Bug 1184536 (CVE-2021-23991)

Summary: VUL-0: CVE-2021-23991, CVE-2021-23992, CVE-2021-23993: MozillaThunderbird: Update to 78.9.1
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Martin Sirringhaus <martin.sirringhaus>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, cgrobertson, rfrohl
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/281492/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-23991:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3.1:SUSE:CVE-2021-23992:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) CVSSv3.1:SUSE:CVE-2021-23993:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2021-04-09 07:12:04 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2021-13/

CVE-2021-23991: An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key
#MOZ-2021-23992: A crafted OpenPGP key with an invalid user ID could be used to confuse the user
CVE-2021-23993: Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key
Comment 2 Swamp Workflow Management 2021-04-13 16:21:19 UTC
SUSE-SU-2021:1167-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1177542,1183942,1184536
CVE References: CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987,CVE-2021-23991,CVE-2021-23992
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    MozillaThunderbird-78.9.1-8.20.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-78.9.1-8.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 Alexander Bergmann 2021-04-14 07:14:55 UTC
CVE-2021-23992: A crafted OpenPGP key with an invalid user ID could be used to confuse the user
Comment 4 Swamp Workflow Management 2021-04-19 16:24:23 UTC
openSUSE-SU-2021:0580-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1177542,1183942,1184536
CVE References: CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987,CVE-2021-23991,CVE-2021-23992,CVE-2021-23993
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaThunderbird-78.9.1-lp152.2.38.1
Comment 5 Marcus Meissner 2021-08-09 12:15:14 UTC
done