thunderbird-128.10.1-1.el9_6.ML.1
エラータID: AXSA:2025-10505:15
リリース日:
2025/07/17 Thursday - 14:39
題名:
thunderbird-128.10.1-1.el9_6.ML.1
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- thunderbird には、利用者のなりすましを許容してしまう問題がある
ため、リモートの攻撃者により、不正な認証を可能とする脆弱性が存在
します。(CVE-2025-3875)
- thunderbird には、リモートの攻撃者により、情報の漏洩を可能
とする脆弱性が存在します。(CVE-2025-3877)
- thunderbird には、利用者のなりすましを許容してしまう問題がある
ため、リモートの攻撃者により、不正な認証を可能とする脆弱性が存在
します。(CVE-2025-3909)
- thunderbird には、リモートの攻撃者により、情報の漏洩を可能
とする脆弱性が存在します。(CVE-2025-3932)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-3875
Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
CVE-2025-3877
** REJECT ** This CVE was marked as fixed, but due to other code landing - was not actually fixed. It was subsequently fixed in CVE-2025-5986.
** REJECT ** This CVE was marked as fixed, but due to other code landing - was not actually fixed. It was subsequently fixed in CVE-2025-5986.
CVE-2025-3909
Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
CVE-2025-3932
It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
追加情報:
N/A
ダウンロード:
SRPMS
- thunderbird-128.10.1-1.el9_6.ML.1.src.rpm
MD5: 95c323a1810ba4c6787c586ff582e930
SHA-256: 9ff33951debfbda521c46862a593bad2c5685563eaaf5b440c881ae7a5b067ba
Size: 854.41 MB
Asianux Server 9 for x86_64
- thunderbird-128.10.1-1.el9_6.ML.1.x86_64.rpm
MD5: a4a63221f27afda637e01cbb59109e20
SHA-256: 765258f61b602df1f3f139a8732e3327da98985f3784b21535a4b29fc711b0b6
Size: 118.77 MB
English