{"affected":[{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"128.7.0-150200.8.200.1","MozillaThunderbird-translations-common":"128.7.0-150200.8.200.1","MozillaThunderbird-translations-other":"128.7.0-150200.8.200.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP6","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"128.7.0-150200.8.200.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"128.7.0-150200.8.200.1","MozillaThunderbird-translations-common":"128.7.0-150200.8.200.1","MozillaThunderbird-translations-other":"128.7.0-150200.8.200.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Workstation Extension 15 SP6","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"128.7.0-150200.8.200.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"128.7.0-150200.8.200.1","MozillaThunderbird-translations-common":"128.7.0-150200.8.200.1","MozillaThunderbird-translations-other":"128.7.0-150200.8.200.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"MozillaThunderbird","purl":"pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"128.7.0-150200.8.200.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for MozillaThunderbird fixes the following issues:\n\nUpdate to Mozilla Thunderbird 128.7 (MFSA 2025-10, bsc#1236539).\n\nSecurity fixes:\n\n  - CVE-2025-1009: use-after-free in XSLT.\n  - CVE-2025-1010: use-after-free in Custom Highlight.\n  - CVE-2025-1011: a bug in WebAssembly code generation could result in a crash.\n  - CVE-2025-1012: use-after-free during concurrent delazification.\n  - CVE-2024-11704: potential double-free vulnerability in PKCS#7 decryption handling.\n  - CVE-2025-1013: potential opening of private browsing tabs in normal browsing windows.\n  - CVE-2025-1014: certificate length was not properly checked.\n  - CVE-2025-1015: unsanitized address book fields.\n  - CVE-2025-0510: address of e-mail sender can be spoofed by malicious email.\n  - CVE-2025-1016: memory safety bugs.\n  - CVE-2025-1017: memory safety bugs.\n\nOther fixes:\n\n  - fixed: images inside links could zoom when clicked instead of opening the link.\n  - fixed: compacting an empty folder failed with write error.\n  - fixed: compacting of IMAP folder with corrupted local storage failed with write error.\n  - fixed: after restart, all restored tabs with opened PDFs showed the same attachment.\n  - fixed: exceptions during CalDAV item processing would halt subsequent item handling.\n  - fixed: context menu was unable to move email address to a different field.\n  - fixed: link at about:rights pointed to Firefox privacy policy instead of Thunderbird's.\n  - fixed: POP3 'fetch headers only' and 'get selected messages' could delete messages.\n  - fixed: 'Search Online' checkbox in saved search properties was incorrectly disabled.\n  - fixed: POP3 status message showed incorrect download count when messages were deleted.\n  - fixed: space bar did not always advance to the next unread message.\n  - fixed: folder creation or renaming failed due to incorrect preference settings.\n  - fixed: forwarding/editing S/MIME drafts/templates unusable due to regression (bsc#1236411).\n  - fixed: sort order in 'Search Messages' panel reset after search or on first launch.\n  - fixed: reply window added an unnecessary third blank line at the top.\n  - fixed: Thunderbird spell check box did not allow ENTER to accept suggested changes.\n  - fixed: long email subject lines could overlap window control buttons on macOS.\n  - fixed: flathub manifest link was not correct.\n  - fixed: 'Prefer client-side email scheduling' needed to be selected twice.\n  - fixed: duplicate invitations were sent if CALDAV calendar email case did not match.\n  - fixed: visual and UX improvements.\n","id":"SUSE-SU-2025:0405-1","modified":"2025-02-10T13:54:51Z","published":"2025-02-10T13:54:51Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-20250405-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1236411"},{"type":"REPORT","url":"https://bugzilla.suse.com/1236539"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-11704"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-0510"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1009"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1010"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1011"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1012"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1013"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1014"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1015"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1016"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1017"}],"related":["CVE-2024-11704","CVE-2025-0510","CVE-2025-1009","CVE-2025-1010","CVE-2025-1011","CVE-2025-1012","CVE-2025-1013","CVE-2025-1014","CVE-2025-1015","CVE-2025-1016","CVE-2025-1017"],"summary":"Security update for MozillaThunderbird","upstream":["CVE-2024-11704","CVE-2025-0510","CVE-2025-1009","CVE-2025-1010","CVE-2025-1011","CVE-2025-1012","CVE-2025-1013","CVE-2025-1014","CVE-2025-1015","CVE-2025-1016","CVE-2025-1017"]}