RLSA-2025:21881

Security

Mirrored from RHSA-2025:21881

Issued at: 2025-11-21

Updated at: 2025-11-23

Synopsis

Important: thunderbird security update

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* firefox: Mitigation bypass in the DOM: Security component (CVE-2025-13018)

* firefox: Use-after-free in the Audio/Video component (CVE-2025-13014)

* firefox: Incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016)

* firefox: Same-origin policy bypass in the DOM: Workers component (CVE-2025-13019)

* firefox: Use-after-free in the WebRTC: Audio/Video component (CVE-2025-13020)

* firefox: Race condition in the Graphics component (CVE-2025-13012)

* firefox: Spoofing issue in Firefox (CVE-2025-13015)

* firefox: Mitigation bypass in the DOM: Core & HTML component (CVE-2025-13013)

* firefox: Same-origin policy bypass in the DOM: Notifications component (CVE-2025-13017)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected products

Rocky Linux 8 aarch64

Rocky Linux 8 x86_64

Fixes

2414079

2414080

2414083

2414084

2414085

2414086

2414090

2414091

2414092

CVEs

CVE-2025-13012

CVE-2025-13013

CVE-2025-13014

CVE-2025-13015

CVE-2025-13016

CVE-2025-13017

CVE-2025-13018

CVE-2025-13019

CVE-2025-13020

Affected packages

Rocky Linux 8 aarch64 - AppStream

thunderbird-0:140.5.0-2.el8_10.aarch64.rpm

thunderbird-0:140.5.0-2.el8_10.src.rpm

thunderbird-debuginfo-0:140.5.0-2.el8_10.aarch64.rpm

thunderbird-debugsource-0:140.5.0-2.el8_10.aarch64.rpm

Rocky Linux 8 x86_64 - AppStream

thunderbird-0:140.5.0-2.el8_10.src.rpm

thunderbird-0:140.5.0-2.el8_10.x86_64.rpm

thunderbird-debuginfo-0:140.5.0-2.el8_10.x86_64.rpm

thunderbird-debugsource-0:140.5.0-2.el8_10.x86_64.rpm