SUSE alert openSUSE-SU-2025-20011-1 (thunderbird)

From:
             
 
meissner@suse.com
To:
             
 
security-announce@lists.opensuse.org
Subject:
             
 
openSUSE-SU-2025-20011-1: moderate: Security update for MozillaThunderbird
Date:
             
 
Mon, 10 Nov 2025 17:30:12 +0100
Message-ID:
             
 
<20251110163012.C70BFFBA0@maintenance.suse.de>
Archive-link:
             
 
Article
openSUSE security update: security update for mozillathunderbird
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2025-20011-1
Rating: moderate
References:

  * bsc#1247774
  * bsc#1251263



Cross-References:

  * CVE-2025-11708
  * CVE-2025-11709
  * CVE-2025-11710
  * CVE-2025-11711
  * CVE-2025-11712
  * CVE-2025-11713
  * CVE-2025-11714
  * CVE-2025-11715



Affected Products:

         openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 8 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

Mozilla Thunderbird 140.4:

  * changed: Account Hub is now disabled by default for second
    email account
  * changed: Flatpak runtime has been updated to Freedesktop SDK
    24.08
  * fixed: Users could not read mail signed with OpenPGP v6 and
    PQC keys
  * fixed: Image preview in Insert Image dialog failed with CSP
    error for web resources
  * fixed: Emptying trash on exit did not work with some
    providers
  * fixed: Thunderbird could crash when applying filters
  * fixed: Users were unable to override expired mail server
    certificate
  * fixed: Opening Website header link in RSS feed incorrectly
    re-encoded URL parameters
  * fixed: Security fixes

MFSA 2025-85 (bsc#1251263):

  * CVE-2025-11708
    Use-after-free in MediaTrackGraphImpl::GetInstance()
  * CVE-2025-11709
    Out of bounds read/write in a privileged process triggered by
    WebGL textures
  * CVE-2025-11710
    Cross-process information leaked due to malicious IPC
    messages
  * CVE-2025-11711
    Some non-writable Object properties could be modified
  * CVE-2025-11712
    An OBJECT tag type attribute overrode browser behavior on web
    resources without a content-type
  * CVE-2025-11713
    Potential user-assisted code execution in “Copy as cURL”
    command
  * CVE-2025-11714
    Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
    140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  * CVE-2025-11715
    Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
    ESR 140.4, Firefox 144 and Thunderbird 144


Patch instructions:

   To install this openSUSE security update use the suse recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

   zypper in -t patch openSUSE-Leap-16.0-packagehub-15=1

Package List:

- openSUSE Leap 16.0:

  MozillaThunderbird-140.4.0-bp160.1.1
  MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1
  MozillaThunderbird-translations-common-140.4.0-bp160.1.1
  MozillaThunderbird-translations-other-140.4.0-bp160.1.1

References:

  * https://www.suse.com/security/cve/CVE-2025-11708.html
  * https://www.suse.com/security/cve/CVE-2025-11709.html
  * https://www.suse.com/security/cve/CVE-2025-11710.html
  * https://www.suse.com/security/cve/CVE-2025-11711.html
  * https://www.suse.com/security/cve/CVE-2025-11712.html
  * https://www.suse.com/security/cve/CVE-2025-11713.html
  * https://www.suse.com/security/cve/CVE-2025-11714.html
  * https://www.suse.com/security/cve/CVE-2025-11715.html