Operating System:

[Debian]

Published:

05 January 2022

Protect yourself against future threats.

//Service

Malicious URL Feed

Add this Australian-based feed to your firewall blacklist and SIEM to prevent compromises to your network.

Read more
Resources > Security Bulletins > ESB-2022.0032 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0032
                        thunderbird security update
                              5 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           thunderbird
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44538 CVE-2021-43546 CVE-2021-43545
                   CVE-2021-43543 CVE-2021-43542 CVE-2021-43541
                   CVE-2021-43539 CVE-2021-43538 CVE-2021-43537
                   CVE-2021-43536 CVE-2021-43535 CVE-2021-43534
                   CVE-2021-43529 CVE-2021-43528 CVE-2021-38509
                   CVE-2021-38508 CVE-2021-38507 CVE-2021-38506
                   CVE-2021-38504 CVE-2021-38503 CVE-2021-38502
                   CVE-2021-38500 CVE-2021-38496 CVE-2021-4126

Reference:         ESB-2022.0031
                   ESB-2022.0015

Original Bulletin: 
   http://www.debian.org/lts/security/2022/dla-2874

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2874-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
January 04, 2022                              https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : thunderbird
Version        : 1:91.4.1-1~deb9u1
CVE ID         : CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502
                 CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507
                 CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529
                 CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537
                 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542
                 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code, spoofing, information disclosure,
downgrade attacks on SMTP STARTTLS connections or misleading display of
OpenPGP/MIME signatures.

For Debian 9 stretch, these problems have been fixed in version
1:91.4.1-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmHUHP4ACgkQnUbEiOQ2
gwIdhhAAsYJeGaKX7EakOQSqKqWksvfDg41A+TA01hpygOvfipqGlJl4sBCFHtfm
vPY4w6A+RsJWPohOch+DMc9EfXOJ1ivMp0nMMky/8xYYksAQqeThtwBfm2wHWpGT
IZAtn5doZe/53P++ejD5xLnCC19oCdBbEHsPj3p6OWzEUByqfPZBAv02lA+0pqqo
Mga52gFMI6xy4wmeuQZGtKsyI/hujLbYHnp7Rb8+3uwisb7QkzeVod77z211pGon
ifobrw52Bfa0Cb1e9Xesg70TDsZlPPlUnqHaUC5pE+OxS0Vx1G4Eur1+wQ9ao4V8
djlJWhmj1+1wNlSJ91Fsk0UQ+y6cVli4MU5wzIufQ0TdN+hMjQD0nuCejnjhQjPc
YNK7jYUwM4+DFGswYdpvoNa2uNtKzsu7sZQW9kfeF7H2uLoJgAUdNRdKrNmUrofQ
C4E2CsI3wTQxE9gmWX+LRGKr9r6QF15es7KCEGuFlAToVCh/d6vXF0f9IaH0ZE05
6W4sfcYoj6HKHEcKONuh6codpRceKx6gPgh+2n0pdoUNNlz/AbO0is+SiIInILlI
dYSdTxPLK0fZxD+ufi2E9IaQ2VvRg0Y933pQvjn3xbCCk7xehM7TD55LlwfUWPGb
/ffeEgwsObhA0cmV3jN6+bvxM9Tbk7DSd4Q30fuqSy8od5Ih0i4=
=kFGv
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYdTPyONLKJtyKPYoAQjGog/+LjhyETdHsKYG/yJYXAHvSL4vphkHLtBT
MZ3YdgbS9gufgFm4fK5Ujbi0QdL90wLEtoF01uEJg1yLxx5u/NkVLzp1NLD8kr/I
0VghZQsAoV+dAPPppLL9250Jq0c+R7b4+AKq61oCkQqogCJppiTQII+lkHbIb0jC
OXNVdCWN4Z6QkRzEa7ZXQzXQOP+j8RwssHFkodyBJfZOC+JIuEWPE9sLcz4E0wF2
KRaB/06qBwjZoFGNpEhudo3ir4cDFSJT5vHCpd3dJlv7IhkSyxuH9uBh5mdLO/mr
L6h7AbRbc7F3LjghEQx2y+qpBvvY+9KmICdM3fBKADm8RPYJzEDwdWmU50kZhPR5
3QSbFgX1ap1MAcxAyqOS3EzPnIe7Uw3XRkBrhL1ql8Y9w3JcHRDML3PU47j2uIoX
8edzMks309IjKLfJjorDf4AgBk24kLZJIzzpmt3i+Qi7wCw+Bhm4iIuyWKOL/v6k
jrQJBkLp5LTQFXwmi1NugoiQG9oNwxF0wL2ljdz/csrtMbBHJ+sGvcSIhM+Ix6xw
sMLEUna6s/9jtlrhh0hBH2gNvqzqVmVn5mkUIwH4m1Hk5ifKxzTA1GiND6nJRK2t
/oq698jXdbLD1hHsH+83TpdH4xPy0dfTCxqPuDB9P3kSWRxZ0waM3e6dyVnZQQwC
3bV5cd+cSu0=
=kkWG
-----END PGP SIGNATURE-----