Issued:: 2025-06-09
Updated:: 2025-06-09

RHSA-2025:8630 - Security Advisory

Overview
Updated Packages

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

firefox: thunderbird: Out-of-bounds access when resolving Promise objects (CVE-2025-4918)
firefox: thunderbird: Out-of-bounds access when optimizing linear sums (CVE-2025-4919)
firefox: thunderbird: Clickjacking vulnerability could have led to leaking saved payment card details (CVE-2025-5267)
firefox: thunderbird: Potential local code execution in ?Copy as cURL? command (CVE-2025-5264)
firefox: thunderbird: Memory safety bugs (CVE-2025-5268)
firefox: thunderbird: Script element events leaked cross-origin resource status (CVE-2025-5266)
firefox: thunderbird: Error handling for script execution was incorrectly isolated from web content (CVE-2025-5263)
firefox: thunderbird: Memory safety bug (CVE-2025-5269)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server - AUS 8.4 x86_64

Fixes

BZ - 2367016 - CVE-2025-4918 firefox: thunderbird: Out-of-bounds access when resolving Promise objects
BZ - 2367018 - CVE-2025-4919 firefox: thunderbird: Out-of-bounds access when optimizing linear sums
BZ - 2368750 - CVE-2025-5267 firefox: thunderbird: Clickjacking vulnerability could have led to leaking saved payment card details
BZ - 2368751 - CVE-2025-5264 firefox: thunderbird: Potential local code execution in ?Copy as cURL? command
BZ - 2368752 - CVE-2025-5268 firefox: thunderbird: Memory safety bugs
BZ - 2368755 - CVE-2025-5266 firefox: thunderbird: Script element events leaked cross-origin resource status
BZ - 2368756 - CVE-2025-5263 firefox: thunderbird: Error handling for script execution was incorrectly isolated from web content
BZ - 2368757 - CVE-2025-5269 firefox: thunderbird: Memory safety bug

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server - AUS 8.4

SRPM
thunderbird-128.11.0-1.el8_4.src.rpm	SHA-256: a3a2a4454c4e5facc8d1d92633619f06047f0d3b98b0d2e7d0c8e3e9d05abfa7
x86_64
thunderbird-128.11.0-1.el8_4.x86_64.rpm	SHA-256: 3a8ead4a35c340709b474818131a31ac627dfc5b5fb4177758ed8d2f3e77d0f1
thunderbird-debuginfo-128.11.0-1.el8_4.x86_64.rpm	SHA-256: 1734578ff1fab244112fcf29d506fba4a0460d960ff9daa703c32e1f9f3502fa
thunderbird-debugsource-128.11.0-1.el8_4.x86_64.rpm	SHA-256: 0517b4767d5fbac147b162ce8c113098e16df8e4842222273280dad179982f19

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation