Overview

File _patchinfo of Package patchinfo.38562

<patchinfo incident="38562">
  <issue tracker="bnc" id="1241621">VUL-0: MozillaFirefox / MozillaThunderbird: update to 138.0 and 128.10esr</issue>
  <issue tracker="cve" id="2025-4082"/>
  <issue tracker="cve" id="2025-4087"/>
  <issue tracker="cve" id="2025-4093"/>
  <issue tracker="cve" id="2025-4091"/>
  <issue tracker="cve" id="2025-4083"/>
  <issue tracker="cve" id="2025-4084"/>
  <issue tracker="cve" id="2025-2817"/>
  <packager>MSirringhaus</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaThunderbird</summary>
  <description>This update for MozillaThunderbird fixes the following issues:

Mozilla Thunderbird ESR 128.10 update (bsc#1241621):

- CVE-2025-4082: WebGL shader attribute memory corruption in Thunderbird for macOS.
- CVE-2025-4087: Unsafe attribute access during XPath parsing.
- CVE-2025-4093: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird.
- CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10.
- CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames.
- CVE-2025-4084: Potential local code execution in "copy as cURL" command.
- CVE-2025-2817: Privilege escalation in Thunderbird Updater.
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places