Lector de Feeds
MGASA-2025-0228 - Updated thunderbird packages fix vulnerabilities
Publication date: 05 Sep 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-6424 , CVE-2025-6425 , CVE-2025-6429 , CVE-2025-6430 , CVE-2025-8027 , CVE-2025-8028 , CVE-2025-8029 , CVE-2025-8030 , CVE-2025-8031 , CVE-2025-8032 , CVE-2025-8033 , CVE-2025-8034 , CVE-2025-8035 , CVE-2025-9179 , CVE-2025-9180 , CVE-2025-9181 , CVE-2025--9185 Description Use-after-free in FontFaceSet. (CVE-2025-6424) The WebCompat WebExtension shipped exposed a persistent UUID. (CVE-2025-6425) Incorrect parsing of URLs could have allowed embedding of youtube.com. (CVE-2025-6429) Content-Disposition header ignored when a file is included in an embed or object tag. (CVE-2025-6430) JavaScript engine only wrote partial return value to stack. (CVE-2025-8027) Large branch table could lead to truncated instruction. (CVE-2025-8028) Javascript: URLs executed on object and embed tags. (CVE-2025-8029) Potential user-assisted code execution in “Copy as cURL” command. (CVE-2025-8030) Incorrect URL stripping in CSP reports. (CVE-2025-8031) XSLT documents could bypass CSP. (CVE-2025-8032) Incorrect JavaScript state machine for generators. (CVE-2025-8033) Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8034) Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8035) Sandbox escape due to invalid pointer in the Audio/Video: GMP component. (CVE-2025-9179) Same-origin policy bypass in the Graphics: Canvas2D component. (CVE-2025-9180) Uninitialized memory in the JavaScript Engine component. (CVE-2025-9181) Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. (CVE-2025-9185). For the armv7hl architecture this package fixes additional vulnerabilities; see the links below: https://advisories.mageia.org/MGASA-2025-0197.html https://advisories.mageia.org/MGASA-2025-0168.html https://advisories.mageia.org/MGASA-2025-0151.html https://advisories.mageia.org/MGASA-2025-0126.html https://advisories.mageia.org/MGASA-2025-0093.html https://advisories.mageia.org/MGASA-2025-0048.html https://advisories.mageia.org/MGASA-2025-0010.html https://advisories.mageia.org/MGASA-2024-0395.html https://advisories.mageia.org/MGASA-2024-0384.html https://advisories.mageia.org/MGASA-2024-0365.html https://advisories.mageia.org/MGASA-2024-0350.html https://advisories.mageia.org/MGASA-2024-0336.html https://advisories.mageia.org/MGASA-2024-0332.html References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-6424 , CVE-2025-6425 , CVE-2025-6429 , CVE-2025-6430 , CVE-2025-8027 , CVE-2025-8028 , CVE-2025-8029 , CVE-2025-8030 , CVE-2025-8031 , CVE-2025-8032 , CVE-2025-8033 , CVE-2025-8034 , CVE-2025-8035 , CVE-2025-9179 , CVE-2025-9180 , CVE-2025-9181 , CVE-2025--9185 Description Use-after-free in FontFaceSet. (CVE-2025-6424) The WebCompat WebExtension shipped exposed a persistent UUID. (CVE-2025-6425) Incorrect parsing of URLs could have allowed embedding of youtube.com. (CVE-2025-6429) Content-Disposition header ignored when a file is included in an embed or object tag. (CVE-2025-6430) JavaScript engine only wrote partial return value to stack. (CVE-2025-8027) Large branch table could lead to truncated instruction. (CVE-2025-8028) Javascript: URLs executed on object and embed tags. (CVE-2025-8029) Potential user-assisted code execution in “Copy as cURL” command. (CVE-2025-8030) Incorrect URL stripping in CSP reports. (CVE-2025-8031) XSLT documents could bypass CSP. (CVE-2025-8032) Incorrect JavaScript state machine for generators. (CVE-2025-8033) Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8034) Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8035) Sandbox escape due to invalid pointer in the Audio/Video: GMP component. (CVE-2025-9179) Same-origin policy bypass in the Graphics: Canvas2D component. (CVE-2025-9180) Uninitialized memory in the JavaScript Engine component. (CVE-2025-9181) Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. (CVE-2025-9185). For the armv7hl architecture this package fixes additional vulnerabilities; see the links below: https://advisories.mageia.org/MGASA-2025-0197.html https://advisories.mageia.org/MGASA-2025-0168.html https://advisories.mageia.org/MGASA-2025-0151.html https://advisories.mageia.org/MGASA-2025-0126.html https://advisories.mageia.org/MGASA-2025-0093.html https://advisories.mageia.org/MGASA-2025-0048.html https://advisories.mageia.org/MGASA-2025-0010.html https://advisories.mageia.org/MGASA-2024-0395.html https://advisories.mageia.org/MGASA-2024-0384.html https://advisories.mageia.org/MGASA-2024-0365.html https://advisories.mageia.org/MGASA-2024-0350.html https://advisories.mageia.org/MGASA-2024-0336.html https://advisories.mageia.org/MGASA-2024-0332.html References
- https://bugs.mageia.org/show_bug.cgi?id=34415
- https://www.thunderbird.net/en-US/thunderbird/128.12.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/
- https://www.thunderbird.net/en-US/thunderbird/128.13.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-62/
- https://www.thunderbird.net/en-US/thunderbird/128.14.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-71/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6424
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6425
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6429
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6430
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8027
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8028
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8029
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8030
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8031
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8032
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8033
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8034
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8035
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9179
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9180
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9181
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025--9185
- thunderbird-128.14.0-1.mga9
- thunderbird-l10n-128.14.0-1.mga9
Categorías: Actualizaciones de Seguridad
MGASA-2025-0227 - Updated rootcerts, nspr, nss & firefox packages fix vulnerabilities
Publication date: 05 Sep 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8027 , CVE-2025-8028 , CVE-2025-8029 , CVE-2025-8030 , CVE-2025-8031 , CVE-2025-8032 , CVE-2025-8033 , CVE-2025-8034 , CVE-2025-8035 , CVE-2025-9179 , CVE-2025-9180 , CVE-2025-9181 , CVE-2025-9185 Description JavaScript engine only wrote partial return value to stack. (CVE-2025-8027) Large branch table could lead to truncated instruction. (CVE-2025-8028) Javascript: URLs executed on object and embed tags. (CVE-2025-8029) Potential user-assisted code execution in “Copy as cURL” command. (CVE-2025-8030) Incorrect URL stripping in CSP reports. (CVE-2025-8031) XSLT documents could bypass CSP. (CVE-2025-8032) Incorrect JavaScript state machine for generators. (CVE-2025-8033) Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8034) Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8035) Sandbox escape due to invalid pointer in the Audio/Video: GMP component. (CVE-2025-9179) Same-origin policy bypass in the Graphics: Canvas2D component. (CVE-2025-9180) Uninitialized memory in the JavaScript Engine component. (CVE-2025-9181) Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. (CVE-2025-9185) References
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-8027 , CVE-2025-8028 , CVE-2025-8029 , CVE-2025-8030 , CVE-2025-8031 , CVE-2025-8032 , CVE-2025-8033 , CVE-2025-8034 , CVE-2025-8035 , CVE-2025-9179 , CVE-2025-9180 , CVE-2025-9181 , CVE-2025-9185 Description JavaScript engine only wrote partial return value to stack. (CVE-2025-8027) Large branch table could lead to truncated instruction. (CVE-2025-8028) Javascript: URLs executed on object and embed tags. (CVE-2025-8029) Potential user-assisted code execution in “Copy as cURL” command. (CVE-2025-8030) Incorrect URL stripping in CSP reports. (CVE-2025-8031) XSLT documents could bypass CSP. (CVE-2025-8032) Incorrect JavaScript state machine for generators. (CVE-2025-8033) Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8034) Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. (CVE-2025-8035) Sandbox escape due to invalid pointer in the Audio/Video: GMP component. (CVE-2025-9179) Same-origin policy bypass in the Graphics: Canvas2D component. (CVE-2025-9180) Uninitialized memory in the JavaScript Engine component. (CVE-2025-9181) Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. (CVE-2025-9185) References
- https://bugs.mageia.org/show_bug.cgi?id=34552
- https://www.firefox.com/en-US/firefox/128.13.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
- https://www.firefox.com/en-US/firefox/128.14.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-66/
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_114.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8027
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8028
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8029
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8030
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8031
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8032
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8033
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8034
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8035
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9179
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9180
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9181
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9185
- firefox-128.14.0-1.4.mga9
- firefox-l10n-128.14.0-1.mga9
- nss-3.115.1-1.mga9
- nspr-4.37-1.mga9
- rootcerts-20250808.00-1.mga9
Categorías: Actualizaciones de Seguridad
