
Security updates have been released for SUSE Linux, addressing potential vulnerabilities. One update is important and relates to Mozilla Thunderbird. A second update is moderate and concerns python311-marshmallow, specifically version 3.26.2-1.1.

openSUSE-SU-2026:20002-1: important: Security update for MozillaThunderbird
openSUSE-SU-2026:10003-1: moderate: python311-marshmallow-3.26.2-1.1 on GA media






openSUSE security update: Security update for MozillaThunderbird
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20002-1
Rating: important
References:

* bsc#1253188

Cross-References:

* CVE-2025-13012
* CVE-2025-13013
* CVE-2025-13014
* CVE-2025-13015
* CVE-2025-13016
* CVE-2025-13017
* CVE-2025-13018
* CVE-2025-13019
* CVE-2025-13020

CVSS scores:

* CVE-2025-13012 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-13013 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-13014 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-13015 ( SUSE ): 3.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
* CVE-2025-13016 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-13017 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-13018 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-13019 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-13020 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:

openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 9 vulnerabilities and has one bug fix can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

Changes in MozillaThunderbird:

Mozilla Thunderbird 140.5.0 ESR

MFSA 2025-91 (bsc#1253188):

* CVE-2025-13012
  Race condition in the Graphics component
* CVE-2025-13016
  Incorrect boundary conditions in the JavaScript: WebAssembly
  component
* CVE-2025-13017
  Same-origin policy bypass in the DOM: Notifications component
* CVE-2025-13018
  Mitigation bypass in the DOM: Security component
* CVE-2025-13019
  Same-origin policy bypass in the DOM: Workers component
* CVE-2025-13013
  Mitigation bypass in the DOM: Core & HTML component
* CVE-2025-13020
  Use-after-free in the WebRTC: Audio/Video component
* CVE-2025-13014
  Use-after-free in the Audio/Video component
* CVE-2025-13015
  Spoofing issue in Thunderbird
* fixed: Could not drag and drop ICS file to Today Pane
* fixed: With Thunderbird closed, clicking a 'mailto:' link to
  send signed message failed
* fixed: Upgrade from 128.x->140.x broke authentication for
  @att.net using Yahoo backend

Mozilla Thunderbird 140.4.0 ESR

* Account Hub is now disabled by default for second email account
* Users could not read mail signed with OpenPGP v6 and PQC keys
* Image preview in Insert Image dialog failed with CSP error for web resources
* Emptying trash on exit did not work with some providers
* Thunderbird could crash when applying filters
* Users were unable to override expired mail server certificate
* Opening Website header link in RSS feed incorrectly re-encoded
  URL parameters

Mozilla Thunderbird 140.3.1 ESR:

* several bugfixes listed here
  https://www.thunderbird.net/en-US/thunderbird/140.3.1esr/releasenotes
-------------------------------------------------------------------

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-packagehub-27=1

Package List:

- openSUSE Leap 16.0:

MozillaThunderbird-140.5.0-bp160.1.1
MozillaThunderbird-openpgp-librnp-140.5.0-bp160.1.1
MozillaThunderbird-translations-common-140.5.0-bp160.1.1
MozillaThunderbird-translations-other-140.5.0-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-13012.html
* https://www.suse.com/security/cve/CVE-2025-13013.html
* https://www.suse.com/security/cve/CVE-2025-13014.html
* https://www.suse.com/security/cve/CVE-2025-13015.html
* https://www.suse.com/security/cve/CVE-2025-13016.html
* https://www.suse.com/security/cve/CVE-2025-13017.html
* https://www.suse.com/security/cve/CVE-2025-13018.html
* https://www.suse.com/security/cve/CVE-2025-13019.html
* https://www.suse.com/security/cve/CVE-2025-13020.html





# python311-marshmallow-3.26.2-1.1 on GA media

Announcement ID: openSUSE-SU-2026:10003-1
Rating: moderate

Cross-References:

* CVE-2025-68480

CVSS scores:

* CVE-2025-68480 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-68480 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Products:

* openSUSE Tumbleweed

An update that solves one vulnerability can now be installed.

## Description:

These are all security issues fixed in the python311-marshmallow-3.26.2-1.1 package on the GA media of openSUSE Tumbleweed.

## Package List:

* openSUSE Tumbleweed:
  * python311-marshmallow 3.26.2-1.1
  * python312-marshmallow 3.26.2-1.1
  * python313-marshmallow 3.26.2-1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-68480.html