Updated thunderbird packages fix security vulnerabilities
Publication date: 27 May 2025
Modification date: 27 May 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-3875, CVE-2025-3877, CVE-2025-3909, CVE-2025-3932, CVE-2025-4918, CVE-2025-4919
Description
- Sender Spoofing via Malformed From Header in Thunderbird. (CVE-2025-3875)
- Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links. (CVE-2025-3877)
- JavaScript Execution via Spoofed PDF Attachment and file:/// Link. (CVE-2025-3909)
- Tracking Links in Attachments Bypassed Remote Content Blocking. (CVE-2025-3932)
- Out-of-bounds access when resolving Promise objects. (CVE-2025-4918)
- Out-of-bounds access when optimizing linear sums. (CVE-2025-4919)
References
- https://bugs.mageia.org/show_bug.cgi?id=34288
- https://www.thunderbird.net/en-US/thunderbird/128.10.1esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-34/
- https://www.thunderbird.net/en-US/thunderbird/128.10.2esr/releasenotes/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3875
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3877
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3909
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3932
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4918
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4919
SRPMS
9/core
- thunderbird-128.10.2-1.mga9
- thunderbird-l10n-128.10.2-1.mga9