Описание
Security update for MozillaThunderbird
This update for MozillaThunderbird fixes the following issues:
Updated to Mozilla Thunderbird 140.2 MFSA 2025-72 (bsc#1248162):
- CVE-2025-9179: Sandbox escape due to invalid pointer in the Audio/Video: GMP component
- CVE-2025-9180: Same-origin policy bypass in the Graphics: Canvas2D component
- CVE-2025-9181: Uninitialized memory in the JavaScript Engine component
- CVE-2025-9182: Denial-of-service due to out-of-memory in the Graphics: WebRender component
- CVE-2025-9184: Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
- CVE-2025-9185: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
Other fixes:
- Users were unable to use Fastmail calendars due to missing OAuth settings
- Account setup error handling was broken for Account hub
- Menu bar was hidden after updating from 128esr to 140esr
Список пакетов
SUSE Linux Enterprise Module for Package Hub 15 SP6
SUSE Linux Enterprise Module for Package Hub 15 SP7
SUSE Linux Enterprise Workstation Extension 15 SP6
SUSE Linux Enterprise Workstation Extension 15 SP7
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:03007-1
- E-Mail link for SUSE-SU-2025:03007-1
- SUSE Security Ratings
- SUSE Bug 1248162
- SUSE CVE CVE-2025-9179 page
- SUSE CVE CVE-2025-9180 page
- SUSE CVE CVE-2025-9181 page
- SUSE CVE CVE-2025-9182 page
- SUSE CVE CVE-2025-9184 page
- SUSE CVE CVE-2025-9185 page
Описание
An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
Затронутые продукты
Ссылки
- CVE-2025-9179
- SUSE Bug 1248162
Описание
'Same-origin policy bypass in the Graphics: Canvas2D component.' This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
Затронутые продукты
Ссылки
- CVE-2025-9180
- SUSE Bug 1248162
Описание
Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
Затронутые продукты
Ссылки
- CVE-2025-9181
- SUSE Bug 1248162
Описание
'Denial-of-service due to out-of-memory in the Graphics: WebRender component.' This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2.
Затронутые продукты
Ссылки
- CVE-2025-9182
- SUSE Bug 1248162
Описание
Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2.
Затронутые продукты
Ссылки
- CVE-2025-9184
- SUSE Bug 1248162
Описание
Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
Затронутые продукты
Ссылки
- CVE-2025-9185
- SUSE Bug 1248162