{"id":"ALSA-2025:12187","summary":"Important: thunderbird security update","details":"Mozilla Thunderbird is a standalone mail and newsgroup client.  \n\nSecurity Fix(es):  \n\n  * firefox: thunderbird: Large branch table could lead to truncated instruction (CVE-2025-8028)\n  * firefox: thunderbird: Memory safety bugs (CVE-2025-8035)\n  * firefox: thunderbird: Incorrect URL stripping in CSP reports (CVE-2025-8031)\n  * firefox: thunderbird: JavaScript engine only wrote partial return value to stack (CVE-2025-8027)\n  * firefox: thunderbird: Potential user-assisted code execution in “Copy as cURL” command (CVE-2025-8030)\n  * firefox: Memory safety bugs (CVE-2025-8034)\n  * firefox: thunderbird: Incorrect JavaScript state machine for generators (CVE-2025-8033)\n  * firefox: thunderbird: XSLT documents could bypass CSP (CVE-2025-8032)\n  * firefox: thunderbird: javascript: URLs executed on object and embed tags (CVE-2025-8029)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References 
section.\n","modified":"2026-02-04T03:45:43.111146Z","published":"2025-07-29T00:00:00Z","related":["CVE-2025-8027","CVE-2025-8028","CVE-2025-8029","CVE-2025-8030","CVE-2025-8031","CVE-2025-8032","CVE-2025-8033","CVE-2025-8034","CVE-2025-8035"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:12187"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-8027"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-8028"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-8029"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-8030"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-8031"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-8032"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-8033"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-8034"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-8035"},{"type":"REPORT","url":"https://bugzilla.redhat.com/2382701"},{"type":"REPORT","url":"https://bugzilla.redhat.com/2382703"},{"type":"REPORT","url":"https://bugzilla.redhat.com/2382704"},{"type":"REPORT","url":"https://bugzilla.redhat.com/2382707"},{"type":"REPORT","url":"https://bugzilla.redhat.com/2382710"},{"type":"REPORT","url":"https://bugzilla.redhat.com/2382711"},{"type":"REPORT","url":"https://bugzilla.redhat.com/2382717"},{"type":"REPORT","url":"https://bugzilla.redhat.com/2382718"},{"type":"REPORT","url":"https://bugzilla.redhat.com/2382720"},{"type":"ADVISORY","url":"https://errata.almalinux.org/9/ALSA-2025-12187.html"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"AlmaLinux:9","purl":"pkg:rpm/almalinux/thunderbird"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"128.13.0-3.el9_6.alma.1"}]}],"database_specific":{"source":"https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux9
/ALSA-2025:12187.json"}}],"schema_version":"1.7.3"}