Bug 1221054 (CVE-2024-1936) - VUL-0: CVE-2024-1936: MozillaThunderbird: the encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message
Status: NEW
Alias: CVE-2024-1936
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Martin Sirringhaus
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/396271/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-1936:7.5:(AV:N...
Reported: 2024-03-06 11:06 UTC by SMASH SMASH
Modified: 2024-03-15 08:36 UTC
Found By: Security Response Team
Description SMASH SMASH 2024-03-06 11:06:36 UTC
The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1936
https://bugzilla.mozilla.org/show_bug.cgi?id=1860977
https://www.mozilla.org/security/advisories/mfsa2024-11/
https://www.cve.org/CVERecord?id=CVE-2024-1936
Comment 1 Carlos López 2024-03-06 11:07:27 UTC
This is Thunderbird 115.8.1
Comment 3 Maintenance Automation 2024-03-15 08:36:25 UTC
SUSE-SU-2024:0893-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221054
CVE References: CVE-2024-1936
Sources used:
openSUSE Leap 15.5 (src): MozillaThunderbird-115.8.1-150200.8.151.1
SUSE Package Hub 15 15-SP5 (src): MozillaThunderbird-115.8.1-150200.8.151.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): MozillaThunderbird-115.8.1-150200.8.151.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): MozillaThunderbird-115.8.1-150200.8.151.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.