Red Hat Product Errata RHSA-2025:7506 - Security Advisory
Issued:
2025-05-13
Updated:
2025-05-13

RHSA-2025:7506 - Security Advisory

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

  • firefox: thunderbird: Privilege escalation in Firefox Updater (CVE-2025-2817)
  • firefox: thunderbird: Unsafe attribute access during XPath parsing (CVE-2025-4087)
  • firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames (CVE-2025-4083)
  • firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 (CVE-2025-4091)
  • firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10 (CVE-2025-4093)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 10 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 10 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian 10 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 10 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes

  • BZ - 2362902 - CVE-2025-2817 firefox: thunderbird: Privilege escalation in Firefox Updater
  • BZ - 2362904 - CVE-2025-4087 firefox: thunderbird: Unsafe attribute access during XPath parsing
  • BZ - 2362907 - CVE-2025-4083 firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames
  • BZ - 2362912 - CVE-2025-4091 firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10
  • BZ - 2362915 - CVE-2025-4093 firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10

Red Hat Enterprise Linux for x86_64 10

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
x86_64
firefox-128.10.0-1.el10_0.x86_64.rpm SHA-256: 859c14f1185e0c3b8f459c962104c30cf545ed3776ac12fa22361a459103ba43
firefox-debuginfo-128.10.0-1.el10_0.x86_64.rpm SHA-256: df2b70ea2925472371bdc660736a5cfe26370c3571315a56c5f8145cdfe495ce
firefox-debugsource-128.10.0-1.el10_0.x86_64.rpm SHA-256: b9bde70903e7f14bcc5c79c4d2368454cf1ced7e23b2ceadb6752b17e31cadf5

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
x86_64
firefox-128.10.0-1.el10_0.x86_64.rpm SHA-256: 859c14f1185e0c3b8f459c962104c30cf545ed3776ac12fa22361a459103ba43
firefox-debuginfo-128.10.0-1.el10_0.x86_64.rpm SHA-256: df2b70ea2925472371bdc660736a5cfe26370c3571315a56c5f8145cdfe495ce
firefox-debugsource-128.10.0-1.el10_0.x86_64.rpm SHA-256: b9bde70903e7f14bcc5c79c4d2368454cf1ced7e23b2ceadb6752b17e31cadf5

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
s390x
firefox-128.10.0-1.el10_0.s390x.rpm SHA-256: ec92afb2725d0a4f0231e7914b372c9964e2014904ca61c79cc096de91ee56aa
firefox-debuginfo-128.10.0-1.el10_0.s390x.rpm SHA-256: f020560108078c476025295ec148746eada7b854778b20722096683c6f155df7
firefox-debugsource-128.10.0-1.el10_0.s390x.rpm SHA-256: 59f62155532d3a1226b6594455bc16608f91204a03c231844232d9b75a56b1eb

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
s390x
firefox-128.10.0-1.el10_0.s390x.rpm SHA-256: ec92afb2725d0a4f0231e7914b372c9964e2014904ca61c79cc096de91ee56aa
firefox-debuginfo-128.10.0-1.el10_0.s390x.rpm SHA-256: f020560108078c476025295ec148746eada7b854778b20722096683c6f155df7
firefox-debugsource-128.10.0-1.el10_0.s390x.rpm SHA-256: 59f62155532d3a1226b6594455bc16608f91204a03c231844232d9b75a56b1eb

Red Hat Enterprise Linux for Power, little endian 10

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
ppc64le
firefox-128.10.0-1.el10_0.ppc64le.rpm SHA-256: 26a7580c48e1cf4529f0fcaf5bf1bc5438ae6c87451146a43022921d5e72cfb0
firefox-debuginfo-128.10.0-1.el10_0.ppc64le.rpm SHA-256: bc39651206aa36495da191612a6ebcc96d0e761ed5a008b80b532f17542e42ce
firefox-debugsource-128.10.0-1.el10_0.ppc64le.rpm SHA-256: 41d640df5484d9b840b6bce299f99a4d9fbbce40ae93bb59df0f39a730b71e5f

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
ppc64le
firefox-128.10.0-1.el10_0.ppc64le.rpm SHA-256: 26a7580c48e1cf4529f0fcaf5bf1bc5438ae6c87451146a43022921d5e72cfb0
firefox-debuginfo-128.10.0-1.el10_0.ppc64le.rpm SHA-256: bc39651206aa36495da191612a6ebcc96d0e761ed5a008b80b532f17542e42ce
firefox-debugsource-128.10.0-1.el10_0.ppc64le.rpm SHA-256: 41d640df5484d9b840b6bce299f99a4d9fbbce40ae93bb59df0f39a730b71e5f

Red Hat Enterprise Linux for ARM 64 10

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
aarch64
firefox-128.10.0-1.el10_0.aarch64.rpm SHA-256: 766fbeb1b35f208c8e341b08761fdde6f728443ae4490a4a69e12f6dc0a63cba
firefox-debuginfo-128.10.0-1.el10_0.aarch64.rpm SHA-256: 4fed7cd2f8804cd32e5331c5f2e254ac5b9345f7a533a2c9300fd73408814411
firefox-debugsource-128.10.0-1.el10_0.aarch64.rpm SHA-256: f107e6660254270b2947c09e17e63f5189b16c00507a88c4bb45ac02f5c93934

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
aarch64
firefox-128.10.0-1.el10_0.aarch64.rpm SHA-256: 766fbeb1b35f208c8e341b08761fdde6f728443ae4490a4a69e12f6dc0a63cba
firefox-debuginfo-128.10.0-1.el10_0.aarch64.rpm SHA-256: 4fed7cd2f8804cd32e5331c5f2e254ac5b9345f7a533a2c9300fd73408814411
firefox-debugsource-128.10.0-1.el10_0.aarch64.rpm SHA-256: f107e6660254270b2947c09e17e63f5189b16c00507a88c4bb45ac02f5c93934

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
aarch64
firefox-128.10.0-1.el10_0.aarch64.rpm SHA-256: 766fbeb1b35f208c8e341b08761fdde6f728443ae4490a4a69e12f6dc0a63cba
firefox-debuginfo-128.10.0-1.el10_0.aarch64.rpm SHA-256: 4fed7cd2f8804cd32e5331c5f2e254ac5b9345f7a533a2c9300fd73408814411
firefox-debugsource-128.10.0-1.el10_0.aarch64.rpm SHA-256: f107e6660254270b2947c09e17e63f5189b16c00507a88c4bb45ac02f5c93934

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
s390x
firefox-128.10.0-1.el10_0.s390x.rpm SHA-256: ec92afb2725d0a4f0231e7914b372c9964e2014904ca61c79cc096de91ee56aa
firefox-debuginfo-128.10.0-1.el10_0.s390x.rpm SHA-256: f020560108078c476025295ec148746eada7b854778b20722096683c6f155df7
firefox-debugsource-128.10.0-1.el10_0.s390x.rpm SHA-256: 59f62155532d3a1226b6594455bc16608f91204a03c231844232d9b75a56b1eb

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
ppc64le
firefox-128.10.0-1.el10_0.ppc64le.rpm SHA-256: 26a7580c48e1cf4529f0fcaf5bf1bc5438ae6c87451146a43022921d5e72cfb0
firefox-debuginfo-128.10.0-1.el10_0.ppc64le.rpm SHA-256: bc39651206aa36495da191612a6ebcc96d0e761ed5a008b80b532f17542e42ce
firefox-debugsource-128.10.0-1.el10_0.ppc64le.rpm SHA-256: 41d640df5484d9b840b6bce299f99a4d9fbbce40ae93bb59df0f39a730b71e5f

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0

SRPM
firefox-128.10.0-1.el10_0.src.rpm SHA-256: bfc4eca59235e38afedaff2f17a21595ca36052dd3bfb3ee607bb0e3c4f8b222
x86_64
firefox-128.10.0-1.el10_0.x86_64.rpm SHA-256: 859c14f1185e0c3b8f459c962104c30cf545ed3776ac12fa22361a459103ba43
firefox-debuginfo-128.10.0-1.el10_0.x86_64.rpm SHA-256: df2b70ea2925472371bdc660736a5cfe26370c3571315a56c5f8145cdfe495ce
firefox-debugsource-128.10.0-1.el10_0.x86_64.rpm SHA-256: b9bde70903e7f14bcc5c79c4d2368454cf1ced7e23b2ceadb6752b17e31cadf5

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.