Red Hat Product Errata RHSA-2025:19944 - Security Advisory
Issued:
2025-11-10
Updated:
2025-11-10

RHSA-2025:19944 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

  • thunderbird: firefox: Memory safety bugs (CVE-2025-11714)
  • thunderbird: firefox: Out of bounds read/write in a privileged process triggered by WebGL textures (CVE-2025-11709)
  • thunderbird: firefox: Cross-process information leaked due to malicious IPC messages (CVE-2025-11710)
  • thunderbird: firefox: Use-after-free in MediaTrackGraphImpl::GetInstance() (CVE-2025-11708)
  • thunderbird: firefox: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type (CVE-2025-11712)
  • thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144 (CVE-2025-11715)
  • thunderbird: firefox: Some non-writable Object properties could be modified (CVE-2025-11711)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server - AUS 9.2 x86_64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x

Fixes

  • BZ - 2403763 - CVE-2025-11714 thunderbird: firefox: Memory safety bugs
  • BZ - 2403765 - CVE-2025-11709 thunderbird: firefox: Out of bounds read/write in a privileged process triggered by WebGL textures
  • BZ - 2403768 - CVE-2025-11710 thunderbird: firefox: Cross-process information leaked due to malicious IPC messages
  • BZ - 2403769 - CVE-2025-11708 thunderbird: firefox: Use-after-free in MediaTrackGraphImpl::GetInstance()
  • BZ - 2403770 - CVE-2025-11712 thunderbird: firefox: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type
  • BZ - 2403774 - CVE-2025-11715 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  • BZ - 2403776 - CVE-2025-11711 thunderbird: firefox: Some non-writable Object properties could be modified

Red Hat Enterprise Linux Server - AUS 9.2

SRPM
thunderbird-140.4.0-2.el9_2.src.rpm SHA-256: c2f380282c6289c8c4d030ee25079c1f34c7ad640b2be4046759491ef3e0daba
x86_64
thunderbird-140.4.0-2.el9_2.x86_64.rpm SHA-256: 8392cef4dd9b113f14f809638e5020227f920acd62a36830502eef5e9467c937
thunderbird-debuginfo-140.4.0-2.el9_2.x86_64.rpm SHA-256: a3c5a0758010d80ab1c095911ecbb6a41bcef9fca71be893588f42c7250b2816
thunderbird-debugsource-140.4.0-2.el9_2.x86_64.rpm SHA-256: 894d5772325f388ad0af5e895d73b2f2ede0db1e1ade233aa736a12b41e08a8e

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2

SRPM
thunderbird-140.4.0-2.el9_2.src.rpm SHA-256: c2f380282c6289c8c4d030ee25079c1f34c7ad640b2be4046759491ef3e0daba
ppc64le
thunderbird-140.4.0-2.el9_2.ppc64le.rpm SHA-256: 7ea7d2260591697152aa7403ae446ca31589719e046ad0633bcf7bc9f86c95d7
thunderbird-debuginfo-140.4.0-2.el9_2.ppc64le.rpm SHA-256: f53592657ee51c6f9c9f95a5b927272aaa5c3604daf4457b490b049672d43a8a
thunderbird-debugsource-140.4.0-2.el9_2.ppc64le.rpm SHA-256: 71cd3cc3995b5899b6d7b74115b04c8c29e835f437063b11dff9941d8743080d

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2

SRPM
thunderbird-140.4.0-2.el9_2.src.rpm SHA-256: c2f380282c6289c8c4d030ee25079c1f34c7ad640b2be4046759491ef3e0daba
x86_64
thunderbird-140.4.0-2.el9_2.x86_64.rpm SHA-256: 8392cef4dd9b113f14f809638e5020227f920acd62a36830502eef5e9467c937
thunderbird-debuginfo-140.4.0-2.el9_2.x86_64.rpm SHA-256: a3c5a0758010d80ab1c095911ecbb6a41bcef9fca71be893588f42c7250b2816
thunderbird-debugsource-140.4.0-2.el9_2.x86_64.rpm SHA-256: 894d5772325f388ad0af5e895d73b2f2ede0db1e1ade233aa736a12b41e08a8e

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2

SRPM
thunderbird-140.4.0-2.el9_2.src.rpm SHA-256: c2f380282c6289c8c4d030ee25079c1f34c7ad640b2be4046759491ef3e0daba
aarch64
thunderbird-140.4.0-2.el9_2.aarch64.rpm SHA-256: d0b5eb655bfc5dd2f98ad719da69887c3df4e5ebecf4f01f7ae90dc417ef6bc4
thunderbird-debuginfo-140.4.0-2.el9_2.aarch64.rpm SHA-256: 15c2b08eff99642e5780a99a9e2b316ce397c55ca8972924d3783f9d0ca78386
thunderbird-debugsource-140.4.0-2.el9_2.aarch64.rpm SHA-256: 3dec1d198fdbf89f8343fd5f1a23b8ab50ef3adda6a3ba93a09d418ee80dcf79

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2

SRPM
thunderbird-140.4.0-2.el9_2.src.rpm SHA-256: c2f380282c6289c8c4d030ee25079c1f34c7ad640b2be4046759491ef3e0daba
s390x
thunderbird-140.4.0-2.el9_2.s390x.rpm SHA-256: c5e3f8e53a4315bacf35b950782a3d266934b037d6704d243c50a8e941ec947b
thunderbird-debuginfo-140.4.0-2.el9_2.s390x.rpm SHA-256: a7ca702e4efb0cd8af4edb8c9d2dc5e6a07d03d539340c150ad053d5025705e3
thunderbird-debugsource-140.4.0-2.el9_2.s390x.rpm SHA-256: 28dcd7da823de8a43c499bc56317ad55e5027e7ede99f6b04fc6494c72ebe387

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.