  return ret;
 +}
 +
 static XML_Bool  /* only valid for root parser */
 startParsing(XML_Parser parser)
 {
@@ -1075,6 +1131,9 @@ parserInit(XML_Parser parser, const XML_
   bufferEnd = buffer;
   parseEndByteIndex = 0;
   parseEndPtr = NULL;
 +  partialTokenBytesBefore = 0;
 +  reparseDeferralEnabled = g_reparseDeferralEnabledDefault;
 +  lastBufferRequestSize = 0;
   declElementType = NULL;
   declAttributeId = NULL;
   declEntity = NULL;
@@ -1232,6 +1291,7 @@ XML_ExternalEntityParserCreate(XML_Parse
      to worry which hash secrets each table has.
   */
   unsigned long oldhash_secret_salt;
 +  XML_Bool oldReparseDeferralEnabled;
   /* Validate the oldParser parameter before we pull everything out of it */
   if (oldParser == NULL)
@@ -1276,6 +1336,7 @@ XML_ExternalEntityParserCreate(XML_Parse
      to worry which hash secrets each table has.
   */
   oldhash_secret_salt = hash_secret_salt;
 +  oldReparseDeferralEnabled = reparseDeferralEnabled;
 #ifdef XML_DTD
   if (!context)
@@ -1330,6 +1391,7 @@ XML_ExternalEntityParserCreate(XML_Parse
   defaultExpandInternalEntities = oldDefaultExpandInternalEntities;
   ns_triplets = oldns_triplets;
   hash_secret_salt = oldhash_secret_salt;
 +  reparseDeferralEnabled = oldReparseDeferralEnabled;
   parentParser = oldParser;
 #ifdef XML_DTD
   paramEntityParsing = oldParamEntityParsing;
@@ -1850,39 +1912,8 @@ XML_Parse(XML_Parser parser, const char
     ps_parsing = XML_PARSING;
   }
 -  if (len == 0) {
 -    ps_finalBuffer = (XML_Bool)isFinal;
 -    if (!isFinal)
 -      return XML_STATUS_OK;
 -    positionPtr = bufferPtr;
 -    parseEndPtr = bufferEnd;
 -
 -    /* If data are left over from last buffer, and we now know that these
 -       data are the final chunk of input, then we have to check them again
 -       to detect errors based on that fact.
 -    */
 -    errorCode = processor(parser, bufferPtr, parseEndPtr, &bufferPtr);
 -
 -    if (errorCode == XML_ERROR_NONE) {
 -      switch (ps_parsing) {
 -      case XML_SUSPENDED:
 -        XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
 -        positionPtr = bufferPtr;
 -        return XML_STATUS_SUSPENDED;
 -      case XML_INITIALIZED:
 -      case XML_PARSING:
 -        ps_parsing = XML_FINISHED;
 -        /* fall through */
 -      default:
 -        return XML_STATUS_OK;
 -      }
 -    }
 -    eventEndPtr = eventPtr;
 -    processor = errorProcessor;
 -    return XML_STATUS_ERROR;
 -  }
 #ifndef XML_CONTEXT_BYTES
 -  else if (bufferPtr == bufferEnd) {
 +  if (bufferPtr == bufferEnd) {
     const char *end;
     int nLeftOver;
     enum XML_Status result;
@@ -1899,11 +1930,14 @@ XML_Parse(XML_Parser parser, const char
        processor = errorProcessor;
        return XML_STATUS_ERROR;
     }
 +    // though this isn't a buffer request, we assume that `len` is the app's
 +    // preferred buffer fill size, and therefore save it here.
 +    lastBufferRequestSize = len;
     parseEndByteIndex += len;
     positionPtr = s;
     ps_finalBuffer = (XML_Bool)isFinal;
 -    errorCode = processor(parser, s, parseEndPtr = s + len, &end);
 +    errorCode = callProcessor(parser, s, parseEndPtr = s + len, &end);
     if (errorCode != XML_ERROR_NONE) {
       eventEndPtr = eventPtr;
@@ -1930,6 +1964,8 @@ XML_Parse(XML_Parser parser, const char
     XmlUpdatePosition(encoding, positionPtr, end, &position);
     nLeftOver = s + len - end;
     if (nLeftOver) {
 +#if 0
 +// erAck: replace with XML_GetBuffer() below.
       if (buffer == NULL || nLeftOver > bufferLim - buffer) {
         /* avoid _signed_ integer overflow */
         char *temp = NULL;
@@ -1939,6 +1975,28 @@ XML_Parse(XML_Parser parser, const char
                 ? (char *)MALLOC(bytesToAllocate)
                 : (char *)REALLOC(buffer, bytesToAllocate));
         }
 +#endif
 +#if 1
 +// erAck: the original patch context had a call to XML_GetBuffer() instead:
 +      // Back up and restore the parsing status to avoid XML_ERROR_SUSPENDED
 +      // (and XML_ERROR_FINISHED) from XML_GetBuffer.
 +      const enum XML_Parsing originalStatus = ps_parsing;
 +      ps_parsing = XML_PARSING;
 +      void *const temp = XML_GetBuffer(parser, nLeftOver);
 +      ps_parsing = originalStatus;
 +#endif
 +      // GetBuffer may have overwritten this, but we want to remember what the
 +      // app requested, not how many bytes were left over after parsing.
 +      lastBufferRequestSize = len;
 +#if 1
 +      if (temp == NULL) {
 +        // NOTE: parser->m_errorCode has already been set by XML_GetBuffer().
 +        eventPtr = eventEndPtr = NULL;
 +        processor = errorProcessor;
 +        return XML_STATUS_ERROR;
 +      }
 +#endif
 +#if 0
         if (temp == NULL) {
           errorCode = XML_ERROR_NO_MEMORY;
           eventPtr = eventEndPtr = NULL;
@@ -1948,6 +2006,7 @@ XML_Parse(XML_Parser parser, const char
         buffer = temp;
         bufferLim = buffer + bytesToAllocate;
       }
 +#endif
       memcpy(buffer, end, nLeftOver);
     }
     bufferPtr = buffer;
@@ -1959,15 +2018,14 @@ XML_Parse(XML_Parser parser, const char
     return result;
   }
 #endif  /* not defined XML_CONTEXT_BYTES */
 -  else {
 -    void *buff = XML_GetBuffer(parser, len);
 -    if (buff == NULL)
 -      return XML_STATUS_ERROR;
 -    else {
 -      memcpy(buff, s, len);
 -      return XML_ParseBuffer(parser, len, isFinal);
 -    }
 +  void *buff = XML_GetBuffer(parser, len);
 +  if (buff == NULL)
 +    return XML_STATUS_ERROR;
 +  if (len > 0) {
 +    assert(s != NULL); // make sure s==NULL && len!=0 was rejected above
 +    memcpy(buff, s, len);
   }
 +  return XML_ParseBuffer(parser, len, isFinal);
 }
 enum XML_Status XMLCALL
@@ -2001,7 +2059,7 @@ XML_ParseBuffer(XML_Parser parser, int l
   parseEndByteIndex += len;
   ps_finalBuffer = (XML_Bool)isFinal;
 -  errorCode = processor(parser, start, parseEndPtr, &bufferPtr);
 +  errorCode = callProcessor(parser, start, parseEndPtr, &bufferPtr);
   if (errorCode != XML_ERROR_NONE) {
     eventEndPtr = eventPtr;
@@ -2047,7 +2105,11 @@ XML_GetBuffer(XML_Parser parser, int len
   default: ;
   }
 -  if (len > bufferLim - bufferEnd) {
 +  // whether or not the request succeeds, `len` seems to be the app's preferred
 +  // buffer fill size; remember it.
 +  lastBufferRequestSize = len;
 +  if (len > EXPAT_SAFE_PTR_DIFF(bufferLim, bufferEnd)
 +      || buffer == NULL) {
 #ifdef XML_CONTEXT_BYTES
     int keep;
 #endif  /* defined XML_CONTEXT_BYTES */
@@ -2063,7 +2125,9 @@ XML_GetBuffer(XML_Parser parser, int len
       keep = XML_CONTEXT_BYTES;
     neededSize += keep;
 #endif  /* defined XML_CONTEXT_BYTES */
 -    if (neededSize  <= bufferLim - buffer) {
 +    if (buffer && bufferPtr
 +        && neededSize
 +               <= EXPAT_SAFE_PTR_DIFF(bufferLim, buffer)) {
 #ifdef XML_CONTEXT_BYTES
       if (keep < bufferPtr - buffer) {
         int offset = (int)(bufferPtr - buffer) - keep;
@@ -2072,8 +2136,11 @@ XML_GetBuffer(XML_Parser parser, int len
         bufferPtr -= offset;
       }
 #else
 -      memmove(buffer, bufferPtr, bufferEnd - bufferPtr);
 -      bufferEnd = buffer + (bufferEnd - bufferPtr);
 +      memmove(buffer, bufferPtr,
 +              EXPAT_SAFE_PTR_DIFF(bufferEnd, bufferPtr));
 +      bufferEnd
 +          = buffer
 +            + EXPAT_SAFE_PTR_DIFF(bufferEnd, bufferPtr);
       bufferPtr = buffer;
 #endif  /* not defined XML_CONTEXT_BYTES */
     }
@@ -2171,7 +2238,7 @@ XML_ResumeParser(XML_Parser parser)
   }
   ps_parsing = XML_PARSING;
 -  errorCode = processor(parser, bufferPtr, parseEndPtr, &bufferPtr);
 +  errorCode = callProcessor(parser, bufferPtr, parseEndPtr, &bufferPtr);
   if (errorCode != XML_ERROR_NONE) {
     eventEndPtr = eventPtr;
@@ -2481,6 +2548,15 @@ MOZ_XML_ProcessingEntityValue(XML_Parser
 }
 /* END MOZILLA CHANGE */
 +XML_Bool XMLCALL
 +XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled) {
 +  if (parser != NULL && (enabled == XML_TRUE || enabled == XML_FALSE)) {
 +    parser->m_reparseDeferralEnabled = enabled;
 +    return XML_TRUE;
 +  }
 +  return XML_FALSE;
 +}
 +
 /* Initially tag->rawName always points into the parse buffer;
    for those TAG instances opened while the current parse buffer was
    processed, and not yet closed, we need to store tag->rawName in a more
--- a/SOURCES/firefox-enable-addons.patch
+++ b/SOURCES/firefox-enable-addons.patch
@ -1,10 +1,10 @@
-diff -up firefox-128.0/browser/app/profile/firefox.js.addons firefox-128.0/browser/app/profile/firefox.js
+diff -up firefox-55.0/browser/app/profile/firefox.js.addons firefox-55.0/browser/app/profile/firefox.js
--- firefox-128.0/browser/app/profile/firefox.js.addons	2024-06-13 11:47:04.255428350 +0200
+--- firefox-55.0/browser/app/profile/firefox.js.addons	2017-08-02 10:58:30.566363833 +0200
-+++ firefox-128.0/browser/app/profile/firefox.js	2024-06-13 11:53:00.442837371 +0200
+++ firefox-55.0/browser/app/profile/firefox.js	2017-08-02 10:59:15.377216959 +0200
-@@ -56,7 +56,8 @@ pref("extensions.systemAddon.update.enab
+@@ -65,7 +65,8 @@ pref("extensions.systemAddon.update.url"
 // Disable add-ons that are not installed by the user in all scopes by default.
- // See the SCOPE constants in AddonManager.sys.mjs for values to use here.
+ // See the SCOPE constants in AddonManager.jsm for values to use here.
 -pref("extensions.autoDisableScopes", 15);
 +pref("extensions.autoDisableScopes", 0);
 +pref("extensions.showMismatchUI", false);
--- a/SOURCES/mozilla-bmo1170092.patch
+++ b/SOURCES/mozilla-bmo1170092.patch
@ -1,6 +1,6 @@
-diff -up firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp.mozilla-bmo1170092 firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp
+diff -up firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp.1170092 firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp
--- firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp.mozilla-bmo1170092	2025-06-02 15:26:44.000000000 +0200
+--- firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp.1170092	2023-07-10 21:08:53.000000000 +0200
-+++ firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp	2025-06-04 13:24:00.344728697 +0200
+++ firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp	2023-07-17 10:33:23.443355156 +0200
@@ -263,8 +263,20 @@ nsresult nsReadConfig::openAndEvaluateJS
     if (NS_FAILED(rv)) return rv;
@ -23,10 +23,10 @@ diff -up firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp.mozilla-b
   } else {
     nsAutoCString location("resource://gre/defaults/autoconfig/");
     location += aFileName;
-diff -up firefox-140.0/modules/libpref/Preferences.cpp.mozilla-bmo1170092 firefox-140.0/modules/libpref/Preferences.cpp
+diff -up firefox-115.0.2/modules/libpref/Preferences.cpp.1170092 firefox-115.0.2/modules/libpref/Preferences.cpp
--- firefox-140.0/modules/libpref/Preferences.cpp.mozilla-bmo1170092	2025-06-02 15:26:51.000000000 +0200
+--- firefox-115.0.2/modules/libpref/Preferences.cpp.1170092	2023-07-10 21:09:00.000000000 +0200
-+++ firefox-140.0/modules/libpref/Preferences.cpp	2025-06-04 13:24:00.345430064 +0200
+++ firefox-115.0.2/modules/libpref/Preferences.cpp	2023-07-17 10:33:23.444355156 +0200
-@@ -4914,6 +4914,9 @@ nsresult Preferences::InitInitialObjects
+@@ -4825,6 +4825,9 @@ nsresult Preferences::InitInitialObjects
   //
   // Thus, in the omni.jar case, we always load app-specific default
   // preferences from omni.jar, whether or not `$app == $gre`.
@ -36,10 +36,10 @@ diff -up firefox-140.0/modules/libpref/Preferences.cpp.mozilla-bmo1170092 firefo
   nsresult rv = NS_ERROR_FAILURE;
   UniquePtr<nsZipFind> find;
-diff -up firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092 firefox-140.0/toolkit/xre/nsXREDirProvider.cpp
+diff -up firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp.1170092 firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp
--- firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092	2025-06-02 15:27:00.000000000 +0200
+--- firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp.1170092	2023-07-10 22:57:20.000000000 +0200
-+++ firefox-140.0/toolkit/xre/nsXREDirProvider.cpp	2025-06-04 15:44:09.413562326 +0200
+++ firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp	2023-07-17 10:56:25.309692121 +0200
-@@ -76,6 +76,7 @@
+@@ -72,6 +72,7 @@
 #endif
 #ifdef XP_UNIX
 #  include <ctype.h>
@ -47,7 +47,7 @@ diff -up firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092 firef
 #endif
 #ifdef XP_IOS
 #  include "UIKitDirProvider.h"
-@@ -462,6 +463,17 @@ nsXREDirProvider::GetFile(const char* aP
+@@ -478,6 +479,17 @@ nsXREDirProvider::GetFile(const char* aP
     rv = file->AppendNative(nsLiteralCString(PREF_OVERRIDE_DIRNAME));
     NS_ENSURE_SUCCESS(rv, rv);
     rv = EnsureDirectoryExists(file);
@ -60,12 +60,12 @@ diff -up firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092 firef
 +    appInfo->GetName(appName);
 +    ToLowerCase(appName);
 +    sysConfigDir.Append(appName);
-+    NS_NewNativeLocalFile(sysConfigDir, getter_AddRefs(file));
+    NS_NewNativeLocalFile(sysConfigDir, false, getter_AddRefs(file));
 +    rv = EnsureDirectoryExists(file);
   } else {
     // We don't know anything about this property. Fail without warning, because
     // otherwise we'll get too much warning spam due to
-@@ -518,6 +530,16 @@ nsXREDirProvider::GetFiles(const char* a
+@@ -694,6 +706,16 @@ nsXREDirProvider::GetFiles(const char* a
     }
 #endif
@ -82,9 +82,9 @@ diff -up firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092 firef
     rv = NS_NewArrayEnumerator(aResult, directories, NS_GET_IID(nsIFile));
   } else if (!strcmp(aProperty, NS_APP_CHROME_DIR_LIST)) {
     // NS_APP_CHROME_DIR_LIST is only used to get default (native) icons
-diff -up firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h.mozilla-bmo1170092 firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h
+diff -up firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h.1170092 firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h
--- firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h.mozilla-bmo1170092	2025-06-02 15:27:01.000000000 +0200
+--- firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h.1170092	2023-07-10 21:09:13.000000000 +0200
-+++ firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h	2025-06-04 13:24:00.346423861 +0200
+++ firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h	2023-07-17 10:33:23.444355156 +0200
@@ -58,6 +58,7 @@
 #define NS_APP_PREFS_DEFAULTS_DIR_LIST "PrefDL"
 #define NS_APP_PREFS_OVERRIDE_DIR \
--- a/SOURCES/mozilla-bmo1504834-part1.patch
+++ b/SOURCES/mozilla-bmo1504834-part1.patch
@ -1,20 +1,23 @@
-diff -up firefox-128.0/gfx/2d/DrawTargetSkia.cpp.mozilla-bmo1504834-part1 firefox-128.0/gfx/2d/DrawTargetSkia.cpp
+# HG changeset patch
--- firefox-128.0/gfx/2d/DrawTargetSkia.cpp.mozilla-bmo1504834-part1	2024-06-12 15:02:55.000000000 +0200
+# Parent  9fcbd287056a40084b1e679f787bf683b291f323
-+++ firefox-128.0/gfx/2d/DrawTargetSkia.cpp	2024-06-13 11:36:54.550728034 +0200
+Taken from https://bugzilla.mozilla.org/show_bug.cgi?id=1504834
-@@ -156,8 +156,8 @@ static IntRect CalculateSurfaceBounds(co
+
 diff --git a/gfx/2d/DrawTargetSkia.cpp b/gfx/2d/DrawTargetSkia.cpp
 --- a/gfx/2d/DrawTargetSkia.cpp
 +++ b/gfx/2d/DrawTargetSkia.cpp
@@ -156,7 +156,8 @@ static IntRect CalculateSurfaceBounds(co
 }
 static const int kARGBAlphaOffset =
 -    SurfaceFormat::A8R8G8B8_UINT32 == SurfaceFormat::B8G8R8A8 ? 3 : 0;
 -
 +    0;  // Skia is always BGRA SurfaceFormat::A8R8G8B8_UINT32 ==
 +        // SurfaceFormat::B8G8R8A8 ? 3 : 0;
 static bool VerifyRGBXFormat(uint8_t* aData, const IntSize& aSize,
                              const int32_t aStride, SurfaceFormat aFormat) {
-   if (aFormat != SurfaceFormat::B8G8R8X8 || aSize.IsEmpty()) {
+diff --git a/gfx/2d/Types.h b/gfx/2d/Types.h
-diff -up firefox-128.0/gfx/2d/Types.h.mozilla-bmo1504834-part1 firefox-128.0/gfx/2d/Types.h
+--- a/gfx/2d/Types.h
--- firefox-128.0/gfx/2d/Types.h.mozilla-bmo1504834-part1	2024-06-12 15:02:56.000000000 +0200
+++ b/gfx/2d/Types.h
 +++ firefox-128.0/gfx/2d/Types.h	2024-06-13 11:36:54.551728036 +0200
@@ -89,18 +89,11 @@ enum class SurfaceFormat : int8_t {
   // This represents the unknown format.
   UNKNOWN,  // TODO: Replace uses with Maybe<SurfaceFormat>.
@ -37,10 +40,10 @@ diff -up firefox-128.0/gfx/2d/Types.h.mozilla-bmo1504834-part1 firefox-128.0/gfx
   // The following values are OS and endian-independent synonyms.
   //
-diff -up firefox-128.0/gfx/skia/skia/modules/skcms/skcms.cc.mozilla-bmo1504834-part1 firefox-128.0/gfx/skia/skia/modules/skcms/skcms.cc
+diff --git a/gfx/skia/skia/modules/skcms/skcms.cc b/gfx/skia/skia/modules/skcms/skcms.cc
--- firefox-128.0/gfx/skia/skia/modules/skcms/skcms.cc.mozilla-bmo1504834-part1	2024-06-12 15:02:57.000000000 +0200
+--- a/gfx/skia/skia/modules/skcms/skcms.cc
-+++ firefox-128.0/gfx/skia/skia/modules/skcms/skcms.cc	2024-06-13 11:38:45.377835856 +0200
+++ b/gfx/skia/skia/modules/skcms/skcms.cc
-@@ -31,6 +31,8 @@
+@@ -30,6 +30,8 @@
         #include <avx512fintrin.h>
         #include <avx512dqintrin.h>
     #endif
@ -48,7 +51,7 @@ diff -up firefox-128.0/gfx/skia/skia/modules/skcms/skcms.cc.mozilla-bmo1504834-p
 +    #define SKCMS_PORTABLE
 #endif
- using namespace skcms_private;
+ static bool runtime_cpu_detection = true;
@@ -324,20 +326,28 @@ enum {
 static uint16_t read_big_u16(const uint8_t* ptr) {
     uint16_t be;
--- a/SOURCES/mozilla-bmo1670333.patch
+++ b/SOURCES/mozilla-bmo1670333.patch
@ -1,6 +1,6 @@
-diff -up firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-140.0/dom/media/mp4/MP4Demuxer.cpp
+diff -up firefox-115.0/dom/media/mp4/MP4Demuxer.cpp.1670333 firefox-115.0/dom/media/mp4/MP4Demuxer.cpp
--- firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333	2025-06-17 18:15:13.000000000 +0200
+--- firefox-115.0/dom/media/mp4/MP4Demuxer.cpp.1670333	2023-06-06 23:14:43.000000000 +0200
-+++ firefox-140.0/dom/media/mp4/MP4Demuxer.cpp	2025-06-18 10:17:47.394794429 +0200
+++ firefox-115.0/dom/media/mp4/MP4Demuxer.cpp	2023-06-08 08:15:48.214109403 +0200
@@ -32,6 +32,8 @@ mozilla::LogModule* GetDemuxerLog() { re
   DDMOZ_LOG(gMediaDemuxerLog, mozilla::LogLevel::Debug, "::%s: " arg, \
             __func__, ##__VA_ARGS__)
@ -10,10 +10,10 @@ diff -up firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-1
 namespace mozilla {
 using TimeUnit = media::TimeUnit;
-@@ -419,6 +421,12 @@ already_AddRefed<MediaRawData> MP4TrackD
+@@ -404,6 +406,12 @@ already_AddRefed<MediaRawData> MP4TrackD
           [[fallthrough]];
         case H264::FrameType::OTHER: {
-           bool keyframe = type == H264::FrameType::I_FRAME_OTHER ||
+           bool keyframe = type == H264::FrameType::I_FRAME;
                           type == H264::FrameType::I_FRAME_IDR;
 +          if (gUseKeyframeFromContainer) {
 +            if (sample->mKeyframe && sample->mKeyframe != keyframe) {
 +              sample->mKeyframe = keyframe;
@ -23,10 +23,10 @@ diff -up firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-1
           if (sample->mKeyframe != keyframe) {
             NS_WARNING(nsPrintfCString("Frame incorrectly marked as %skeyframe "
                                        "@ pts:%" PRId64 " dur:%" PRId64
-diff -up firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 firefox-140.0/dom/media/platforms/PDMFactory.cpp
+diff -up firefox-115.0/dom/media/platforms/PDMFactory.cpp.1670333 firefox-115.0/dom/media/platforms/PDMFactory.cpp
--- firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333	2025-06-17 18:15:13.000000000 +0200
+--- firefox-115.0/dom/media/platforms/PDMFactory.cpp.1670333	2023-06-06 23:14:44.000000000 +0200
-+++ firefox-140.0/dom/media/platforms/PDMFactory.cpp	2025-06-18 10:10:29.209789856 +0200
+++ firefox-115.0/dom/media/platforms/PDMFactory.cpp	2023-06-08 08:09:33.145289602 +0200
-@@ -61,6 +61,8 @@
+@@ -67,6 +67,8 @@
 #include <functional>
@ -35,28 +35,31 @@ diff -up firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 fir
 using DecodeSupport = mozilla::media::DecodeSupport;
 using DecodeSupportSet = mozilla::media::DecodeSupportSet;
 using MediaCodec = mozilla::media::MediaCodec;
-@@ -573,7 +575,7 @@ void PDMFactory::CreateRddPDMs() {
+@@ -562,7 +564,7 @@ void PDMFactory::CreateRddPDMs() {
 #ifdef MOZ_FFMPEG
   if (StaticPrefs::media_ffmpeg_enabled() &&
       StaticPrefs::media_rdd_ffmpeg_enabled() &&
-      !StartupPDM(FFmpegRuntimeLinker::CreateDecoder())) {
+-      !CreateAndStartupPDM<FFmpegRuntimeLinker>()) {
-+      !(mFFmpegUsed = StartupPDM(FFmpegRuntimeLinker::CreateDecoder()))) {
+      !(mFFmpegUsed = CreateAndStartupPDM<FFmpegRuntimeLinker>())) {
     mFailureFlags += GetFailureFlagBasedOnFFmpegStatus(
         FFmpegRuntimeLinker::LinkStatusCode());
   }
-@@ -749,7 +751,7 @@ void PDMFactory::CreateDefaultPDMs() {
+@@ -738,9 +740,10 @@ void PDMFactory::CreateDefaultPDMs() {
-   StartupPDM(AgnosticDecoderModule::Create(),
+ 
-              StaticPrefs::media_prefer_non_ffvpx());
+   CreateAndStartupPDM<AgnosticDecoderModule>();
 -  if (StaticPrefs::media_gmp_decoder_enabled() &&
 +  if (StaticPrefs::media_gmp_decoder_enabled() && !mFFmpegUsed &&
       !StartupPDM(GMPDecoderModule::Create(),
                   StaticPrefs::media_gmp_decoder_preferred())) {
 +    gUseKeyframeFromContainer = true;
     mFailureFlags += DecoderDoctorDiagnostics::Flags::GMPPDMFailedToStartup;
-diff -up firefox-140.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333 firefox-140.0/dom/media/platforms/PDMFactory.h
+   }
--- firefox-140.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333	2025-06-17 18:15:13.000000000 +0200
+ }
-+++ firefox-140.0/dom/media/platforms/PDMFactory.h	2025-06-18 10:10:29.210054963 +0200
+diff -up firefox-115.0/dom/media/platforms/PDMFactory.h.1670333 firefox-115.0/dom/media/platforms/PDMFactory.h
-@@ -105,6 +105,7 @@ class PDMFactory final {
+--- firefox-115.0/dom/media/platforms/PDMFactory.h.1670333	2023-06-06 23:14:42.000000000 +0200
 +++ firefox-115.0/dom/media/platforms/PDMFactory.h	2023-06-08 08:09:33.145289602 +0200
@@ -103,6 +103,7 @@ class PDMFactory final {
   RefPtr<PlatformDecoderModule> mNullPDM;
   DecoderDoctorDiagnostics::FlagsSet mFailureFlags;
--- a/SOURCES/mozilla-bmo1789216-disable-av1.patch
+++ b/SOURCES/mozilla-bmo1789216-disable-av1.patch
@ -1,7 +1,9 @@
-diff -up firefox-128.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-disable-av1 firefox-128.0/media/ffvpx/libavcodec/allcodecs.c
+diff --git a/media/ffvpx/libavcodec/allcodecs.c b/media/ffvpx/libavcodec/allcodecs.c
--- firefox-128.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-disable-av1	2024-06-12 15:03:01.000000000 +0200
+--- a/media/ffvpx/libavcodec/allcodecs.c
-+++ firefox-128.0/media/ffvpx/libavcodec/allcodecs.c	2024-06-13 11:44:10.637215674 +0200
+++ b/media/ffvpx/libavcodec/allcodecs.c
-@@ -764,8 +764,11 @@ extern const FFCodec ff_libaribb24_decod
+@@ -755,12 +755,15 @@
 extern FFCodec ff_libaom_av1_encoder;
 extern const FFCodec ff_libaribb24_decoder;
 extern const FFCodec ff_libcelt_decoder;
 extern const FFCodec ff_libcodec2_encoder;
 extern const FFCodec ff_libcodec2_decoder;
@ -13,7 +15,11 @@ diff -up firefox-128.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-dis
 extern const FFCodec ff_libfdk_aac_encoder;
 extern const FFCodec ff_libfdk_aac_decoder;
 extern const FFCodec ff_libgsm_encoder;
-@@ -793,7 +796,6 @@ extern const FFCodec ff_libspeex_decoder
+ extern const FFCodec ff_libgsm_decoder;
 extern const FFCodec ff_libgsm_ms_encoder;
@@ -783,11 +786,10 @@
 extern const FFCodec ff_libspeex_encoder;
 extern const FFCodec ff_libspeex_decoder;
 extern const FFCodec ff_libsvtav1_encoder;
 extern const FFCodec ff_libtheora_encoder;
 extern const FFCodec ff_libtwolame_encoder;
@ -21,10 +27,14 @@ diff -up firefox-128.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-dis
 extern const FFCodec ff_libvo_amrwbenc_encoder;
 extern const FFCodec ff_libvorbis_encoder;
 extern const FFCodec ff_libvorbis_decoder;
-diff -up firefox-128.0/media/ffvpx/libavcodec/codec_list.c.mozilla-bmo1789216-disable-av1 firefox-128.0/media/ffvpx/libavcodec/codec_list.c
+ extern const FFCodec ff_libvpx_vp8_encoder;
--- firefox-128.0/media/ffvpx/libavcodec/codec_list.c.mozilla-bmo1789216-disable-av1	2024-06-13 11:40:12.668924117 +0200
+ extern const FFCodec ff_libvpx_vp8_decoder;
-+++ firefox-128.0/media/ffvpx/libavcodec/codec_list.c	2024-06-13 11:44:41.411253372 +0200
+diff --git a/media/ffvpx/libavcodec/codec_list.c b/media/ffvpx/libavcodec/codec_list.c
-@@ -11,12 +11,14 @@ static const FFCodec * const codec_list[
+--- a/media/ffvpx/libavcodec/codec_list.c
 +++ b/media/ffvpx/libavcodec/codec_list.c
@@ -9,12 +9,14 @@
     &ff_flac_decoder,
 #endif
 #if CONFIG_MP3_DECODER
     &ff_mp3_decoder,
 #endif
@ -36,32 +46,44 @@ diff -up firefox-128.0/media/ffvpx/libavcodec/codec_list.c.mozilla-bmo1789216-di
     &ff_av1_decoder,
 #endif
 +#endif
- #if CONFIG_LIBVORBIS_DECODER
+     NULL };
-     &ff_libvorbis_decoder,
+diff --git a/media/ffvpx/libavcodec/moz.build b/media/ffvpx/libavcodec/moz.build
- #endif
+--- a/media/ffvpx/libavcodec/moz.build
-diff -up firefox-128.0/media/ffvpx/libavcodec/moz.build.mozilla-bmo1789216-disable-av1 firefox-128.0/media/ffvpx/libavcodec/moz.build
+++ b/media/ffvpx/libavcodec/moz.build
--- firefox-128.0/media/ffvpx/libavcodec/moz.build.mozilla-bmo1789216-disable-av1	2024-06-13 11:40:12.669924118 +0200
+@@ -84,11 +84,10 @@
-+++ firefox-128.0/media/ffvpx/libavcodec/moz.build	2024-06-13 11:45:22.867304151 +0200
+         'cbs.c',
-@@ -120,16 +120,15 @@ if not CONFIG['MOZ_FFVPX_AUDIOONLY']:
+         'cbs_av1.c',
         'golomb.c',
         'h264pred.c',
         'imgconvert.c',
 -        'libdav1d.c',
         'mathtables.c',
         'qsv_api.c',
         'raw.c',
         'videodsp.c',
         'vp8.c',
@@ -107,14 +106,19 @@
         'vp9mvs.c',
         'vp9prob.c',
         'vp9recon.c',
         'vpx_rac.c',
     ]
- 
+-    USE_LIBS += [
-    if CONFIG["MOZ_SYSTEM_AV1"]:
+-        'dav1d',
-        CFLAGS += CONFIG['MOZ_SYSTEM_LIBDAV1D_CFLAGS']
+-        'media_libdav1d_asm',
-        CFLAGS += CONFIG['MOZ_SYSTEM_LIBAOM_CFLAGS']
+-    ]
-        OS_LIBS += CONFIG['MOZ_SYSTEM_LIBDAV1D_LIBS']
+    if CONFIG['MOZ_AV1']:
-        OS_LIBS += CONFIG['MOZ_SYSTEM_LIBAOM_LIBS']
+        USE_LIBS += [
-    else:
+            'dav1d',
-+    if CONFIG["MOZ_AV1"]:
+            'media_libdav1d_asm',
-         USE_LIBS += [
+        ]
             'dav1d',
             'media_libdav1d_asm',
         ]
 +        SOURCES += [
 +            'libdav1d.c',
 +        ]
 +
- 
+     if CONFIG['MOZ_WAYLAND']:
     if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
         LOCAL_INCLUDES += ['/media/mozva']
         SOURCES += [
             'vaapi_av1.c',
             'vaapi_decode.c',
--- a/SOURCES/process-official-tarball
+++ b/SOURCES/process-official-tarball
@ -12,21 +12,6 @@ rm -vf ./process-tarball-dir/*/testing/web-platform/tests/css/css-ui/support/cur
 rm -vf ./process-tarball-dir/*/testing/web-platform/tests/conformance-checkers/html-rdfa/0230-novalid.html
 rm -vf ./process-tarball-dir/*/testing/web-platform/tests/conformance-checkers/html-rdfa/0231-isvalid.html
 rm -vf ./process-tarball-dir/*/layout/inspector/tests/chrome/test_fontVariationsAPI.css
 rm -vr ./process-tarball-dir/*/third_party/rust/wast/tests/parse-fail/confusing*
 # A forbidden code point was found in:
 rm -vf ./process-tarball-dir/*/mobile/android/android-components/components/browser/errorpages/src/main/res/values-ar/strings.xml
 rm -vf ./process-tarball-dir/*/mobile/android/android-components/components/feature/addons/src/main/res/values-ur/strings.xml
 rm -vf ./process-tarball-dir/*/third_party/webkit/PerformanceTests/Speedometer3/resources/editors/dist/assets/codemirror-521de7ab.js
 rm -vf ./process-tarball-dir/*/third_party/python/pip/pip-24.0.dist-info/AUTHORS.txt
 rm -vf ./process-tarball-dir/*/dom/locks/test/crashtests/1908240.js
 rm -vf ./process-tarball-dir/*/comm/third_party/rust/idna/tests/IdnaTestV2.txt
 rm -vr ./process-tarball-dir/*/comm/third_party/rust/wast/tests/parse-fail/confusing*
 rm -vr ./process-tarball-dir/*/third_party/rust/wast/tests/parse-fail/confusing*
 # We uses system freetype2
 rm -vrf ./process-tarball-dir/*/modules/freetype2
 # We use system zlib
 rm -vrf ./process-tarball-dir/*/modules/zlib
 processed_tarball=${1/source/processed-source}
--- a/SOURCES/rhbz-1173156.patch
+++ b/SOURCES/rhbz-1173156.patch
@ -1,12 +1,12 @@
-diff -up firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156 firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp
+diff -up firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156 firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp
--- firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156	2025-06-02 15:26:45.000000000 +0200
+--- firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156	2019-01-22 10:36:09.284069020 +0100
-+++ firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp	2025-06-12 11:02:37.183715940 +0200
+++ firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp	2019-01-22 10:37:12.669757744 +0100
-@@ -153,7 +153,7 @@ nsresult nsAuthSambaNTLM::SpawnNTLMAuthH
+@@ -161,7 +161,7 @@ nsresult nsAuthSambaNTLM::SpawnNTLMAuthH
-     options.fds_to_remap.push_back(
+   const char* username = PR_GetEnv("USER");
-         std::pair{fromChildPipeWrite.get(), STDOUT_FILENO});
+   if (!username) return NS_ERROR_FAILURE;
 -    std::vector<std::string> argvVec{"ntlm_auth",        "--helper-protocol",
 +    std::vector<std::string> argvVec{"/usr/bin/ntlm_auth",        "--helper-protocol",
                                      "ntlmssp-client-1", "--use-cached-creds",
                                      "--username",       username};
 -  const char* const args[] = {"ntlm_auth",
 +  const char* const args[] = {"/usr/bin/ntlm_auth",
                               "--helper-protocol",
                               "ntlmssp-client-1",
                               "--use-cached-creds",
--- a/SOURCES/rust-file-removal.patch
+++ b/SOURCES/rust-file-removal.patch
--- a/SOURCES/thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch
+++ b/SOURCES/thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch
@ -1,59 +0,0 @@
 diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
 index 31aa1ddd67..93ab402bfd 100644
 --- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
 +++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
@@ -303,6 +303,28 @@ DigestBufNSS(Input item,
   return Success;
 }
 +static SECOidTag
 +findOIDByName(const char *cipherString)
 +{
 +  SECOidTag tag;
 +  SECOidData *oid;
 +
 +  for (int i = 1; ; i++) {
 +    SECOidTag tag = static_cast<SECOidTag>(i);
 +    oid = SECOID_FindOIDByTag(tag);
 +
 +    if (oid == NULL) {
 +      break;
 +    }
 +
 +    if (strcasecmp(oid->desc, cipherString) == 0) {
 +      return tag;
 +    }
 +  }
 +
 +  return SEC_OID_UNKNOWN;
 +}
 +
 Result
 VerifyMLDSASignedDataNSS(Input data,
                          Input signature,
@@ -323,17 +345,14 @@ VerifyMLDSASignedDataNSS(Input data,
   SECItem dataItem(UnsafeMapInputToSECItem(data));
   CK_MECHANISM_TYPE mechanism;
 -  switch (pubk->u.mldsa.paramSet) {
 -    case SEC_OID_ML_DSA_44:
 -    case SEC_OID_ML_DSA_65:
 -    case SEC_OID_ML_DSA_87:
 -      mechanism = CKM_ML_DSA;
 -      signaturePolicyTag = pubk->u.mldsa.paramSet;
 -      hashPolicyTag = SEC_OID_UNKNOWN;
 -      break;
 -    default:
 -      return Result::ERROR_UNSUPPORTED_KEYALG;
 -      break;
 +  if (pubk->u.mldsa.params == findOIDByName("ML-DSA-44") ||
 +      pubk->u.mldsa.params == findOIDByName("ML-DSA-65") ||
 +      pubk->u.mldsa.params == findOIDByName("ML-DSA-87")) {
 +    hashPolicyTag = SEC_OID_UNKNOWN;
 +    mechanism = CKM_ML_DSA;
 +    signaturePolicyTag = pubk->u.mldsa.params;
 +  } else {
 +    return Result::ERROR_UNSUPPORTED_KEYALG;
   }
   SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag};
--- a/SOURCES/thunderbird-add-ml-dsa-certificate-support-to-certviewer.patch
+++ b/SOURCES/thunderbird-add-ml-dsa-certificate-support-to-certviewer.patch
@ -1,323 +0,0 @@
 diff --git a/toolkit/components/certviewer/content/certDecoder.mjs b/toolkit/components/certviewer/content/certDecoder.mjs
 --- a/toolkit/components/certviewer/content/certDecoder.mjs
 +++ b/toolkit/components/certviewer/content/certDecoder.mjs
@@ -5,10 +5,11 @@
 import {
   Certificate,
   ECNamedCurves,
   ECPublicKey,
   RSAPublicKey,
 +  MLDSAPublicKey,
 } from "./vendor/pkijs.js";
 const getTimeZone = () => {
   let timeZone = new Date().toString().match(/\(([A-Za-z\s].*)\)/);
   if (timeZone === null) {
@@ -45,10 +46,19 @@
       x, // x coordinate
       y, // y coordinate
       xy: `04:${x}:${y}`, // 04 (uncompressed) public key
     };
   }
 +  if (publicKey instanceof MLDSAPublicKey) {
 +    let keyHex = publicKey.rhoT1.valueBlock.valueHex;
 +    let keyBytes = new Uint8Array(keyHex);
 +    return {
 +      kty: publicKey.alg,
 +      keysize: keyBytes.length,
 +      rhoT1: hashify(keyHex),
 +    };
 +  }
   return { kty: "Unknown" };
 };
 const getX509Ext = (extensions, v) => {
   for (var extension in extensions) {
@@ -1132,10 +1142,13 @@
     "2.16.840.1.101.3.4.3.2": "DSA with SHA-256",
     "1.2.840.10045.4.1": "ECDSA with SHA-1",
     "1.2.840.10045.4.3.2": "ECDSA with SHA-256",
     "1.2.840.10045.4.3.3": "ECDSA with SHA-384",
     "1.2.840.10045.4.3.4": "ECDSA with SHA-512",
 +    "2.16.840.1.101.3.4.3.17": "ML-DSA-44",
 +    "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
 +    "2.16.840.1.101.3.4.3.19": "ML-DSA-87",
   },
   aia: {
     "1.3.6.1.5.5.7.48.1": "Online Certificate Status Protocol (OCSP)",
     "1.3.6.1.5.5.7.48.2": "CA Issuers",
 diff --git a/toolkit/components/certviewer/content/certviewer.mjs b/toolkit/components/certviewer/content/certviewer.mjs
 --- a/toolkit/components/certviewer/content/certviewer.mjs
 +++ b/toolkit/components/certviewer/content/certviewer.mjs
@@ -74,10 +74,23 @@
     }
   }
   return result ? result : false;
 };
 +const getMLDSASecurityLevel = signatureName => {
 +  switch (signatureName) {
 +    case "ML-DSA-44":
 +      return "Level 2 (NIST)";
 +    case "ML-DSA-65":
 +      return "Level 3 (NIST)";
 +    case "ML-DSA-87":
 +      return "Level 5 (NIST)";
 +    default:
 +      return null;
 +  }
 +};
 +
 export const adjustCertInformation = cert => {
   let certItems = [];
   let tabName = cert?.subject?.cn || "";
   if (cert && !tabName) {
     // No common name, use the value of the last item in the cert's entries.
@@ -173,10 +186,15 @@
           createEntryItem("key-size", cert.subjectPublicKeyInfo.keysize),
           createEntryItem("curve", cert.subjectPublicKeyInfo.crv),
           createEntryItem("public-value", cert.subjectPublicKeyInfo.xy, true),
           createEntryItem("exponent", cert.subjectPublicKeyInfo.e),
           createEntryItem("modulus", cert.subjectPublicKeyInfo.n, true),
 +          createEntryItem(
 +            "mldsa-public-value",
 +            cert.subjectPublicKeyInfo.rhoT1,
 +            true
 +          ),
         ].filter(elem => elem != null);
       }
       return items;
     },
     certItems,
@@ -190,14 +208,23 @@
         createEntryItem("serial-number", cert.serialNumber, true),
         createEntryItem(
           "signature-algorithm",
           cert.signature ? cert.signature.name : null
         ),
 +      ];
 +
 +      const secLvl = getMLDSASecurityLevel(cert.signature?.name);
 +      if (secLvl) {
 +        items.push(createEntryItem("security-level", secLvl));
 +      }
 +
 +      items.push(
         createEntryItem("version", cert.version),
 -        createEntryItem("download", cert.files ? cert.files.pem : null),
 -      ].filter(elem => elem != null);
 -      return items;
 +        createEntryItem("download", cert.files ? cert.files.pem : null)
 +      );
 +
 +      return items.filter(elem => elem != null);
     },
     certItems,
     "miscellaneous",
     false
   );
 diff --git a/toolkit/components/certviewer/content/vendor/pkijs.js b/toolkit/components/certviewer/content/vendor/pkijs.js
 --- a/toolkit/components/certviewer/content/vendor/pkijs.js
 +++ b/toolkit/components/certviewer/content/vendor/pkijs.js
@@ -8609,10 +8609,90 @@
         this.publicExponent = new Integer({ valueHex: stringToArrayBuffer(fromBase64(json.e, true)).slice(0, 3) });
     }
 }
 RSAPublicKey.CLASS_NAME = "RSAPublicKey";
 +/* @see https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-11.html */
 +const RHO_T1 = "rhoT1";
 +const ALG = "alg";
 +const CLEAR_PROPS_MLDSA = [RHO_T1, ALG];
 +const MLDSA_MIN_LENGTH = 32;
 +class MLDSAPublicKey extends PkiObject {
 +    constructor(parameters = {}) {
 +        super();
 +
 +        this.rhoT1 = getParametersValue(parameters, RHO_T1, MLDSAPublicKey.defaultValues(RHO_T1));
 +        this.alg = getParametersValue(parameters, ALG, MLDSAPublicKey.defaultValues(ALG));
 +
 +        if (parameters.json) {
 +            this.fromJSON(parameters.json);
 +        }
 +
 +        if (parameters.schema) {
 +            this.fromSchema(parameters.schema);
 +        }
 +    }
 +
 +    static defaultValues(memberName) {
 +        switch (memberName) {
 +            case RHO_T1:
 +                return new BitString();
 +            case ALG:
 +                return "";
 +            default:
 +                return super.defaultValues(memberName);
 +        }
 +    }
 +
 +    static schema(parameters = {}) {
 +        const names = getParametersValue(parameters, "names", {});
 +        return new BitString({ name: names.rhoT1 || RHO_T1 });
 +    }
 +
 +    fromSchema(schema) {
 +        clearProps(schema, CLEAR_PROPS_MLDSA);
 +
 +        const asn1 = compareSchema(schema, schema, MLDSAPublicKey.schema({
 +            names: { rhoT1: RHO_T1 }
 +        }));
 +
 +        AsnError.assertSchema(asn1, this.className);
 +
 +        const bitString = asn1.result.rhoT1;
 +        const length = bitString.valueBlock.valueHexView.length;
 +
 +        if (length < MLDSA_MIN_LENGTH || (length - MLDSA_MIN_LENGTH) % 320 !== 0) {
 +            throw new Error(`Invalid ML-DSA key length: ${length} bytes`);
 +        }
 +
 +        this.rhoT1 = bitString;
 +    }
 +
 +    toSchema() {
 +        return this.rhoT1;
 +    }
 +
 +    toJSON() {
 +        return {
 +            rhoT1: Convert.ToBase64Url(this.rhoT1.valueBlock.valueHexView),
 +            alg: this.alg
 +        };
 +    }
 +
 +    fromJSON(json) {
 +        ParameterError.assert("json", json, "rhoT1");
 +        const rawBuffer = stringToArrayBuffer(fromBase64(json.rhoT1, true));
 +
 +        if (rawBuffer.byteLength < MLDSA_MIN_LENGTH || (rawBuffer.byteLength - MLDSA_MIN_LENGTH) % 320 !== 0) {
 +            throw new Error(`Invalid ML-DSA key length: ${rawBuffer.byteLength} bytes`);
 +        }
 +
 +        this.rhoT1 = new BitString({ valueHex: rawBuffer });
 +    }
 +}
 +MLDSAPublicKey.CLASS_NAME = "MLDSAPublicKey";
 +
 const ALGORITHM$1 = "algorithm";
 const SUBJECT_PUBLIC_KEY = "subjectPublicKey";
 const CLEAR_PROPS$1a = [ALGORITHM$1, SUBJECT_PUBLIC_KEY];
 class PublicKeyInfo extends PkiObject {
     constructor(parameters = {}) {
@@ -8657,10 +8737,22 @@
                             catch (ex) {
                             }
                         }
                     }
                     break;
 +                case "2.16.840.1.101.3.4.3.17":
 +                    /* Already a bitstring */
 +                    this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-44" });
 +                    break;
 +                case "2.16.840.1.101.3.4.3.18":
 +                    /* Already a bitstring */
 +                    this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-65" });
 +                    break;
 +                case "2.16.840.1.101.3.4.3.19":
 +                    /* Already a bitstring */
 +                    this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-87" });
 +                    break;
             }
             this._parsedKey || (this._parsedKey = null);
         }
         return this._parsedKey || undefined;
     }
@@ -8724,10 +8816,19 @@
                 jwk.kty = "EC";
                 break;
             case "1.2.840.113549.1.1.1":
                 jwk.kty = "RSA";
                 break;
 +            case "2.16.840.1.101.3.4.3.17":
 +                jwk.kty = "ML-DSA-44";
 +                break;
 +            case "2.16.840.1.101.3.4.3.18":
 +                jwk.kty = "ML-DSA-65";
 +                break;
 +            case "2.16.840.1.101.3.4.3.19":
 +                jwk.kty = "ML-DSA-87";
 +                break;
         }
         const publicKeyJWK = this.parsedKey.toJSON();
         Object.assign(jwk, publicKeyJWK);
         return jwk;
     }
@@ -8746,10 +8847,31 @@
                     this.algorithm = new AlgorithmIdentifier({
                         algorithmId: "1.2.840.113549.1.1.1",
                         algorithmParams: new Null()
                     });
                     break;
 +                case "ML-DSA-44":
 +                    this.parsedKey = new MLDSAPublicKey({ json });
 +                    this.algorithm = new AlgorithmIdentifier({
 +                        algorithmId: "2.16.840.1.101.3.4.3.17",
 +                        algorithmParams: new Null()
 +                    });
 +                    break;
 +                case "ML-DSA-65":
 +                    this.parsedKey = new MLDSAPublicKey({ json });
 +                    this.algorithm = new AlgorithmIdentifier({
 +                        algorithmId: "2.16.840.1.101.3.4.3.18",
 +                        algorithmParams: new Null()
 +                    });
 +                    break;
 +                case "ML-DSA-87":
 +                    this.parsedKey = new MLDSAPublicKey({ json });
 +                    this.algorithm = new AlgorithmIdentifier({
 +                        algorithmId: "2.16.840.1.101.3.4.3.19",
 +                        algorithmParams: new Null()
 +                    });
 +                    break;
                 default:
                     throw new Error(`Invalid value for "kty" parameter: ${json.kty}`);
             }
             this.subjectPublicKey = new BitString({ valueHex: this.parsedKey.toSchema().toBER(false) });
         }
@@ -24078,6 +24200,6 @@
     }
 }
 initCryptoEngine();
 -export { AbstractCryptoEngine, AccessDescription, Accuracy, AlgorithmIdentifier, AltName, ArgumentError, AsnError, AttCertValidityPeriod, Attribute, AttributeCertificateInfoV1, AttributeCertificateInfoV2, AttributeCertificateV1, AttributeCertificateV2, AttributeTypeAndValue, AuthenticatedSafe, AuthorityKeyIdentifier, BasicConstraints, BasicOCSPResponse, CAVersion, CRLBag, CRLDistributionPoints, CertBag, CertID, Certificate, CertificateChainValidationEngine, CertificatePolicies, CertificateRevocationList, CertificateSet, CertificateTemplate, CertificationRequest, ChainValidationCode, ChainValidationError, ContentInfo, CryptoEngine, DigestInfo, DistributionPoint, ECCCMSSharedInfo, ECNamedCurves, ECPrivateKey, ECPublicKey, EncapsulatedContentInfo, EncryptedContentInfo, EncryptedData, EnvelopedData, ExtKeyUsage, Extension, ExtensionValueFactory, Extensions, GeneralName, GeneralNames, GeneralSubtree, HASHED_MESSAGE, HASH_ALGORITHM, Holder, InfoAccess, IssuerAndSerialNumber, IssuerSerial, IssuingDistributionPoint, KEKIdentifier, KEKRecipientInfo, KeyAgreeRecipientIdentifier, KeyAgreeRecipientInfo, KeyBag, KeyTransRecipientInfo, MICROS, MILLIS, MacData, MessageImprint, NameConstraints, OCSPRequest, OCSPResponse, ObjectDigestInfo, OriginatorIdentifierOrKey, OriginatorInfo, OriginatorPublicKey, OtherCertificateFormat, OtherKeyAttribute, OtherPrimeInfo, OtherRecipientInfo, OtherRevocationInfoFormat, PBES2Params, PBKDF2Params, PFX, PKCS8ShroudedKeyBag, PKIStatus, PKIStatusInfo, POLICY_IDENTIFIER, POLICY_QUALIFIERS, ParameterError, PasswordRecipientinfo, PkiObject, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyQualifierInfo, PrivateKeyInfo, PrivateKeyUsagePeriod, PublicKeyInfo, QCStatement, QCStatements, RDN, RSAESOAEPParams, RSAPrivateKey, RSAPublicKey, RSASSAPSSParams, RecipientEncryptedKey, RecipientEncryptedKeys, RecipientIdentifier, RecipientInfo, RecipientKeyIdentifier, RelativeDistinguishedNames, Request, ResponseBytes, ResponseData, RevocationInfoChoices, RevokedCertificate, SECONDS, SafeBag, SafeBagValueFactory, SafeContents, SecretBag, Signature, SignedAndUnsignedAttributes, SignedCertificateTimestamp, SignedCertificateTimestampList, SignedData, SignedDataVerifyError, SignerInfo, SingleResponse, SubjectDirectoryAttributes, TBSRequest, TSTInfo, TYPE$4 as TYPE, TYPE_AND_VALUES, Time, TimeStampReq, TimeStampResp, TimeType, V2Form, VALUE$5 as VALUE, VALUE_BEFORE_DECODE, checkCA, createCMSECDSASignature, createECDSASignatureFromCMS, engine, getAlgorithmByOID, getAlgorithmParameters, getCrypto, getEngine, getHashAlgorithm, getOIDByAlgorithm, getRandomValues, id_AnyPolicy, id_AuthorityInfoAccess, id_AuthorityKeyIdentifier, id_BaseCRLNumber, id_BasicConstraints, id_CRLBag_X509CRL, id_CRLDistributionPoints, id_CRLNumber, id_CRLReason, id_CertBag_AttributeCertificate, id_CertBag_SDSICertificate, id_CertBag_X509Certificate, id_CertificateIssuer, id_CertificatePolicies, id_ContentType_Data, id_ContentType_EncryptedData, id_ContentType_EnvelopedData, id_ContentType_SignedData, id_ExtKeyUsage, id_FreshestCRL, id_InhibitAnyPolicy, id_InvalidityDate, id_IssuerAltName, id_IssuingDistributionPoint, id_KeyUsage, id_MicrosoftAppPolicies, id_MicrosoftCaVersion, id_MicrosoftCertTemplateV1, id_MicrosoftCertTemplateV2, id_MicrosoftPrevCaCertHash, id_NameConstraints, id_PKIX_OCSP_Basic, id_PolicyConstraints, id_PolicyMappings, id_PrivateKeyUsagePeriod, id_QCStatements, id_SignedCertificateTimestampList, id_SubjectAltName, id_SubjectDirectoryAttributes, id_SubjectInfoAccess, id_SubjectKeyIdentifier, id_ad, id_ad_caIssuers, id_ad_ocsp, id_eContentType_TSTInfo, id_pkix, id_sha1, id_sha256, id_sha384, id_sha512, kdf, setEngine, stringPrep, verifySCTsForCertificate };
 +export { AbstractCryptoEngine, AccessDescription, Accuracy, AlgorithmIdentifier, AltName, ArgumentError, AsnError, AttCertValidityPeriod, Attribute, AttributeCertificateInfoV1, AttributeCertificateInfoV2, AttributeCertificateV1, AttributeCertificateV2, AttributeTypeAndValue, AuthenticatedSafe, AuthorityKeyIdentifier, BasicConstraints, BasicOCSPResponse, CAVersion, CRLBag, CRLDistributionPoints, CertBag, CertID, Certificate, CertificateChainValidationEngine, CertificatePolicies, CertificateRevocationList, CertificateSet, CertificateTemplate, CertificationRequest, ChainValidationCode, ChainValidationError, ContentInfo, CryptoEngine, DigestInfo, DistributionPoint, ECCCMSSharedInfo, ECNamedCurves, ECPrivateKey, ECPublicKey, EncapsulatedContentInfo, EncryptedContentInfo, EncryptedData, EnvelopedData, ExtKeyUsage, Extension, ExtensionValueFactory, Extensions, GeneralName, GeneralNames, GeneralSubtree, HASHED_MESSAGE, HASH_ALGORITHM, Holder, InfoAccess, IssuerAndSerialNumber, IssuerSerial, IssuingDistributionPoint, KEKIdentifier, KEKRecipientInfo, KeyAgreeRecipientIdentifier, KeyAgreeRecipientInfo, KeyBag, KeyTransRecipientInfo, MICROS, MILLIS, MacData, MessageImprint, NameConstraints, OCSPRequest, OCSPResponse, ObjectDigestInfo, OriginatorIdentifierOrKey, OriginatorInfo, OriginatorPublicKey, OtherCertificateFormat, OtherKeyAttribute, OtherPrimeInfo, OtherRecipientInfo, OtherRevocationInfoFormat, PBES2Params, PBKDF2Params, PFX, PKCS8ShroudedKeyBag, PKIStatus, PKIStatusInfo, POLICY_IDENTIFIER, POLICY_QUALIFIERS, ParameterError, PasswordRecipientinfo, PkiObject, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyQualifierInfo, PrivateKeyInfo, PrivateKeyUsagePeriod, PublicKeyInfo, QCStatement, QCStatements, RDN, RSAESOAEPParams, RSAPrivateKey, RSAPublicKey, RSASSAPSSParams, RecipientEncryptedKey, RecipientEncryptedKeys, RecipientIdentifier, RecipientInfo, RecipientKeyIdentifier, RelativeDistinguishedNames, Request, ResponseBytes, ResponseData, RevocationInfoChoices, RevokedCertificate, SECONDS, SafeBag, SafeBagValueFactory, SafeContents, SecretBag, Signature, SignedAndUnsignedAttributes, SignedCertificateTimestamp, SignedCertificateTimestampList, SignedData, SignedDataVerifyError, SignerInfo, SingleResponse, SubjectDirectoryAttributes, TBSRequest, TSTInfo, TYPE$4 as TYPE, TYPE_AND_VALUES, Time, TimeStampReq, TimeStampResp, TimeType, V2Form, VALUE$5 as VALUE, VALUE_BEFORE_DECODE, checkCA, createCMSECDSASignature, createECDSASignatureFromCMS, engine, getAlgorithmByOID, getAlgorithmParameters, getCrypto, getEngine, getHashAlgorithm, getOIDByAlgorithm, getRandomValues, id_AnyPolicy, id_AuthorityInfoAccess, id_AuthorityKeyIdentifier, id_BaseCRLNumber, id_BasicConstraints, id_CRLBag_X509CRL, id_CRLDistributionPoints, id_CRLNumber, id_CRLReason, id_CertBag_AttributeCertificate, id_CertBag_SDSICertificate, id_CertBag_X509Certificate, id_CertificateIssuer, id_CertificatePolicies, id_ContentType_Data, id_ContentType_EncryptedData, id_ContentType_EnvelopedData, id_ContentType_SignedData, id_ExtKeyUsage, id_FreshestCRL, id_InhibitAnyPolicy, id_InvalidityDate, id_IssuerAltName, id_IssuingDistributionPoint, id_KeyUsage, id_MicrosoftAppPolicies, id_MicrosoftCaVersion, id_MicrosoftCertTemplateV1, id_MicrosoftCertTemplateV2, id_MicrosoftPrevCaCertHash, id_NameConstraints, id_PKIX_OCSP_Basic, id_PolicyConstraints, id_PolicyMappings, id_PrivateKeyUsagePeriod, id_QCStatements, id_SignedCertificateTimestampList, id_SubjectAltName, id_SubjectDirectoryAttributes, id_SubjectInfoAccess, id_SubjectKeyIdentifier, id_ad, id_ad_caIssuers, id_ad_ocsp, id_eContentType_TSTInfo, id_pkix, id_sha1, id_sha256, id_sha384, id_sha512, kdf, setEngine, stringPrep, verifySCTsForCertificate, MLDSAPublicKey };
 diff --git a/toolkit/locales/en-US/toolkit/about/certviewer.ftl b/toolkit/locales/en-US/toolkit/about/certviewer.ftl
 --- a/toolkit/locales/en-US/toolkit/about/certviewer.ftl
 +++ b/toolkit/locales/en-US/toolkit/about/certviewer.ftl
@@ -45,20 +45,22 @@
 certificate-viewer-organization = Organization
 certificate-viewer-organizational-unit = Organizational Unit
 certificate-viewer-policy = Policy
 certificate-viewer-protocol = Protocol
 certificate-viewer-public-value = Public Value
 +certificate-viewer-mldsa-public-value = Public Value
 certificate-viewer-purposes = Purposes
 certificate-viewer-qualifier = Qualifier
 certificate-viewer-qualifiers = Qualifiers
 certificate-viewer-required = Required
 certificate-viewer-unsupported = &lt;unsupported&gt;
 # Inc. means Incorporated, e.g GitHub is incorporated in Delaware
 certificate-viewer-inc-state-province = Inc. State/Province
 certificate-viewer-state-province = State/Province
 certificate-viewer-sha-1 = SHA-1
 certificate-viewer-sha-256 = SHA-256
 +certificate-viewer-security-level = Security Level
 certificate-viewer-serial-number = Serial Number
 certificate-viewer-signature-algorithm = Signature Algorithm
 certificate-viewer-signature-scheme = Signature Scheme
 certificate-viewer-timestamp = Timestamp
 certificate-viewer-value = Value
--- a/SOURCES/thunderbird-add-mlkem768-secp256r1-support.patch
+++ b/SOURCES/thunderbird-add-mlkem768-secp256r1-support.patch
--- a/SOURCES/thunderbird-enable-ml-dsa-in-manager-ssl.patch
+++ b/SOURCES/thunderbird-enable-ml-dsa-in-manager-ssl.patch
@ -1,48 +0,0 @@
 diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
 index 2dc48c9f4c..0a7b84d787 100644
 --- a/security/manager/ssl/nsNSSCallbacks.cpp
 +++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -722,6 +722,15 @@ nsCString getSignatureName(uint32_t aSignatureScheme) {
     case ssl_sig_rsa_pkcs1_sha1md5:
       signatureName = "RSA-PKCS1-SHA1MD5"_ns;
       break;
 +    case ssl_sig_mldsa44:
 +      signatureName = "ML-DSA-44"_ns;
 +      break;
 +    case ssl_sig_mldsa65:
 +      signatureName = "ML-DSA-65"_ns;
 +      break;
 +    case ssl_sig_mldsa87:
 +      signatureName = "ML-DSA-87"_ns;
 +      break;
     // All other groups are not enabled in Firefox. See sEnabledSignatureSchemes
     // in nsNSSIOLayer.cpp.
     default:
@@ -1061,6 +1070,13 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
           glean::ssl::auth_ecdsa_curve_full.AccumulateSingleSample(
               ECCCurve(channelInfo.authKeyBits));
           break;
 +      case ssl_auth_mldsa44:
 +      case ssl_auth_mldsa65:
 +      case ssl_auth_mldsa87:
 +          /* TODO: add auth_mldsa_key_size_full in ssl/metrics.yaml
 +          glean::ssl::auth_mldsa_key_size_full.AccumulateSingleSample(
 +              NonECCKeySize(channelInfo.authKeyBits)); */
 +          break;
         default:
           MOZ_CRASH("impossible auth algorithm");
           break;
 diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
 index b1a5f5c2df..7443011b13 100644
 --- a/security/manager/ssl/nsNSSIOLayer.cpp
 +++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -1300,6 +1300,9 @@ static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd,
 // Please change getSignatureName in nsNSSCallbacks.cpp when changing the list
 // here. See NOTE at SSL_SignatureSchemePrefSet call site.
 static const SSLSignatureScheme sEnabledSignatureSchemes[] = {
 +    ssl_sig_mldsa87,
 +    ssl_sig_mldsa65,
 +    ssl_sig_mldsa44,
     ssl_sig_ecdsa_secp256r1_sha256,
     ssl_sig_ecdsa_secp384r1_sha384,
     ssl_sig_ecdsa_secp521r1_sha512,
--- a/SOURCES/thunderbird-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch
+++ b/SOURCES/thunderbird-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch
@ -1,239 +0,0 @@
 diff --git a/security/nss/lib/mozpkix/include/pkix/pkixder.h b/security/nss/lib/mozpkix/include/pkix/pkixder.h
 index ac1ec24393..40eb5027af 100644
 --- a/security/nss/lib/mozpkix/include/pkix/pkixder.h
 +++ b/security/nss/lib/mozpkix/include/pkix/pkixder.h
@@ -488,7 +488,7 @@ inline Result OptionalExtensions(Reader& input, uint8_t tag,
 Result DigestAlgorithmIdentifier(Reader& input,
                                  /*out*/ DigestAlgorithm& algorithm);
 -enum class PublicKeyAlgorithm { RSA_PKCS1, RSA_PSS, ECDSA };
 +enum class PublicKeyAlgorithm { RSA_PKCS1, RSA_PSS, ECDSA, MLDSA };
 Result SignatureAlgorithmIdentifierValue(
     Reader& input,
 diff --git a/security/nss/lib/mozpkix/include/pkix/pkixnss.h b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
 index 6711959e71..b87e88a599 100644
 --- a/security/nss/lib/mozpkix/include/pkix/pkixnss.h
 +++ b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
@@ -50,6 +50,13 @@ Result VerifyECDSASignedDataNSS(Input data, DigestAlgorithm digestAlgorithm,
                                 Input signature, Input subjectPublicKeyInfo,
                                 void* pkcs11PinArg);
 +// Verifies the ML-DSA signature on the given data using the given ML-DSA
 +// public key
 +Result VerifyMLDSASignedDataNSS(Input data,
 +                                Input signature,
 +                                Input subjectPublicKeyInfo,
 +                                void* pkcs11PinArg);
 +
 // Computes the digest of the given data using the given digest algorithm.
 //
 // item contains the data to hash.
 diff --git a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
 index 6a07d6e885..f24bd546e4 100644
 --- a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
 +++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
@@ -334,6 +334,10 @@ class TrustDomain {
                                        Input signature,
                                        Input subjectPublicKeyInfo) = 0;
 +  virtual Result VerifyMLDSASignedData(Input data,
 +                                       Input signature,
 +                                       Input subjectPublicKeyInfo) = 0;
 +
   // Check that the validity duration is acceptable.
   //
   // Return Success if the validity duration is acceptable,
 diff --git a/security/nss/lib/mozpkix/lib/pkixc.cpp b/security/nss/lib/mozpkix/lib/pkixc.cpp
 index 5dea13c43e..f797a3b3a1 100644
 --- a/security/nss/lib/mozpkix/lib/pkixc.cpp
 +++ b/security/nss/lib/mozpkix/lib/pkixc.cpp
@@ -143,6 +143,15 @@ class CodeSigningTrustDomain final : public TrustDomain {
         subjectPublicKeyInfo, nullptr);
   }
 +  virtual Result VerifyMLDSASignedData(Input data,
 +                                       Input signature,
 +                                       Input subjectPublicKeyInfo) override {
 +    return VerifyMLDSASignedDataNSS(data,
 +                                    signature,
 +                                    subjectPublicKeyInfo,
 +                                    nullptr);
 +  }
 +
   virtual Result CheckValidityIsAcceptable(Time notBefore, Time notAfter,
                                            EndEntityOrCA endEntityOrCA,
                                            KeyPurposeId keyPurpose) override {
 diff --git a/security/nss/lib/mozpkix/lib/pkixcheck.cpp b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
 index 8b7e1bf73e..4ce73f3944 100644
 --- a/security/nss/lib/mozpkix/lib/pkixcheck.cpp
 +++ b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
@@ -118,6 +118,9 @@ CheckSignatureAlgorithm(TrustDomain& trustDomain,
       // for any curve that we support, the chances of us encountering a curve
       // during path building is too low to be worth bothering with.
       break;
 +
 +    case der::PublicKeyAlgorithm::MLDSA:
 +      break;
     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
   }
@@ -248,6 +251,24 @@ CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain,
     0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01
   };
 +  // Params for pure ML-DSA-44 signature
 +  // python DottedOIDToCode.py id-ml-dsa-44 2.16.840.1.101.3.4.3.17
 +  static const uint8_t id_ml_dsa_44[] = {
 +      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11
 +  };
 +
 +  // Params for pure ML-DSA-65 signature
 +  // python DottedOIDToCode.py id-ml-dsa-65 2.16.840.1.101.3.4.3.18
 +  static const uint8_t id_ml_dsa_65[] = {
 +      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12
 +  };
 +
 +  // Params for pure ML-DSA-87 signature
 +  // python DottedOIDToCode.py id-ml-dsa-87 2.16.840.1.101.3.4.3.19
 +  static const uint8_t id_ml_dsa_87[] = {
 +      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13
 +  };
 +
   if (algorithmOID.MatchRest(id_ecPublicKey)) {
     // An id-ecPublicKey AlgorithmIdentifier has a parameter that identifes
     // the curve being used. Although RFC 5480 specifies multiple forms, we
@@ -361,6 +382,30 @@ CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain,
     if (rv != Success) {
       return rv;
     }
 +  } else if (algorithmOID.MatchRest(id_ml_dsa_44) ||
 +             algorithmOID.MatchRest(id_ml_dsa_65) ||
 +             algorithmOID.MatchRest(id_ml_dsa_87)) {
 +
 +    /*
 +     * The ML-DSA AlgorithmIdentifier is expected to contain only the OID,
 +     * with no parameters field present. According to the Internet-Draft
 +     * https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-11.html
 +     * (Section 3), the AlgorithmIdentifier for ML-DSA variants must omit the `parameters`
 +     * field entirely.
 +     * In DER encoding, the absence of the parameters field means that after parsing the
 +     * OID, no additional bytes should remain. Calling `der::End(algorithm)` confirms that
 +     * this constraint is satisfied and that the structure is correctly encoded.
 +     */
 +    rv = der::End(algorithm);
 +    if (rv != Success) {
 +      return rv;
 +    }
 +
 +    Input rawPublicKey;
 +    rv = subjectPublicKeyReader.SkipToEnd(rawPublicKey);
 +    if (rv != Success) {
 +      return rv;
 +    }
   } else {
     return Result::ERROR_UNSUPPORTED_KEYALG;
   }
 diff --git a/security/nss/lib/mozpkix/lib/pkixder.cpp b/security/nss/lib/mozpkix/lib/pkixder.cpp
 index 59454c7d3c..4ff45ed566 100644
 --- a/security/nss/lib/mozpkix/lib/pkixder.cpp
 +++ b/security/nss/lib/mozpkix/lib/pkixder.cpp
@@ -211,6 +211,24 @@ SignatureAlgorithmIdentifierValue(Reader& input,
     0x00, 0xa2, 0x03, 0x02, 0x01, 0x40
   };
 +  // Params for pure ML-DSA-44 signature
 +  // python DottedOIDToCode.py id-ml-dsa-44 2.16.840.1.101.3.4.3.17
 +  static const uint8_t id_ml_dsa_44[] = {
 +      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11
 +  };
 +
 +  // Params for pure ML-DSA-65 signature
 +  // python DottedOIDToCode.py id-ml-dsa-65 2.16.840.1.101.3.4.3.18
 +  static const uint8_t id_ml_dsa_65[] = {
 +      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12
 +  };
 +
 +  // Params for pure ML-DSA-87 signature
 +  // python DottedOIDToCode.py id-ml-dsa-87 2.16.840.1.101.3.4.3.19
 +  static const uint8_t id_ml_dsa_87[] = {
 +      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13
 +  };
 +
   // Matching is attempted based on a rough estimate of the commonality of the
   // algorithm, to minimize the number of MatchRest calls.
   if (algorithmID.MatchRest(sha256WithRSAEncryption)) {
@@ -252,6 +270,10 @@ SignatureAlgorithmIdentifierValue(Reader& input,
     } else {
       return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
     }
 +  } else if (algorithmID.MatchRest(id_ml_dsa_44) ||
 +             algorithmID.MatchRest(id_ml_dsa_65) ||
 +             algorithmID.MatchRest(id_ml_dsa_87)) {
 +    publicKeyAlgorithm = PublicKeyAlgorithm::MLDSA;
   } else {
     return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
   }
 diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
 index 606ef708d8..31aa1ddd67 100644
 --- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
 +++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
@@ -303,6 +303,44 @@ DigestBufNSS(Input item,
   return Success;
 }
 +Result
 +VerifyMLDSASignedDataNSS(Input data,
 +                         Input signature,
 +                         Input subjectPublicKeyInfo,
 +                         void* pkcs11PinArg)
 +{
 +  ScopedSECKEYPublicKey publicKey;
 +  SECKEYPublicKey *pubk = NULL;
 +  SECOidTag signaturePolicyTag, hashPolicyTag;
 +  Result rv = SubjectPublicKeyInfoToSECKEYPublicKey(subjectPublicKeyInfo,
 +                                                    publicKey);
 +  if (rv != Success) {
 +    return rv;
 +  }
 +
 +  pubk = publicKey.get();
 +  SECItem signatureItem(UnsafeMapInputToSECItem(signature));
 +  SECItem dataItem(UnsafeMapInputToSECItem(data));
 +  CK_MECHANISM_TYPE mechanism;
 +
 +  switch (pubk->u.mldsa.paramSet) {
 +    case SEC_OID_ML_DSA_44:
 +    case SEC_OID_ML_DSA_65:
 +    case SEC_OID_ML_DSA_87:
 +      mechanism = CKM_ML_DSA;
 +      signaturePolicyTag = pubk->u.mldsa.paramSet;
 +      hashPolicyTag = SEC_OID_UNKNOWN;
 +      break;
 +    default:
 +      return Result::ERROR_UNSUPPORTED_KEYALG;
 +      break;
 +  }
 +
 +  SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag};
 +  return VerifySignedData(pubk, mechanism, nullptr, &signatureItem,
 +                          &dataItem, policyTags, pkcs11PinArg);
 +}
 +
 Result
 MapPRErrorCodeToResult(PRErrorCode error)
 {
 diff --git a/security/nss/lib/mozpkix/lib/pkixverify.cpp b/security/nss/lib/mozpkix/lib/pkixverify.cpp
 index 8cb58bf7de..ff132d89df 100644
 --- a/security/nss/lib/mozpkix/lib/pkixverify.cpp
 +++ b/security/nss/lib/mozpkix/lib/pkixverify.cpp
@@ -53,6 +53,9 @@ VerifySignedData(TrustDomain& trustDomain,
     case der::PublicKeyAlgorithm::RSA_PSS:
       return trustDomain.VerifyRSAPSSSignedData(signedData.data,
           digestAlgorithm, signedData.signature, signerSubjectPublicKeyInfo);
 +    case der::PublicKeyAlgorithm::MLDSA:
 +      return trustDomain.VerifyMLDSASignedData(signedData.data,
 +          signedData.signature, signerSubjectPublicKeyInfo);
     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
   }
 }
--- a/SOURCES/thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch
+++ b/SOURCES/thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch
@ -1,247 +0,0 @@
 diff --git a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
 index cc778640a1..298d6a61e8 100644
 --- a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
 +++ b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
@@ -53,6 +53,10 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain {
       mozilla::pkix::Input signature,
       mozilla::pkix::Input subjectPublicKeyInfo) override;
 +  virtual mozilla::pkix::Result VerifyMLDSASignedData(
 +      mozilla::pkix::Input data, mozilla::pkix::Input signature,
 +      mozilla::pkix::Input subjectPublicKeyInfo) override;
 +
   virtual mozilla::pkix::Result DigestBuf(
       mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
       /*out*/ uint8_t* digestBuf, size_t digestBufLen) override;
@@ -151,6 +155,14 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData(
   return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
 }
 +mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyMLDSASignedData(
 +    mozilla::pkix::Input data, mozilla::pkix::Input signature,
 +    mozilla::pkix::Input subjectPublicKeyInfo) {
 +  MOZ_ASSERT_UNREACHABLE("not expecting this to be called");
 +
 +  return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
 +}
 +
 mozilla::pkix::Result ServerCertHashesTrustDomain::DigestBuf(
     mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
     /*out*/ uint8_t* digestBuf, size_t digestBufLen) {
 diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
 index ca330770fb..1e8f1d4996 100644
 --- a/security/certverifier/CertVerifier.cpp
 +++ b/security/certverifier/CertVerifier.cpp
@@ -7,6 +7,7 @@
 #include "CertVerifier.h"
 #include <stdint.h>
 +#include <optional>
 #include "AppTrustDomain.h"
 #include "CTKnownLogs.h"
@@ -1010,7 +1011,7 @@ Result CertVerifier::VerifySSLServerCert(
 void HashSignatureParams(pkix::Input data, pkix::Input signature,
                          pkix::Input subjectPublicKeyInfo,
                          pkix::der::PublicKeyAlgorithm publicKeyAlgorithm,
 -                         pkix::DigestAlgorithm digestAlgorithm,
 +                         std::optional<pkix::DigestAlgorithm> digestAlgorithm,
                          /*out*/ Maybe<nsTArray<uint8_t>>& sha512Hash) {
   sha512Hash.reset();
   Digest digest;
@@ -1048,10 +1049,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature,
                         sizeof(publicKeyAlgorithm)))) {
     return;
   }
 -  if (NS_FAILED(
 -          digest.Update(reinterpret_cast<const uint8_t*>(&digestAlgorithm),
 -                        sizeof(digestAlgorithm)))) {
 -    return;
 +  // There is no fallback digest algorithm when it's empty.
 +  // Check that digestAlgorithm actually contains a value.
 +  if (digestAlgorithm) {
 +    pkix::DigestAlgorithm value = digestAlgorithm.value();
 +    if (NS_FAILED(digest.Update(reinterpret_cast<const uint8_t*>(&value),
 +                                sizeof(value)))) {
 +      return;
 +    }
   }
   nsTArray<uint8_t> result;
   if (NS_FAILED(digest.End(result))) {
@@ -1064,10 +1069,17 @@ Result VerifySignedDataWithCache(
     der::PublicKeyAlgorithm publicKeyAlg,
     mozilla::glean::impl::DenominatorMetric telemetryDenominator,
     mozilla::glean::impl::NumeratorMetric telemetryNumerator, Input data,
 -    DigestAlgorithm digestAlgorithm, Input signature,
 +    std::optional<DigestAlgorithm> digestAlgorithm, Input signature,
     Input subjectPublicKeyInfo, SignatureCache* signatureCache, void* pinArg) {
   telemetryDenominator.Add(1);
   Maybe<nsTArray<uint8_t>> sha512Hash;
 +
 +  // Currently, it is only acceptable for `digestAlgorithm` to be null when the
 +  // public key algorithm is pure ML-DSA. Fail immediately otherwise.
 +  if ((publicKeyAlg != der::PublicKeyAlgorithm::MLDSA) && !digestAlgorithm) {
 +    return Result::ERROR_INVALID_ALGORITHM;
 +  }
 +
   HashSignatureParams(data, signature, subjectPublicKeyInfo, publicKeyAlg,
                       digestAlgorithm, sha512Hash);
   // If hashing the signature parameters succeeded, see if this signature is in
@@ -1080,16 +1092,23 @@ Result VerifySignedDataWithCache(
   Result result;
   switch (publicKeyAlg) {
     case der::PublicKeyAlgorithm::ECDSA:
 -      result = VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
 -                                        subjectPublicKeyInfo, pinArg);
 +      result =
 +          VerifyECDSASignedDataNSS(data, digestAlgorithm.value(), signature,
 +                                   subjectPublicKeyInfo, pinArg);
       break;
     case der::PublicKeyAlgorithm::RSA_PKCS1:
 -      result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
 -                                           subjectPublicKeyInfo, pinArg);
 +      result =
 +          VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(), signature,
 +                                      subjectPublicKeyInfo, pinArg);
       break;
     case der::PublicKeyAlgorithm::RSA_PSS:
 -      result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
 -                                         subjectPublicKeyInfo, pinArg);
 +      result =
 +          VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(), signature,
 +                                    subjectPublicKeyInfo, pinArg);
 +      break;
 +    case der::PublicKeyAlgorithm::MLDSA:
 +      result = VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
 +                                        pinArg);
       break;
     default:
       MOZ_ASSERT_UNREACHABLE("unhandled public key algorithm");
 diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
 index 6432547c8a..6e09e6fcdd 100644
 --- a/security/certverifier/CertVerifier.h
 +++ b/security/certverifier/CertVerifier.h
@@ -331,7 +331,8 @@ mozilla::pkix::Result VerifySignedDataWithCache(
     mozilla::pkix::der::PublicKeyAlgorithm publicKeyAlg,
     mozilla::glean::impl::DenominatorMetric telemetryDenominator,
     mozilla::glean::impl::NumeratorMetric telemetryNumerator,
 -    mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
 +    mozilla::pkix::Input data,
 +    std::optional<mozilla::pkix::DigestAlgorithm> digestAlgorithm,
     mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo,
     SignatureCache* signatureCache, void* pinArg);
 diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
 index 70ba17d70f..a3ace3cee7 100644
 --- a/security/certverifier/NSSCertDBTrustDomain.cpp
 +++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -1541,6 +1541,15 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData(
       signature, subjectPublicKeyInfo, mSignatureCache, mPinArg);
 }
 +Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
 +                                                   Input subjectPublicKeyInfo) {
 +  return VerifySignedDataWithCache(
 +      der::PublicKeyAlgorithm::MLDSA,
 +      mozilla::glean::cert_signature_cache::total,
 +      mozilla::glean::cert_signature_cache::hits, data, std::nullopt, signature,
 +      subjectPublicKeyInfo, mSignatureCache, mPinArg);
 +}
 +
 Result NSSCertDBTrustDomain::CheckValidityIsAcceptable(
     Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
     KeyPurposeId keyPurpose) {
 diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
 index fc210f3254..6178201758 100644
 --- a/security/certverifier/NSSCertDBTrustDomain.h
 +++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -197,6 +197,10 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
       mozilla::pkix::Input signature,
       mozilla::pkix::Input subjectPublicKeyInfo) override;
 +  virtual Result VerifyMLDSASignedData(
 +      mozilla::pkix::Input data, mozilla::pkix::Input signature,
 +      mozilla::pkix::Input subjectPublicKeyInfo) override;
 +
   virtual Result DigestBuf(mozilla::pkix::Input item,
                            mozilla::pkix::DigestAlgorithm digestAlg,
                            /*out*/ uint8_t* digestBuf,
 diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp
 index d5e665aaca..471213745d 100644
 --- a/security/ct/CTLogVerifier.cpp
 +++ b/security/ct/CTLogVerifier.cpp
@@ -99,6 +99,10 @@ class SignatureParamsTrustDomain final : public TrustDomain {
     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 +  pkix::Result VerifyMLDSASignedData(Input, Input, Input) override {
 +    return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
 +  }
 +
   pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
                                          KeyPurposeId) override {
     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
 diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp
 index 6a25307ec3..dbec7adc91 100644
 --- a/security/ct/tests/gtest/CTTestUtils.cpp
 +++ b/security/ct/tests/gtest/CTTestUtils.cpp
@@ -807,6 +807,12 @@ class OCSPExtensionTrustDomain : public TrustDomain {
                                      subjectPublicKeyInfo, nullptr);
   }
 +  pkix::Result VerifyMLDSASignedData(Input data, Input signature,
 +                                     Input subjectPublicKeyInfo) override {
 +    return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
 +                                    nullptr);
 +  }
 +
   pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
                                          KeyPurposeId) override {
     ADD_FAILURE();
 diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
 index ab49d7eb1f..3963f90eb1 100644
 --- a/security/manager/ssl/AppTrustDomain.cpp
 +++ b/security/manager/ssl/AppTrustDomain.cpp
@@ -322,6 +322,12 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData(
                                   subjectPublicKeyInfo, nullptr);
 }
 +pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
 +                                                   Input subjectPublicKeyInfo) {
 +  return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
 +                                  nullptr);
 +}
 +
 pkix::Result AppTrustDomain::CheckValidityIsAcceptable(
     Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
     KeyPurposeId /*keyPurpose*/) {
 diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h
 index 4b0212ede0..85fdff5f13 100644
 --- a/security/manager/ssl/AppTrustDomain.h
 +++ b/security/manager/ssl/AppTrustDomain.h
@@ -80,6 +80,9 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
                            mozilla::pkix::DigestAlgorithm digestAlg,
                            /*out*/ uint8_t* digestBuf,
                            size_t digestBufLen) override;
 +  virtual Result VerifyMLDSASignedData(
 +      mozilla::pkix::Input data, mozilla::pkix::Input signature,
 +      mozilla::pkix::Input subjectPublicKeyInfo) override;
  private:
   nsTArray<Span<const uint8_t>> mTrustedRoots;
 diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp
 index 3a84b15ee6..a3dc5a1af1 100644
 --- a/security/manager/ssl/TLSClientAuthCertSelection.cpp
 +++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp
@@ -217,6 +217,11 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
       pkix::Input subjectPublicKeyInfo) override {
     return pkix::Success;
   }
 +  virtual mozilla::pkix::Result VerifyMLDSASignedData(
 +      pkix::Input data, pkix::Input signature,
 +      pkix::Input subjectPublicKeyInfo) override {
 +    return pkix::Success;
 +  }
   virtual mozilla::pkix::Result CheckValidityIsAcceptable(
       pkix::Time notBefore, pkix::Time notAfter,
       pkix::EndEntityOrCA endEntityOrCA,
--- a/SOURCES/thunderbird-mozconfig
+++ b/SOURCES/thunderbird-mozconfig
@ -3,6 +3,7 @@ ac_add_options --enable-application=comm/mail
 ac_add_options --allow-addon-sideload
 ac_add_options --disable-bootstrap
 ac_add_options --disable-crashreporter
 #ac_add_options --disable-elf-hack
 ac_add_options --disable-jemalloc
 ac_add_options --disable-strip
 ac_add_options --disable-tests
@ -12,6 +13,7 @@ ac_add_options --enable-default-toolkit=cairo-gtk3-wayland
 ac_add_options --enable-js-shell
 ac_add_options --enable-necko-wifi
 ac_add_options --enable-official-branding
 ac_add_options --enable-official-branding
 ac_add_options --enable-pulseaudio
 ac_add_options --enable-release
 ac_add_options --enable-system-ffi
@ -32,9 +34,6 @@ ac_add_options --with-unsigned-addon-scopes=app,system
 export BUILD_OFFICIAL=1
 export MOZILLA_OFFICIAL=1
 export MOZ_UPDATE_CHANNEL=release
 mk_add_options MOZ_TELEMETRY_REPORTING=
 mk_add_options MOZ_NORMANDY=
 mk_add_options MOZ_SERVICES_HEALTHREPORT=
 mk_add_options BUILD_OFFICIAL=1
 mk_add_options MOZ_CO_PROJECT=mail
 mk_add_options MOZILLA_OFFICIAL=1
--- a/SOURCES/thunderbird-redhat-default-prefs.js
+++ b/SOURCES/thunderbird-redhat-default-prefs.js
@ -2,7 +2,7 @@ pref("app.update.enabled", false);
 pref("app.update.autoInstallEnabled", false);
 /* Allow users to set custom colors*/
 /* pref("browser.display.use_system_colors",   true);*/
-pref("general.useragent.vendor", "Red Hat");
+pref("general.useragent.vendor", "AlmaLinux");
 pref("general.useragent.vendorSub", "THUNDERBIRD_RPM_VR");
 pref("intl.locale.matchOS", true);
 pref("mail.shell.checkDefaultClient", false);
@ -12,6 +12,8 @@ pref("offline.autoDetect", true);
 /* Disable global indexing by default*/
 pref("mailnews.database.global.indexer.enabled", false);
 /* Do not switch to Smart Folders after upgrade to 3.0b4 */
 pref("mail.folder.views.version", "1");
 pref("extensions.shownSelectionUI", true);
 pref("extensions.autoDisableScopes", 0);
@ -32,5 +34,3 @@ pref("intl.locale.requested", "");
 pref("datareporting.healthreport.uploadEnabled", false);
 pref("datareporting.policy.dataSubmissionEnabled", false);
 pref("toolkit.telemetry.archive.enabled", false);
 /* ECH is not supported in the system nss */
 pref("security.tls.ech.grease_probability", 0);
--- a/SOURCES/thunderbird.appdata.xml.in
+++ b/SOURCES/thunderbird.appdata.xml.in
@ -1,50 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <component type="desktop-application">
  <id>thunderbird</id>
  <metadata_license>CC0-1.0</metadata_license>
  <name>Thunderbird</name>
  <summary>Thunderbird is a free and open source email, newsfeed, chat, and calendaring client</summary>
  <description>
    <!-- From https://www.thunderbird.net/en-US/about/  -->
    <p>
      Thunderbird is a free and open source email, newsfeed, chat, and
      calendaring client, that’s easy to set up and customize. One of the core
      principles of Thunderbird is the use and promotion of open standards -
      this focus is a rejection of our world of closed platforms and services
      that can’t communicate with each other. We want our users to have freedom
      and choice in how they communicate.
    </p>
    <p>
      Thunderbird is an open source project, which means anyone can contribute
      ideas, designs, code, and time helping fellow users.
    </p>
  </description>
  <categories>
    <category>Calendar</category>
    <category>Email</category>
    <category>Office</category>
  </categories>
  <url type="homepage">https://www.thunderbird.net/</url>
  <url type="bugtracker">https://bugzilla.mozilla.org/</url>
  <url type="faq">https://support.mozilla.org/kb/thunderbird-faq/</url>
  <url type="help">https://support.mozilla.org/products/thunderbird/</url>
  <url type="donation">https://www.thunderbird.net/donate/</url>
  <url type="translate">https://www.thunderbird.net/participate/</url>
  <project_group>Mozilla</project_group>
  <project_license>MPL-2.0</project_license>
  <developer_name>Thunderbird Project</developer_name>
  <mimetypes>
    <mimetype>message/rfc822</mimetype>
    <mimetype>x-scheme-handler/mailto</mimetype>
    <mimetype>text/calendar</mimetype>
    <mimetype>text/vcard</mimetype>
    <mimetype>text/x-vcard</mimetype>
  </mimetypes>
  <releases>
    <release version="__VERSION__" date="__DATE__"/>
  </releases>
  <update_contact>jhorak@redhat.com</update_contact>
 </component>
--- a/SPECS/thunderbird.spec
+++ b/SPECS/thunderbird.spec