Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20002-1 Final 1 1 2026-01-02T12:14:18Z current 2026-01-02T12:14:18Z 2026-01-02T12:14:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: Changes in MozillaThunderbird: Mozilla Thunderbird 140.5.0 ESR MFSA 2025-91 (bsc#1253188): * CVE-2025-13012 Race condition in the Graphics component * CVE-2025-13016 Incorrect boundary conditions in the JavaScript: WebAssembly component * CVE-2025-13017 Same-origin policy bypass in the DOM: Notifications component * CVE-2025-13018 Mitigation bypass in the DOM: Security component * CVE-2025-13019 Same-origin policy bypass in the DOM: Workers component * CVE-2025-13013 Mitigation bypass in the DOM: Core & HTML component * CVE-2025-13020 Use-after-free in the WebRTC: Audio/Video component * CVE-2025-13014 Use-after-free in the Audio/Video component * CVE-2025-13015 Spoofing issue in Thunderbird * fixed: Could not drag and drop ICS file to Today Pane * fixed: With Thunderbird closed, clicking a 'mailto:' link to send signed message failed * fixed: Upgrade from 128.x->140.x broke authentication for @att.net using Yahoo backend Mozilla Thunderbird 140.4.0 ESR * Account Hub is now disabled by default for second email account * Users could not read mail signed with OpenPGP v6 and PQC keys * Image preview in Insert Image dialog failed with CSP error for web resources * Emptying trash on exit did not work with some providers * Thunderbird could crash when applying filters * Users were unable to override expired mail server certificate * Opening Website header link in RSS feed incorrectly re-encoded URL parameters Mozilla Thunderbird 140.3.1 ESR: * several bugfixes listed here https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes ------------------------------------------------------------------- The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-packagehub-27 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1253188 SUSE Bug 1253188 https://www.suse.com/security/cve/CVE-2025-13012/ SUSE CVE CVE-2025-13012 page https://www.suse.com/security/cve/CVE-2025-13013/ SUSE CVE CVE-2025-13013 page https://www.suse.com/security/cve/CVE-2025-13014/ SUSE CVE CVE-2025-13014 page https://www.suse.com/security/cve/CVE-2025-13015/ SUSE CVE CVE-2025-13015 page https://www.suse.com/security/cve/CVE-2025-13016/ SUSE CVE CVE-2025-13016 page https://www.suse.com/security/cve/CVE-2025-13017/ SUSE CVE CVE-2025-13017 page https://www.suse.com/security/cve/CVE-2025-13018/ SUSE CVE CVE-2025-13018 page https://www.suse.com/security/cve/CVE-2025-13019/ SUSE CVE CVE-2025-13019 page https://www.suse.com/security/cve/CVE-2025-13020/ SUSE CVE CVE-2025-13020 page openSUSE Leap 16.0 MozillaThunderbird-140.5.0-bp160.1.1 MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 MozillaThunderbird-translations-common-140.5.0-bp160.1.1 MozillaThunderbird-translations-other-140.5.0-bp160.1.1 MozillaThunderbird-140.5.0-bp160.1.1 as a component of openSUSE Leap 16.0 MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 as a component of openSUSE Leap 16.0 MozillaThunderbird-translations-common-140.5.0-bp160.1.1 as a component of openSUSE Leap 16.0 MozillaThunderbird-translations-other-140.5.0-bp160.1.1 as a component of openSUSE Leap 16.0 Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. CVE-2025-13012 openSUSE Leap 16.0:MozillaThunderbird-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.5.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13012.html CVE-2025-13012 https://bugzilla.suse.com/1253188 SUSE Bug 1253188 Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. CVE-2025-13013 openSUSE Leap 16.0:MozillaThunderbird-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.5.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13013.html CVE-2025-13013 https://bugzilla.suse.com/1253188 SUSE Bug 1253188 Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. CVE-2025-13014 openSUSE Leap 16.0:MozillaThunderbird-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.5.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13014.html CVE-2025-13014 https://bugzilla.suse.com/1253188 SUSE Bug 1253188 Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. CVE-2025-13015 openSUSE Leap 16.0:MozillaThunderbird-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.5.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13015.html CVE-2025-13015 https://bugzilla.suse.com/1253188 SUSE Bug 1253188 Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. CVE-2025-13016 openSUSE Leap 16.0:MozillaThunderbird-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.5.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13016.html CVE-2025-13016 https://bugzilla.suse.com/1253188 SUSE Bug 1253188 Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. CVE-2025-13017 openSUSE Leap 16.0:MozillaThunderbird-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.5.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13017.html CVE-2025-13017 https://bugzilla.suse.com/1253188 SUSE Bug 1253188 Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. CVE-2025-13018 openSUSE Leap 16.0:MozillaThunderbird-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.5.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13018.html CVE-2025-13018 https://bugzilla.suse.com/1253188 SUSE Bug 1253188 Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. CVE-2025-13019 openSUSE Leap 16.0:MozillaThunderbird-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.5.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13019.html CVE-2025-13019 https://bugzilla.suse.com/1253188 SUSE Bug 1253188 Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. CVE-2025-13020 openSUSE Leap 16.0:MozillaThunderbird-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.5.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.5.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-13020.html CVE-2025-13020 https://bugzilla.suse.com/1253188 SUSE Bug 1253188