[CLSA-2026:1782811369] thunderbird: Fix of 2 CVEs
Type:
security
Severity:
Low
Release date:
2026-06-30 09:23:08 UTC
Description:
- CVE-2026-8970: constrain AsyncPrefs by remoteType so a compromised content process cannot set security-relevant prefs via AsyncPrefs; split the allowlist into privileged-about and unprivileged-exposed sets (Bug 2032174) - CVE-2026-8961: add locationspecific="true" to Thunderbird's PopupAutoComplete panel so the form-autocomplete dropdown is dismissed on navigation, closing a spoofing window (Bug 1962625)
Updated packages:
  • thunderbird-115.4.1-1.el9_2.alma.tuxcare.els15.x86_64.rpm
    sha:96aea17fbd886861ec13d18c461fea269ab81d7dbd2118795ac9cd2745ee29ea
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.