what you don't know can hurt you

Ubuntu Security Notice USN-4701-1

Ubuntu Security Notice USN-4701-1
Posted Jan 20, 2021
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 4701-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass the CSS sanitizer, or execute arbitrary code. It was discovered that the proxy.onRequest API did not catch view-source URLs. If a user were tricked in to installing an extension with the proxy permission and opening View Source, an attacker could potentially exploit this to obtain sensitive information. Various other issues were also addressed.

tags | advisory, denial of service, arbitrary
systems | linux, ubuntu
advisories | CVE-2020-16042, CVE-2020-26970, CVE-2020-26973, CVE-2020-26974, CVE-2020-35111, CVE-2020-35113
MD5 | d5be7805a4212cf046f8575dfc0f5c39

Ubuntu Security Notice USN-4701-1

Change Mirror Download
==========================================================================
Ubuntu Security Notice USN-4701-1
January 20, 2021

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass the CSS sanitizer, or execute
arbitrary code. (CVE-2020-16042, CVE-2020-16044, CVE-2020-26971,
CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35113)

It was discovered that the proxy.onRequest API did not catch
view-source URLs. If a user were tricked in to installing an
extension with the proxy permission and opening View Source, an
attacker could potentially exploit this to obtain sensitive
information. (CVE-2020-35111)

A stack overflow was discovered due to incorrect parsing of SMTP server
response codes. An attacker could potentially exploit this to execute
arbitrary code. (CVE-2020-26970)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
thunderbird 1:78.6.1+build1-0ubuntu0.20.10.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
https://usn.ubuntu.com/4701-1
CVE-2020-16042, CVE-2020-16044, CVE-2020-26970, CVE-2020-26971,
CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35111,
CVE-2020-35113

Package Information:

https://launchpad.net/ubuntu/+source/thunderbird/1:78.6.1+build1-0ubuntu0.20.10.1
Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    13 Files
  • 5
    Mar 5th
    9 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close