Red Hat Product Errata RHSA-2025:8196 - Security Advisory
Issued:
2025-05-27
Updated:
2025-05-27

RHSA-2025:8196 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

  • thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link (CVE-2025-3909)
  • thunderbird: Sender Spoofing via Malformed From Header in Thunderbird (CVE-2025-3875)
  • thunderbird: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links (CVE-2025-3877)
  • thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking (CVE-2025-3932)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 10 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 10 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian 10 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 10 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes

  • BZ - 2366283 - CVE-2025-3909 thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link
  • BZ - 2366287 - CVE-2025-3875 thunderbird: Sender Spoofing via Malformed From Header in Thunderbird
  • BZ - 2366291 - CVE-2025-3877 thunderbird: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links
  • BZ - 2366297 - CVE-2025-3932 thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking

Red Hat Enterprise Linux for x86_64 10

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
x86_64
thunderbird-128.10.1-1.el10_0.x86_64.rpm SHA-256: 8a623aad951fac3b7d6da6774c55df3e8a752af9e2807211a88187637de0337a
thunderbird-debuginfo-128.10.1-1.el10_0.x86_64.rpm SHA-256: 1ae2e34d612a415d95ae77a719844e1846d261a11cc9300e428bc401b795b19e
thunderbird-debugsource-128.10.1-1.el10_0.x86_64.rpm SHA-256: 7036bc595e13c9d1d98b6b70abff1568bdc77b32b054fbb1a217ea899248c01d

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
x86_64
thunderbird-128.10.1-1.el10_0.x86_64.rpm SHA-256: 8a623aad951fac3b7d6da6774c55df3e8a752af9e2807211a88187637de0337a
thunderbird-debuginfo-128.10.1-1.el10_0.x86_64.rpm SHA-256: 1ae2e34d612a415d95ae77a719844e1846d261a11cc9300e428bc401b795b19e
thunderbird-debugsource-128.10.1-1.el10_0.x86_64.rpm SHA-256: 7036bc595e13c9d1d98b6b70abff1568bdc77b32b054fbb1a217ea899248c01d

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
s390x
thunderbird-128.10.1-1.el10_0.s390x.rpm SHA-256: b5da6917410f44b90986d5dbc0744278277acc078eefc805579d6ece94f42ac9
thunderbird-debuginfo-128.10.1-1.el10_0.s390x.rpm SHA-256: 808d719edbaf0fe8543802b770181e823b51c692599e36b67e4ea59e80273809
thunderbird-debugsource-128.10.1-1.el10_0.s390x.rpm SHA-256: 25483cd36e4104323bd79a66d52bdc17bff59d1c312bdf564a985b2edea02e6b

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
s390x
thunderbird-128.10.1-1.el10_0.s390x.rpm SHA-256: b5da6917410f44b90986d5dbc0744278277acc078eefc805579d6ece94f42ac9
thunderbird-debuginfo-128.10.1-1.el10_0.s390x.rpm SHA-256: 808d719edbaf0fe8543802b770181e823b51c692599e36b67e4ea59e80273809
thunderbird-debugsource-128.10.1-1.el10_0.s390x.rpm SHA-256: 25483cd36e4104323bd79a66d52bdc17bff59d1c312bdf564a985b2edea02e6b

Red Hat Enterprise Linux for Power, little endian 10

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
ppc64le
thunderbird-128.10.1-1.el10_0.ppc64le.rpm SHA-256: 35f906a9415ec2779c01b77ac873bbbc6116e185177ca40f44e145b6ebfe6c54
thunderbird-debuginfo-128.10.1-1.el10_0.ppc64le.rpm SHA-256: b0dc67453c0578a74e1fdd7591449176b669239f28e7350c38eaa39c4aed2bec
thunderbird-debugsource-128.10.1-1.el10_0.ppc64le.rpm SHA-256: 7497e09b22bd99c59ffeca1186262ed43b468003cdfeccf84ef47a48fb12dea5

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
ppc64le
thunderbird-128.10.1-1.el10_0.ppc64le.rpm SHA-256: 35f906a9415ec2779c01b77ac873bbbc6116e185177ca40f44e145b6ebfe6c54
thunderbird-debuginfo-128.10.1-1.el10_0.ppc64le.rpm SHA-256: b0dc67453c0578a74e1fdd7591449176b669239f28e7350c38eaa39c4aed2bec
thunderbird-debugsource-128.10.1-1.el10_0.ppc64le.rpm SHA-256: 7497e09b22bd99c59ffeca1186262ed43b468003cdfeccf84ef47a48fb12dea5

Red Hat Enterprise Linux for ARM 64 10

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
aarch64
thunderbird-128.10.1-1.el10_0.aarch64.rpm SHA-256: cb59eb94789fd0ebab9613431f282aa1d4a43f0d69051ab48cde3cd224fe6c0a
thunderbird-debuginfo-128.10.1-1.el10_0.aarch64.rpm SHA-256: f82b7d9f9b70f7d6ebd65a212ec0e4f31163d6fbe8ca5163ae07a970ce75bc1d
thunderbird-debugsource-128.10.1-1.el10_0.aarch64.rpm SHA-256: b2b2072717dd3442c25810ec6498d32e0823529bd1f0432d15685ca4370d9175

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
aarch64
thunderbird-128.10.1-1.el10_0.aarch64.rpm SHA-256: cb59eb94789fd0ebab9613431f282aa1d4a43f0d69051ab48cde3cd224fe6c0a
thunderbird-debuginfo-128.10.1-1.el10_0.aarch64.rpm SHA-256: f82b7d9f9b70f7d6ebd65a212ec0e4f31163d6fbe8ca5163ae07a970ce75bc1d
thunderbird-debugsource-128.10.1-1.el10_0.aarch64.rpm SHA-256: b2b2072717dd3442c25810ec6498d32e0823529bd1f0432d15685ca4370d9175

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
aarch64
thunderbird-128.10.1-1.el10_0.aarch64.rpm SHA-256: cb59eb94789fd0ebab9613431f282aa1d4a43f0d69051ab48cde3cd224fe6c0a
thunderbird-debuginfo-128.10.1-1.el10_0.aarch64.rpm SHA-256: f82b7d9f9b70f7d6ebd65a212ec0e4f31163d6fbe8ca5163ae07a970ce75bc1d
thunderbird-debugsource-128.10.1-1.el10_0.aarch64.rpm SHA-256: b2b2072717dd3442c25810ec6498d32e0823529bd1f0432d15685ca4370d9175

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
s390x
thunderbird-128.10.1-1.el10_0.s390x.rpm SHA-256: b5da6917410f44b90986d5dbc0744278277acc078eefc805579d6ece94f42ac9
thunderbird-debuginfo-128.10.1-1.el10_0.s390x.rpm SHA-256: 808d719edbaf0fe8543802b770181e823b51c692599e36b67e4ea59e80273809
thunderbird-debugsource-128.10.1-1.el10_0.s390x.rpm SHA-256: 25483cd36e4104323bd79a66d52bdc17bff59d1c312bdf564a985b2edea02e6b

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
ppc64le
thunderbird-128.10.1-1.el10_0.ppc64le.rpm SHA-256: 35f906a9415ec2779c01b77ac873bbbc6116e185177ca40f44e145b6ebfe6c54
thunderbird-debuginfo-128.10.1-1.el10_0.ppc64le.rpm SHA-256: b0dc67453c0578a74e1fdd7591449176b669239f28e7350c38eaa39c4aed2bec
thunderbird-debugsource-128.10.1-1.el10_0.ppc64le.rpm SHA-256: 7497e09b22bd99c59ffeca1186262ed43b468003cdfeccf84ef47a48fb12dea5

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0

SRPM
thunderbird-128.10.1-1.el10_0.src.rpm SHA-256: 6db65a14f4e6a3361b83c2f2d96e1b4b019c246dfcb317ca0b8c9c3731fa6ae2
x86_64
thunderbird-128.10.1-1.el10_0.x86_64.rpm SHA-256: 8a623aad951fac3b7d6da6774c55df3e8a752af9e2807211a88187637de0337a
thunderbird-debuginfo-128.10.1-1.el10_0.x86_64.rpm SHA-256: 1ae2e34d612a415d95ae77a719844e1846d261a11cc9300e428bc401b795b19e
thunderbird-debugsource-128.10.1-1.el10_0.x86_64.rpm SHA-256: 7036bc595e13c9d1d98b6b70abff1568bdc77b32b054fbb1a217ea899248c01d

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.