Bug 1221054 (CVE-2024-1936)

Summary: VUL-0: CVE-2024-1936: MozillaThunderbird: the encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Martin Sirringhaus <martin.sirringhaus>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/396271/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-1936:7.5:(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-06 11:06:36 UTC 
The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1936
https://bugzilla.mozilla.org/show_bug.cgi?id=1860977
https://www.mozilla.org/security/advisories/mfsa2024-11/
https://www.cve.org/CVERecord?id=CVE-2024-1936
Comment 1 Carlos López 2024-03-06 11:07:27 UTC 
This is Thunderbird 115.8.1
Comment 3 Maintenance Automation 2024-03-15 08:36:25 UTC 
SUSE-SU-2024:0893-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221054
CVE References: CVE-2024-1936
Sources used:
openSUSE Leap 15.5 (src): MozillaThunderbird-115.8.1-150200.8.151.1
SUSE Package Hub 15 15-SP5 (src): MozillaThunderbird-115.8.1-150200.8.151.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): MozillaThunderbird-115.8.1-150200.8.151.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): MozillaThunderbird-115.8.1-150200.8.151.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.