An update for firefox is now available for openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2341 Final 1.0 1.0 2025-09-26 Initial 2025-09-26 2025-09-26 openEuler SA Tool V1.0 2025-09-26 firefox security update An update for firefox is now available for openEuler-24.03-LTS-SP2 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. %if 0 %global moz_debug_prefix /lib/debug %global moz_debug_dir /lib/debug/ %global uname_m %(uname -m) %global symbols_file_name -.en-US.-%(uname.crashreporter-symbols.zip %global symbols_file_path /lib/debug//-.en-US.-%(uname.crashreporter-symbols.zip %global _find_debuginfo_opts -p /lib/debug//-.en-US.-%(uname.crashreporter-symbols.zip -o debugcrashreporter.list %global crashreporter_pkg_name mozilla-crashreporter--debuginfo Security Fix(es): This vulnerability affects Firefox versions prior to 143 and Firefox ESR versions prior to 140.3. Specific vulnerability type and impact details require further confirmation.(CVE-2025-10527) This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.(CVE-2025-10528) This vulnerability affects Firefox versions earlier than 143 and Firefox ESR versions earlier than 140.3. The vulnerability may lead to security bypass or other security issues.(CVE-2025-10529) This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.(CVE-2025-10532) This vulnerability affects Firefox < 143, Firefox ESR < 115.28, and Firefox ESR < 140.3. Specific vulnerability details require further analysis.(CVE-2025-10533) This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.(CVE-2025-10536) Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.(CVE-2025-10537) Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.(CVE-2025-8036) Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.(CVE-2025-8037) Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.(CVE-2025-8038) In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.(CVE-2025-8039) Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.(CVE-2025-8040) Spoofing issue in the Address Bar component. This vulnerability affects Firefox < 142 and Firefox ESR < 140.2.(CVE-2025-9183) An update for firefox is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical firefox https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-10527 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-10528 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-10529 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-10532 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-10533 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-10536 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-10537 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-8036 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-8037 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-8038 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-8039 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-8040 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-9183 https://nvd.nist.gov/vuln/detail/CVE-2025-10527 https://nvd.nist.gov/vuln/detail/CVE-2025-10528 https://nvd.nist.gov/vuln/detail/CVE-2025-10529 https://nvd.nist.gov/vuln/detail/CVE-2025-10532 https://nvd.nist.gov/vuln/detail/CVE-2025-10533 https://nvd.nist.gov/vuln/detail/CVE-2025-10536 https://nvd.nist.gov/vuln/detail/CVE-2025-10537 https://nvd.nist.gov/vuln/detail/CVE-2025-8036 https://nvd.nist.gov/vuln/detail/CVE-2025-8037 https://nvd.nist.gov/vuln/detail/CVE-2025-8038 https://nvd.nist.gov/vuln/detail/CVE-2025-8039 https://nvd.nist.gov/vuln/detail/CVE-2025-8040 https://nvd.nist.gov/vuln/detail/CVE-2025-9183 openEuler-24.03-LTS-SP2 firefox-140.3.1-1.oe2403sp2.aarch64.rpm firefox-debuginfo-140.3.1-1.oe2403sp2.aarch64.rpm firefox-debugsource-140.3.1-1.oe2403sp2.aarch64.rpm firefox-140.3.1-1.oe2403sp2.src.rpm firefox-140.3.1-1.oe2403sp2.x86_64.rpm firefox-debuginfo-140.3.1-1.oe2403sp2.x86_64.rpm firefox-debugsource-140.3.1-1.oe2403sp2.x86_64.rpm This vulnerability affects Firefox versions prior to 143 and Firefox ESR versions prior to 140.3. Specific vulnerability type and impact details require further confirmation. 2025-09-26 CVE-2025-10527 openEuler-24.03-LTS-SP2 High 7.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 This vulnerability affects Firefox < 143 and Firefox ESR < 140.3. 2025-09-26 CVE-2025-10528 openEuler-24.03-LTS-SP2 High 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 This vulnerability affects Firefox versions earlier than 143 and Firefox ESR versions earlier than 140.3. The vulnerability may lead to security bypass or other security issues. 2025-09-26 CVE-2025-10529 openEuler-24.03-LTS-SP2 Medium 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 This vulnerability affects Firefox < 143 and Firefox ESR < 140.3. 2025-09-26 CVE-2025-10532 openEuler-24.03-LTS-SP2 Medium 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 This vulnerability affects Firefox < 143, Firefox ESR < 115.28, and Firefox ESR < 140.3. Specific vulnerability details require further analysis. 2025-09-26 CVE-2025-10533 openEuler-24.03-LTS-SP2 High 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 This vulnerability affects Firefox < 143 and Firefox ESR < 140.3. 2025-09-26 CVE-2025-10536 openEuler-24.03-LTS-SP2 Medium 6.2 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 143 and Firefox ESR < 140.3. 2025-09-26 CVE-2025-10537 openEuler-24.03-LTS-SP2 High 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. 2025-09-26 CVE-2025-8036 openEuler-24.03-LTS-SP2 High 8.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. 2025-09-26 CVE-2025-8037 openEuler-24.03-LTS-SP2 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. 2025-09-26 CVE-2025-8038 openEuler-24.03-LTS-SP2 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. 2025-09-26 CVE-2025-8039 openEuler-24.03-LTS-SP2 High 8.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. 2025-09-26 CVE-2025-8040 openEuler-24.03-LTS-SP2 High 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341 Spoofing issue in the Address Bar component. This vulnerability affects Firefox < 142 and Firefox ESR < 140.2. 2025-09-26 CVE-2025-9183 openEuler-24.03-LTS-SP2 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N firefox security update 2025-09-26 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2341