-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0242
                    USN-4701-1: Thunderbird vulnerabilities
                               21 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Thunderbird
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35113 CVE-2020-35111 CVE-2020-26978
                   CVE-2020-26974 CVE-2020-26973 CVE-2020-26971
                   CVE-2020-26970 CVE-2020-16044 CVE-2020-16042
Reference:         ESB-2021.0100
                   ESB-2021.0011
                   ESB-2020.4524
                   ESB-2020.4515
                   ESB-2020.4458

Original Bulletin:
   https://ubuntu.com/security/notices/USN-4701-1

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4701-1: Thunderbird vulnerabilities
20 January 2021

Several security issues were fixed in Thunderbird.

Releases

  o Ubuntu 20.10

Packages

  o thunderbird - Mozilla Open Source mail and newsgroup client

Details

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass the CSS sanitizer, or execute
arbitrary code. (CVE-2020-16042, CVE-2020-16044, CVE-2020-26971,
CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113)

It was discovered that the proxy.onRequest API did not catch view-source
URLs. If a user were tricked into installing an extension with the proxy
permission and opening View Source, an attacker could potentially exploit
this to obtain sensitive information. (CVE-2020-35111)

A stack overflow was discovered due to incorrect parsing of SMTP server
response codes. An attacker could potentially exploit this to execute
arbitrary code. (CVE-2020-26970)

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10

  o thunderbird - 1:78.6.1+build1-0ubuntu0.20.10.1

After a standard system update you need to restart Thunderbird to make all
the necessary changes.

References

  o CVE-2020-16042
  o CVE-2020-26974
  o CVE-2020-26973
  o CVE-2020-35113
  o CVE-2020-26970
  o CVE-2020-16044
  o CVE-2020-26971
  o CVE-2020-35111
  o CVE-2020-26978

Related notices

  o USN-4687-1 : firefox
  o USN-4671-1 : firefox

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYAkJ8+NLKJtyKPYoAQiBQw/+K7KbJwkb8CAFRWDlR4dgQtRB20rM0vOE
NuZaaDq/LImoloivUck+brFNgvIS7CPhkk+vKczKCBfrvj4XRSraq9zfi4TIf0nY
jfQT6JaIBPNheit0rsLHwXfkWZexlf9SBo6qEADZz5WNhImGmGRq441fTCBM6iLC
9hZvdNbL/KU94H3y2Ytd3+Ng2B6f1SdtxOKv8Iacp4Hr7HIQWCgk8e3kMvdDeZ8r
h1yitrj18N0A6lLh2t2+44wi+4WL1IRR15najCQ+cBElcVCNO0jGsETHAzaZVuNT
9pKB/9EG6QbSeUI+rqSFqIt2kplP/bh0Cy9iY6Dmhifqbg0Sb5C+zNng2+3zEpIA
x3nDHBMnF2nMw4xqhlUqnWalqzFxFH3yFow9v8A84haFoM6TU7aQcg7/yUuNMCcM
kB27vPRlSyXwH0ErHu4gi0+5vEgZXHEV7SLhbwAk9jbgC+3XiWlyhMC3rWwIg0LC
ON+ChShF+FUvJ5VGhUnH9GLt9TfQm26PRG7mxuWwfD8QJHzvAhbfouasPg+Yw9OY
5mxquvtkzLBOqC7kUPe+8g5cqK2yNL5GcTHYTulA0rpfIvMyTbcuTFlTz6j9dlvR
JnVBddBiNEPl/3N0ThNfd30C2ggBa8qOvZIWISQQTqsuLR9rFDcp9g9Wj2QFXma2
ReWnrYfjYeE=
=nS9f
-----END PGP SIGNATURE-----