MozillaThunderbird-140.4.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16708 Final 1 1 2025-10-18T00:00:00Z current 2025-10-18T00:00:00Z 2025-10-18T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z MozillaThunderbird-140.4.0-1.1 on GA media These are all security issues fixed in the MozillaThunderbird-140.4.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16708 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-11708/ SUSE CVE CVE-2025-11708 page https://www.suse.com/security/cve/CVE-2025-11709/ SUSE CVE CVE-2025-11709 page https://www.suse.com/security/cve/CVE-2025-11710/ SUSE CVE CVE-2025-11710 page https://www.suse.com/security/cve/CVE-2025-11711/ SUSE CVE CVE-2025-11711 page https://www.suse.com/security/cve/CVE-2025-11712/ SUSE CVE CVE-2025-11712 page https://www.suse.com/security/cve/CVE-2025-11713/ SUSE CVE CVE-2025-11713 page https://www.suse.com/security/cve/CVE-2025-11714/ SUSE CVE CVE-2025-11714 page https://www.suse.com/security/cve/CVE-2025-11715/ SUSE CVE CVE-2025-11715 page openSUSE Tumbleweed MozillaThunderbird-140.4.0-1.1 MozillaThunderbird-openpgp-librnp-140.4.0-1.1 MozillaThunderbird-translations-common-140.4.0-1.1 MozillaThunderbird-translations-other-140.4.0-1.1 MozillaThunderbird-140.4.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-openpgp-librnp-140.4.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-common-140.4.0-1.1 as a component of openSUSE Tumbleweed MozillaThunderbird-translations-other-140.4.0-1.1 as a component of openSUSE Tumbleweed Use-after-free in MediaTrackGraphImpl::GetInstance() This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. CVE-2025-11708 openSUSE Tumbleweed:MozillaThunderbird-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-140.4.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11708.html CVE-2025-11708 https://bugzilla.suse.com/1251263 SUSE Bug 1251263 A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. CVE-2025-11709 openSUSE Tumbleweed:MozillaThunderbird-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-140.4.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11709.html CVE-2025-11709 https://bugzilla.suse.com/1251263 SUSE Bug 1251263 A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. CVE-2025-11710 openSUSE Tumbleweed:MozillaThunderbird-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-140.4.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11710.html CVE-2025-11710 https://bugzilla.suse.com/1251263 SUSE Bug 1251263 There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. CVE-2025-11711 openSUSE Tumbleweed:MozillaThunderbird-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-140.4.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11711.html CVE-2025-11711 https://bugzilla.suse.com/1251263 SUSE Bug 1251263 A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. CVE-2025-11712 openSUSE Tumbleweed:MozillaThunderbird-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-140.4.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11712.html CVE-2025-11712 https://bugzilla.suse.com/1251263 SUSE Bug 1251263 Insufficient escaping in the "Copy as cURL" feature could have been used to trick a user into executing unexpected code on Windows. This did not affect Firefox running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. CVE-2025-11713 openSUSE Tumbleweed:MozillaThunderbird-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-140.4.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11713.html CVE-2025-11713 https://bugzilla.suse.com/1251263 SUSE Bug 1251263 Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. CVE-2025-11714 openSUSE Tumbleweed:MozillaThunderbird-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-140.4.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11714.html CVE-2025-11714 https://bugzilla.suse.com/1251263 SUSE Bug 1251263 Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. CVE-2025-11715 openSUSE Tumbleweed:MozillaThunderbird-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-openpgp-librnp-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-common-140.4.0-1.1 openSUSE Tumbleweed:MozillaThunderbird-translations-other-140.4.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11715.html CVE-2025-11715 https://bugzilla.suse.com/1251263 SUSE Bug 1251263