OESA-2025-1912

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1912
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1912.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1912
Upstream
Published
2025-07-25T13:17:26Z
Modified
2025-08-12T05:52:28.767776Z
Summary
thunderbird security update
Details

Security Fix(es):

A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.(CVE-2025-6424)

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.(CVE-2025-6425)

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.(CVE-2025-6429)

When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a &amp;lt;embed&amp;gt; or &amp;lt;object&amp;gt; tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12.(CVE-2025-6430)

Database specific 
{
    "severity": "Critical"
}
References

Affected packages

openEuler:24.03-LTS-SP2 / thunderbird

Package

Name
thunderbird
Purl
pkg:rpm/openEuler/thunderbird&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
128.12.0-1.oe2403sp2

Ecosystem specific 

{
    "src": [
        "thunderbird-128.12.0-1.oe2403sp2.src.rpm"
    ],
    "x86_64": [
        "thunderbird-128.12.0-1.oe2403sp2.x86_64.rpm",
        "thunderbird-debuginfo-128.12.0-1.oe2403sp2.x86_64.rpm",
        "thunderbird-debugsource-128.12.0-1.oe2403sp2.x86_64.rpm",
        "thunderbird-librnp-rnp-128.12.0-1.oe2403sp2.x86_64.rpm",
        "thunderbird-wayland-128.12.0-1.oe2403sp2.x86_64.rpm"
    ],
    "aarch64": [
        "thunderbird-128.12.0-1.oe2403sp2.aarch64.rpm",
        "thunderbird-debuginfo-128.12.0-1.oe2403sp2.aarch64.rpm",
        "thunderbird-debugsource-128.12.0-1.oe2403sp2.aarch64.rpm",
        "thunderbird-librnp-rnp-128.12.0-1.oe2403sp2.aarch64.rpm",
        "thunderbird-wayland-128.12.0-1.oe2403sp2.aarch64.rpm"
    ]
}