Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1854-1 Final 1 1 2021-06-04T06:54:13Z current 2021-06-04T06:54:13Z 2021-06-04T06:54:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird 78.10.2 - CVE-2021-29957: Fixed partial protection of inline OpenPGP message not indicated (bsc#1186198). - CVE-2021-29956: Fixed Thunderbird stored OpenPGP secret keys without master password protection (bsc#1186199). - CVE-2021-29951: Fixed Thunderbird Maintenance Service could have been started or stopped by domain users (bsc#1185633). - CVE-2021-29950: Fixed logic issue potentially leaves key material unlocked (bsc#1185086). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-1854,SUSE-SLE-Product-WE-15-SP2-2021-1854,SUSE-SLE-Product-WE-15-SP3-2021-1854 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211854-1/ Link for SUSE-SU-2021:1854-1 https://lists.suse.com/pipermail/sle-security-updates/2021-June/008933.html E-Mail link for SUSE-SU-2021:1854-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1185086 SUSE Bug 1185086 https://bugzilla.suse.com/1185633 SUSE Bug 1185633 https://bugzilla.suse.com/1186198 SUSE Bug 1186198 https://bugzilla.suse.com/1186199 SUSE Bug 1186199 https://www.suse.com/security/cve/CVE-2021-29950/ SUSE CVE CVE-2021-29950 page https://www.suse.com/security/cve/CVE-2021-29951/ SUSE CVE CVE-2021-29951 page https://www.suse.com/security/cve/CVE-2021-29956/ SUSE CVE CVE-2021-29956 page https://www.suse.com/security/cve/CVE-2021-29957/ SUSE CVE CVE-2021-29957 page SUSE Linux Enterprise Workstation Extension 15 SP2 SUSE Linux Enterprise Workstation Extension 15 SP3 MozillaThunderbird-78.10.2-8.27.1 MozillaThunderbird-translations-common-78.10.2-8.27.1 MozillaThunderbird-translations-other-78.10.2-8.27.1 MozillaThunderbird-78.10.2-8.27.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP2 MozillaThunderbird-translations-common-78.10.2-8.27.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP2 MozillaThunderbird-translations-other-78.10.2-8.27.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP2 MozillaThunderbird-78.10.2-8.27.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP3 MozillaThunderbird-translations-common-78.10.2-8.27.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP3 MozillaThunderbird-translations-other-78.10.2-8.27.1 as a component of SUSE Linux Enterprise Workstation Extension 15 SP3 Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1. CVE-2021-29950 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-translations-common-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-translations-other-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-78.10.2-8.27.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211854-1/ https://www.suse.com/security/cve/CVE-2021-29950.html CVE-2021-29950 https://bugzilla.suse.com/1185086 SUSE Bug 1185086 The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service. *Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 78.10.1, Firefox < 87, and Firefox ESR < 78.10.1. CVE-2021-29951 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-translations-common-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-translations-other-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-78.10.2-8.27.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211854-1/ https://www.suse.com/security/cve/CVE-2021-29951.html CVE-2021-29951 https://bugzilla.suse.com/1185633 SUSE Bug 1185633 OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2. CVE-2021-29956 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-translations-common-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-translations-other-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-78.10.2-8.27.1 low 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211854-1/ https://www.suse.com/security/cve/CVE-2021-29956.html CVE-2021-29956 https://bugzilla.suse.com/1186199 SUSE Bug 1186199 If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2. CVE-2021-29957 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-translations-common-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP2:MozillaThunderbird-translations-other-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-common-78.10.2-8.27.1 SUSE Linux Enterprise Workstation Extension 15 SP3:MozillaThunderbird-translations-other-78.10.2-8.27.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211854-1/ https://www.suse.com/security/cve/CVE-2021-29957.html CVE-2021-29957 https://bugzilla.suse.com/1186198 SUSE Bug 1186198