Insecure Signature Validation

2021-12-2921:01:25

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

JSON

thunderbird:sid has insecure signature validation. When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed message for the signature validity. This gave the false impression that the additional contents were also covered by the digital signature.

CPENameOperatorVersion
thunderbird:sideq1:78.5.0-1
thunderbird:bustereq1:60.9.0-1~deb10u1
thunderbird:bustereq1:68.12.0-1~deb10u1
thunderbird:bustereq1:78.5.0-1~deb10u1
thunderbird:bustereq1:78.6.0-1~deb10u1
thunderbird:bullseyeeq1:78.5.0-1
thunderbird:stretcheq1:68.10.0-1~deb9u1
thunderbird:stretcheq1:52.9.1-1~deb9u1
thunderbird:stretcheq1:60.9.0-1~deb9u1
thunderbird:focaleq1:68.10.0+build1-0ubuntu0.20.04.1

Name	Operator	Version
thunderbird:sid	eq	1:78.5.0-1
thunderbird:buster	eq	1:60.9.0-1~deb10u1
thunderbird:buster	eq	1:68.12.0-1~deb10u1
thunderbird:buster	eq	1:78.5.0-1~deb10u1
thunderbird:buster	eq	1:78.6.0-1~deb10u1
thunderbird:bullseye	eq	1:78.5.0-1
thunderbird:stretch	eq	1:68.10.0-1~deb9u1
thunderbird:stretch	eq	1:52.9.1-1~deb9u1
thunderbird:stretch	eq	1:60.9.0-1~deb9u1
thunderbird:focal	eq	1:68.10.0+build1-0ubuntu0.20.04.1