Red Hat Product Errata RHSA-2025:7493 - Security Advisory
Issued:
2025-05-13
Updated:
2025-05-13

RHSA-2025:7493 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

  • firefox: thunderbird: URL Bar Spoofing via non-BMP Unicode characters (CVE-2025-3029)
  • firefox: thunderbird: Use-after-free triggered by XSLTProcessor (CVE-2025-3028)
  • firefox: thunderbird: Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9 (CVE-2025-3030)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 10 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 10 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian 10 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 10 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes

  • BZ - 2356556 - CVE-2025-3029 firefox: thunderbird: URL Bar Spoofing via non-BMP Unicode characters
  • BZ - 2356562 - CVE-2025-3028 firefox: thunderbird: Use-after-free triggered by XSLTProcessor
  • BZ - 2356563 - CVE-2025-3030 firefox: thunderbird: Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9

Red Hat Enterprise Linux for x86_64 10

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
x86_64
thunderbird-128.9.0-2.el10_0.x86_64.rpm SHA-256: 6419bc68066f41d13f7b5f77f141925959bf4c19233d5aa2c87e604c447aa43a
thunderbird-debuginfo-128.9.0-2.el10_0.x86_64.rpm SHA-256: fb474847e298dd35f767cbc179889bcc7ddefd534e61918cd19b4bf8076806ca
thunderbird-debugsource-128.9.0-2.el10_0.x86_64.rpm SHA-256: 87876858bf991fd4c0f3c201155f6ea2766d82e70ce414d10e86f23f24aeea57

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
x86_64
thunderbird-128.9.0-2.el10_0.x86_64.rpm SHA-256: 6419bc68066f41d13f7b5f77f141925959bf4c19233d5aa2c87e604c447aa43a
thunderbird-debuginfo-128.9.0-2.el10_0.x86_64.rpm SHA-256: fb474847e298dd35f767cbc179889bcc7ddefd534e61918cd19b4bf8076806ca
thunderbird-debugsource-128.9.0-2.el10_0.x86_64.rpm SHA-256: 87876858bf991fd4c0f3c201155f6ea2766d82e70ce414d10e86f23f24aeea57

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
s390x
thunderbird-128.9.0-2.el10_0.s390x.rpm SHA-256: fba7a4b2ff42ab3c3ad949b7f81016c3bf898b0b174a80da9d07cb05a068fa0d
thunderbird-debuginfo-128.9.0-2.el10_0.s390x.rpm SHA-256: 34f7f107c1b52e3c8123b4c29ea7bf20862b49c7269fbe741a98fd5433bcc423
thunderbird-debugsource-128.9.0-2.el10_0.s390x.rpm SHA-256: 93379f93b89fd59728e1cb02a52c4a991c6174d0091f7cdbb300ea654357fb9e

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
s390x
thunderbird-128.9.0-2.el10_0.s390x.rpm SHA-256: fba7a4b2ff42ab3c3ad949b7f81016c3bf898b0b174a80da9d07cb05a068fa0d
thunderbird-debuginfo-128.9.0-2.el10_0.s390x.rpm SHA-256: 34f7f107c1b52e3c8123b4c29ea7bf20862b49c7269fbe741a98fd5433bcc423
thunderbird-debugsource-128.9.0-2.el10_0.s390x.rpm SHA-256: 93379f93b89fd59728e1cb02a52c4a991c6174d0091f7cdbb300ea654357fb9e

Red Hat Enterprise Linux for Power, little endian 10

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
ppc64le
thunderbird-128.9.0-2.el10_0.ppc64le.rpm SHA-256: 2cefbab7a68e643e25b6e3f15b6ff6f3032bcb0663f2a4eececf088c26cfca86
thunderbird-debuginfo-128.9.0-2.el10_0.ppc64le.rpm SHA-256: 10e81094de20f10a8f422bb4c5d52e99c3df4824334f262c2097db3728148d36
thunderbird-debugsource-128.9.0-2.el10_0.ppc64le.rpm SHA-256: d1549fc326b6f4628d46529690f7a943911dcc033ec48433d0c2cb7f2424f72f

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
ppc64le
thunderbird-128.9.0-2.el10_0.ppc64le.rpm SHA-256: 2cefbab7a68e643e25b6e3f15b6ff6f3032bcb0663f2a4eececf088c26cfca86
thunderbird-debuginfo-128.9.0-2.el10_0.ppc64le.rpm SHA-256: 10e81094de20f10a8f422bb4c5d52e99c3df4824334f262c2097db3728148d36
thunderbird-debugsource-128.9.0-2.el10_0.ppc64le.rpm SHA-256: d1549fc326b6f4628d46529690f7a943911dcc033ec48433d0c2cb7f2424f72f

Red Hat Enterprise Linux for ARM 64 10

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
aarch64
thunderbird-128.9.0-2.el10_0.aarch64.rpm SHA-256: fa5299e4c0999e2c1eb1ac639f620bb166ed122c545730b2bfab6977f1aa3c60
thunderbird-debuginfo-128.9.0-2.el10_0.aarch64.rpm SHA-256: db786a6eb27ad74d49eb703e72d59ed712fde7037c084628818a50341e3c5e98
thunderbird-debugsource-128.9.0-2.el10_0.aarch64.rpm SHA-256: 729a25491d91cd7fd90382124b9156bad5575dfc16f5bdf3b6247c8a057ae5d0

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
aarch64
thunderbird-128.9.0-2.el10_0.aarch64.rpm SHA-256: fa5299e4c0999e2c1eb1ac639f620bb166ed122c545730b2bfab6977f1aa3c60
thunderbird-debuginfo-128.9.0-2.el10_0.aarch64.rpm SHA-256: db786a6eb27ad74d49eb703e72d59ed712fde7037c084628818a50341e3c5e98
thunderbird-debugsource-128.9.0-2.el10_0.aarch64.rpm SHA-256: 729a25491d91cd7fd90382124b9156bad5575dfc16f5bdf3b6247c8a057ae5d0

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
aarch64
thunderbird-128.9.0-2.el10_0.aarch64.rpm SHA-256: fa5299e4c0999e2c1eb1ac639f620bb166ed122c545730b2bfab6977f1aa3c60
thunderbird-debuginfo-128.9.0-2.el10_0.aarch64.rpm SHA-256: db786a6eb27ad74d49eb703e72d59ed712fde7037c084628818a50341e3c5e98
thunderbird-debugsource-128.9.0-2.el10_0.aarch64.rpm SHA-256: 729a25491d91cd7fd90382124b9156bad5575dfc16f5bdf3b6247c8a057ae5d0

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
s390x
thunderbird-128.9.0-2.el10_0.s390x.rpm SHA-256: fba7a4b2ff42ab3c3ad949b7f81016c3bf898b0b174a80da9d07cb05a068fa0d
thunderbird-debuginfo-128.9.0-2.el10_0.s390x.rpm SHA-256: 34f7f107c1b52e3c8123b4c29ea7bf20862b49c7269fbe741a98fd5433bcc423
thunderbird-debugsource-128.9.0-2.el10_0.s390x.rpm SHA-256: 93379f93b89fd59728e1cb02a52c4a991c6174d0091f7cdbb300ea654357fb9e

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
ppc64le
thunderbird-128.9.0-2.el10_0.ppc64le.rpm SHA-256: 2cefbab7a68e643e25b6e3f15b6ff6f3032bcb0663f2a4eececf088c26cfca86
thunderbird-debuginfo-128.9.0-2.el10_0.ppc64le.rpm SHA-256: 10e81094de20f10a8f422bb4c5d52e99c3df4824334f262c2097db3728148d36
thunderbird-debugsource-128.9.0-2.el10_0.ppc64le.rpm SHA-256: d1549fc326b6f4628d46529690f7a943911dcc033ec48433d0c2cb7f2424f72f

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0

SRPM
thunderbird-128.9.0-2.el10_0.src.rpm SHA-256: a7a3c0ab8d41617175c4f6f0f697264079f52862ae89477b41f39a920c750946
x86_64
thunderbird-128.9.0-2.el10_0.x86_64.rpm SHA-256: 6419bc68066f41d13f7b5f77f141925959bf4c19233d5aa2c87e604c447aa43a
thunderbird-debuginfo-128.9.0-2.el10_0.x86_64.rpm SHA-256: fb474847e298dd35f767cbc179889bcc7ddefd534e61918cd19b4bf8076806ca
thunderbird-debugsource-128.9.0-2.el10_0.x86_64.rpm SHA-256: 87876858bf991fd4c0f3c201155f6ea2766d82e70ce414d10e86f23f24aeea57

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.