Red Hat Product Errata RHSA-2025:8203 - Security Advisory
Issued:
2025-05-27
Updated:
2025-05-27

RHSA-2025:8203 - Security Advisory

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

  • thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link (CVE-2025-3909)
  • thunderbird: Sender Spoofing via Malformed From Header in Thunderbird (CVE-2025-3875)
  • thunderbird: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links (CVE-2025-3877)
  • thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking (CVE-2025-3932)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 9.6 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x

Fixes

  • BZ - 2366283 - CVE-2025-3909 thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link
  • BZ - 2366287 - CVE-2025-3875 thunderbird: Sender Spoofing via Malformed From Header in Thunderbird
  • BZ - 2366291 - CVE-2025-3877 thunderbird: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links
  • BZ - 2366297 - CVE-2025-3932 thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking

Red Hat Enterprise Linux for x86_64 9

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
x86_64
thunderbird-128.10.1-1.el9_6.x86_64.rpm SHA-256: ea47e543d4baff54d4a4b1a4b3b47c86f8d7c6aad613a70d61e86ac7d23887e5
thunderbird-debuginfo-128.10.1-1.el9_6.x86_64.rpm SHA-256: 3240e5a3c117236e061036a04736911a255e5b70a50a2a66fd79b9a29021ad19
thunderbird-debugsource-128.10.1-1.el9_6.x86_64.rpm SHA-256: d3e31162de651a4c80e70aa0bce9f02e3d0e7a0293d3a6fb4d07bb91aab1090d

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
x86_64
thunderbird-128.10.1-1.el9_6.x86_64.rpm SHA-256: ea47e543d4baff54d4a4b1a4b3b47c86f8d7c6aad613a70d61e86ac7d23887e5
thunderbird-debuginfo-128.10.1-1.el9_6.x86_64.rpm SHA-256: 3240e5a3c117236e061036a04736911a255e5b70a50a2a66fd79b9a29021ad19
thunderbird-debugsource-128.10.1-1.el9_6.x86_64.rpm SHA-256: d3e31162de651a4c80e70aa0bce9f02e3d0e7a0293d3a6fb4d07bb91aab1090d

Red Hat Enterprise Linux Server - AUS 9.6

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
x86_64
thunderbird-128.10.1-1.el9_6.x86_64.rpm SHA-256: ea47e543d4baff54d4a4b1a4b3b47c86f8d7c6aad613a70d61e86ac7d23887e5
thunderbird-debuginfo-128.10.1-1.el9_6.x86_64.rpm SHA-256: 3240e5a3c117236e061036a04736911a255e5b70a50a2a66fd79b9a29021ad19
thunderbird-debugsource-128.10.1-1.el9_6.x86_64.rpm SHA-256: d3e31162de651a4c80e70aa0bce9f02e3d0e7a0293d3a6fb4d07bb91aab1090d

Red Hat Enterprise Linux for IBM z Systems 9

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
s390x
thunderbird-128.10.1-1.el9_6.s390x.rpm SHA-256: 36bfba7c01e4d2b41585c301f04788d19a56eb19eed73ae9860b470be8072be3
thunderbird-debuginfo-128.10.1-1.el9_6.s390x.rpm SHA-256: 8bb84676b7abdf72801f1406d1e0f8211d8e17ef1f007fb99b2b213d3d80bcc1
thunderbird-debugsource-128.10.1-1.el9_6.s390x.rpm SHA-256: a0c9f3b718fc6ebbbd4ec0cebd8557c0f2bca2fb55a81bd5d8ca23e7ddbf6087

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
s390x
thunderbird-128.10.1-1.el9_6.s390x.rpm SHA-256: 36bfba7c01e4d2b41585c301f04788d19a56eb19eed73ae9860b470be8072be3
thunderbird-debuginfo-128.10.1-1.el9_6.s390x.rpm SHA-256: 8bb84676b7abdf72801f1406d1e0f8211d8e17ef1f007fb99b2b213d3d80bcc1
thunderbird-debugsource-128.10.1-1.el9_6.s390x.rpm SHA-256: a0c9f3b718fc6ebbbd4ec0cebd8557c0f2bca2fb55a81bd5d8ca23e7ddbf6087

Red Hat Enterprise Linux for Power, little endian 9

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
ppc64le
thunderbird-128.10.1-1.el9_6.ppc64le.rpm SHA-256: 63580c2908fe85a4a11dc80e5700be77a654e9b20c4b0ce447516a6e653a2342
thunderbird-debuginfo-128.10.1-1.el9_6.ppc64le.rpm SHA-256: 3deab2288a7d9437e182a293b6338685f90440f31d29dca479ba112dd6c756a7
thunderbird-debugsource-128.10.1-1.el9_6.ppc64le.rpm SHA-256: 79fab15710acc086367080a6cced1db5c17647151a9b39cc6c3955ae80555d90

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
ppc64le
thunderbird-128.10.1-1.el9_6.ppc64le.rpm SHA-256: 63580c2908fe85a4a11dc80e5700be77a654e9b20c4b0ce447516a6e653a2342
thunderbird-debuginfo-128.10.1-1.el9_6.ppc64le.rpm SHA-256: 3deab2288a7d9437e182a293b6338685f90440f31d29dca479ba112dd6c756a7
thunderbird-debugsource-128.10.1-1.el9_6.ppc64le.rpm SHA-256: 79fab15710acc086367080a6cced1db5c17647151a9b39cc6c3955ae80555d90

Red Hat Enterprise Linux for ARM 64 9

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
aarch64
thunderbird-128.10.1-1.el9_6.aarch64.rpm SHA-256: ac4d6bd062032dec5ae35d1636ea69b2ba3da565c605fce9cfe6067a6df4e46f
thunderbird-debuginfo-128.10.1-1.el9_6.aarch64.rpm SHA-256: f3c9f569b18cda6d68dea6e4ce5c31c8ba59664d89fb7a053ddfa5266d98fafb
thunderbird-debugsource-128.10.1-1.el9_6.aarch64.rpm SHA-256: d0e20965591d82228d5f25c2e7258dafd68cd50529fae5b35f5451b3a066f707

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
aarch64
thunderbird-128.10.1-1.el9_6.aarch64.rpm SHA-256: ac4d6bd062032dec5ae35d1636ea69b2ba3da565c605fce9cfe6067a6df4e46f
thunderbird-debuginfo-128.10.1-1.el9_6.aarch64.rpm SHA-256: f3c9f569b18cda6d68dea6e4ce5c31c8ba59664d89fb7a053ddfa5266d98fafb
thunderbird-debugsource-128.10.1-1.el9_6.aarch64.rpm SHA-256: d0e20965591d82228d5f25c2e7258dafd68cd50529fae5b35f5451b3a066f707

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
ppc64le
thunderbird-128.10.1-1.el9_6.ppc64le.rpm SHA-256: 63580c2908fe85a4a11dc80e5700be77a654e9b20c4b0ce447516a6e653a2342
thunderbird-debuginfo-128.10.1-1.el9_6.ppc64le.rpm SHA-256: 3deab2288a7d9437e182a293b6338685f90440f31d29dca479ba112dd6c756a7
thunderbird-debugsource-128.10.1-1.el9_6.ppc64le.rpm SHA-256: 79fab15710acc086367080a6cced1db5c17647151a9b39cc6c3955ae80555d90

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
x86_64
thunderbird-128.10.1-1.el9_6.x86_64.rpm SHA-256: ea47e543d4baff54d4a4b1a4b3b47c86f8d7c6aad613a70d61e86ac7d23887e5
thunderbird-debuginfo-128.10.1-1.el9_6.x86_64.rpm SHA-256: 3240e5a3c117236e061036a04736911a255e5b70a50a2a66fd79b9a29021ad19
thunderbird-debugsource-128.10.1-1.el9_6.x86_64.rpm SHA-256: d3e31162de651a4c80e70aa0bce9f02e3d0e7a0293d3a6fb4d07bb91aab1090d

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
aarch64
thunderbird-128.10.1-1.el9_6.aarch64.rpm SHA-256: ac4d6bd062032dec5ae35d1636ea69b2ba3da565c605fce9cfe6067a6df4e46f
thunderbird-debuginfo-128.10.1-1.el9_6.aarch64.rpm SHA-256: f3c9f569b18cda6d68dea6e4ce5c31c8ba59664d89fb7a053ddfa5266d98fafb
thunderbird-debugsource-128.10.1-1.el9_6.aarch64.rpm SHA-256: d0e20965591d82228d5f25c2e7258dafd68cd50529fae5b35f5451b3a066f707

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6

SRPM
thunderbird-128.10.1-1.el9_6.src.rpm SHA-256: f34b871d252283027ea71cf96600ba4c356bdc2f9a93e3ae18d295c551b40713
s390x
thunderbird-128.10.1-1.el9_6.s390x.rpm SHA-256: 36bfba7c01e4d2b41585c301f04788d19a56eb19eed73ae9860b470be8072be3
thunderbird-debuginfo-128.10.1-1.el9_6.s390x.rpm SHA-256: 8bb84676b7abdf72801f1406d1e0f8211d8e17ef1f007fb99b2b213d3d80bcc1
thunderbird-debugsource-128.10.1-1.el9_6.s390x.rpm SHA-256: a0c9f3b718fc6ebbbd4ec0cebd8557c0f2bca2fb55a81bd5d8ca23e7ddbf6087

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.