Mozilla has released Thunderbird 128.10 on April 29: https://www.thunderbird.net/en-US/thunderbird/128.10.0esr/releasenotes/ Security issues fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2025-32/
CVE: (none) => CVE-2025-2817, CVE-2025-4083, CVE-2025-4087, CVE-2025-4091, CVE-2025-4093Source RPM: (none) => thunderbird, thunderbird-l10nWhiteboard: (none) => MGA9TOO
Assignee: bugsquad => nicolas.salguero
Blocks: (none) => 34246
Suggested advisory: ======================== The updated packages fix a security vulnerability: Process isolation bypass using "javascript:" URI links in cross-origin frames. (CVE-2025-4083) Unsafe attribute access during XPath parsing. (CVE-2025-4087) Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. (CVE-2025-4091) Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10. (CVE-2025-4093) References: https://www.thunderbird.net/en-US/thunderbird/128.10.0esr/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2025-32/ ======================== Updated packages in core/updates_testing: ======================== thunderbird-128.10.0-1.mga9 thunderbird-af-128.10.0-1.mga9 thunderbird-ar-128.10.0-1.mga9 thunderbird-ast-128.10.0-1.mga9 thunderbird-be-128.10.0-1.mga9 thunderbird-bg-128.10.0-1.mga9 thunderbird-br-128.10.0-1.mga9 thunderbird-ca-128.10.0-1.mga9 thunderbird-cs-128.10.0-1.mga9 thunderbird-cy-128.10.0-1.mga9 thunderbird-da-128.10.0-1.mga9 thunderbird-de-128.10.0-1.mga9 thunderbird-dsb-128.10.0-1.mga9 thunderbird-el-128.10.0-1.mga9 thunderbird-en_CA-128.10.0-1.mga9 thunderbird-en_GB-128.10.0-1.mga9 thunderbird-en_US-128.10.0-1.mga9 thunderbird-es_AR-128.10.0-1.mga9 thunderbird-es_ES-128.10.0-1.mga9 thunderbird-es_MX-128.10.0-1.mga9 thunderbird-et-128.10.0-1.mga9 thunderbird-eu-128.10.0-1.mga9 thunderbird-fi-128.10.0-1.mga9 thunderbird-fr-128.10.0-1.mga9 thunderbird-fy_NL-128.10.0-1.mga9 thunderbird-ga_IE-128.10.0-1.mga9 thunderbird-gd-128.10.0-1.mga9 thunderbird-gl-128.10.0-1.mga9 thunderbird-he-128.10.0-1.mga9 thunderbird-hr-128.10.0-1.mga9 thunderbird-hsb-128.10.0-1.mga9 thunderbird-hu-128.10.0-1.mga9 thunderbird-hy_AM-128.10.0-1.mga9 thunderbird-id-128.10.0-1.mga9 thunderbird-is-128.10.0-1.mga9 thunderbird-it-128.10.0-1.mga9 thunderbird-ja-128.10.0-1.mga9 thunderbird-ka-128.10.0-1.mga9 thunderbird-kab-128.10.0-1.mga9 thunderbird-kk-128.10.0-1.mga9 thunderbird-ko-128.10.0-1.mga9 thunderbird-lt-128.10.0-1.mga9 thunderbird-lv-128.10.0-1.mga9 thunderbird-ms-128.10.0-1.mga9 thunderbird-nb_NO-128.10.0-1.mga9 thunderbird-nl-128.10.0-1.mga9 thunderbird-nn_NO-128.10.0-1.mga9 thunderbird-pa_IN-128.10.0-1.mga9 thunderbird-pl-128.10.0-1.mga9 thunderbird-pt_BR-128.10.0-1.mga9 thunderbird-pt_PT-128.10.0-1.mga9 thunderbird-ro-128.10.0-1.mga9 thunderbird-ru-128.10.0-1.mga9 thunderbird-sk-128.10.0-1.mga9 thunderbird-sl-128.10.0-1.mga9 thunderbird-sq-128.10.0-1.mga9 thunderbird-sr-128.10.0-1.mga9 thunderbird-sv_SE-128.10.0-1.mga9 thunderbird-th-128.10.0-1.mga9 thunderbird-tr-128.10.0-1.mga9 thunderbird-uk-128.10.0-1.mga9 thunderbird-uz-128.10.0-1.mga9 thunderbird-vi-128.10.0-1.mga9 thunderbird-zh_CN-128.10.0-1.mga9 thunderbird-zh_TW-128.10.0-1.mga9 from SRPMS: thunderbird-128.10.0-1.mga9.src.rpm thunderbird-l10n-128.10.0-1.mga9.src.rpm
Version: Cauldron => 9Whiteboard: MGA9TOO => (none)Assignee: nicolas.salguero => qa-bugsStatus: NEW => ASSIGNEDCVE: CVE-2025-2817, CVE-2025-4083, CVE-2025-4087, CVE-2025-4091, CVE-2025-4093 => CVE-2025-4083, CVE-2025-4087, CVE-2025-4091, CVE-2025-4093
MGA9-64 Plasma Wayland on Compaq H000SB No installation issues. First deleted my .thunderbird folder, then let thunderbird configure my hotmail account. used that one tosend and receive mail without and with attachment. Connect to my Google calendar. All works OK.
CC: (none) => herman.viaene
Keywords: (none) => advisory
Installed in Mga9 X64 Plasma. No installation issues. Works fine for now Accounts Imap and Pop3 Ok. Settings and spanish translation ok. Signatures ok. Addons ok Calendar and task ok. Sent and receive ok. Some warnings in terminal: [jose@Prox14Amd ~]$ thunderbird ATTENTION: default value of option mesa_glthread overridden by environment. [Parent 327856, Main Thread] WARNING: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here. Only the non-desktop-specific mimeapps.list file may add or remove associations.: 'glib warning', file /home/iurt/rpmbuild/BUILD/thunderbird-128.10.0/thunderbird-128.10.0/toolkit/xre/nsSigHandlers.cpp:187 (thunderbird:327856): GLib-GIO-WARNING **: 10:40:20.886: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here. Only the non-desktop-specific mimeapps.list file may add or remove associations. ALSA lib pcm_dmix.c:999:(snd_pcm_dmix_open) unable to open slave ALSA lib pcm_dmix.c:999:(snd_pcm_dmix_open) unable to open slave ALSA lib pcm_dmix.c:999:(snd_pcm_dmix_open) unable to open slave
CC: (none) => Joselp
MGA9-64 Plasma on two machines, one AMD-based and one Intel-based. Updated the US English version with no issues. Received and sent POP email, received and posted Usenet posts, with no issues. I don't use the calendar.
CC: (none) => andrewsfarm
mga9, x64 IMAP account at Google. Using the en_GB and en_CA modules. Local Folders looks intact after relaunch and incoming subscription emails continue to arrive, Change.org, Guardian newspaper, ... Sent email to my sister's phone. $ thunderbird & $ ATTENTION: default value of option mesa_glthread overridden by environment. That seems harmless.
CC: (none) => tarazed25
This looks good to go to me. Validating.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_updateWhiteboard: (none) => MGA9-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0151.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED