[USN-4202-2] Thunderbird regression

Chris Coulson chris.coulson at canonical.com
Tue Dec 10 22:17:12 UTC 2019

Ubuntu Security Notice USN-4202-2
December 10, 2019

thunderbird regression

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS


USN-4202-1 caused a regression in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client


USN-4202-1 fixed vulnerabilities in Thunderbird. After upgrading,
created a new profile for some users. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that a specially crafted S/MIME message with an inner
 encryption layer could be displayed as having a valid signature in some
 circumstances, even if the signer had no access to the encrypted message.
 An attacker could potentially exploit this to spoof the message author.
  Multiple security issues were discovered in Thunderbird. If a user were
 tricked in to opening a specially crafted website in a browsing context,
 an attacker could potentially exploit these to cause a denial of service,
 bypass security restrictions, bypass same-origin restrictions, conduct
 cross-site scripting (XSS) attacks, or execute arbitrary code.
 (CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, CVE-2019-11760,
 CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11764)
  A heap overflow was discovered in the expat library in Thunderbird. If a
 user were tricked in to opening a specially crafted message, an attacker
 could potentially exploit this to cause a denial of service, or execute
 arbitrary code. (CVE-2019-15903)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
  thunderbird                     1:68.2.2+build1-0ubuntu0.19.10.1

Ubuntu 18.04 LTS:
  thunderbird                     1:68.2.2+build1-0ubuntu0.18.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.


Package Information:



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20191210/be1be03a/attachment-0001.sig>

More information about the ubuntu-security-announce mailing list