[USN-4202-2] Thunderbird regression
chris.coulson at canonical.com
Tue Dec 10 22:17:12 UTC 2019
Ubuntu Security Notice USN-4202-2
December 10, 2019
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.10
- Ubuntu 18.04 LTS
USN-4202-1 caused a regression in Thunderbird.
- thunderbird: Mozilla Open Source mail and newsgroup client
USN-4202-1 fixed vulnerabilities in Thunderbird. After upgrading,
created a new profile for some users. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that a specially crafted S/MIME message with an inner
encryption layer could be displayed as having a valid signature in some
circumstances, even if the signer had no access to the encrypted message.
An attacker could potentially exploit this to spoof the message author.
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
bypass security restrictions, bypass same-origin restrictions, conduct
cross-site scripting (XSS) attacks, or execute arbitrary code.
(CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, CVE-2019-11760,
CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11764)
A heap overflow was discovered in the expat library in Thunderbird. If a
user were tricked in to opening a specially crafted message, an attacker
could potentially exploit this to cause a denial of service, or execute
arbitrary code. (CVE-2019-15903)
The problem can be corrected by updating your system to the following
Ubuntu 18.04 LTS:
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the ubuntu-security-announce