Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
Security Fix(es):
* thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link (CVE-2025-3909)
* thunderbird: Sender Spoofing via Malformed From Header in Thunderbird (CVE-2025-3875)
* thunderbird: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links (CVE-2025-3877)
* thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking (CVE-2025-3932)
* firefox: thunderbird: Out-of-bounds access when resolving Promise objects (CVE-2025-4918)
* firefox: thunderbird: Out-of-bounds access when optimizing linear sums (CVE-2025-4919)
* firefox: thunderbird: Clickjacking vulnerability could have led to leaking saved payment card details (CVE-2025-5267)
* firefox: thunderbird: Potential local code execution in ?Copy as cURL? command (CVE-2025-5264)
* firefox: thunderbird: Memory safety bugs (CVE-2025-5268)
* firefox: thunderbird: Script element events leaked cross-origin resource status (CVE-2025-5266)
* firefox: thunderbird: Error handling for script execution was incorrectly isolated from web content (CVE-2025-5263)
* firefox: thunderbird: Memory safety bug (CVE-2025-5269)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture |
Package |
Checksum |
aarch64 |
thunderbird-128.11.0-1.el8_10.alma.1.aarch64.rpm |
6c0d890f571dcf9311e076f1fc5fbd44402d05423a54cc2c891a1f2b09cf9281 |
ppc64le |
thunderbird-128.11.0-1.el8_10.alma.1.ppc64le.rpm |
faf6883dedb0d478d83367da50cacef76418232657bf9a8d6844e1819bf7b53f |
s390x |
thunderbird-128.11.0-1.el8_10.alma.1.s390x.rpm |
e8f3d14ea889e5fb53fc4695daf42d0330b8dc3d0c368458115bf9b3e59302cd |
x86_64 |
thunderbird-128.11.0-1.el8_10.alma.1.x86_64.rpm |
20aad2d89fb8a9ef24544c394150c6c3715e1d8dd63e98b2d0e948219e2f9c07 |