{"id":"MGASA-2025-0048","summary":"Updated thunderbird packages fix security vulnerabilities","details":"Use-after-free in XSLT. (CVE-2025-1009)\nUse-after-free in Custom Highlight. (CVE-2025-1010)\nA bug in WebAssembly code generation could result in a crash.\n(CVE-2025-1011)\nUse-after-free during concurrent delazification. (CVE-2025-1012)\nPotential double-free vulnerability in PKCS#7 decryption handling.\n(CVE-2024-11704)\nPotential opening of private browsing tabs in normal browsing windows.\n(CVE-2025-1013)\nCertificate length was not properly checked. (CVE-2025-1014)\nUnsanitized address book fields. (CVE-2025-1015)\nAddress of e-mail sender can be spoofed by malicious email.\n(CVE-2025-0510)\nMemory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR\n115.20, Firefox ESR 128.7, Thunderbird 115.20, and Thunderbird 128.7.\n(CVE-2025-1016)\nMemory safety bugs fixed in Firefox 135, Thunderbird 135, Firefox ESR\n128.7, and Thunderbird 128.7. (CVE-2025-1017)\n","modified":"2026-04-16T04:43:30.600146349Z","published":"2025-02-09T00:19:43Z","upstream":["CVE-2024-11704","CVE-2025-0510","CVE-2025-1009","CVE-2025-1010","CVE-2025-1011","CVE-2025-1012","CVE-2025-1013","CVE-2025-1014","CVE-2025-1015","CVE-2025-1016","CVE-2025-1017"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0048.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33984"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/128.7.0esr/releasenotes/"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"128.7.0-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0048.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"128.7.0-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0048.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}