Ubuntu Security Notice 5058-1 - It was discovered that Thunderbird didn't ignore IMAP server responses prior to completion of the STARTTLS handshake. A person-in-the-middle could potentially exploit this to trick Thunderbird into showing incorrect information. Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. Various other issues were also addressed.
d439dc830ff759d365c01af29919212afc94c2f9e8414adca8c017e63f81126f
==========================================================================
Ubuntu Security Notice USN-5058-1
August 31, 2021
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
It was discovered that Thunderbird didn't ignore IMAP server responses
prior to completion of the STARTTLS handshake. A person-in-the-middle
could potentially exploit this to trick Thunderbird into showing incorrect
information. (CVE-2021-29969)
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service, or
execute arbitrary code. (CVE-2021-29970, CVE-2021-29976, CVE-2021-29980,
CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988,
CVE-2021-29989, CVE-2021-30547)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.04:
thunderbird 1:78.13.0+build1-0ubuntu0.21.04.2
Ubuntu 20.04 LTS:
thunderbird 1:78.13.0+build1-0ubuntu0.20.04.2
Ubuntu 18.04 LTS:
thunderbird 1:78.13.0+build1-0ubuntu0.18.04.1
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5058-1
CVE-2021-29969, CVE-2021-29970, CVE-2021-29976, CVE-2021-29980,
CVE-2021-29984, CVE-2021-29985, CVE-2021-29986, CVE-2021-29988,
CVE-2021-29989, CVE-2021-30547
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:78.13.0+build1-0ubuntu0.21.04.2
https://launchpad.net/ubuntu/+source/thunderbird/1:78.13.0+build1-0ubuntu0.20.04.2
https://launchpad.net/ubuntu/+source/thunderbird/1:78.13.0+build1-0ubuntu0.18.04.1