Bug 1186199 - (CVE-2021-29956) VUL-1: CVE-2021-29956: MozillaThunderbird: Thunderbird stored OpenPGP secret keys without master password protection
Status: RESOLVED FIXED
Duplicates: 1186464
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Martin Sirringhaus
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/284545/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-29956:3.3:(AV:...
Depends on: CVE-2021-33589
Reported: 2021-05-18 12:10 UTC by Gianluca Gabrielli
Modified: 2021-08-09 12:31 UTC
Found By: Security Response Team
Description Gianluca Gabrielli 2021-05-18 12:10:38 UTC
CVE-2021-29956

OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2021-22/#CVE-2021-29956

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1961504
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29956
Comment 1 Gianluca Gabrielli 2021-05-18 12:11:50 UTC
Affected packages:

 - SUSE:SLE-15-SP2:Update/MozillaThunderbird       78.10.0
 - openSUSE:Factory/MozillaThunderbird     78.10.1

Please update to version >= 78.10.2
Comment 3 Andreas Stieger 2021-05-26 15:27:41 UTC
*** Bug 1186464 has been marked as a duplicate of this bug. ***
Comment 4 OBSbugzilla Bot 2021-06-03 22:00:05 UTC
This is an autogenerated message for OBS integration:
This bug (1186199) was mentioned in
https://build.opensuse.org/request/show/897289 Factory / MozillaThunderbird
Comment 5 Swamp Workflow Management 2021-06-04 10:27:44 UTC
SUSE-SU-2021:1854-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185086,1185633,1186198,1186199
CVE References: CVE-2021-29950,CVE-2021-29951,CVE-2021-29956,CVE-2021-29957
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    MozillaThunderbird-78.10.2-8.27.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-78.10.2-8.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2021-07-10 22:20:00 UTC
openSUSE-SU-2021:1854-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185086,1185633,1186198,1186199
CVE References: CVE-2021-29950,CVE-2021-29951,CVE-2021-29956,CVE-2021-29957
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaThunderbird-78.10.2-8.27.1
Comment 7 Marcus Meissner 2021-08-09 12:31:53 UTC
done