When receiving an OpenPGP/MIME signed email message that contains an
additional outer MIME message layer, for example a message footer added by
a mailing list gateway, Thunderbird only considered the inner signed
message for the signature validity. This gave the false impression that the
additional contents were also covered by the digital signature. Starting
with Thunderbird version 91.4.1, only the signature that belongs to the
top-level MIME part will be considered for the displayed status. This
vulnerability affects Thunderbird < 91.4.1.
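
The structural condition described above, as an added example (not Thunderbird's code): it sorts the text parts of a message into those inside the OpenPGP/MIME signed part and those outside it, and reports whether the signed part is the top-level MIME part. The two sample messages, the footer text and the signature placeholder are constructed, and no cryptographic verification is performed.

```python
from email import message_from_string

# Constructed sample: a signed message; the signature body is a placeholder.
SIGNED = '''Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain

Signed body written by the sender.

--inner
Content-Type: application/pgp-signature

(placeholder, not a real signature)

--inner--
'''
# Constructed sample: the same message after a list gateway wrapped it and added a footer.
WRAPPED = ('Content-Type: multipart/mixed; boundary="outer"\n\n--outer\n' + SIGNED +
           '--outer\nContent-Type: text/plain\n\nFooter added by the list gateway.\n\n--outer--\n')

def is_pgp_signed(part):
    """True for an RFC 3156 multipart/signed container holding exactly two body parts."""
    return (part.get_content_type() == "multipart/signed"
            and (part.get_param("protocol") or "").lower() == "application/pgp-signature"
            and part.is_multipart() and len(part.get_payload()) == 2)

def coverage(raw):
    """Sort leaf parts into signed/unsigned and report whether the root part is signed."""
    root = message_from_string(raw)
    result = {"top_level_signed": is_pgp_signed(root), "covered": [], "uncovered": []}

    def walk(part, inside):
        if not inside and is_pgp_signed(part):
            walk(part.get_payload()[0], True)  # first body part is the signed content
            return                              # second body part is the detached signature
        if part.is_multipart():
            for sub in part.get_payload():
                walk(sub, inside)
        else:
            key = "covered" if inside else "uncovered"
            result[key].append(part.get_payload().strip())

    walk(root, False)
    return result
```

For `WRAPPED`, `top_level_signed` is false and the footer lands in `uncovered`, which is the case where a signature status shown for the whole message would mislead.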

OS | OS version | Architecture | Package | Package version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | thunderbird | < 1:91.5.0+build1-0ubuntu0.18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | thunderbird | < 1:91.5.0+build1-0ubuntu0.20.04.1 | UNKNOWN |
ubuntu | 21.10 | noarch | thunderbird | < 1:91.5.0+build1-0ubuntu0.21.10.1 | UNKNOWN |
ubuntu | 22.04 | noarch | thunderbird | < 1:91.5.0+build1-0ubuntu1 | UNKNOWN |
ubuntu | 22.10 | noarch | thunderbird | < 1:91.5.0+build1-0ubuntu1 | UNKNOWN |
ubuntu | 23.04 | noarch | thunderbird | < 1:91.5.0+build1-0ubuntu1 | UNKNOWN |

launchpad.net/bugs/cve/CVE-2021-4126
nvd.nist.gov/vuln/detail/CVE-2021-4126
security-tracker.debian.org/tracker/CVE-2021-4126
ubuntu.com/security/notices/USN-5246-1
ubuntu.com/security/notices/USN-5248-1
www.cve.org/CVERecord?id=CVE-2021-4126
www.mozilla.org/en-US/security/advisories/mfsa2021-55/#CVE-2021-4126