ALT-PU-2025-8611-2
Package thunderbird updated to version 139.0.2-alt1 for branch p11 in task 388283.
Closed vulnerabilities
BDU:2025-04709
Уязвимость почтового клиента Thunderbird, связанная с некорректной обработкой заголовка p2-from, позволяющая нарушителю проводить спуфинг атаки
BDU:2025-05734
Уязвимость почтового клиента Thunderbird, связанная с обходом аутентификации посредством спуфинга, позволяющая нарушителю выполнить произвольный код
BDU:2025-06016
Уязвимость обработчика JavaScript-сценариев браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании
BDU:2025-06048
Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с записью за границами буфера в памяти, позволяющая нарушителю выполнить произвольный код
BDU:2025-06221
Уязвимость функции Copy as cURL браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird операционных систем Windows, позволяющая нарушителю выполнить произвольный код
BDU:2025-06222
Уязвимость функции Copy as cURL браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю выполнить произвольный код
BDU:2025-06223
Уязвимость механизма CORS браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2025-06224
Уязвимость механизма CORS браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2025-06225
Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с непринятием мер по очистке данных на управляющем уровне, позволяющая нарушителю выполнить произвольный код
BDU:2025-06226
Уязвимость браузера Mozilla Firefox и почтового клиента Thunderbird, связанная с передачей конфиденциальной информации открытым текстом, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2025-06227
Уязвимость браузера Mozilla Firefox и почтового клиента Thunderbird, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код
BDU:2025-06228
Уязвимость функции предварительного просмотре ответа набора инструментов для веб-разработки DevTools браузера Mozilla Firefox и почтового клиента Thunderbird, позволяющая нарушителю обойти защитный механизм CSP (Content Security Policy)
BDU:2025-06229
Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с некорректным ограничением визуализированных слоев пользовательского интерфейса, позволяющая нарушителю провести атаку типа clickjacking («захват клика»)
Modified: 2025-06-05
CVE-2025-3875
Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Modified: 2025-06-05
CVE-2025-3909
Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Modified: 2025-06-05
CVE-2025-3932
It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Modified: 2025-05-28
CVE-2025-4918
An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1966612
- https://www.mozilla.org/security/advisories/mfsa2025-36/
- https://www.mozilla.org/security/advisories/mfsa2025-37/
- https://www.mozilla.org/security/advisories/mfsa2025-38/
- https://www.mozilla.org/security/advisories/mfsa2025-40/
- https://www.mozilla.org/security/advisories/mfsa2025-41/
- https://www.vicarius.io/vsociety/posts/cve-2025-4918-detect-firefox-out-of-bounds-write
- https://www.vicarius.io/vsociety/posts/cve-2025-4918-mitigate-firefox-out-of-bounds-write
Modified: 2025-05-28
CVE-2025-4919
An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1966614
- https://www.mozilla.org/security/advisories/mfsa2025-36/
- https://www.mozilla.org/security/advisories/mfsa2025-37/
- https://www.mozilla.org/security/advisories/mfsa2025-38/
- https://www.mozilla.org/security/advisories/mfsa2025-40/
- https://www.mozilla.org/security/advisories/mfsa2025-41/
Modified: 2025-08-25
CVE-2025-5262
A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 139 and Thunderbird < 128.11.
Modified: 2025-06-11
CVE-2025-5263
Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1960745
- https://www.mozilla.org/security/advisories/mfsa2025-42/
- https://www.mozilla.org/security/advisories/mfsa2025-43/
- https://www.mozilla.org/security/advisories/mfsa2025-44/
- https://www.mozilla.org/security/advisories/mfsa2025-45/
- https://www.mozilla.org/security/advisories/mfsa2025-46/
Modified: 2025-06-11
CVE-2025-5264
Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1950001
- https://www.mozilla.org/security/advisories/mfsa2025-42/
- https://www.mozilla.org/security/advisories/mfsa2025-43/
- https://www.mozilla.org/security/advisories/mfsa2025-44/
- https://www.mozilla.org/security/advisories/mfsa2025-45/
- https://www.mozilla.org/security/advisories/mfsa2025-46/
Modified: 2025-06-11
CVE-2025-5265
Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1962301
- https://www.mozilla.org/security/advisories/mfsa2025-42/
- https://www.mozilla.org/security/advisories/mfsa2025-43/
- https://www.mozilla.org/security/advisories/mfsa2025-44/
- https://www.mozilla.org/security/advisories/mfsa2025-45/
- https://www.mozilla.org/security/advisories/mfsa2025-46/
Modified: 2025-06-11
CVE-2025-5266
Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
Modified: 2025-06-11
CVE-2025-5267
A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
Modified: 2025-06-11
CVE-2025-5268
Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1950136%2C1958121%2C1960499%2C1962634
- https://www.mozilla.org/security/advisories/mfsa2025-42/
- https://www.mozilla.org/security/advisories/mfsa2025-44/
- https://www.mozilla.org/security/advisories/mfsa2025-45/
- https://www.mozilla.org/security/advisories/mfsa2025-46/
Modified: 2025-06-11
CVE-2025-5270
In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139.
Modified: 2025-06-11
CVE-2025-5271
Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139 and Thunderbird < 139.
Modified: 2025-06-11
CVE-2025-5272
Memory safety bugs present in Firefox 138 and Thunderbird 138. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 139 and Thunderbird < 139.
Modified: 2025-07-02
CVE-2025-5986
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird < 128.11.1 and Thunderbird < 139.0.2.