Lucene search
+L

openSUSE 16 Security Update : MozillaThunderbird (openSUSE-SU-2026:20002-1)

🗓️ 04 Jan 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 5 Views

Security update for Mozilla Thunderbird on openSUSE sixteen fixing multiple CVEs and issues.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2025-13017
11 Nov 202515:47
attackerkb
ATTACKERKB
CVE-2025-13012
11 Nov 202515:47
attackerkb
ATTACKERKB
CVE-2025-13018
11 Nov 202515:47
attackerkb
ATTACKERKB
CVE-2025-13014
11 Nov 202515:47
attackerkb
ATTACKERKB
CVE-2025-13016
11 Nov 202515:47
attackerkb
ATTACKERKB
CVE-2025-13013
11 Nov 202515:47
attackerkb
ATTACKERKB
CVE-2025-13019
11 Nov 202515:47
attackerkb
ATTACKERKB
CVE-2025-13020
11 Nov 202515:47
attackerkb
ATTACKERKB
CVE-2025-13015
11 Nov 202515:47
attackerkb
Tenable Nessus
Amazon Linux 2023 : firefox (ALAS2023-2025-1298)
9 Dec 202500:00
nessus
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# openSUSE Security Update openSUSE-SU-2026:20002-1. The text itself
# is copyright (C) SUSE.
##

include('compat.inc');

if (description)
{
  script_id(281638);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/04");

  script_cve_id(
    "CVE-2025-13012",
    "CVE-2025-13013",
    "CVE-2025-13014",
    "CVE-2025-13015",
    "CVE-2025-13016",
    "CVE-2025-13017",
    "CVE-2025-13018",
    "CVE-2025-13019",
    "CVE-2025-13020"
  );

  script_name(english:"openSUSE 16 Security Update : MozillaThunderbird (openSUSE-SU-2026:20002-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the
openSUSE-SU-2026:20002-1 advisory.

    Changes in MozillaThunderbird:

    Mozilla Thunderbird 140.5.0 ESR

    MFSA 2025-91 (bsc#1253188):

      * CVE-2025-13012
        Race condition in the Graphics component
      * CVE-2025-13016
        Incorrect boundary conditions in the JavaScript: WebAssembly
        component
      * CVE-2025-13017
        Same-origin policy bypass in the DOM: Notifications component
      * CVE-2025-13018
        Mitigation bypass in the DOM: Security component
      * CVE-2025-13019
        Same-origin policy bypass in the DOM: Workers component
      * CVE-2025-13013
        Mitigation bypass in the DOM: Core & HTML component
      * CVE-2025-13020
        Use-after-free in the WebRTC: Audio/Video component
      * CVE-2025-13014
        Use-after-free in the Audio/Video component
      * CVE-2025-13015
        Spoofing issue in Thunderbird
      * fixed: Could not drag and drop ICS file to Today Pane
      * fixed: With Thunderbird closed, clicking a 'mailto:' link to
        send signed message failed
      * fixed: Upgrade from 128.x->140.x broke authentication for
        @att.net using Yahoo backend

    Mozilla Thunderbird 140.4.0 ESR

      * Account Hub is now disabled by default for second email account
      * Users could not read mail signed with OpenPGP v6 and PQC keys
      * Image preview in Insert Image dialog failed with CSP error for web resources
      * Emptying trash on exit did not work with some providers
      * Thunderbird could crash when applying filters
      * Users were unable to override expired mail server certificate
      * Opening Website header link in RSS feed incorrectly re-encoded
        URL parameters

    Mozilla Thunderbird 140.3.1 ESR:

      * several bugfixes listed here
        https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes
    -------------------------------------------------------------------

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1253188");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2025-13012");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2025-13013");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2025-13014");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2025-13015");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2025-13016");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2025-13017");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2025-13018");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2025-13019");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2025-13020");
  script_set_attribute(attribute:"solution", value:
"Update the affected MozillaThunderbird, MozillaThunderbird-openpgp-librnp, MozillaThunderbird-translations-common and /
or MozillaThunderbird-translations-other packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-13020");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-openpgp-librnp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:16.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/SuSE/release');
if (isnull(os_release) || os_release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, 'openSUSE');
var _os_ver = pregmatch(pattern: "^SUSE([\d.]+)", string:os_release);
if (isnull(_os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');
_os_ver = _os_ver[1];
if (os_release !~ "^(SUSE16\.0)$") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '16.0', os_release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + _os_ver, cpu);

var pkgs = [
    {'reference':'MozillaThunderbird-140.5.0-bp160.1.1', 'release':'SUSE16.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1', 'release':'SUSE16.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'MozillaThunderbird-translations-common-140.5.0-bp160.1.1', 'release':'SUSE16.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'MozillaThunderbird-translations-other-140.5.0-bp160.1.1', 'release':'SUSE16.0', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var _cpu = NULL;
  var rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && _release) {
    if (rpm_check(release:_release, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'MozillaThunderbird / MozillaThunderbird-openpgp-librnp / etc');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation