Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0080-1 Final 1 1 2025-01-13T15:30:55Z current 2025-01-13T15:30:55Z 2025-01-13T15:30:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: Update to Mozilla Thunderbird ESR 128.6 (MFSA 2025-05, bsc#1234991) Security fixes: - CVE-2025-0237 (bmo#1915257) WebChannel APIs susceptible to confused deputy attack - CVE-2025-0238 (bmo#1915535) Use-after-free when breaking lines in text - CVE-2025-0239 (bmo#1929156) Alt-Svc ALPN validation failure when redirected - CVE-2025-0240 (bmo#1929623) Compartment mismatch when parsing JavaScript JSON module - CVE-2025-0241 (bmo#1933023) Memory corruption when using JavaScript Text Segmentation - CVE-2025-0242 (bmo#1874523, bmo#1926454, bmo#1931873, bmo#1932169) Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6 - CVE-2025-0243 (bmo#1827142, bmo#1932783) Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6 Other fixes: - fixed: New mail notification was not hidden after reading the new message (bmo#1920077) - fixed: New mail notification could show for the wrong folder, causing repeated alerts (bmo#1926462) - fixed: macOS shortcut CMD+1 did not restore the main window when it was minimized (bmo#1857953) - fixed: Clicking the context menu 'Reply' button resulted in 'Reply-All' (bmo#1935883) - fixed: Switching from 'All', 'Unread', and 'Threads with unread' did not work (bmo#1921618) - fixed: Downloading message headers from a newsgroup could cause a hang (bmo#1931661) - fixed: Message list performance slow when many updates happened at once (bmo#1933104) - fixed: 'mailto:' links did not apply the compose format of the current identity (bmo#550414) - fixed: Authentication failure of AUTH PLAIN or AUTH LOGIN did not fall back to USERPASS (bmo#1928026) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-80,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-80,SUSE-SLE-Product-WE-15-SP6-2025-80,openSUSE-SLE-15.6-2025-80 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250080-1/ Link for SUSE-SU-2025:0080-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020098.html E-Mail link for SUSE-SU-2025:0080-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1234991 SUSE Bug 1234991 https://www.suse.com/security/cve/CVE-2025-0237/ SUSE CVE CVE-2025-0237 page https://www.suse.com/security/cve/CVE-2025-0238/ SUSE CVE CVE-2025-0238 page https://www.suse.com/security/cve/CVE-2025-0239/ SUSE CVE CVE-2025-0239 page https://www.suse.com/security/cve/CVE-2025-0240/ SUSE CVE CVE-2025-0240 page https://www.suse.com/security/cve/CVE-2025-0241/ SUSE CVE CVE-2025-0241 page https://www.suse.com/security/cve/CVE-2025-0242/ SUSE CVE CVE-2025-0242 page https://www.suse.com/security/cve/CVE-2025-0243/ SUSE CVE CVE-2025-0243 page SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Workstation Extension 15 SP6 openSUSE Leap 15.6 MozillaThunderbird-128.6.0-150200.8.197.1 MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 MozillaThunderbird-128.6.0-150200.8.197.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-128.6.0-150200.8.197.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-128.6.0-150200.8.197.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 as a component of openSUSE Leap 15.6 The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0237 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250080-1/ https://www.suse.com/security/cve/CVE-2025-0237.html CVE-2025-0237 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0238 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250080-1/ https://www.suse.com/security/cve/CVE-2025-0238.html CVE-2025-0238 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0239 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250080-1/ https://www.suse.com/security/cve/CVE-2025-0239.html CVE-2025-0239 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0240 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250080-1/ https://www.suse.com/security/cve/CVE-2025-0240.html CVE-2025-0240 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0241 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250080-1/ https://www.suse.com/security/cve/CVE-2025-0241.html CVE-2025-0241 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0242 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250080-1/ https://www.suse.com/security/cve/CVE-2025-0242.html CVE-2025-0242 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0243 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-128.6.0-150200.8.197.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-128.6.0-150200.8.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250080-1/ https://www.suse.com/security/cve/CVE-2025-0243.html CVE-2025-0243 https://bugzilla.suse.com/1234991 SUSE Bug 1234991