{"id":"MGASA-2025-0195","summary":"Updated nss & firefox packages fix security vulnerabilities","details":"CVE-2025-5263: Error handling for script execution was incorrectly\nisolated from web content, which could have allowed cross-origin leak\nattacks.\nCVE-2025-5264: Due to insufficient escaping of the newline character in\nthe “Copy as cURL” feature, an attacker could trick a user into using\nthis command, potentially leading to local code execution on the user's\nsystem.\nCVE-2025-5266: Script elements loading cross-origin resources generated\nload and error events which leaked information enabling XS-Leaks\nattacks.\nCVE-2025-5267: A clickjacking vulnerability could have been used to\ntrick a user into leaking saved payment card details to a malicious\npage.\nCVE-2025-5268: Memory safety bugs present in Firefox 138, Thunderbird\n138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs\nshowed evidence of memory corruption and we presume that with enough\neffort some of these could have been exploited to run arbitrary code.\nCVE-2025-5269: Memory safety bug present in Firefox ESR 128.10, and\nThunderbird 128.10. This bug showed evidence of memory corruption and we\npresume that with enough effort this could have been exploited to run\narbitrary code.\nWe can't ship this update to armv7hl architecture; we are investigating\nthe issue and will try to update firefox for armv7hl as soon as possible.\n","modified":"2026-04-16T04:42:02.038210183Z","published":"2025-06-25T15:14:48Z","upstream":["CVE-2025-5263","CVE-2025-5264","CVE-2025-5266","CVE-2025-5267","CVE-2025-5268","CVE-2025-5269"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0195.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34337"},{"type":"WEB","url":"https://www.mozilla.org/en-US/firefox/128.11.0/releasenotes/"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/"},{"type":"WEB","url":"https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_112.html"}],"affected":[{"package":{"name":"firefox","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/firefox?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"128.11.0-1.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0195.json"}},{"package":{"name":"firefox-l10n","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"128.11.0-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0195.json"}},{"package":{"name":"nss","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/nss?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.112.0-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0195.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}