Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1197
MFSA 2021-13 Security Vulnerabilities fixed in Thunderbird 78.9.1
9 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Thunderbird
Publisher: Mozilla Foundation
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-23993 CVE-2021-23991
Original Bulletin:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-13/
- --------------------------BEGIN INCLUDED TEXT--------------------
Mozilla Foundation Security Advisory 2021-13
Security Vulnerabilities fixed in Thunderbird 78.9.1
Announced: April 8, 2021
Impact: moderate
Products: Thunderbird
Fixed in: Thunderbird 78.9.1
# CVE-2021-23991: An attacker may use Thunderbird's OpenPGP key refresh
mechanism to poison an existing key
Reporter: Cure53
Impact: moderate
Description
If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice
has extended the validity period of her key, but Alice's updated key has not
yet been imported, an attacker may send an email containing a crafted version
of Alice's key with an invalid subkey, Thunderbird might subsequently attempt
to use the invalid subkey, and will fail to send encrypted email to Alice.
References
o Bug 1673240
#MOZ-2021-23992: A crafted OpenPGP key with an invalid user ID could be used to
confuse the user
Reporter: Neal Walfield
Impact: moderate
Description
Thunderbird did not check if the user ID associated with an OpenPGP key has a
valid self signature. An attacker may create a crafted version of an OpenPGP
key, by either replacing the original user ID, or by adding another user ID. If
Thunderbird imports and accepts the crafted key, the Thunderbird user may
falsely conclude that the false user ID belongs to the correspondent.
References
o Bug 1666236
# CVE-2021-23993: Inability to send encrypted OpenPGP email after importing a
crafted OpenPGP key
Reporter: Neal Walfield
Impact: moderate
Description
An attacker may perform a DoS attack to prevent a user from sending encrypted
email to a correspondent. If an attacker creates a crafted OpenPGP key with a
subkey that has an invalid self signature, and the Thunderbird user imports the
crafted key, then Thunderbird may try to use the invalid subkey, but the RNP
library rejects it from being used, causing encryption to fail.
References
o Bug 1666360
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYG+eKuNLKJtyKPYoAQivuhAAo74IziW9cby+X4OL5A+FgH1wScJt8ub1
AJRB3HkzeQX418ZScn8PCt0MlqW1rA3rdlYrVjSIruzTYJJzsoQPruiWq+snTqrT
E7b9NCYGYFAybSBSCxDgb4axhDJvJPWpNlkga4wWe/RzfStfZtZs8scalSlcVS7i
oOmjxJeAXYfzahtS/n12zr7O3eOvV4j73aJJcqVQUZsXmlzNtL88oFsPplEki7Ab
b8c+tkNJwrILqsBogy6nmBVB/ngeFU5fVXWIEKv6lYekcTeSKR2HQxWTayJ+eAXh
88lRkkwUx+4Mrmv0nhZmTi7YoyDLCcx2Xdleb/vgkfqCX8M8z1jyM6OLCcOIXGhj
ZcLUPNEEcYXB6XDpH6l4/4rTxi4LqELQysme6v5ccD2TUIgyvEY1yK/RDr3GgY6B
uAUp6Dmgj9+Anqi2FDCEyDCBH8VwjvlcgGnZCeFhGhjhXBpeN9iSAqbvPUP4BCf/
NYfAVl00wb0cjgWuvTpj5lDWPfvmq8A8WEhrVL8T1OWpgYWY5Fd0iCGxqwJYt/9K
TAuBwmHTaF+MdY5HGAQXoNijPfeW/gNo7SHAEb8k+Ax+JCccGQTjrCECE94rSK5/
7n5JaFSSLfJsRx0t2DGUaHx98WcJSt4sGx28535gNbmS/2Ko8rQepguB1/ocS6yc
Xoh65QWT2qs=
=ZxRk
-----END PGP SIGNATURE-----