Description
Security update for MozillaThunderbird
This update for MozillaThunderbird fixes the following issues:
- Mozilla Thunderbird 78.10.2
- CVE-2021-29957: Fixed partial protection of inline OpenPGP message not indicated (bsc#1186198).
- CVE-2021-29956: Fixed Thunderbird stored OpenPGP secret keys without master password protection (bsc#1186199).
- CVE-2021-29951: Fixed Thunderbird Maintenance Service could have been started or stopped by domain users (bsc#1185633).
- CVE-2021-29950: Fixed logic issue potentially leaves key material unlocked (bsc#1185086).
Package list
SUSE Linux Enterprise Workstation Extension 15 SP2
SUSE Linux Enterprise Workstation Extension 15 SP3
References
- Link for SUSE-SU-2021:1854-1
- E-Mail link for SUSE-SU-2021:1854-1
- SUSE Security Ratings
- SUSE Bug 1185086
- SUSE Bug 1185633
- SUSE Bug 1186198
- SUSE Bug 1186199
- SUSE CVE CVE-2021-29950 page
- SUSE CVE CVE-2021-29951 page
- SUSE CVE CVE-2021-29956 page
- SUSE CVE CVE-2021-29957 page
Description
Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1.
Affected products
References
- CVE-2021-29950
- SUSE Bug 1185086
Description
The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service. *Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.10.1, Firefox < 87, and Firefox ESR < 78.10.1.
Affected products
References
- CVE-2021-29951
- SUSE Bug 1185633
Description
OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2.
Affected products
References
- CVE-2021-29956
- SUSE Bug 1186199
Description
If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2.
Affected products
References
- CVE-2021-29957
- SUSE Bug 1186198