Red Hat Product Errata RHSA-2025:13648 - Security Advisory
Issued:
2025-08-11
Updated:
2025-08-11

RHSA-2025:13648 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

  • firefox: thunderbird: Large branch table could lead to truncated instruction (CVE-2025-8028)
  • firefox: thunderbird: Memory safety bugs (CVE-2025-8035)
  • firefox: thunderbird: Incorrect URL stripping in CSP reports (CVE-2025-8031)
  • firefox: thunderbird: JavaScript engine only wrote partial return value to stack (CVE-2025-8027)
  • firefox: thunderbird: Potential user-assisted code execution in ?Copy as cURL? command (CVE-2025-8030)
  • firefox: Memory safety bugs (CVE-2025-8034)
  • firefox: thunderbird: Incorrect JavaScript state machine for generators (CVE-2025-8033)
  • firefox: thunderbird: XSLT documents could bypass CSP (CVE-2025-8032)
  • firefox: thunderbird: javascript: URLs executed on object and embed tags (CVE-2025-8029)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server - AUS 9.2 x86_64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x

Fixes

  • BZ - 2382701 - CVE-2025-8028 firefox: thunderbird: Large branch table could lead to truncated instruction
  • BZ - 2382703 - CVE-2025-8035 firefox: thunderbird: Memory safety bugs
  • BZ - 2382704 - CVE-2025-8031 firefox: thunderbird: Incorrect URL stripping in CSP reports
  • BZ - 2382707 - CVE-2025-8027 firefox: thunderbird: JavaScript engine only wrote partial return value to stack
  • BZ - 2382710 - CVE-2025-8030 firefox: thunderbird: Potential user-assisted code execution in ?Copy as cURL? command
  • BZ - 2382711 - CVE-2025-8034 firefox: Memory safety bugs
  • BZ - 2382717 - CVE-2025-8033 firefox: thunderbird: Incorrect JavaScript state machine for generators
  • BZ - 2382718 - CVE-2025-8032 firefox: thunderbird: XSLT documents could bypass CSP
  • BZ - 2382720 - CVE-2025-8029 firefox: thunderbird: javascript: URLs executed on object and embed tags

Red Hat Enterprise Linux Server - AUS 9.2

SRPM
thunderbird-128.13.0-3.el9_2.src.rpm SHA-256: 4dfbae30aa066d34934973a5825815b5be5409c7c13f660b999dd110098a7fb5
x86_64
thunderbird-128.13.0-3.el9_2.x86_64.rpm SHA-256: cf3005bb090bde7ff1b89f094580734de2cedf859b750e08a523abe30ba5f05a
thunderbird-debuginfo-128.13.0-3.el9_2.x86_64.rpm SHA-256: 693739e3bfbaba4b43d00fb396136f65c1e353326b8216ef22d5cb5c41a0fc59
thunderbird-debugsource-128.13.0-3.el9_2.x86_64.rpm SHA-256: 1b2ed4d38f6b98c86703fb541ee059062fb1edd6d920b26fdfe6a5a68d0ac1ae

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2

SRPM
thunderbird-128.13.0-3.el9_2.src.rpm SHA-256: 4dfbae30aa066d34934973a5825815b5be5409c7c13f660b999dd110098a7fb5
ppc64le
thunderbird-128.13.0-3.el9_2.ppc64le.rpm SHA-256: 078c2a93bbc2a773a306d69af7be246691d5431a34f5618a14dfbc039ac34691
thunderbird-debuginfo-128.13.0-3.el9_2.ppc64le.rpm SHA-256: 0c7ed745b245570df46ce2757435986ff5e296314f538531d31379cff08fcafc
thunderbird-debugsource-128.13.0-3.el9_2.ppc64le.rpm SHA-256: dd3281595c5b997793483ffff027b30f9d977f84248c372bfc68a023045e52fb

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2

SRPM
thunderbird-128.13.0-3.el9_2.src.rpm SHA-256: 4dfbae30aa066d34934973a5825815b5be5409c7c13f660b999dd110098a7fb5
x86_64
thunderbird-128.13.0-3.el9_2.x86_64.rpm SHA-256: cf3005bb090bde7ff1b89f094580734de2cedf859b750e08a523abe30ba5f05a
thunderbird-debuginfo-128.13.0-3.el9_2.x86_64.rpm SHA-256: 693739e3bfbaba4b43d00fb396136f65c1e353326b8216ef22d5cb5c41a0fc59
thunderbird-debugsource-128.13.0-3.el9_2.x86_64.rpm SHA-256: 1b2ed4d38f6b98c86703fb541ee059062fb1edd6d920b26fdfe6a5a68d0ac1ae

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2

SRPM
thunderbird-128.13.0-3.el9_2.src.rpm SHA-256: 4dfbae30aa066d34934973a5825815b5be5409c7c13f660b999dd110098a7fb5
aarch64
thunderbird-128.13.0-3.el9_2.aarch64.rpm SHA-256: 2eab6d43c6d6c1e4d41d9b08683589960e77711f59607ea2192a46c62b4f8261
thunderbird-debuginfo-128.13.0-3.el9_2.aarch64.rpm SHA-256: cd06c3bfcc0110f481ff35682e59a3bb1159c2b7d35678d459fe4b15599ea901
thunderbird-debugsource-128.13.0-3.el9_2.aarch64.rpm SHA-256: d0df3ae2579c6f0a4881199ca3002d482f3fdaa2bba64ab5c0374776fb8cf2b3

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2

SRPM
thunderbird-128.13.0-3.el9_2.src.rpm SHA-256: 4dfbae30aa066d34934973a5825815b5be5409c7c13f660b999dd110098a7fb5
s390x
thunderbird-128.13.0-3.el9_2.s390x.rpm SHA-256: c202d0c93236bd79291221833f575416b7c508974327bc726ecccb8bceae83ce
thunderbird-debuginfo-128.13.0-3.el9_2.s390x.rpm SHA-256: 78f4dde47d48430d1a391fbd390b939f1636013a89ac18919a7759060a8b8476
thunderbird-debugsource-128.13.0-3.el9_2.s390x.rpm SHA-256: c4c774f77bc2dfa700aa74ad0aae3cad973a71dfc172a5c9850f8e5a5f20dc2f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.