Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.
Security Fix(es):
A vulnerability was found in Mozilla Thunderbird up to 140 on 64-bit (Mail Client Software). It has been classified as critical. CWE is classifying the issue as CWE-252. The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. This is going to have an impact on confidentiality, integrity, and availability. Upgrading to version 141 eliminates this vulnerability. (CVE-2025-8027)
A vulnerability was found in Mozilla Firefox up to 140 on ARM64 (Web Browser). It has been declared as critical. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 141 eliminates this vulnerability. (CVE-2025-8028)
A vulnerability classified as critical has been found in Mozilla Firefox up to 140 (Web Browser). CWE is classifying the issue as CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. This is going to have an impact on confidentiality, integrity, and availability. Upgrading to version 141 eliminates this vulnerability. (CVE-2025-8029)
A vulnerability, which was classified as critical, was found in Mozilla Thunderbird up to 140 (Mail Client Software). CWE is classifying the issue as CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. This is going to have an impact on confidentiality, integrity, and availability. Upgrading to version 141 eliminates this vulnerability. (CVE-2025-8030)
A vulnerability was found in Mozilla Thunderbird up to 140 (Mail Client Software) and classified as problematic. Using CWE to declare the problem leads to CWE-534. This entry has been deprecated because its abstraction was too low-level. See CWE-532. Impacted is confidentiality. Upgrading to version 141 eliminates this vulnerability. (CVE-2025-8031)
A vulnerability, which was classified as problematic, has been found in Mozilla Firefox up to 140 (Web Browser). Using CWE to declare the problem leads to CWE-942. The product uses a cross-domain policy file that includes domains that should not be trusted. Impacted is integrity. Upgrading to version 141 eliminates this vulnerability. (CVE-2025-8032)
A vulnerability was found in Mozilla Firefox up to 140 (Web Browser). It has been classified as problematic. CWE is classifying the issue as CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. This is going to have an impact on availability. Upgrading to version 141 eliminates this vulnerability. (CVE-2025-8033)
A vulnerability was found in Mozilla Thunderbird up to 140 (Mail Client Software). It has been classified as critical. CWE is classifying the issue as CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This is going to have an impact on confidentiality, integrity, and availability. Upgrading to version 141 eliminates this vulnerability. (CVE-2025-8034)
A vulnerability was found in Mozilla Thunderbird up to 140 (Mail Client Software). It has been rated as critical. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. Upgrading to version 141 eliminates this vulnerability. (CVE-2025-8035)
{ "severity": "Critical" }
{ "src": [ "firefox-128.13.0-1.oe2403sp1.src.rpm" ], "x86_64": [ "firefox-128.13.0-1.oe2403sp1.x86_64.rpm", "firefox-debuginfo-128.13.0-1.oe2403sp1.x86_64.rpm", "firefox-debugsource-128.13.0-1.oe2403sp1.x86_64.rpm" ], "aarch64": [ "firefox-128.13.0-1.oe2403sp1.aarch64.rpm", "firefox-debuginfo-128.13.0-1.oe2403sp1.aarch64.rpm", "firefox-debugsource-128.13.0-1.oe2403sp1.aarch64.rpm" ] }