Issued:: 2025-11-20
Updated:: 2025-11-20

RHSA-2025:21881 - Security Advisory

Overview
Updated Packages

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

firefox: Mitigation bypass in the DOM: Security component (CVE-2025-13018)
firefox: Use-after-free in the Audio/Video component (CVE-2025-13014)
firefox: Incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016)
firefox: Same-origin policy bypass in the DOM: Workers component (CVE-2025-13019)
firefox: Use-after-free in the WebRTC: Audio/Video component (CVE-2025-13020)
firefox: Race condition in the Graphics component (CVE-2025-13012)
firefox: Spoofing issue in Firefox (CVE-2025-13015)
firefox: Mitigation bypass in the DOM: Core & HTML component (CVE-2025-13013)
firefox: Same-origin policy bypass in the DOM: Notifications component (CVE-2025-13017)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 8 x86_64
Red Hat Enterprise Linux for IBM z Systems 8 s390x
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

BZ - 2414079 - CVE-2025-13018 firefox: thunderbird: Mitigation bypass in the DOM: Security component
BZ - 2414080 - CVE-2025-13014 firefox: thunderbird: Use-after-free in the Audio/Video component
BZ - 2414083 - CVE-2025-13016 firefox: thunderbird: Incorrect boundary conditions in the JavaScript: WebAssembly component
BZ - 2414084 - CVE-2025-13019 firefox: thunderbird: Same-origin policy bypass in the DOM: Workers component
BZ - 2414085 - CVE-2025-13020 firefox: thunderbird: Use-after-free in the WebRTC: Audio/Video component
BZ - 2414086 - CVE-2025-13012 firefox: thunderbird: Race condition in the Graphics component
BZ - 2414090 - CVE-2025-13015 firefox: thunderbird: Spoofing issue in Firefox
BZ - 2414091 - CVE-2025-13013 firefox: thunderbird: Mitigation bypass in the DOM: Core & HTML component
BZ - 2414092 - CVE-2025-13017 firefox: thunderbird: Same-origin policy bypass in the DOM: Notifications component

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 8

SRPM
thunderbird-140.5.0-2.el8_10.src.rpm	SHA-256: 2942d56501b0f29251f168daa1575b47c290c6e4e45dcb19e45df862339b32b0
x86_64
thunderbird-140.5.0-2.el8_10.x86_64.rpm	SHA-256: ef1e22d62f43ec25cfcaf5fd7bc60d3e2b42fb6ed7e4d690e07057230ea6e40a
thunderbird-debugsource-140.5.0-2.el8_10.x86_64.rpm	SHA-256: 2d7c02a57922011dff0081f9ff5306926f912f46f820de2bfe6bc3657f85da04

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
thunderbird-140.5.0-2.el8_10.src.rpm	SHA-256: 2942d56501b0f29251f168daa1575b47c290c6e4e45dcb19e45df862339b32b0
s390x
thunderbird-140.5.0-2.el8_10.s390x.rpm	SHA-256: 3558e0b3356cd74423c381903642f78dca813ac1cec0e7b2c4483e9fb35e79b4
thunderbird-debuginfo-140.5.0-2.el8_10.s390x.rpm	SHA-256: 1edaefef39f15d5cbfb1a795b4cd4faa3f4bff7e114a9220341d3737c0200bad
thunderbird-debugsource-140.5.0-2.el8_10.s390x.rpm	SHA-256: dd79bf3aac9cd1c75a9dd2b91a6fea8a5af8273fad436e0d03b4188208dcb56b

Red Hat Enterprise Linux for Power, little endian 8

SRPM
thunderbird-140.5.0-2.el8_10.src.rpm	SHA-256: 2942d56501b0f29251f168daa1575b47c290c6e4e45dcb19e45df862339b32b0
ppc64le
thunderbird-140.5.0-2.el8_10.ppc64le.rpm	SHA-256: c48f952e4428d6e0a26ad59ae8e3fffc5f972d77d6a9a7e333ff81a5e11b112d
thunderbird-debugsource-140.5.0-2.el8_10.ppc64le.rpm	SHA-256: dbc710b81de52f46e607b0707a0e5dd3e6fbe5d912abe0c403741cba52fe0086

Red Hat Enterprise Linux for ARM 64 8

SRPM
thunderbird-140.5.0-2.el8_10.src.rpm	SHA-256: 2942d56501b0f29251f168daa1575b47c290c6e4e45dcb19e45df862339b32b0
aarch64
thunderbird-140.5.0-2.el8_10.aarch64.rpm	SHA-256: e3e2bc10b2f195ae68d30c3ddc2cc29f0144c28aae589db1d790821804805184
thunderbird-debugsource-140.5.0-2.el8_10.aarch64.rpm	SHA-256: 810e9e04094534a568d8196f97a90dad1c986ee601c893cf846fe4205ecb5be1

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation