CVE-2025-6424:
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
CVE-2025-6425:
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
CVE-2025-6429:
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
CVE-2025-6430:
When a file download was specified via the `Content-Disposition` header, that directive was ignored if the file was included via an `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. Sites that serve user-uploaded files should therefore not rely on `Content-Disposition: attachment` alone to keep such content from rendering, but also serve it from a separate origin with an explicit `Content-Type`, `X-Content-Type-Options: nosniff` and a sandboxing Content Security Policy. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
Lintian reports 5 errors and 5 warnings about this package. You should make the package lintian clean by getting rid of them.
Standards version of the package is outdated.
Severity: high
The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.2 instead of 3.9.8.0).
The package has not entered testing even though the delay is over.
Severity: normal
The package has not entered testing even though the 20-day delay is over. Check why.
You should get rid of them to provide more metadata about this software.
debian/patches: 20 patches to forward upstream
Severity: low
Among the 20 debian patches available in version 128.12.0esr-1 of the package, we noticed the following issues: 20 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status. Under DEP-3, a patch header without a `Forwarded:` field only counts as forwarded when it carries a `Bug:` field, so for changes that are Debian-specific or already taken from upstream the fix is usually to record `Forwarded: not-needed`, a `Forwarded:` URL, or an `Origin: upstream`/`backport` line rather than to forward anything.
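As an added example (not part of the tracker page or of the firefox-esr packaging), the following POSIX shell script lists the patches in a debian/patches directory whose DEP-3 headers say they still need forwarding. It applies DEP-3's defaulting rule (a missing Forwarded field means "yes" only when a Bug field is present) and additionally treats `Origin: upstream` or `backport` as already upstream, which is an assumption made here; the sample patches and the URLs inside them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: list debian/patches entries whose DEP-3 metadata says they
# have not been forwarded upstream. Not part of the Debian tracker or the
# firefox-esr packaging; the sample patches created below are constructed.
set -eu

# Print the value of a DEP-3 header field from the description block of a
# patch (everything before the first diff/---/Index: line); empty if absent.
dep3_field() {  # usage: dep3_field FIELD FILE
    awk -v want="$1" '
        /^(---|\+\+\+|diff |Index: )/ { exit }
        {
            n = index($0, ":")
            if (n > 1 && tolower(substr($0, 1, n - 1)) == tolower(want)) {
                v = substr($0, n + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$2"
}

# Print "yes" if a patch still needs forwarding, "no" otherwise.
# DEP-3 rule: a missing Forwarded field means "yes" only when Bug is present.
# Treating Origin: upstream/backport as already upstream is an assumption of
# this example (such patches came from upstream, so there is nothing to send).
needs_forwarding() {  # usage: needs_forwarding FILE
    fwd=$(dep3_field Forwarded "$1")
    bug=$(dep3_field Bug "$1")
    origin=$(dep3_field Origin "$1")
    case "$(printf '%s' "$fwd" | tr 'A-Z' 'a-z')" in
        no)         echo yes; return ;;
        not-needed) echo no;  return ;;
        ?*)         echo no;  return ;;   # "yes" or a URL: forwarded
    esac
    case "$(printf '%s' "$origin" | tr 'A-Z' 'a-z')" in
        upstream*|backport*) echo no; return ;;
    esac
    [ -n "$bug" ] && echo no || echo yes
}

# List the *.patch files under a directory that need forwarding, one per line.
list_unforwarded() {  # usage: list_unforwarded PATCHDIR
    for p in "$1"/*.patch; do
        [ -f "$p" ] || continue
        [ "$(needs_forwarding "$p")" = yes ] && basename "$p"
    done
    return 0
}

# Constructed sample patch queue (not real firefox-esr patches).
demo_dir=$(mktemp -d)
cat > "$demo_dir/0001-branding.patch" <<'EOF'
Description: Debian-specific branding change
Forwarded: not-needed
--- a/README
+++ b/README
@@ -1 +1 @@
-foo
+bar
EOF
cat > "$demo_dir/0002-fix-crash.patch" <<'EOF'
Description: Fix a crash on startup
Forwarded: no
--- a/src/main.c
+++ b/src/main.c
EOF
cat > "$demo_dir/0003-backport.patch" <<'EOF'
Description: Backported fix
Origin: backport, https://example.org/commit/abc123
--- a/src/util.c
+++ b/src/util.c
EOF
cat > "$demo_dir/0004-bugref.patch" <<'EOF'
Description: Fix reported upstream (Bug field present, Forwarded omitted)
Bug: https://example.org/bugs/1
--- a/src/net.c
+++ b/src/net.c
EOF
cat > "$demo_dir/0005-no-metadata.patch" <<'EOF'
--- a/configure.ac
+++ b/configure.ac
EOF

# Prints 0002-fix-crash.patch and 0005-no-metadata.patch: the two entries
# whose metadata needs either a forwarded bug/URL or a corrected status.
list_unforwarded "$demo_dir"
```

Run it against a real source tree with `list_unforwarded debian/patches` after sourcing the functions; every name it prints needs either an upstream submission recorded in `Forwarded:` or `Bug:`, or a `Forwarded: not-needed` line explaining why the change stays Debian-specific.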
This package will soon be part of the auto-libvpx transition. You might want to ensure that your package is ready for it.
You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
Migration status for firefox-esr (128.11.0esr-1 to 128.12.0esr-1): BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
Issues preventing migration:
∙ blocked by freeze: does not have autopkgtest (Follow the freeze policy when applying for an unblock)