thunderbird-128.10.0-1.el9_6.ML.1
エラータID: AXSA:2025-10475:14
Mozilla Thunderbird is a standalone mail and newsgroup client.
Security Fix(es):
thunderbird: User Interface (UI) Misrepresentation of attachment URL
(CVE-2025-3523)
thunderbird: Information Disclosure of /tmp directory listing
(CVE-2025-2830)
thunderbird: Leak of hashed Window credentials via crafted attachment URL
(CVE-2025-3522)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
CVE(s):
CVE-2025-2830
By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
CVE-2025-3522
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
CVE-2025-3523
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Update packages.
By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
N/A
SRPMS
- thunderbird-128.10.0-1.el9_6.ML.1.src.rpm
MD5: fb429d873176266efab68a7a71d7dffa
SHA-256: 3aae7622eec85d49383e400104952e12a72cc528e1284a46d2ddda515c361372
Size: 854.24 MB
Asianux Server 9 for x86_64
- thunderbird-128.10.0-1.el9_6.ML.1.x86_64.rpm
MD5: 64875ffa67725b9b08c060cf00787662
SHA-256: 4fb87cf34490d81740ef97e0abca9f5648daf01b9176e3e2d621346a9bc4a14c
Size: 118.76 MB
日本語