Bug 33900 - Thunderbird 128.6
Summary: Thunderbird 128.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-01-09 09:21 CET by Nicolas Salguero
Modified: 2025-01-14 01:10 CET

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE: CVE-2025-0237, CVE-2025-0238, CVE-2025-0239, CVE-2025-0240, CVE-2025-0241, CVE-2025-0242, CVE-2025-0243
Status comment:


Description Nicolas Salguero 2025-01-09 09:21:10 CET
Mozilla has released Thunderbird 128.6 on January 8:
https://www.thunderbird.net/en-US/thunderbird/128.6.0esr/releasenotes/
Nicolas Salguero 2025-01-09 09:21:33 CET

Source RPM: (none) => thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2025-01-09 14:50:48 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

WebChannel APIs susceptible to confused deputy attack. (CVE-2025-0237)

Use-after-free when breaking lines in text. (CVE-2025-0238)

Alt-Svc ALPN validation failure when redirected. (CVE-2025-0239)

Compartment mismatch when parsing JavaScript JSON module. (CVE-2025-0240)

Memory corruption when using JavaScript Text Segmentation. (CVE-2025-0241)

Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. (CVE-2025-0242)

Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. (CVE-2025-0243)

References:
https://www.thunderbird.net/en-US/thunderbird/128.6.0esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-05/
========================

Updated packages in core/updates_testing:
========================
thunderbird-128.6.0-1.mga9
thunderbird-af-128.6.0-1.mga9
thunderbird-ar-128.6.0-1.mga9
thunderbird-ast-128.6.0-1.mga9
thunderbird-be-128.6.0-1.mga9
thunderbird-bg-128.6.0-1.mga9
thunderbird-br-128.6.0-1.mga9
thunderbird-ca-128.6.0-1.mga9
thunderbird-cs-128.6.0-1.mga9
thunderbird-cy-128.6.0-1.mga9
thunderbird-da-128.6.0-1.mga9
thunderbird-de-128.6.0-1.mga9
thunderbird-dsb-128.6.0-1.mga9
thunderbird-el-128.6.0-1.mga9
thunderbird-en_CA-128.6.0-1.mga9
thunderbird-en_GB-128.6.0-1.mga9
thunderbird-en_US-128.6.0-1.mga9
thunderbird-es_AR-128.6.0-1.mga9
thunderbird-es_ES-128.6.0-1.mga9
thunderbird-es_MX-128.6.0-1.mga9
thunderbird-et-128.6.0-1.mga9
thunderbird-eu-128.6.0-1.mga9
thunderbird-fi-128.6.0-1.mga9
thunderbird-fr-128.6.0-1.mga9
thunderbird-fy_NL-128.6.0-1.mga9
thunderbird-ga_IE-128.6.0-1.mga9
thunderbird-gd-128.6.0-1.mga9
thunderbird-gl-128.6.0-1.mga9
thunderbird-he-128.6.0-1.mga9
thunderbird-hr-128.6.0-1.mga9
thunderbird-hsb-128.6.0-1.mga9
thunderbird-hu-128.6.0-1.mga9
thunderbird-hy_AM-128.6.0-1.mga9
thunderbird-id-128.6.0-1.mga9
thunderbird-is-128.6.0-1.mga9
thunderbird-it-128.6.0-1.mga9
thunderbird-ja-128.6.0-1.mga9
thunderbird-ka-128.6.0-1.mga9
thunderbird-kab-128.6.0-1.mga9
thunderbird-kk-128.6.0-1.mga9
thunderbird-ko-128.6.0-1.mga9
thunderbird-lt-128.6.0-1.mga9
thunderbird-lv-128.6.0-1.mga9
thunderbird-ms-128.6.0-1.mga9
thunderbird-nb_NO-128.6.0-1.mga9
thunderbird-nl-128.6.0-1.mga9
thunderbird-nn_NO-128.6.0-1.mga9
thunderbird-pa_IN-128.6.0-1.mga9
thunderbird-pl-128.6.0-1.mga9
thunderbird-pt_BR-128.6.0-1.mga9
thunderbird-pt_PT-128.6.0-1.mga9
thunderbird-ro-128.6.0-1.mga9
thunderbird-ru-128.6.0-1.mga9
thunderbird-sk-128.6.0-1.mga9
thunderbird-sl-128.6.0-1.mga9
thunderbird-sq-128.6.0-1.mga9
thunderbird-sr-128.6.0-1.mga9
thunderbird-sv_SE-128.6.0-1.mga9
thunderbird-th-128.6.0-1.mga9
thunderbird-tr-128.6.0-1.mga9
thunderbird-uk-128.6.0-1.mga9
thunderbird-uz-128.6.0-1.mga9
thunderbird-vi-128.6.0-1.mga9
thunderbird-zh_CN-128.6.0-1.mga9
thunderbird-zh_TW-128.6.0-1.mga9

from SRPMS:
thunderbird-128.6.0-1.mga9.src.rpm
thunderbird-l10n-128.6.0-1.mga9.src.rpm

CVE: (none) => CVE-2025-0237, CVE-2025-0238, CVE-2025-0239, CVE-2025-0240, CVE-2025-0241, CVE-2025-0242, CVE-2025-0243
Version: Cauldron => 9
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs

Nicolas Salguero 2025-01-09 14:51:03 CET

Severity: normal => major

Comment 2 Morgan Leijström 2025-01-09 15:24:03 CET
mga9-64 OK here
Plasma, Swedish locale

Intel Core i7 870, GPU: AMD Navi 24 Radeon RX 6400

Repeated the tests I usually perform:

Closed Thunderbird, data backup, updated, started:
Thunderbird just keeps working OK:
Opened tabs restored
Settings and local mail kept
IMAP (offline, IMAP to sync to server)
SMTP
Sent mail with attached file
Received mail with inline jpg and attached pdf
Viewed attached pdf in Thunderbird, and printed to boomaga and network printer.

I do not use calendar nor tasks or filters.

---

As usual some messages in terminal from where it is launched:

$ thunderbird
Gtk-Message: 14:52:41.465: Failed to load module "appmenu-gtk-module": 'gtk_module_display_init': /usr/lib64/gtk-3.0/modules/libwindow-decorations-gtk-module.so: undefined symbol: gtk_module_display_init
ATTENTION: default value of option mesa_glthread overridden by environment.
[Parent 432170, Main Thread] WARNING: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.: 'glib warning', file /home/iurt/rpmbuild/BUILD/thunderbird-128.6.0/thunderbird-128.6.0/toolkit/xre/nsSigHandlers.cpp:187

(thunderbird:432170): GLib-GIO-WARNING **: 14:52:57.764: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.

 * All above quickly at start, and during use a couple of below messages: *

[ERROR style::stylesheets::rule_parser] Saw @import rule, but no way to trigger the load

CC: (none) => fri

Comment 3 Jose Manuel López 2025-01-09 16:20:25 CET
Hi.

Installed from testing repos. Works fine for me.

Send and receive ok.
Calendar and task ok.
Sync calendar and task ok.
Signatures ok.
Settings and Spanish translation ok.
Addons ok.

From terminal:

[jose@localhost ~]$ thunderbird
ATTENTION: default value of option mesa_glthread overridden by environment.
[Parent 4050, Main Thread] WARNING: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.: 'glib warning', file /home/iurt/rpmbuild/BUILD/thunderbird-128.6.0/thunderbird-128.6.0/toolkit/xre/nsSigHandlers.cpp:187

(thunderbird:4050): GLib-GIO-WARNING **: 16:19:48.994: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.
[libprotobuf ERROR /home/iurt/rpmbuild/BUILD/thunderbird-128.6.0/thunderbird-128.6.0/toolkit/components/protobuf/src/google/protobuf/message_lite.cc:134] Can't parse message of type "mozilla.cookieBanner.GoogleSOCSCookie" because it is missing required fields: (cannot determine missing fields for lite message)


Greetings!

CC: (none) => Joselp

katnatek 2025-01-09 16:55:18 CET

Keywords: (none) => advisory

Comment 4 Herman Viaene 2025-01-10 15:01:40 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues overwriting previous version.
Send and receive mail without and with attachments. Displaying calendar, all works OK.

CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2025-01-12 16:57:03 CET
MGA9-64 Plasma on two different machines.

No installation issues over the existing install. Over two days of use, no issues with using the existing profile with POP mail, or with using Newsgroups. I do not use the calendar.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2025-01-12 17:00:24 CET
Looks good to me. Validating.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2025-01-14 01:10:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0010.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

