Issued:: 2025-05-14
Updated:: 2025-05-14

RHSA-2025:7547 - Security Advisory

Overview
Updated Packages

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: thunderbird: Privilege escalation in Firefox Updater (CVE-2025-2817)
firefox: thunderbird: Unsafe attribute access during XPath parsing (CVE-2025-4087)
firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames (CVE-2025-4083)
firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 (CVE-2025-4091)
firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10 (CVE-2025-4093)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server - AUS 8.2 x86_64

Fixes

BZ - 2362902 - CVE-2025-2817 firefox: thunderbird: Privilege escalation in Firefox Updater
BZ - 2362904 - CVE-2025-4087 firefox: thunderbird: Unsafe attribute access during XPath parsing
BZ - 2362907 - CVE-2025-4083 firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames
BZ - 2362912 - CVE-2025-4091 firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10
BZ - 2362915 - CVE-2025-4093 firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server - AUS 8.2

SRPM
firefox-128.10.0-1.el8_2.src.rpm	SHA-256: 774f7e289f39ccb023facbeb02483fa0bf8afcc8cc7ab0ae9ec8d8fa3683b5d5
x86_64
firefox-128.10.0-1.el8_2.x86_64.rpm	SHA-256: 278a4f2de52a4a1f97dbaf379b2a987fe0999944f4b2d0905cb89cc2fcba99e7
firefox-debuginfo-128.10.0-1.el8_2.x86_64.rpm	SHA-256: 087baecf9f00fd873ab0b53f8736935fc6651582cd60061d3df49cfdae2c2d43
firefox-debugsource-128.10.0-1.el8_2.x86_64.rpm	SHA-256: d617773f2118e25a55526edb10a0a0b4698e43fe8bcc8f7f526499f3cb757ba1

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation