MozillaThunderbird-128.6.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15710 Final 1 1 2025-01-15T00:00:00Z current 2025-01-15T00:00:00Z 2025-01-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z MozillaThunderbird-128.6.0-1.1 on GA media These are all security issues fixed in the MozillaThunderbird-128.6.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15710 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-0237/ SUSE CVE CVE-2025-0237 page https://www.suse.com/security/cve/CVE-2025-0238/ SUSE CVE CVE-2025-0238 page https://www.suse.com/security/cve/CVE-2025-0239/ SUSE CVE CVE-2025-0239 page https://www.suse.com/security/cve/CVE-2025-0240/ SUSE CVE CVE-2025-0240 page https://www.suse.com/security/cve/CVE-2025-0241/ SUSE CVE CVE-2025-0241 page https://www.suse.com/security/cve/CVE-2025-0242/ SUSE CVE CVE-2025-0242 page https://www.suse.com/security/cve/CVE-2025-0243/ SUSE CVE CVE-2025-0243 page openSUSE Tumbleweed MozillaThunderbird-128.6.0-1.1 MozillaThunderbird-openpgp-librnp-128.6.0-1.1 MozillaThunderbird-translations-common-128.6.0-1.1 MozillaThunderbird-translations-other-128.6.0-1.1 MozillaThunderbird-128.6.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-openpgp-librnp-128.6.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-common-128.6.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-other-128.6.0-1.1 as a component of openSUSE Tumbleweed The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0237 openSUSE Tumbleweed:MozillaThunderbird-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.6.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0237.html CVE-2025-0237 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0238 openSUSE Tumbleweed:MozillaThunderbird-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.6.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0238.html CVE-2025-0238 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0239 openSUSE Tumbleweed:MozillaThunderbird-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.6.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0239.html CVE-2025-0239 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0240 openSUSE Tumbleweed:MozillaThunderbird-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.6.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0240.html CVE-2025-0240 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0241 openSUSE Tumbleweed:MozillaThunderbird-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.6.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0241.html CVE-2025-0241 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0242 openSUSE Tumbleweed:MozillaThunderbird-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.6.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0242.html CVE-2025-0242 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0243 openSUSE Tumbleweed:MozillaThunderbird-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.6.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.6.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0243.html CVE-2025-0243 https://bugzilla.suse.com/1234991 SUSE Bug 1234991