Bug 34415 - Thunderbird 128.14.0
Summary: Thunderbird 128.14.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 34393 34552
Blocks:
Reported: 2025-07-02 14:32 CEST by Nicolas Salguero
Modified: 2025-09-05 20:31 CEST

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE: CVE-2025-6424, CVE-2025-6425, CVE-2025-6429, CVE-2025-6430, CVE-2025-8027, CVE-2025-8028, CVE-2025-8029, CVE-2025-8030, CVE-2025-8031, CVE-2025-8032, CVE-2025-8033, CVE-2025-8034, CVE-2025-8035, CVE-2025-9179, CVE-2025-9180, CVE-2025-9181, CVE-2025-9185
Status comment:


Description Nicolas Salguero 2025-07-02 14:32:29 CEST
Mozilla has released Thunderbird 128.11 on July 1:
https://www.thunderbird.net/en-US/thunderbird/128.12.0esr/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird128.12
Nicolas Salguero 2025-07-02 14:32:54 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => thunderbird, thunderbird-l10n
Depends on: (none) => 34393

Comment 1 Nicolas Salguero 2025-07-03 09:27:19 CEST
Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/

CVE: (none) => CVE-2025-6424, CVE-2025-6425, CVE-2025-6429, CVE-2025-6430

Comment 2 Marja Van Waes 2025-07-05 20:00:05 CEST
The registered maintainer hasn't touched this package in over 9 years, so assigning to all.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 3 katnatek 2025-08-09 19:38:45 CEST
Thunderbird 128.13.0 is here, fixing additional CVEs:

https://www.mozilla.org/en-US/security/advisories/mfsa2025-62/

Summary: Thunderbird 128.12 => Thunderbird 128.13

katnatek 2025-08-20 20:01:57 CEST

Summary: Thunderbird 128.13 => Thunderbird 128.14.0

Nicolas Salguero 2025-08-27 10:47:47 CEST

Depends on: (none) => 34552

Comment 4 Nicolas Salguero 2025-08-28 09:07:18 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free in FontFaceSet. (CVE-2025-6424)

The WebCompat WebExtension shipped exposed a persistent UUID. (CVE-2025-6425)

Incorrect parsing of URLs could have allowed embedding of youtube.com. (CVE-2025-6429)

Content-Disposition header ignored when a file is included in an embed or object tag. (CVE-2025-6430)

JavaScript engine only wrote partial return value to stack. (CVE-2025-8027)

Large branch table could lead to truncated instruction. (CVE-2025-8028)

Javascript: URLs executed on object and embed tags. (CVE-2025-8029)

Potential user-assisted code execution in “Copy as cURL” command. (CVE-2025-8030)

Incorrect URL stripping in CSP reports. (CVE-2025-8031)

XSLT documents could bypass CSP. (CVE-2025-8032)

Incorrect JavaScript state machine for generators. (CVE-2025-8033)

Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8034)

Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8035)

Sandbox escape due to invalid pointer in the Audio/Video: GMP component. (CVE-2025-9179)

Same-origin policy bypass in the Graphics: Canvas2D component. (CVE-2025-9180)

Uninitialized memory in the JavaScript Engine component. (CVE-2025-9181)

Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. (CVE-2025-9185)

References:
https://www.thunderbird.net/en-US/thunderbird/128.12.0esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/
https://www.thunderbird.net/en-US/thunderbird/128.13.0esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-62/
https://www.thunderbird.net/en-US/thunderbird/128.14.0esr/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-71/
========================

Updated packages in core/updates_testing:
========================
thunderbird-128.14.0-1.mga9
thunderbird-af-128.14.0-1.mga9
thunderbird-ar-128.14.0-1.mga9
thunderbird-ast-128.14.0-1.mga9
thunderbird-be-128.14.0-1.mga9
thunderbird-bg-128.14.0-1.mga9
thunderbird-br-128.14.0-1.mga9
thunderbird-ca-128.14.0-1.mga9
thunderbird-cs-128.14.0-1.mga9
thunderbird-cy-128.14.0-1.mga9
thunderbird-da-128.14.0-1.mga9
thunderbird-de-128.14.0-1.mga9
thunderbird-dsb-128.14.0-1.mga9
thunderbird-el-128.14.0-1.mga9
thunderbird-en_CA-128.14.0-1.mga9
thunderbird-en_GB-128.14.0-1.mga9
thunderbird-en_US-128.14.0-1.mga9
thunderbird-es_AR-128.14.0-1.mga9
thunderbird-es_ES-128.14.0-1.mga9
thunderbird-es_MX-128.14.0-1.mga9
thunderbird-et-128.14.0-1.mga9
thunderbird-eu-128.14.0-1.mga9
thunderbird-fi-128.14.0-1.mga9
thunderbird-fr-128.14.0-1.mga9
thunderbird-fy_NL-128.14.0-1.mga9
thunderbird-ga_IE-128.14.0-1.mga9
thunderbird-gd-128.14.0-1.mga9
thunderbird-gl-128.14.0-1.mga9
thunderbird-he-128.14.0-1.mga9
thunderbird-hr-128.14.0-1.mga9
thunderbird-hsb-128.14.0-1.mga9
thunderbird-hu-128.14.0-1.mga9
thunderbird-hy_AM-128.14.0-1.mga9
thunderbird-id-128.14.0-1.mga9
thunderbird-is-128.14.0-1.mga9
thunderbird-it-128.14.0-1.mga9
thunderbird-ja-128.14.0-1.mga9
thunderbird-ka-128.14.0-1.mga9
thunderbird-kab-128.14.0-1.mga9
thunderbird-kk-128.14.0-1.mga9
thunderbird-ko-128.14.0-1.mga9
thunderbird-lt-128.14.0-1.mga9
thunderbird-lv-128.14.0-1.mga9
thunderbird-ms-128.14.0-1.mga9
thunderbird-nb_NO-128.14.0-1.mga9
thunderbird-nl-128.14.0-1.mga9
thunderbird-nn_NO-128.14.0-1.mga9
thunderbird-pa_IN-128.14.0-1.mga9
thunderbird-pl-128.14.0-1.mga9
thunderbird-pt_BR-128.14.0-1.mga9
thunderbird-pt_PT-128.14.0-1.mga9
thunderbird-ro-128.14.0-1.mga9
thunderbird-ru-128.14.0-1.mga9
thunderbird-sk-128.14.0-1.mga9
thunderbird-sl-128.14.0-1.mga9
thunderbird-sq-128.14.0-1.mga9
thunderbird-sr-128.14.0-1.mga9
thunderbird-sv_SE-128.14.0-1.mga9
thunderbird-th-128.14.0-1.mga9
thunderbird-tr-128.14.0-1.mga9
thunderbird-uk-128.14.0-1.mga9
thunderbird-uz-128.14.0-1.mga9
thunderbird-vi-128.14.0-1.mga9
thunderbird-zh_CN-128.14.0-1.mga9
thunderbird-zh_TW-128.14.0-1.mga9

SRPMS:
thunderbird-128.14.0-1.mga9.src.rpm
thunderbird-l10n-128.14.0-1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
CVE: CVE-2025-6424, CVE-2025-6425, CVE-2025-6429, CVE-2025-6430 => CVE-2025-6424, CVE-2025-6425, CVE-2025-6429, CVE-2025-6430, CVE-2025-8027, CVE-2025-8028, CVE-2025-8029, CVE-2025-8030, CVE-2025-8031, CVE-2025-8032, CVE-2025-8033, CVE-2025-8034, CVE-2025-8035, CVE-2025-9179, CVE-2025-9180, CVE-2025-9181, CVE-2025-9185
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

katnatek 2025-08-28 20:35:01 CEST

Keywords: (none) => advisory

Comment 5 Jose Manuel López 2025-08-28 22:23:33 CEST
Hi.

Installed in:

- Mageia 9 x64 Plasma, AMD 4800H integrated graphics.

- Mageia 9 x64 Plasma, AMD 5700H integrated graphics.


No issues for the moment.


POP and IMAP OK.
Calendar OK.
Tasks OK.
Signatures OK.
Settings and Spanish translation OK.

I'm working now with this version.


Greetings!

CC: (none) => Joselp

Comment 6 Herman Viaene 2025-08-30 14:15:47 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Installed over previous version.
Calendar is OK, sending and receiving mail without and with attachments, all work OK.

CC: (none) => herman.viaene

Comment 7 Morgan Leijström 2025-08-30 19:48:42 CEST
OK x86_64, Plasma, on my workstation svarten
running backport kernel 6.12.44-1

Plasma X11, Swedish locale
Intel Core i7 870, GPU: AMD Navi 24 Radeon RX 6400
For machine details, see the Firefox bug

$ thunderbird --version
Thunderbird 128.14.0esr


Repeated the tests I usually perform:

Closed Thunderbird, data backup, updated, started:
Thunderbird just keeps working OK:
Swedish locale
Settings and local mail kept
IMAP (offline, IMAP to sync to server)
SMTP
Sent and received mail with inline jpeg and attached pdf
Viewed attached pdf in Thunderbird, and printed to network printer.

I do not use the calendar, tasks or filters.

CC: (none) => fri

Comment 8 Thomas Andrews 2025-09-05 01:31:58 CEST
MGA9-64 Plasma, US English version.

Used for several days now for POP mail and newsgroups with no issues. I do not use the calendar.

Good enough. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK

Comment 9 Mageia Robot 2025-09-05 20:31:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0228.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
