Advisories » MGASA-2025-0228

Updated thunderbird packages fix vulnerabilities

Publication date: 05 Sep 2025
Modification date: 05 Sep 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-6424 , CVE-2025-6425 , CVE-2025-6429 , CVE-2025-6430 , CVE-2025-8027 , CVE-2025-8028 , CVE-2025-8029 , CVE-2025-8030 , CVE-2025-8031 , CVE-2025-8032 , CVE-2025-8033 , CVE-2025-8034 , CVE-2025-8035 , CVE-2025-9179 , CVE-2025-9180 , CVE-2025-9181 , CVE-2025--9185

Description

Use-after-free in FontFaceSet. (CVE-2025-6424)
The WebCompat WebExtension shipped exposed a persistent UUID.
(CVE-2025-6425)
Incorrect parsing of URLs could have allowed embedding of youtube.com.
(CVE-2025-6429)
Content-Disposition header ignored when a file is included in an embed
or object tag. (CVE-2025-6430)
JavaScript engine only wrote partial return value to stack.
(CVE-2025-8027)
Large branch table could lead to truncated instruction. (CVE-2025-8028)
Javascript: URLs executed on object and embed tags. (CVE-2025-8029)
Potential user-assisted code execution in “Copy as cURL” command.
(CVE-2025-8030)
Incorrect URL stripping in CSP reports. (CVE-2025-8031)
XSLT documents could bypass CSP. (CVE-2025-8032)
Incorrect JavaScript state machine for generators. (CVE-2025-8033)
Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13,
Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1,
Firefox 141 and Thunderbird 141. (CVE-2025-8034)
Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13,
Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird
141. (CVE-2025-8035)
Sandbox escape due to invalid pointer in the Audio/Video: GMP component.
(CVE-2025-9179)
Same-origin policy bypass in the Graphics: Canvas2D component.
(CVE-2025-9180)
Uninitialized memory in the JavaScript Engine component. (CVE-2025-9181)
Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14,
Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2,
Firefox 142 and Thunderbird 142. (CVE-2025-9185).
For the armv7hl architecture this package fixes additional vulnerabilities;
see the links below:
https://advisories.mageia.org/MGASA-2025-0197.html
https://advisories.mageia.org/MGASA-2025-0168.html
https://advisories.mageia.org/MGASA-2025-0151.html
https://advisories.mageia.org/MGASA-2025-0126.html
https://advisories.mageia.org/MGASA-2025-0093.html
https://advisories.mageia.org/MGASA-2025-0048.html
https://advisories.mageia.org/MGASA-2025-0010.html
https://advisories.mageia.org/MGASA-2024-0395.html
https://advisories.mageia.org/MGASA-2024-0384.html
https://advisories.mageia.org/MGASA-2024-0365.html
https://advisories.mageia.org/MGASA-2024-0350.html
https://advisories.mageia.org/MGASA-2024-0336.html
https://advisories.mageia.org/MGASA-2024-0332.html

References

SRPMS

9/core