Ubuntu Security Notice 4202-2 - USN-4202-1 fixed vulnerabilities in Thunderbird. After upgrading, Thunderbird created a new profile for some users. This update fixes the problem. It was discovered that a specially crafted S/MIME message with an inner encryption layer could be displayed as having a valid signature in some circumstances, even if the signer had no access to the encrypted message. An attacker could potentially exploit this to spoof the message author. Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass security restrictions, bypass same-origin restrictions, conduct cross-site scripting attacks, or execute arbitrary code. A heap overflow was discovered in the expat library in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit this to cause a denial of service, or execute arbitrary code.
0508b25ed86166d9e8ad492da3dab33c26ea8d976fc0c2aaea774bea64b55912==========================================================================
Ubuntu Security Notice USN-4202-2
December 10, 2019
thunderbird regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.10
- Ubuntu 18.04 LTS
Summary:
USN-4202-1 caused a regression in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
USN-4202-1 fixed vulnerabilities in Thunderbird. After upgrading,
Thunderbird
created a new profile for some users. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that a specially crafted S/MIME message with an inner
encryption layer could be displayed as having a valid signature in some
circumstances, even if the signer had no access to the encrypted message.
An attacker could potentially exploit this to spoof the message author.
(CVE-2019-11755)
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
bypass security restrictions, bypass same-origin restrictions, conduct
cross-site scripting (XSS) attacks, or execute arbitrary code.
(CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, CVE-2019-11760,
CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11764)
A heap overflow was discovered in the expat library in Thunderbird. If a
user were tricked in to opening a specially crafted message, an attacker
could potentially exploit this to cause a denial of service, or execute
arbitrary code. (CVE-2019-15903)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.10:
thunderbird 1:68.2.2+build1-0ubuntu0.19.10.1
Ubuntu 18.04 LTS:
thunderbird 1:68.2.2+build1-0ubuntu0.18.04.1
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References:
https://usn.ubuntu.com/4202-2
https://usn.ubuntu.com/4202-1
https://launchpad.net/bugs/1854150
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:68.2.2+build1-0ubuntu0.19.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:68.2.2+build1-0ubuntu0.18.04.1
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed