RLSA-2025:13676

Synopsis

Important: thunderbird security update

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* firefox: thunderbird: Large branch table could lead to truncated instruction (CVE-2025-8028)

* firefox: thunderbird: Memory safety bugs (CVE-2025-8035)

* firefox: thunderbird: Incorrect URL stripping in CSP reports (CVE-2025-8031)

* firefox: thunderbird: JavaScript engine only wrote partial return value to stack (CVE-2025-8027)

* firefox: thunderbird: Potential user-assisted code execution in ?Copy as cURL? command (CVE-2025-8030)

* firefox: Memory safety bugs (CVE-2025-8034)

* firefox: thunderbird: Incorrect JavaScript state machine for generators (CVE-2025-8033)

* firefox: thunderbird: XSLT documents could bypass CSP (CVE-2025-8032)

* firefox: thunderbird: javascript: URLs executed on object and embed tags (CVE-2025-8029)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected products

Rocky Linux 8 aarch64 Rocky Linux 8 x86_64

Fixes

2382701 2382703 2382704 2382707 2382710 2382711 2382717 2382718 2382720

CVEs

CVE-2025-8027 CVE-2025-8028 CVE-2025-8029 CVE-2025-8030 CVE-2025-8031 CVE-2025-8032 CVE-2025-8033 CVE-2025-8034 CVE-2025-8035

Affected packages

Rocky Linux 8 aarch64 - AppStream

thunderbird-0:128.13.0-3.el8_10.aarch64.rpm thunderbird-0:128.13.0-3.el8_10.src.rpm thunderbird-debuginfo-0:128.13.0-3.el8_10.aarch64.rpm thunderbird-debugsource-0:128.13.0-3.el8_10.aarch64.rpm

Rocky Linux 8 x86_64 - AppStream

thunderbird-0:128.13.0-3.el8_10.src.rpm thunderbird-0:128.13.0-3.el8_10.x86_64.rpm thunderbird-debuginfo-0:128.13.0-3.el8_10.x86_64.rpm thunderbird-debugsource-0:128.13.0-3.el8_10.x86_64.rpm