Updated thunderbird packages fix security vulnerabilities
Publication date: 15 Dec 2025
Modification date: 15 Dec 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-14321, CVE-2025-14322, CVE-2025-14323, CVE-2025-14324, CVE-2025-14325, CVE-2025-14328, CVE-2025-14329, CVE-2025-14330, CVE-2025-14331, CVE-2025-14333
Description
Use-after-free in the WebRTC: Signaling component. (CVE-2025-14321)
Sandbox escape due to incorrect boundary conditions in the Graphics:
CanvasWebGL component. (CVE-2025-14322)
Privilege escalation in the DOM: Notifications component.
(CVE-2025-14323)
JIT miscompilation in the JavaScript Engine: JIT component.
(CVE-2025-14324, CVE-2025-14325, CVE-2025-14330)
Privilege escalation in the Netmonitor component. (CVE-2025-14328,
CVE-2025-14329)
Same-origin policy bypass in the Request Handling component.
(CVE-2025-14331)
Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6,
Firefox 146 and Thunderbird 146. (CVE-2025-14333)
References
- https://bugs.mageia.org/show_bug.cgi?id=34820
- https://www.thunderbird.net/en-US/thunderbird/140.6.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-96/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14321
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14322
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14323
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14324
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14325
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14328
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14329
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14330
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14331
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14333
SRPMS
9/core
- thunderbird-140.6.0-1.mga9
- thunderbird-l10n-140.6.0-1.mga9