openSUSE-SU-2021:1854-1

Published: 10 Jul 2021
Source: suse-cvrf

Description

Security update for MozillaThunderbird

This update for MozillaThunderbird fixes the following issues:

  • Mozilla Thunderbird 78.10.2
  • CVE-2021-29957: Fixed partial protection of inline OpenPGP message not indicated (bsc#1186198).
  • CVE-2021-29956: Fixed Thunderbird stored OpenPGP secret keys without master password protection (bsc#1186199).
  • CVE-2021-29951: Fixed Thunderbird Maintenance Service could have been started or stopped by domain users (bsc#1185633).
  • CVE-2021-29950: Fixed logic issue potentially leaves key material unlocked (bsc#1185086).

Package list

openSUSE Leap 15.3
MozillaThunderbird-78.10.2-8.27.1
MozillaThunderbird-translations-common-78.10.2-8.27.1
MozillaThunderbird-translations-other-78.10.2-8.27.1

Description

Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1.


Affected products
openSUSE Leap 15.3:MozillaThunderbird-78.10.2-8.27.1
openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.10.2-8.27.1
openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.10.2-8.27.1

Description

The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service. Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected. This vulnerability affects Thunderbird < 78.10.1, Firefox < 87, and Firefox ESR < 78.10.1.


Affected products
openSUSE Leap 15.3:MozillaThunderbird-78.10.2-8.27.1
openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.10.2-8.27.1
openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.10.2-8.27.1

Description

OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2.


Affected products
openSUSE Leap 15.3:MozillaThunderbird-78.10.2-8.27.1
openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.10.2-8.27.1
openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.10.2-8.27.1

Description

If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2.


Affected products
openSUSE Leap 15.3:MozillaThunderbird-78.10.2-8.27.1
openSUSE Leap 15.3:MozillaThunderbird-translations-common-78.10.2-8.27.1
openSUSE Leap 15.3:MozillaThunderbird-translations-other-78.10.2-8.27.1
