{"affected":[{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"128.8.0-150200.8.203.1","MozillaThunderbird-translations-common":"128.8.0-150200.8.203.1","MozillaThunderbird-translations-other":"128.8.0-150200.8.203.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP6","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"128.8.0-150200.8.203.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"128.8.0-150200.8.203.1","MozillaThunderbird-translations-common":"128.8.0-150200.8.203.1","MozillaThunderbird-translations-other":"128.8.0-150200.8.203.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Workstation Extension 15 SP6","name":"MozillaThunderbird","purl":"pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"128.8.0-150200.8.203.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"128.8.0-150200.8.203.1","MozillaThunderbird-translations-common":"128.8.0-150200.8.203.1","MozillaThunderbird-translations-other":"128.8.0-150200.8.203.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"MozillaThunderbird","purl":"pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"128.8.0-150200.8.203.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for MozillaThunderbird fixes the following issues:\n\n  Updated to Mozilla Thunderbird 128.8 MFSA 2025-18 (bsc#1237683):\n    \n  - CVE-2024-43097: Overflow when growing an SkRegion's RunArray\n  - CVE-2025-1930: AudioIPC StreamData could trigger a use-after-free in the\n    Browser process\n  - CVE-2025-1931: Use-after-free in WebTransportChild\n  - CVE-2025-1932: Inconsistent comparator in XSLT sorting led to 
out-of-bounds\n    access\n  - CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs\n  - CVE-2025-1934: Unexpected GC during RegExp bailout processing\n  - CVE-2025-1935: Clickjacking the registerProtocolHandler info-bar\n  - CVE-2025-1936: Adding %00 and a fake extension to a jar: URL changed the\n    interpretation of the contents\n  - CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird 136,\n    Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8\n  - CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird 136,\n    Firefox ESR 128.8, and Thunderbird 128.8\n  - CVE-2025-26695: Downloading of OpenPGP keys from WKD used incorrect padding\n  - CVE-2025-26696: Crafted email message incorrectly shown as being encrypted  \n  \n  Other fixes:\n  * Opening an .EML file in profiles with many folders\n    could take a long time.\n  * Users with many folders experienced poor performance\n    when resizing message panes.\n  * 'Replace' button in compose window was overwritten\n    when the window was narrow.\n  * Export to mobile did not work when 'Use default\n    server' was selected.\n  * 'Save Link As' was not working in feed web content.\n 
\n","id":"SUSE-SU-2025:0849-1","modified":"2025-03-12T15:12:43Z","published":"2025-03-12T15:12:43Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-20250849-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1237683"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-43097"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1930"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1931"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1932"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1933"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1934"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1935"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1936"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1937"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1938"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-26695"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-26696"}],"related":["CVE-2024-43097","CVE-2025-1930","CVE-2025-1931","CVE-2025-1932","CVE-2025-1933","CVE-2025-1934","CVE-2025-1935","CVE-2025-1936","CVE-2025-1937","CVE-2025-1938","CVE-2025-26695","CVE-2025-26696"],"summary":"Security update for MozillaThunderbird","upstream":["CVE-2024-43097","CVE-2025-1930","CVE-2025-1931","CVE-2025-1932","CVE-2025-1933","CVE-2025-1934","CVE-2025-1935","CVE-2025-1936","CVE-2025-1937","CVE-2025-1938","CVE-2025-26695","CVE-2025-26696"]}