
Bug 802759 (CVE-2021-29969)

Summary: <mail-client/thunderbird{-bin,}-78.12.0: multiple vulnerabilities (CVE-2021-29969)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: major
CC: mozilla
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.mozilla.org/en-US/security/advisories/mfsa2021-30/
Whiteboard: A2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 802756, 807352    

Description John Helmert III gentoo-dev Security 2021-07-18 16:13:20 UTC
CVE-2021-29969: IMAP server responses sent by a MITM prior to STARTTLS could be processed

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server.


More vulnerabilities at tracker. Fixed in 78.12. Still need bump for -bin.
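
The buffering problem described in the advisory text above, as an added example that is not part of this bug report or of Thunderbird's code: a client that keeps its plaintext receive buffer across the STARTTLS upgrade, next to one that discards it. The function names, tags and byte strings are constructed for illustration.

```python
# Added example; every name and byte string here is constructed.
# Plaintext received before TLS: the genuine tagged OK for "a1 STARTTLS",
# then responses a man-in-the-middle appended in the same segment.
PLAINTEXT = (
    b"a1 OK Begin TLS negotiation now\r\n"
    b"* LIST (\\HasNoChildren) \"/\" \"Injected\"\r\n"
    b"a2 OK LIST completed\r\n"
)
# What the real server sends inside the TLS session for "a2 LIST".
AFTER_TLS = (
    b"* LIST (\\HasNoChildren) \"/\" \"INBOX\"\r\n"
    b"a2 OK LIST completed\r\n"
)


def pop_line(buf):
    """Remove and return one CRLF-terminated line from buf, or None."""
    end = buf.find(b"\r\n")
    if end < 0:
        return None
    line = bytes(buf[:end]).decode("ascii")
    del buf[:end + 2]
    return line


def list_folders(discard_plaintext_leftovers):
    """Return (folders shown to the user, bytes left over before TLS)."""
    buf = bytearray(PLAINTEXT)          # client's receive buffer
    while (line := pop_line(buf)) is not None:
        if line.startswith("a1 OK"):    # tagged completion of STARTTLS
            break
    leftover = bytes(buf)
    if discard_plaintext_leftovers:
        buf.clear()                     # nothing pre-handshake may survive
    # The TLS handshake would run here; bytes fed below are authenticated.
    buf += AFTER_TLS
    folders = []
    while (line := pop_line(buf)) is not None:
        if line.startswith("a2 "):      # tagged completion of LIST
            break
        if line.startswith("* LIST"):
            folders.append(line.rsplit('"', 2)[1])
    return folders, leftover
```

`list_folders(False)` returns the injected folder name and never reaches the real listing, while `list_folders(True)` returns only what arrived after the handshake. A non-empty `leftover` at the upgrade point is worth logging, since a well-behaved server sends nothing after its tagged OK until TLS is up.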
Comment 1 Larry the Git Cow gentoo-dev 2021-07-21 11:10:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8979757af1f878471fdac154fd132e4942db2ed

commit d8979757af1f878471fdac154fd132e4942db2ed
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-21 11:09:48 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-21 11:09:48 +0000

    mail-client/thunderbird-bin: drop 78.11.0
    
    Bug: https://bugs.gentoo.org/802759
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird-bin/Manifest               |  66 ----
 .../thunderbird-bin/thunderbird-bin-78.11.0.ebuild | 378 ---------------------
 2 files changed, 444 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=338e4b1fe6a0856ba94eeacc770facc5218996ee

commit 338e4b1fe6a0856ba94eeacc770facc5218996ee
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-21 11:09:00 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-21 11:09:00 +0000

    mail-client/thunderbird-bin: add 78.12.0
    
    Bug: https://bugs.gentoo.org/802759
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird-bin/Manifest               |  66 ++++
 .../thunderbird-bin/thunderbird-bin-78.12.0.ebuild | 378 +++++++++++++++++++++
 2 files changed, 444 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2021-07-21 13:29:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33648758419ed0b3ab4b047a8b09e7f09ed217d1

commit 33648758419ed0b3ab4b047a8b09e7f09ed217d1
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-21 13:23:35 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-21 13:29:28 +0000

    mail-client/thunderbird: stabilize 78.12.0 for amd64
    
    Bug: https://bugs.gentoo.org/802759
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-78.12.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7e94d01f13b3b7dee80058c3f5b6bede6abb653

commit e7e94d01f13b3b7dee80058c3f5b6bede6abb653
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-21 12:36:23 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-21 13:29:28 +0000

    mail-client/thunderbird: stabilize 78.12.0 for x86
    
    Bug: https://bugs.gentoo.org/802759
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-78.12.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Joonas Niilola gentoo-dev 2021-07-21 13:30:56 UTC
Gonna wait for ~2 days before cleaning the old version, just in case.
Comment 4 John Helmert III gentoo-dev Security 2021-07-21 21:48:45 UTC
(In reply to Joonas Niilola from comment #3)
> Gonna wait for ~2 days before cleaning the old version, just in case.

Thank you!
Comment 5 Larry the Git Cow gentoo-dev 2021-07-23 19:05:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d0cf19c70d0483f79f7dcaa744c97dc7ad55e1d

commit 6d0cf19c70d0483f79f7dcaa744c97dc7ad55e1d
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-23 19:03:51 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-23 19:05:45 +0000

    mail-client/thunderbird: security cleanup
    
    Bug: https://bugs.gentoo.org/802759
    
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/Manifest                   |   66 --
 mail-client/thunderbird/thunderbird-78.11.0.ebuild | 1108 --------------------
 2 files changed, 1174 deletions(-)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:09:19 UTC
Package list is empty or all packages have requested keywords.