Description
Security update for MozillaThunderbird
This update for MozillaThunderbird fixes the following issues:
Update to Mozilla Thunderbird 128.12 (MFSA 2025-55, bsc#1244670):
- CVE-2025-6424: Use-after-free in FontFaceSet (bmo#1966423)
- CVE-2025-6425: The WebCompat WebExtension shipped exposed a persistent UUID (bmo#1717672)
- CVE-2025-6426: No warning when opening executable terminal files on macOS (bmo#1964385)
- CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com (bmo#1970658)
- CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag (bmo#1971140)
Package list
SUSE Linux Enterprise Module for Package Hub 15 SP6
SUSE Linux Enterprise Module for Package Hub 15 SP7
SUSE Linux Enterprise Workstation Extension 15 SP6
SUSE Linux Enterprise Workstation Extension 15 SP7
openSUSE Leap 15.6
References
- Link for SUSE-SU-2025:02368-1
- E-Mail link for SUSE-SU-2025:02368-1
- SUSE Security Ratings
- SUSE Bug 1244670
- SUSE CVE CVE-2025-6424 page
- SUSE CVE CVE-2025-6425 page
- SUSE CVE CVE-2025-6426 page
- SUSE CVE CVE-2025-6429 page
- SUSE CVE CVE-2025-6430 page
Description
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
Affected products
References
- CVE-2025-6424
- SUSE Bug 1244670
Description
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
Affected products
References
- CVE-2025-6425
- SUSE Bug 1244670
Description
The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
Affected products
References
- CVE-2025-6426
- SUSE Bug 1244670
Description
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
Affected products
References
- CVE-2025-6429
- SUSE Bug 1244670
Description
When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via an `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
Affected products
References
- CVE-2025-6430
- SUSE Bug 1244670