MozillaThunderbird-128.12.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16374 Final 1 1 2025-07-06T00:00:00Z current 2025-07-06T00:00:00Z 2025-07-06T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z MozillaThunderbird-128.12.0-1.1 on GA media These are all security issues fixed in the MozillaThunderbird-128.12.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16374 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-6424/ SUSE CVE CVE-2025-6424 page https://www.suse.com/security/cve/CVE-2025-6425/ SUSE CVE CVE-2025-6425 page https://www.suse.com/security/cve/CVE-2025-6426/ SUSE CVE CVE-2025-6426 page https://www.suse.com/security/cve/CVE-2025-6429/ SUSE CVE CVE-2025-6429 page https://www.suse.com/security/cve/CVE-2025-6430/ SUSE CVE CVE-2025-6430 page openSUSE Tumbleweed MozillaThunderbird-128.12.0-1.1 MozillaThunderbird-openpgp-librnp-128.12.0-1.1 MozillaThunderbird-translations-common-128.12.0-1.1 MozillaThunderbird-translations-other-128.12.0-1.1 MozillaThunderbird-128.12.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-openpgp-librnp-128.12.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-common-128.12.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-other-128.12.0-1.1 as a component of openSUSE Tumbleweed A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6424 openSUSE Tumbleweed:MozillaThunderbird-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.12.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-6424.html CVE-2025-6424 https://bugzilla.suse.com/1244670 SUSE Bug 1244670 An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6425 openSUSE Tumbleweed:MozillaThunderbird-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.12.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-6425.html CVE-2025-6425 https://bugzilla.suse.com/1244670 SUSE Bug 1244670 The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6426 openSUSE Tumbleweed:MozillaThunderbird-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.12.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-6426.html CVE-2025-6426 https://bugzilla.suse.com/1244670 SUSE Bug 1244670 Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6429 openSUSE Tumbleweed:MozillaThunderbird-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.12.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-6429.html CVE-2025-6429 https://bugzilla.suse.com/1244670 SUSE Bug 1244670 When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `&lt;embed&gt;` or `&lt;object&gt;` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6430 openSUSE Tumbleweed:MozillaThunderbird-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-128.12.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-128.12.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-6430.html CVE-2025-6430 https://bugzilla.suse.com/1244670 SUSE Bug 1244670