## This update for MozillaThunderbird fixes the following issues: Update to Mozilla Thunderbird 128.7 (MFSA 2025-10, bsc#1236539). Security fixes: * CVE-2025-1009: use-after-free in XSLT. * CVE-2025-1010: use-after-free in Custom Highlight. * CVE-2025-1011: a bug in WebAssembly code generation could result in a crash. * CVE-2025-1012: use-after-free during concurrent delazification. * CVE-2024-11704: potential double-free vulnerability in PKCS#7 decryption handling. * CVE-2025-1013: potential opening of private browsing tabs in normal browsing windows. * CVE-2025-1014: certificate length was not properly checked. * CVE-2025-1015: unsanitized address book fields. * CVE-2025-0510: address of e-mail sender can be spoofed by malicious email. * CVE-2025-1016: memory safety bugs.
* bsc#1236411
* bsc#1236539
Cross-
* CVE-2024-11704
* CVE-2025-0510
* CVE-2025-1009
* CVE-2025-1010
* CVE-2025-1011
* CVE-2025-1012
* CVE-2025-1013
* CVE-2025-1014
* CVE-2025-1015
* CVE-2025-1016
* CVE-2025-1017
CVSS scores:
* CVE-2024-11704 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0510 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2025-0510 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2025-0510 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2025-1009 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
* CVE-2025-1009 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-1009 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Get the latest Linux and open source security news straight to your inbox.