Issued:: 2025-05-12
Updated:: 2025-05-12

RHSA-2025:4797 - Security Advisory

Overview
Updated Packages

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

firefox: thunderbird: Privilege escalation in Firefox Updater (CVE-2025-2817)
firefox: thunderbird: Unsafe attribute access during XPath parsing (CVE-2025-4087)
firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames (CVE-2025-4083)
firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 (CVE-2025-4091)
firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10 (CVE-2025-4093)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 8 x86_64
Red Hat Enterprise Linux for IBM z Systems 8 s390x
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

BZ - 2362902 - CVE-2025-2817 firefox: thunderbird: Privilege escalation in Firefox Updater
BZ - 2362904 - CVE-2025-4087 firefox: thunderbird: Unsafe attribute access during XPath parsing
BZ - 2362907 - CVE-2025-4083 firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames
BZ - 2362912 - CVE-2025-4091 firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10
BZ - 2362915 - CVE-2025-4093 firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 8

SRPM
thunderbird-128.10.0-1.el8_10.src.rpm	SHA-256: 66ccd1e0cf4af96dbb40b8eb48c848a533a489fe4b8eb34e0fbff4155fe6a619
x86_64
thunderbird-128.10.0-1.el8_10.x86_64.rpm	SHA-256: ba3c7614fa60d84c2189513d5d41a82d872e98221ff32d66448f8d789e2c342a
thunderbird-debuginfo-128.10.0-1.el8_10.x86_64.rpm	SHA-256: 6b81fe65516f88ac5482a1718c1e8cd1c6ad3f65345058355001d678b40ac9fd
thunderbird-debugsource-128.10.0-1.el8_10.x86_64.rpm	SHA-256: 180ed4deb4286cbbe5d0a30f1c6c0ce8f46ee00ab1a005bfec50140796c9ff15

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
thunderbird-128.10.0-1.el8_10.src.rpm	SHA-256: 66ccd1e0cf4af96dbb40b8eb48c848a533a489fe4b8eb34e0fbff4155fe6a619
s390x
thunderbird-128.10.0-1.el8_10.s390x.rpm	SHA-256: 9f002589072bf09d1941f3885b983071d33582daa16bdba71798bb14b3e837fb
thunderbird-debuginfo-128.10.0-1.el8_10.s390x.rpm	SHA-256: 0a43717d327534447fde54a8ee7cf8abd0e208dde31e91cc8e90d8413090115c
thunderbird-debugsource-128.10.0-1.el8_10.s390x.rpm	SHA-256: a2c519e555ed893b62017d27ccff460ee6593dce0e43ab2ed8406fe406156738

Red Hat Enterprise Linux for Power, little endian 8

SRPM
thunderbird-128.10.0-1.el8_10.src.rpm	SHA-256: 66ccd1e0cf4af96dbb40b8eb48c848a533a489fe4b8eb34e0fbff4155fe6a619
ppc64le
thunderbird-128.10.0-1.el8_10.ppc64le.rpm	SHA-256: 744e5e083e33a799911e2289411feb97370e5cb2507956d25be44a605af87500
thunderbird-debuginfo-128.10.0-1.el8_10.ppc64le.rpm	SHA-256: c02f7a4c1cce6940704b083a7d398a4aeec7a2268977b0df134c3ac1608425cf
thunderbird-debugsource-128.10.0-1.el8_10.ppc64le.rpm	SHA-256: 2595a85e213c0c9cc5871e2f2b9d9a9b9447a827ff95af183d87f528d49c4cae

Red Hat Enterprise Linux for ARM 64 8

SRPM
thunderbird-128.10.0-1.el8_10.src.rpm	SHA-256: 66ccd1e0cf4af96dbb40b8eb48c848a533a489fe4b8eb34e0fbff4155fe6a619
aarch64
thunderbird-128.10.0-1.el8_10.aarch64.rpm	SHA-256: 101f070ceaa6424dc7083f3510314080eef2526964f0b3ca586381a840b223b6
thunderbird-debuginfo-128.10.0-1.el8_10.aarch64.rpm	SHA-256: fc3a1ec4d91652a693d5e26d4ec0e20814a710d91a113b6ebf4977d707f3e52e
thunderbird-debugsource-128.10.0-1.el8_10.aarch64.rpm	SHA-256: 676312444f0c8033e83a8930a81cb5bb79d98ee1161602d39e198a1626623536

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation