{"affected":[{"ecosystem_specific":{"binaries":[{"MozillaThunderbird":"140.3.0-bp160.1.1","MozillaThunderbird-openpgp-librnp":"140.3.0-bp160.1.1","MozillaThunderbird-translations-common":"140.3.0-bp160.1.1","MozillaThunderbird-translations-other":"140.3.0-bp160.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"MozillaThunderbird","purl":"pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"140.3.0-bp160.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for MozillaThunderbird fixes the following issues:\n\nChanges in MozillaThunderbird:\n\nMozilla Thunderbird 140.3.0 ESR:\n\n  * Right-clicking 'List-ID' -> 'Unsubscribe' created double encoded\n    draft subject\n  * Thunderbird could crash on startup\n  * Thunderbird could crash when importing mail\n  * Opening Website header link in RSS feed incorrectly re-encoded\n    URL parameters\n  MFSA 2025-78 (bsc#1249391)\n  * CVE-2025-10527\n    Sandbox escape due to use-after-free in the Graphics:\n    Canvas2D component\n  * CVE-2025-10528\n    Sandbox escape due to undefined behavior, invalid pointer in\n    the Graphics: Canvas2D component\n  * CVE-2025-10529\n    Same-origin policy bypass in the Layout component\n  * CVE-2025-10532\n    Incorrect boundary conditions in the JavaScript: GC component\n  * CVE-2025-10533\n    Integer overflow in the SVG component\n  * CVE-2025-10536\n    Information disclosure in the Networking: Cache component\n  * CVE-2025-10537\n    Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird\n    ESR 140.3, Firefox 143 and Thunderbird 143\n\n","id":"openSUSE-SU-2025-20021-1","modified":"2025-10-29T17:54:20Z","published":"2025-10-29T17:54:20Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1249391"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-10527"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-10528"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-10529"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-10532"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-10533"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-10536"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-10537"}],"related":["CVE-2025-10527","CVE-2025-10528","CVE-2025-10529","CVE-2025-10532","CVE-2025-10533","CVE-2025-10536","CVE-2025-10537"],"summary":"Security update for MozillaThunderbird","upstream":["CVE-2025-10527","CVE-2025-10528","CVE-2025-10529","CVE-2025-10532","CVE-2025-10533","CVE-2025-10536","CVE-2025-10537"]}