{"affected":[{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"140.5.0-bp160.1.1","MozillaThunderbird-openpgp-librnp":"140.5.0-bp160.1.1","MozillaThunderbird-translations-common":"140.5.0-bp160.1.1","MozillaThunderbird-translations-other":"140.5.0-bp160.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"MozillaThunderbird","purl":"pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"140.5.0-bp160.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for MozillaThunderbird fixes the following issues:\n\nChanges in MozillaThunderbird:\n\nMozilla Thunderbird 140.5.0 ESR\n\nMFSA 2025-91 (bsc#1253188):\n\n  * CVE-2025-13012\n    Race condition in the Graphics component\n  * CVE-2025-13016\n    Incorrect boundary conditions in the JavaScript: WebAssembly\n    component\n  * CVE-2025-13017\n    Same-origin policy bypass in the DOM: Notifications component\n  * CVE-2025-13018\n    Mitigation bypass in the DOM: Security component\n  * CVE-2025-13019\n    Same-origin policy bypass in the DOM: Workers component\n  * CVE-2025-13013\n    Mitigation bypass in the DOM: Core & HTML component\n  * CVE-2025-13020\n    Use-after-free in the WebRTC: Audio/Video component\n  * CVE-2025-13014\n    Use-after-free in the Audio/Video component\n  * CVE-2025-13015\n    Spoofing issue in Thunderbird\n  * fixed: Could not drag and drop ICS file to Today Pane\n  * fixed: With Thunderbird closed, clicking a 'mailto:' link to\n    send signed message failed\n  * fixed: Upgrade from 128.x->140.x broke authentication for\n    @att.net using Yahoo backend\n\nMozilla Thunderbird 140.4.0 ESR\n\n  * Account Hub is now disabled by default for second email account\n  * Users could not read mail signed with OpenPGP v6 and PQC keys\n  * Image preview in Insert Image dialog failed with CSP error for web resources\n  * Emptying trash on exit did not work with some providers\n  * Thunderbird could crash when applying filters\n  * Users were unable to override expired mail server certificate\n  * Opening Website header link in RSS feed incorrectly re-encoded\n    URL parameters\n\nMozilla Thunderbird 140.3.1 ESR:\n\n  * several bugfixes listed here\n    https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes\n-------------------------------------------------------------------\n","id":"openSUSE-SU-2026:20002-1","modified":"2026-01-02T12:14:18Z","published":"2026-01-02T12:14:18Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1253188"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13012"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13013"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13014"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13015"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13016"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13017"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13018"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13019"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13020"}],"related":["CVE-2025-13012","CVE-2025-13013","CVE-2025-13014","CVE-2025-13015","CVE-2025-13016","CVE-2025-13017","CVE-2025-13018","CVE-2025-13019","CVE-2025-13020"],"summary":"Security update for MozillaThunderbird","upstream":["CVE-2025-13012","CVE-2025-13013","CVE-2025-13014","CVE-2025-13015","CVE-2025-13016","CVE-2025-13017","CVE-2025-13018","CVE-2025-13019","CVE-2025-13020"]}