advisories/28764.adv

type: security
subject: Updated thunderbird packages fix security vulnerabilities
CVE:
 - CVE-2021-23991
 - CVE-2021-23993
src:
  7:
   core:
     - thunderbird-78.9.1-1.mga7
     - thunderbird-l10n-78.9.1-1.mga7
  8:
   core:
     - thunderbird-78.9.1-1.mga8
     - thunderbird-l10n-78.9.1-1.mga8
description: |
  An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an
  existing key (CVE-2021-23991).
  
  A crafted OpenPGP key with an invalid user ID could be used to confuse the
  user (MOZ-2021-23992).
  
  Inability to send encrypted OpenPGP email after importing a crafted OpenPGP
  key (CVE-2021-23993).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28764
 - https://www.mozilla.org/en-US/security/advisories/mfsa2021-13/
 - https://www.thunderbird.net/en-US/thunderbird/78.9.1/releasenotes/
ID: MGASA-2021-0189
1	type: security
2	subject: Updated thunderbird packages fix security vulnerabilities
3	CVE:
4	- CVE-2021-23991
5	- CVE-2021-23993
6	src:
7	7:
8	core:
9	- thunderbird-78.9.1-1.mga7
10	- thunderbird-l10n-78.9.1-1.mga7
11	8:
12	core:
13	- thunderbird-78.9.1-1.mga8
14	- thunderbird-l10n-78.9.1-1.mga8
15	description: \|
16	An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an
17	existing key (CVE-2021-23991).
18
19	A crafted OpenPGP key with an invalid user ID could be used to confuse the
20	user (MOZ-2021-23992).
21
22	Inability to send encrypted OpenPGP email after importing a crafted OpenPGP
23	key (CVE-2021-23993).
24	references:
25	- https://bugs.mageia.org/show_bug.cgi?id=28764
26	- https://www.mozilla.org/en-US/security/advisories/mfsa2021-13/
27	- https://www.thunderbird.net/en-US/thunderbird/78.9.1/releasenotes/
28	ID: MGASA-2021-0189