
SUSE alert openSUSE-SU-2025-20006-1 (thunderbird)

From:  meissner@suse.com
To:  security-announce@lists.opensuse.org
Subject:  openSUSE-SU-2025-20006-1: important: Security update for MozillaThunderbird
Date:  Mon, 10 Nov 2025 17:30:11 +0100
Message-ID:  <20251110163011.A00F1FBA0@maintenance.suse.de>

openSUSE security update: security update for mozillathunderbird
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2025-20006-1
Rating: important
References:

  * bsc#1249391

Cross-References:

  * CVE-2025-10527
  * CVE-2025-10528
  * CVE-2025-10529
  * CVE-2025-10532
  * CVE-2025-10533
  * CVE-2025-10536
  * CVE-2025-10537

Affected Products:

  openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 7 vulnerabilities and has one bug fix can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

Changes in MozillaThunderbird:

Mozilla Thunderbird 140.3.0 ESR:

  * Right-clicking 'List-ID' -> 'Unsubscribe' created double encoded draft subject
  * Thunderbird could crash on startup
  * Thunderbird could crash when importing mail
  * Opening Website header link in RSS feed incorrectly re-encoded URL parameters

MFSA 2025-78 (bsc#1249391)

  * CVE-2025-10527 Sandbox escape due to use-after-free in the Graphics: Canvas2D component
  * CVE-2025-10528 Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component
  * CVE-2025-10529 Same-origin policy bypass in the Layout component
  * CVE-2025-10532 Incorrect boundary conditions in the JavaScript: GC component
  * CVE-2025-10533 Integer overflow in the SVG component
  * CVE-2025-10536 Information disclosure in the Networking: Cache component
  * CVE-2025-10537 Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  - openSUSE Leap 16.0

    zypper in -t patch openSUSE-Leap-16.0-packagehub-10=1

Package List:

  - openSUSE Leap 16.0:

    MozillaThunderbird-140.3.0-bp160.1.1
    MozillaThunderbird-openpgp-librnp-140.3.0-bp160.1.1
    MozillaThunderbird-translations-common-140.3.0-bp160.1.1
    MozillaThunderbird-translations-other-140.3.0-bp160.1.1

References:

  * https://www.suse.com/security/cve/CVE-2025-10527.html
  * https://www.suse.com/security/cve/CVE-2025-10528.html
  * https://www.suse.com/security/cve/CVE-2025-10529.html
  * https://www.suse.com/security/cve/CVE-2025-10532.html
  * https://www.suse.com/security/cve/CVE-2025-10533.html
  * https://www.suse.com/security/cve/CVE-2025-10536.html
  * https://www.suse.com/security/cve/CVE-2025-10537.html




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds