Red Hat Product Errata RHSA-2025:14844 - Security Advisory
Issued:
2025-08-28
Updated:
2025-08-28

RHSA-2025:14844 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

  • firefox: thunderbird: Denial-of-service due to out-of-memory in the Graphics: WebRender component (CVE-2025-9182)
  • thunderbird: firefox: Sandbox escape due to invalid pointer in the Audio/Video: GMP component (CVE-2025-9179)
  • thunderbird: firefox: Same-origin policy bypass in the Graphics: Canvas2D component (CVE-2025-9180)
  • thunderbird: firefox: Uninitialized memory in the JavaScript Engine component (CVE-2025-9181)
  • thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 (CVE-2025-9185)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 10 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 10 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian 10 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 10 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes

  • BZ - 2389575 - CVE-2025-9182 firefox: thunderbird: Denial-of-service due to out-of-memory in the Graphics: WebRender component
  • BZ - 2389580 - CVE-2025-9179 thunderbird: firefox: Sandbox escape due to invalid pointer in the Audio/Video: GMP component
  • BZ - 2389581 - CVE-2025-9180 thunderbird: firefox: Same-origin policy bypass in the Graphics: Canvas2D component
  • BZ - 2389583 - CVE-2025-9181 thunderbird: firefox: Uninitialized memory in the JavaScript Engine component
  • BZ - 2389584 - CVE-2025-9185 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142

Red Hat Enterprise Linux for x86_64 10

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
x86_64
thunderbird-128.14.0-3.el10_0.x86_64.rpm SHA-256: c519c3d166d113c4fb6ef7c3a266304c8aee2eb47c46bc61338078e97ed3ee79
thunderbird-debuginfo-128.14.0-3.el10_0.x86_64.rpm SHA-256: bdeb76d067c7b4029cef1ab0733233ad59423f47ac773ee7ec56840662aea120
thunderbird-debugsource-128.14.0-3.el10_0.x86_64.rpm SHA-256: 18e1fc220256d166eb746016419f370717491c292be0a2b07068df66d2b420e1

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
x86_64
thunderbird-128.14.0-3.el10_0.x86_64.rpm SHA-256: c519c3d166d113c4fb6ef7c3a266304c8aee2eb47c46bc61338078e97ed3ee79
thunderbird-debuginfo-128.14.0-3.el10_0.x86_64.rpm SHA-256: bdeb76d067c7b4029cef1ab0733233ad59423f47ac773ee7ec56840662aea120
thunderbird-debugsource-128.14.0-3.el10_0.x86_64.rpm SHA-256: 18e1fc220256d166eb746016419f370717491c292be0a2b07068df66d2b420e1

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
s390x
thunderbird-128.14.0-3.el10_0.s390x.rpm SHA-256: ab7bc2c750b7991ebb944daaaa41bc942cc238dd965b745ad42922eb77946968
thunderbird-debuginfo-128.14.0-3.el10_0.s390x.rpm SHA-256: f3384751c994425f34e2a1ba19d52ad1efec5d46697e9ca75c85c7cb13e8cfae
thunderbird-debugsource-128.14.0-3.el10_0.s390x.rpm SHA-256: a9faee253feb7fa7372151377aaa0f9f19b855421069c16c2b20f74140a39f4d

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
s390x
thunderbird-128.14.0-3.el10_0.s390x.rpm SHA-256: ab7bc2c750b7991ebb944daaaa41bc942cc238dd965b745ad42922eb77946968
thunderbird-debuginfo-128.14.0-3.el10_0.s390x.rpm SHA-256: f3384751c994425f34e2a1ba19d52ad1efec5d46697e9ca75c85c7cb13e8cfae
thunderbird-debugsource-128.14.0-3.el10_0.s390x.rpm SHA-256: a9faee253feb7fa7372151377aaa0f9f19b855421069c16c2b20f74140a39f4d

Red Hat Enterprise Linux for Power, little endian 10

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
ppc64le
thunderbird-128.14.0-3.el10_0.ppc64le.rpm SHA-256: d99bc9d74246c89d2eab52af3f154bb10af55bf7fe559de185ed2f4f64420b25
thunderbird-debuginfo-128.14.0-3.el10_0.ppc64le.rpm SHA-256: c33fb2fe02ec6bf60fbef257907f0c2008016749da7d64a23b6cfe12186d3fc6
thunderbird-debugsource-128.14.0-3.el10_0.ppc64le.rpm SHA-256: 9688061f19adbd35527f8cb7a4c6765c1e2f73d322016937db7e9dadde5661ce

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
ppc64le
thunderbird-128.14.0-3.el10_0.ppc64le.rpm SHA-256: d99bc9d74246c89d2eab52af3f154bb10af55bf7fe559de185ed2f4f64420b25
thunderbird-debuginfo-128.14.0-3.el10_0.ppc64le.rpm SHA-256: c33fb2fe02ec6bf60fbef257907f0c2008016749da7d64a23b6cfe12186d3fc6
thunderbird-debugsource-128.14.0-3.el10_0.ppc64le.rpm SHA-256: 9688061f19adbd35527f8cb7a4c6765c1e2f73d322016937db7e9dadde5661ce

Red Hat Enterprise Linux for ARM 64 10

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
aarch64
thunderbird-128.14.0-3.el10_0.aarch64.rpm SHA-256: 8c886b869ccfe416e14c767ff06c84e61fd55f206f212136c408521c53ccc193
thunderbird-debuginfo-128.14.0-3.el10_0.aarch64.rpm SHA-256: 347c04fc9b836f5dbcaf0c1e0bcc792e7a60e1c6f15214e25c7fd3edd061fdfe
thunderbird-debugsource-128.14.0-3.el10_0.aarch64.rpm SHA-256: 06ca83ad1ca9684114bbcfba36734d9946fd3ad333e693b73528ee866d06af75

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
aarch64
thunderbird-128.14.0-3.el10_0.aarch64.rpm SHA-256: 8c886b869ccfe416e14c767ff06c84e61fd55f206f212136c408521c53ccc193
thunderbird-debuginfo-128.14.0-3.el10_0.aarch64.rpm SHA-256: 347c04fc9b836f5dbcaf0c1e0bcc792e7a60e1c6f15214e25c7fd3edd061fdfe
thunderbird-debugsource-128.14.0-3.el10_0.aarch64.rpm SHA-256: 06ca83ad1ca9684114bbcfba36734d9946fd3ad333e693b73528ee866d06af75

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
aarch64
thunderbird-128.14.0-3.el10_0.aarch64.rpm SHA-256: 8c886b869ccfe416e14c767ff06c84e61fd55f206f212136c408521c53ccc193
thunderbird-debuginfo-128.14.0-3.el10_0.aarch64.rpm SHA-256: 347c04fc9b836f5dbcaf0c1e0bcc792e7a60e1c6f15214e25c7fd3edd061fdfe
thunderbird-debugsource-128.14.0-3.el10_0.aarch64.rpm SHA-256: 06ca83ad1ca9684114bbcfba36734d9946fd3ad333e693b73528ee866d06af75

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
s390x
thunderbird-128.14.0-3.el10_0.s390x.rpm SHA-256: ab7bc2c750b7991ebb944daaaa41bc942cc238dd965b745ad42922eb77946968
thunderbird-debuginfo-128.14.0-3.el10_0.s390x.rpm SHA-256: f3384751c994425f34e2a1ba19d52ad1efec5d46697e9ca75c85c7cb13e8cfae
thunderbird-debugsource-128.14.0-3.el10_0.s390x.rpm SHA-256: a9faee253feb7fa7372151377aaa0f9f19b855421069c16c2b20f74140a39f4d

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
ppc64le
thunderbird-128.14.0-3.el10_0.ppc64le.rpm SHA-256: d99bc9d74246c89d2eab52af3f154bb10af55bf7fe559de185ed2f4f64420b25
thunderbird-debuginfo-128.14.0-3.el10_0.ppc64le.rpm SHA-256: c33fb2fe02ec6bf60fbef257907f0c2008016749da7d64a23b6cfe12186d3fc6
thunderbird-debugsource-128.14.0-3.el10_0.ppc64le.rpm SHA-256: 9688061f19adbd35527f8cb7a4c6765c1e2f73d322016937db7e9dadde5661ce

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0

SRPM
thunderbird-128.14.0-3.el10_0.src.rpm SHA-256: 4e8fa9f4aa70f0668a7200aaf11434432def5810c6f62a9f74b5624d8b66f6af
x86_64
thunderbird-128.14.0-3.el10_0.x86_64.rpm SHA-256: c519c3d166d113c4fb6ef7c3a266304c8aee2eb47c46bc61338078e97ed3ee79
thunderbird-debuginfo-128.14.0-3.el10_0.x86_64.rpm SHA-256: bdeb76d067c7b4029cef1ab0733233ad59423f47ac773ee7ec56840662aea120
thunderbird-debugsource-128.14.0-3.el10_0.x86_64.rpm SHA-256: 18e1fc220256d166eb746016419f370717491c292be0a2b07068df66d2b420e1

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.