Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03007-1 Final 1 1 2025-08-28T08:03:38Z current 2025-08-28T08:03:38Z 2025-08-28T08:03:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: Updated to Mozilla Thunderbird 140.2 MFSA 2025-72 (bsc#1248162): * CVE-2025-9179: Sandbox escape due to invalid pointer in the Audio/Video: GMP component * CVE-2025-9180: Same-origin policy bypass in the Graphics: Canvas2D component * CVE-2025-9181: Uninitialized memory in the JavaScript Engine component * CVE-2025-9182: Denial-of-service due to out-of-memory in the Graphics: WebRender component * CVE-2025-9184: Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 * CVE-2025-9185: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 Other fixes: * Users were unable to use Fastmail calendars due to missing OAuth settings * Account setup error handling was broken for Account hub * Menu bar was hidden after updating from 128esr to 140esr The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3007,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-3007,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-3007,SUSE-SLE-Product-WE-15-SP6-2025-3007,SUSE-SLE-Product-WE-15-SP7-2025-3007,openSUSE-SLE-15.6-2025-3007 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503007-1/ Link for SUSE-SU-2025:03007-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041411.html E-Mail link for SUSE-SU-2025:03007-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1248162 SUSE Bug 1248162 https://www.suse.com/security/cve/CVE-2025-9179/ SUSE CVE CVE-2025-9179 page https://www.suse.com/security/cve/CVE-2025-9180/ SUSE CVE CVE-2025-9180 page https://www.suse.com/security/cve/CVE-2025-9181/ SUSE CVE CVE-2025-9181 page https://www.suse.com/security/cve/CVE-2025-9182/ SUSE CVE CVE-2025-9182 page https://www.suse.com/security/cve/CVE-2025-9184/ SUSE CVE CVE-2025-9184 page https://www.suse.com/security/cve/CVE-2025-9185/ SUSE CVE CVE-2025-9185 page SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP6 SUSE Linux Enterprise Workstation Extension 15 SP7 openSUSE Leap 15.6 MozillaThunderbird-140.2.0-150200.8.236.1 MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 MozillaThunderbird-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 MozillaThunderbird-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 MozillaThunderbird-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP6 MozillaThunderbird-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP7 MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP7 MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP7 MozillaThunderbird-140.2.0-150200.8.236.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 as a component of openSUSE Leap 15.6 MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 as a component of openSUSE Leap 15.6 An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9179 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503007-1/ https://www.suse.com/security/cve/CVE-2025-9179.html CVE-2025-9179 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 'Same-origin policy bypass in the Graphics: Canvas2D component.' This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9180 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503007-1/ https://www.suse.com/security/cve/CVE-2025-9180.html CVE-2025-9180 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9181 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503007-1/ https://www.suse.com/security/cve/CVE-2025-9181.html CVE-2025-9181 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 'Denial-of-service due to out-of-memory in the Graphics: WebRender component.' This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. CVE-2025-9182 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503007-1/ https://www.suse.com/security/cve/CVE-2025-9182.html CVE-2025-9182 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. CVE-2025-9184 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503007-1/ https://www.suse.com/security/cve/CVE-2025-9184.html CVE-2025-9184 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9185 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 SUSE Linux Enterprise Workstation Extension 15 SP7:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-common-140.2.0-150200.8.236.1 openSUSE Leap 15.6:MozillaThunderbird-translations-other-140.2.0-150200.8.236.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503007-1/ https://www.suse.com/security/cve/CVE-2025-9185.html CVE-2025-9185 https://bugzilla.suse.com/1248162 SUSE Bug 1248162