USN-5168-2: Thunderbird vulnerability
1 December 2021
Thunderbird could be made to crash or run programs if it verified a specially crafted signature.
Releases
Packages
- thunderbird - Mozilla Open Source mail and newsgroup client
Details
Tavis Ormandy discovered that NSS, included with Thunderbird, incorrectly
handled verifying DSA/RSA-PSS signatures. A remote attacker could use this
issue to cause Thunderbird to crash, resulting in a denial of service, or
possibly execute arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.10
Ubuntu 21.04
Ubuntu 20.04
Ubuntu 18.04
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References
Related notices
- USN-5168-1: libnss3-tools, nss, libnss3-dev, libnss3
- USN-5168-3: libnss3-nssdb, libnss3-dev, nss, libnss3-tools, libnss3-1d, libnss3
- USN-5168-4: libnss3-nssdb, libnss3-dev, nss, libnss3-tools, libnss3-1d, libnss3