Vulnerability CVE-2025-0239: Information
Description
When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
firefox | sisyphus | 134.0-alt1 | 134.0-alt1 | ALT-PU-2025-1063-2 | 368493 | Fixed |
firefox-esr | sisyphus | 128.6.0-alt1 | 128.6.0-alt1 | ALT-PU-2025-1055-2 | 368492 | Fixed |
firefox-esr | p11 | 128.6.0-alt1 | 128.5.2-alt1 | ALT-PU-2025-1154-3 | 369303 | Fixed |
thunderbird | sisyphus | 128.6.0-alt1 | 128.6.0-alt1 | ALT-PU-2025-1061-2 | 368499 | Fixed |
thunderbird | sisyphus_riscv64 | 128.6.0-alt1 | 128.6.0-alt1 | ALT-PU-2025-1139-1 | - | Fixed |
thunderbird | sisyphus_loongarch64 | 128.6.0-alt1 | 128.6.0-alt1 | ALT-PU-2025-1146-1 | - | Fixed |