Bug 34288 - Thunderbird 128.10.2
Summary: Thunderbird 128.10.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 34246 34287
Blocks:
Reported: 2025-05-19 12:30 CEST by Nicolas Salguero
Modified: 2025-05-27 20:47 CEST

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE: CVE-2025-3875, CVE-2025-3877, CVE-2025-3909, CVE-2025-3932, CVE-2025-4918, CVE-2025-4919
Status comment:


Description Nicolas Salguero 2025-05-19 12:30:22 CEST
Mozilla has released Thunderbird 128.10.1 on May 14:
https://www.thunderbird.net/en-US/thunderbird/128.10.1esr/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-34/
Nicolas Salguero 2025-05-19 12:32:00 CEST

Source RPM: (none) => thunderbird, thunderbird-l10n
Depends on: (none) => 34287
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-3875, CVE-2025-3877, CVE-2025-3909, CVE-2025-3932

Nicolas Salguero 2025-05-19 12:32:21 CEST

Depends on: (none) => 34246

Comment 1 Lewis Smith 2025-05-19 21:16:14 CEST
Another one you know you will get!

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2025-05-20 09:08:00 CEST
Mozilla has released Thunderbird 128.10.2 on May 20:
https://www.thunderbird.net/en-US/thunderbird/128.10.2esr/releasenotes/

Summary: Thunderbird 128.10.1 => Thunderbird 128.10.2

Comment 3 Nicolas Salguero 2025-05-21 14:33:38 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Sender Spoofing via Malformed From Header in Thunderbird. (CVE-2025-3875)

Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links. (CVE-2025-3877)

JavaScript Execution via Spoofed PDF Attachment and file:/// Link. (CVE-2025-3909)

Tracking Links in Attachments Bypassed Remote Content Blocking. (CVE-2025-3932)

Out-of-bounds access when resolving Promise objects. (CVE-2025-4918)

Out-of-bounds access when optimizing linear sums. (CVE-2025-4919)

References:
https://www.thunderbird.net/en-US/thunderbird/128.10.1esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-34/
https://www.thunderbird.net/en-US/thunderbird/128.10.2esr/releasenotes/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird128.10.2
========================

Updated packages in core/updates_testing:
========================
thunderbird-128.10.2-1.mga9
thunderbird-af-128.10.2-1.mga9
thunderbird-ar-128.10.2-1.mga9
thunderbird-ast-128.10.2-1.mga9
thunderbird-be-128.10.2-1.mga9
thunderbird-bg-128.10.2-1.mga9
thunderbird-br-128.10.2-1.mga9
thunderbird-ca-128.10.2-1.mga9
thunderbird-cs-128.10.2-1.mga9
thunderbird-cy-128.10.2-1.mga9
thunderbird-da-128.10.2-1.mga9
thunderbird-de-128.10.2-1.mga9
thunderbird-dsb-128.10.2-1.mga9
thunderbird-el-128.10.2-1.mga9
thunderbird-en_CA-128.10.2-1.mga9
thunderbird-en_GB-128.10.2-1.mga9
thunderbird-en_US-128.10.2-1.mga9
thunderbird-es_AR-128.10.2-1.mga9
thunderbird-es_ES-128.10.2-1.mga9
thunderbird-es_MX-128.10.2-1.mga9
thunderbird-et-128.10.2-1.mga9
thunderbird-eu-128.10.2-1.mga9
thunderbird-fi-128.10.2-1.mga9
thunderbird-fr-128.10.2-1.mga9
thunderbird-fy_NL-128.10.2-1.mga9
thunderbird-ga_IE-128.10.2-1.mga9
thunderbird-gd-128.10.2-1.mga9
thunderbird-gl-128.10.2-1.mga9
thunderbird-he-128.10.2-1.mga9
thunderbird-hr-128.10.2-1.mga9
thunderbird-hsb-128.10.2-1.mga9
thunderbird-hu-128.10.2-1.mga9
thunderbird-hy_AM-128.10.2-1.mga9
thunderbird-id-128.10.2-1.mga9
thunderbird-is-128.10.2-1.mga9
thunderbird-it-128.10.2-1.mga9
thunderbird-ja-128.10.2-1.mga9
thunderbird-ka-128.10.2-1.mga9
thunderbird-kab-128.10.2-1.mga9
thunderbird-kk-128.10.2-1.mga9
thunderbird-ko-128.10.2-1.mga9
thunderbird-lt-128.10.2-1.mga9
thunderbird-lv-128.10.2-1.mga9
thunderbird-ms-128.10.2-1.mga9
thunderbird-nb_NO-128.10.2-1.mga9
thunderbird-nl-128.10.2-1.mga9
thunderbird-nn_NO-128.10.2-1.mga9
thunderbird-pa_IN-128.10.2-1.mga9
thunderbird-pl-128.10.2-1.mga9
thunderbird-pt_BR-128.10.2-1.mga9
thunderbird-pt_PT-128.10.2-1.mga9
thunderbird-ro-128.10.2-1.mga9
thunderbird-ru-128.10.2-1.mga9
thunderbird-sk-128.10.2-1.mga9
thunderbird-sl-128.10.2-1.mga9
thunderbird-sq-128.10.2-1.mga9
thunderbird-sr-128.10.2-1.mga9
thunderbird-sv_SE-128.10.2-1.mga9
thunderbird-th-128.10.2-1.mga9
thunderbird-tr-128.10.2-1.mga9
thunderbird-uk-128.10.2-1.mga9
thunderbird-uz-128.10.2-1.mga9
thunderbird-vi-128.10.2-1.mga9
thunderbird-zh_CN-128.10.2-1.mga9
thunderbird-zh_TW-128.10.2-1.mga9

from SRPMS:
thunderbird-128.10.2-1.mga9.src.rpm
thunderbird-l10n-128.10.2-1.mga9.src.rpm

Version: Cauldron => 9
Status: NEW => ASSIGNED
Severity: major => critical
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
CVE: CVE-2025-3875, CVE-2025-3877, CVE-2025-3909, CVE-2025-3932 => CVE-2025-3875, CVE-2025-3877, CVE-2025-3909, CVE-2025-3932, CVE-2025-4918, CVE-2025-4919

Comment 4 Herman Viaene 2025-05-21 15:55:17 CEST
MGA9-64 Plasma Wayland on Compaq H000SB
Installing over existing version, no problems
Tested by sending and receiving email without and with attachment to and from other account on my desktop PC.
Connecting to my google calendar.
All works OK.

CC: (none) => herman.viaene

katnatek 2025-05-21 19:49:25 CEST

Keywords: (none) => advisory

Comment 5 Thomas Andrews 2025-05-22 22:19:02 CEST
MGA9-64 Plasma on two different sets of hardware. Updated the US English version with no installation issues. Used with POP email to send and receive, as well as with newsgroups, with no issues.

CC: (none) => andrewsfarm

Comment 6 Jose Manuel López 2025-05-25 17:12:24 CEST
Install in Mga 9 X64 Plasma Kde

No issues for now. 

Accounts IMAP and POP3 ok.
Settings ok.
Spanish language ok.
Signatures ok.
Calendar and task ok.
Addons ok.

Greetings!

CC: (none) => Joselp

Comment 7 Thomas Andrews 2025-05-27 02:59:13 CEST
Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2025-05-27 20:47:31 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0168.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

