Issued:: 2025-05-05
Updated:: 2025-05-05

RHSA-2025:4458 - Security Advisory

Overview
Updated Packages

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: thunderbird: Privilege escalation in Firefox Updater (CVE-2025-2817)
firefox: thunderbird: Unsafe attribute access during XPath parsing (CVE-2025-4087)
firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames (CVE-2025-4083)
firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 (CVE-2025-4091)
firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10 (CVE-2025-4093)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 8 x86_64
Red Hat Enterprise Linux for IBM z Systems 8 s390x
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

BZ - 2362902 - CVE-2025-2817 firefox: thunderbird: Privilege escalation in Firefox Updater
BZ - 2362904 - CVE-2025-4087 firefox: thunderbird: Unsafe attribute access during XPath parsing
BZ - 2362907 - CVE-2025-4083 firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames
BZ - 2362912 - CVE-2025-4091 firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10
BZ - 2362915 - CVE-2025-4093 firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 8

SRPM
firefox-128.10.0-1.el8_10.src.rpm	SHA-256: 171e649494b95c2ce68a488837a6acd791d5eb66ef4d46bee6e20e8a352a12b1
x86_64
firefox-128.10.0-1.el8_10.x86_64.rpm	SHA-256: 5fe1a04c8c2eebe4cad5aa697e613bd4fd3afa02b68a9f0a095c6d7a044b9492
firefox-debuginfo-128.10.0-1.el8_10.x86_64.rpm	SHA-256: 7d80d6b724dcc5c20de6945facc49f8cb0aded657b597d867268b22a81e51b84
firefox-debugsource-128.10.0-1.el8_10.x86_64.rpm	SHA-256: e6c28985663e20eecc5dd5ed3e7e4eee8199310b40bb9ad54ceddfa4c41925fb

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
firefox-128.10.0-1.el8_10.src.rpm	SHA-256: 171e649494b95c2ce68a488837a6acd791d5eb66ef4d46bee6e20e8a352a12b1
s390x
firefox-128.10.0-1.el8_10.s390x.rpm	SHA-256: 34cf0241078f3e59910da178c661d0bb8cb5b43628d2cfa94a75441766e2610f
firefox-debuginfo-128.10.0-1.el8_10.s390x.rpm	SHA-256: 8bbefd90d1f516d979bf652c99c5cd3aa19d5b14f54e9a345e7949e1545daa06
firefox-debugsource-128.10.0-1.el8_10.s390x.rpm	SHA-256: e491d0adae3767a037aef0885a14ef3859471c1989b38b155be2cb7497afe4bd

Red Hat Enterprise Linux for Power, little endian 8

SRPM
firefox-128.10.0-1.el8_10.src.rpm	SHA-256: 171e649494b95c2ce68a488837a6acd791d5eb66ef4d46bee6e20e8a352a12b1
ppc64le
firefox-128.10.0-1.el8_10.ppc64le.rpm	SHA-256: 4b28142ddff737502f69ca670565e543e4f211722f2d03aa3222da1a77f26e24
firefox-debuginfo-128.10.0-1.el8_10.ppc64le.rpm	SHA-256: 2ae367e96c024a66e31175bb31b36a924316fd9fb2c9fcc397ababb8fe1298ea
firefox-debugsource-128.10.0-1.el8_10.ppc64le.rpm	SHA-256: 335ed2609f43bea1ed701122e834894a0a17643653d06e03eeaa402c37e14579

Red Hat Enterprise Linux for ARM 64 8

SRPM
firefox-128.10.0-1.el8_10.src.rpm	SHA-256: 171e649494b95c2ce68a488837a6acd791d5eb66ef4d46bee6e20e8a352a12b1
aarch64
firefox-128.10.0-1.el8_10.aarch64.rpm	SHA-256: 2ee15b78ffa2f4e220bcbb4a4f7893516699e756b88169de01a8e97cdd940a92
firefox-debuginfo-128.10.0-1.el8_10.aarch64.rpm	SHA-256: 234ece3ef164e5024bddf470f0dd033db03886ec949524497a502b43c92c43d6
firefox-debugsource-128.10.0-1.el8_10.aarch64.rpm	SHA-256: a756851691cd5b3cccb90838c62759bf57eece02c8dacdb74af5c0930fccb2dd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation