{"affected":[{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-common":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-other":"140.1.0-150200.8.230.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP6","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"140.1.0-150200.8.230.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-common":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-other":"140.1.0-150200.8.230.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP7","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"140.1.0-150200.8.230.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-common":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-other":"140.1.0-150200.8.230.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Workstation Extension 15 SP6","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"140.1.0-150200.8.230.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-common":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-other":"140.1.0-150200.8.230.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Workstation Extension 15 SP7","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"140.1.0-150200.8.230.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-common":"140.1.0-150200.8.230.1","MozillaThunderbird-translations-other":"140.1.0-150200.8.230.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"MozillaThunderbird","purl":"pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"140.1.0-150200.8.230.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for MozillaThunderbird fixes the following issues:\n\nUpdate to Mozilla Thunderbird 140.1 (MFSA 2025-63) (bsc#1246664):\n\n- CVE-2025-8027: JavaScript engine only wrote partial return value to stack (bmo#1968423)\n- CVE-2025-8028: Large branch table could lead to truncated instruction (bmo#1971581)\n- CVE-2025-8029: javascript: URLs executed on object and embed tags (bmo#1928021)\n- CVE-2025-8036: DNS rebinding circumvents CORS (bmo#1960834)\n- CVE-2025-8037: Nameless cookies shadow secure cookies (bmo#1964767)\n- CVE-2025-8030: Potential user-assisted code execution in 'Copy as cURL' command (bmo#1968414)\n- CVE-2025-8031: Incorrect URL stripping in CSP reports (bmo#1971719)\n- CVE-2025-8032: XSLT documents could bypass CSP (bmo#1974407)\n- CVE-2025-8038: CSP frame-src was not correctly enforced for paths (bmo#1808979)\n- CVE-2025-8039: Search terms persisted in URL bar (bmo#1970997)\n- CVE-2025-8033: Incorrect JavaScript state machine for generators (bmo#1973990)\n- CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)\n- CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998)\n- CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 (bmo#1975961, bmo#1975961, bmo#1975961)\n\nUpdate to Mozilla Thunderbird 140.0.1 (MFSA 2025-54) (bsc#1244670):\n\n- CVE-2025-6424: Use-after-free in FontFaceSet (bmo#1966423)\n- CVE-2025-6425: The WebCompat WebExtension shipped exposed a persistent UUID (bmo#1717672)\n- CVE-2025-6426: No warning when opening executable terminal files on macOS (bmo#1964385)\n- CVE-2025-6427: connect-src Content Security Policy restriction could be bypassed (bmo#1966927)\n- CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com (bmo#1970658)\n- CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag (bmo#1971140)\n- CVE-2025-6432: DNS Requests leaked outside of a configured SOCKS proxy (bmo#1943804)\n- CVE-2025-6433: WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate (bmo#1954033)\n- CVE-2025-6434: HTTPS-Only exception screen lacked anti-clickjacking delay (bmo#1955182)\n- CVE-2025-6435: Save as in Devtools could download files without sanitizing the extension (bmo#1950056, bmo#1961777)\n- CVE-2025-6436: Memory safety bugs fixed in Firefox 140 and Thunderbird 140 (bmo#1941377, bmo#1960948, bmo#1966187, bmo#1966505, bmo#1970764)\n","id":"SUSE-SU-2025:02546-1","modified":"2025-07-30T07:34:22Z","published":"2025-07-30T07:34:22Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202502546-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1244670"},{"type":"REPORT","url":"https://bugzilla.suse.com/1246664"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6424"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6425"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6426"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6427"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6429"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6430"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6432"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6433"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6434"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6435"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6436"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8027"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8028"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8029"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8030"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8031"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8032"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8033"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8034"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8035"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8036"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8037"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8038"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8039"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8040"}],"related":["CVE-2025-6424","CVE-2025-6425","CVE-2025-6426","CVE-2025-6427","CVE-2025-6429","CVE-2025-6430","CVE-2025-6432","CVE-2025-6433","CVE-2025-6434","CVE-2025-6435","CVE-2025-6436","CVE-2025-8027","CVE-2025-8028","CVE-2025-8029","CVE-2025-8030","CVE-2025-8031","CVE-2025-8032","CVE-2025-8033","CVE-2025-8034","CVE-2025-8035","CVE-2025-8036","CVE-2025-8037","CVE-2025-8038","CVE-2025-8039","CVE-2025-8040"],"summary":"Security update for MozillaThunderbird","upstream":["CVE-2025-6424","CVE-2025-6425","CVE-2025-6426","CVE-2025-6427","CVE-2025-6429","CVE-2025-6430","CVE-2025-6432","CVE-2025-6433","CVE-2025-6434","CVE-2025-6435","CVE-2025-6436","CVE-2025-8027","CVE-2025-8028","CVE-2025-8029","CVE-2025-8030","CVE-2025-8031","CVE-2025-8032","CVE-2025-8033","CVE-2025-8034","CVE-2025-8035","CVE-2025-8036","CVE-2025-8037","CVE-2025-8038","CVE-2025-8039","CVE-2025-8040"]}