Security update for MozillaThunderbird

Announcement ID:	SUSE-SU-2025:0405-1
Release Date:	2025-02-10T13:54:56Z
Rating:	important
References:	bsc#1236411 bsc#1236539
Cross-References:	CVE-2024-11704 CVE-2025-0510 CVE-2025-1009 CVE-2025-1010 CVE-2025-1011 CVE-2025-1012 CVE-2025-1013 CVE-2025-1014 CVE-2025-1015 CVE-2025-1016 CVE-2025-1017
CVSS scores:	CVE-2024-11704 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-0510 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2025-0510 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2025-0510 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2025-1009 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H CVE-2025-1009 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-1009 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-1010 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H CVE-2025-1010 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-1010 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1011 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1011 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-1011 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1012 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1012 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1012 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-1013 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2025-1013 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-1014 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2025-1014 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1014 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1015 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1015 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2025-1015 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2025-1016 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1016 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-1016 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-1017 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-1017 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-1017 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Workstation Extension 15 SP6 SUSE Package Hub 15 15-SP6

An update that solves 11 vulnerabilities can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

Update to Mozilla Thunderbird 128.7 (MFSA 2025-10, bsc#1236539).

Security fixes:

• CVE-2025-1009: use-after-free in XSLT.
• CVE-2025-1010: use-after-free in Custom Highlight.
• CVE-2025-1011: a bug in WebAssembly code generation could result in a crash.
• CVE-2025-1012: use-after-free during concurrent delazification.
• CVE-2024-11704: potential double-free vulnerability in PKCS#7 decryption handling.
• CVE-2025-1013: potential opening of private browsing tabs in normal browsing windows.
• CVE-2025-1014: certificate length was not properly checked.
• CVE-2025-1015: unsanitized address book fields.
• CVE-2025-0510: address of e-mail sender can be spoofed by malicious email.
• CVE-2025-1016: memory safety bugs.
• CVE-2025-1017: memory safety bugs.

Other fixes:

• fixed: images inside links could zoom when clicked instead of opening the link.
• fixed: compacting an empty folder failed with write error.
• fixed: compacting of IMAP folder with corrupted local storage failed with write error.
• fixed: after restart, all restored tabs with opened PDFs showed the same attachment.
• fixed: exceptions during CalDAV item processing would halt subsequent item handling.
• fixed: context menu was unable to move email address to a different field.
• fixed: link at about:rights pointed to Firefox privacy policy instead of Thunderbird's.
• fixed: POP3 'fetch headers only' and 'get selected messages' could delete messages.
• fixed: 'Search Online' checkbox in saved search properties was incorrectly disabled.
• fixed: POP3 status message showed incorrect download count when messages were deleted.
• fixed: space bar did not always advance to the next unread message.
• fixed: folder creation or renaming failed due to incorrect preference settings.
• fixed: forwarding/editing S/MIME drafts/templates unusable due to regression (bsc#1236411).
• fixed: sort order in 'Search Messages' panel reset after search or on first launch.
• fixed: reply window added an unnecessary third blank line at the top.
• fixed: Thunderbird spell check box did not allow ENTER to accept suggested changes.
• fixed: long email subject lines could overlap window control buttons on macOS.
• fixed: flathub manifest link was not correct.
• fixed: 'Prefer client-side email scheduling' needed to be selected twice.
• fixed: duplicate invitations were sent if CALDAV calendar email case did not match.
• fixed: visual and UX improvements.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-405=1
• SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-405=1
• SUSE Linux Enterprise Workstation Extension 15 SP6
  zypper in -t patch SUSE-SLE-Product-WE-15-SP6-2025-405=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • MozillaThunderbird-128.7.0-150200.8.200.1
  • MozillaThunderbird-debuginfo-128.7.0-150200.8.200.1
  • MozillaThunderbird-translations-common-128.7.0-150200.8.200.1
  • MozillaThunderbird-debugsource-128.7.0-150200.8.200.1
  • MozillaThunderbird-translations-other-128.7.0-150200.8.200.1
• SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x)
  • MozillaThunderbird-128.7.0-150200.8.200.1
  • MozillaThunderbird-debuginfo-128.7.0-150200.8.200.1
  • MozillaThunderbird-translations-common-128.7.0-150200.8.200.1
  • MozillaThunderbird-debugsource-128.7.0-150200.8.200.1
  • MozillaThunderbird-translations-other-128.7.0-150200.8.200.1
• SUSE Linux Enterprise Workstation Extension 15 SP6 (x86_64)
  • MozillaThunderbird-128.7.0-150200.8.200.1
  • MozillaThunderbird-debuginfo-128.7.0-150200.8.200.1
  • MozillaThunderbird-translations-common-128.7.0-150200.8.200.1
  • MozillaThunderbird-debugsource-128.7.0-150200.8.200.1
  • MozillaThunderbird-translations-other-128.7.0-150200.8.200.1

References:

• https://www.suse.com/security/cve/CVE-2024-11704.html
• https://www.suse.com/security/cve/CVE-2025-0510.html
• https://www.suse.com/security/cve/CVE-2025-1009.html
• https://www.suse.com/security/cve/CVE-2025-1010.html
• https://www.suse.com/security/cve/CVE-2025-1011.html
• https://www.suse.com/security/cve/CVE-2025-1012.html
• https://www.suse.com/security/cve/CVE-2025-1013.html
• https://www.suse.com/security/cve/CVE-2025-1014.html
• https://www.suse.com/security/cve/CVE-2025-1015.html
• https://www.suse.com/security/cve/CVE-2025-1016.html
• https://www.suse.com/security/cve/CVE-2025-1017.html
• https://bugzilla.suse.com/show_bug.cgi?id=1236411
• https://bugzilla.suse.com/show_bug.cgi?id=1236539