-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1197
     MFSA 2021-13 Security Vulnerabilities fixed in Thunderbird 78.9.1
                               9 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Thunderbird
Publisher:         Mozilla Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23993 CVE-2021-23991

Original Bulletin:
   https://www.mozilla.org/en-US/security/advisories/mfsa2021-13/

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2021-13

Security Vulnerabilities fixed in Thunderbird 78.9.1

Announced: April 8, 2021
Impact:    moderate
Products:  Thunderbird
Fixed in:  Thunderbird 78.9.1

# CVE-2021-23991: An attacker may use Thunderbird's OpenPGP key refresh
  mechanism to poison an existing key

Reporter: Cure53
Impact:   moderate

Description

If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice
has extended the validity period of her key, but Alice's updated key has not
yet been imported, an attacker may send an email containing a crafted version
of Alice's key with an invalid subkey. Thunderbird might subsequently attempt
to use the invalid subkey and will fail to send encrypted email to Alice.

References

  o Bug 1673240

# MOZ-2021-23992: A crafted OpenPGP key with an invalid user ID could be used
  to confuse the user

Reporter: Neal Walfield
Impact:   moderate

Description

Thunderbird did not check if the user ID associated with an OpenPGP key has a
valid self signature. An attacker may create a crafted version of an OpenPGP
key, either by replacing the original user ID or by adding another user ID. If
Thunderbird imports and accepts the crafted key, the Thunderbird user may
falsely conclude that the false user ID belongs to the correspondent.

References

  o Bug 1666236

# CVE-2021-23993: Inability to send encrypted OpenPGP email after importing a
  crafted OpenPGP key

Reporter: Neal Walfield
Impact:   moderate

Description

An attacker may perform a denial-of-service (DoS) attack to prevent a user
from sending encrypted email to a correspondent. If an attacker creates a
crafted OpenPGP key with a subkey that has an invalid self signature, and the
Thunderbird user imports the crafted key, then Thunderbird may try to use the
invalid subkey, but the RNP library rejects it from being used, causing
encryption to fail.

References

  o Bug 1666360

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================