Bug 1194215 - (CVE-2021-4126) VUL-0: MozillaThunderbird: update to 91.4.1 (mfsa2021-55)
(CVE-2021-4126)
VUL-0: MozillaThunderbird: update to 91.4.1 (mfsa2021-55)
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Mozilla Bugs
Security Team bot
https://smash.suse.de/issue/319388/
CVSSv3.1:SUSE:CVE-2021-4126:5.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-01-03 08:40 UTC by Alexander Bergmann
Modified: 2022-03-01 20:24 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2022-01-03 08:40:36 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2021-55/

Mozilla Foundation Security Advisory 2021-55

Security Vulnerabilities fixed in Thunderbird 91.4.1

CVE-2021-4126: 
OpenPGP signature status doesn't consider additional message content
Impact: moderate
Description:
When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed message for the signature validity. This gave the false impression that the additional contents were also covered by the digital signature. Starting with Thunderbird version 91.4.1, only the signature that belongs to the top level MIME part will be considered for the displayed status.

CVE-2021-44538:
Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow
Impact: moderate
Description:
Thunderbird users who use the Matrix chat protocol were vulnerable to a buffer overflow in libolm, that an attacker may trigger by a crafted sequence of messages. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits.

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-55/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4126
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44538
http://www.debian.org/security/-1/dsa-5034
https://security-tracker.debian.org/tracker/thunderbird
Comment 2 Swamp Workflow Management 2022-01-12 14:16:53 UTC
SUSE-SU-2022:0058-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194020,1194215
CVE References: CVE-2021-4126,CVE-2021-44538
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    MozillaThunderbird-91.4.1-8.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 Swamp Workflow Management 2022-01-12 14:18:05 UTC
openSUSE-SU-2022:0058-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194020,1194215
CVE References: CVE-2021-4126,CVE-2021-44538
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaThunderbird-91.4.1-8.48.1
Comment 4 Swamp Workflow Management 2022-03-01 20:24:19 UTC
openSUSE-SU-2022:0058-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1144018,1181400,1194020,1194215,1194681
CVE References: CVE-2020-15803,CVE-2021-27927,CVE-2021-4126,CVE-2021-44538,CVE-2022-23134
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaThunderbird-91.4.1-8.48.1
openSUSE Backports SLE-15-SP3 (src):    zabbix-4.0.38-bp153.2.3.1