Red Hat Product Errata RHSA-2025:1319 - Security Advisory
Issued:
2025-02-11
Updated:
2025-02-11

RHSA-2025:1319 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

  • firefox: thunderbird: Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7 (CVE-2025-1017)
  • firefox: thunderbird: Use-after-free in Custom Highlight (CVE-2025-1010)
  • firefox: thunderbird: Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7 (CVE-2025-1016)
  • firefox: thunderbird: Potential opening of private browsing tabs in normal browsing windows (CVE-2025-1013)
  • firefox: thunderbird: A bug in WebAssembly code generation could result in a crash (CVE-2025-1011)
  • thunderbird: Unsanitized address book fields (CVE-2025-1015)
  • firefox: thunderbird: Use-after-free in XSLT (CVE-2025-1009)
  • thunderbird: Address of e-mail sender can be spoofed by malicious email (CVE-2025-0510)
  • firefox: thunderbird: Certificate length was not properly checked (CVE-2025-1014)
  • firefox: thunderbird: Use-after-free during concurrent delazification (CVE-2025-1012)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

  • BZ - 2343748 - CVE-2025-1017 firefox: thunderbird: Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7
  • BZ - 2343750 - CVE-2025-1010 firefox: thunderbird: Use-after-free in Custom Highlight
  • BZ - 2343752 - CVE-2025-1016 firefox: thunderbird: Memory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7
  • BZ - 2343754 - CVE-2025-1013 firefox: thunderbird: Potential opening of private browsing tabs in normal browsing windows
  • BZ - 2343756 - CVE-2025-1011 firefox: thunderbird: A bug in WebAssembly code generation could result in a crash
  • BZ - 2343759 - CVE-2025-1015 thunderbird: Unsanitized address book fields
  • BZ - 2343760 - CVE-2025-1009 firefox: thunderbird: Use-after-free in XSLT
  • BZ - 2343762 - CVE-2025-0510 thunderbird: Address of e-mail sender can be spoofed by malicious email
  • BZ - 2343764 - CVE-2025-1014 firefox: thunderbird: Certificate length was not properly checked
  • BZ - 2343765 - CVE-2025-1012 firefox: thunderbird: Use-after-free during concurrent delazification

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0

SRPM
thunderbird-128.7.0-1.el9_0.src.rpm SHA-256: 4e29888ba2913ae472b942124234115065d64dba1b0fa56b530df114bbf1c133
ppc64le
thunderbird-128.7.0-1.el9_0.ppc64le.rpm SHA-256: fc75bb72809afe250b36de1a8b8260ab2790b847901e20e32215e1d45ec96c9c
thunderbird-debuginfo-128.7.0-1.el9_0.ppc64le.rpm SHA-256: 5c6d814df4d2eccffeea36b130eb3fb345553aaef92a61249ef943ed6fa11f5b
thunderbird-debugsource-128.7.0-1.el9_0.ppc64le.rpm SHA-256: 816b2678a2e82f1690b2595893294cdd72e9c6425ed11f4b7d148926754a2e93

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0

SRPM
thunderbird-128.7.0-1.el9_0.src.rpm SHA-256: 4e29888ba2913ae472b942124234115065d64dba1b0fa56b530df114bbf1c133
x86_64
thunderbird-128.7.0-1.el9_0.x86_64.rpm SHA-256: b3430d7667cb3653c99314626a9a292fe9c07e88036dc1fb5bfa28eb3f94ec57
thunderbird-debuginfo-128.7.0-1.el9_0.x86_64.rpm SHA-256: 119dd81b951ea0929891ea2b254f344f87dc4292f9388f14a465a3c451136b40
thunderbird-debugsource-128.7.0-1.el9_0.x86_64.rpm SHA-256: ffbbf3aa26fe3f4660d670ef0d17ae2151f5337ab76a2e5e85d7537027bd3fda

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0

SRPM
thunderbird-128.7.0-1.el9_0.src.rpm SHA-256: 4e29888ba2913ae472b942124234115065d64dba1b0fa56b530df114bbf1c133
aarch64
thunderbird-128.7.0-1.el9_0.aarch64.rpm SHA-256: f14387849de0c0e78a4a089225f430ee390318aa584b5ac6adafa5b7315f7973
thunderbird-debuginfo-128.7.0-1.el9_0.aarch64.rpm SHA-256: 294022b39c8c514fe3f60c06a8a167bd9ef32164227d01dd3a6a518abf2faa3d
thunderbird-debugsource-128.7.0-1.el9_0.aarch64.rpm SHA-256: 4e2def9e102263381be10dcea9ae8ce6bd8b10f30ff9b1199c69f03becbacf3d

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0

SRPM
thunderbird-128.7.0-1.el9_0.src.rpm SHA-256: 4e29888ba2913ae472b942124234115065d64dba1b0fa56b530df114bbf1c133
s390x
thunderbird-128.7.0-1.el9_0.s390x.rpm SHA-256: 13dbb0f7d2c6f7ee9921de870337802b5b4c853d5af123e54018f46fd8ae237d
thunderbird-debuginfo-128.7.0-1.el9_0.s390x.rpm SHA-256: 5916adcd0de4a6e8d64f73bcb2229a88ff855c8221ebdf176a54960001285c4c
thunderbird-debugsource-128.7.0-1.el9_0.s390x.rpm SHA-256: c9a2698b9afd9e0f3d3ad8aee090078f6633d1b7a8f3c5d70fcd173aa86f126e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.