SB2022093040 - Slackware Linux update for mozilla-thunderbird (SSA

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022093040

SB2022093040 - Slackware Linux update for mozilla-thunderbird (SSA

Published: September 30, 2022

Security Bulletin ID SB2022093040
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2022-39236)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing beacon events. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


2) Insufficient verification of data authenticity (CVE-ID: CVE-2022-39249)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a very permissive key forwarding strategy. A remote attacker cooperating with a malicious home server can construct messages appearing to have come from another person.


3) Insufficient verification of data authenticity (CVE-ID: CVE-2022-39250)

The vulnerability allows a remote attacker to bypass SAS verification.

The vulnerability exists due to checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between these steps. A remote attacker cooperating with a malicious home server can interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities, leading to the other device trusting/verifying the user identity under the control of the home server instead of the intended one.


4) Insufficient verification of data authenticity (CVE-ID: CVE-2022-39251)

he vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. A remote attacker cooperating with a malicious home server can construct messages appearing to have come from another person without any indication such as a grey shield.


Remediation

Install update from vendor's website.

References