Bug 767394 (MFSA-2021-05) - <mail-client/thunderbird{,-bin}-78.7.0: Multiple vulnerabilities (MFSA-2021-05)
Summary: <mail-client/thunderbird{,-bin}-78.7.0: Multiple vulnerabilities (MFSA-2021-05)
Status: RESOLVED FIXED
Alias: MFSA-2021-05
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2021-23953, CVE-2021-23954, CVE-2021-23960, CVE-2021-23964
Reported: 2021-01-27 04:51 UTC by Sam James
Modified: 2021-02-01 03:11 UTC
Description Sam James archtester gentoo-dev Security 2021-01-27 04:51:25 UTC
* CVE-2020-15685

"During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session."

* CVE-2020-26976

"When a HTTPS page was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing."
Comment 1 Sam James archtester gentoo-dev Security 2021-01-28 19:04:08 UTC
amd64 done
Comment 2 Sam James archtester gentoo-dev Security 2021-01-30 21:10:39 UTC
x86 done

all arches done
Comment 3 Sam James archtester gentoo-dev Security 2021-01-30 21:10:57 UTC
Please cleanup.
Comment 4 Larry the Git Cow gentoo-dev 2021-01-31 05:22:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56078c75a0730f705a7297a686f793a7f72719a6

commit 56078c75a0730f705a7297a686f793a7f72719a6
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-01-31 05:21:54 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-01-31 05:21:54 +0000

    mail-client/thunderbird-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/767394
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird-bin/Manifest               |  66 ----
 .../thunderbird-bin/thunderbird-bin-78.6.1.ebuild  | 378 ---------------------
 2 files changed, 444 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=161b2ef4ef62f09b842733c36260415fe24a7f44

commit 161b2ef4ef62f09b842733c36260415fe24a7f44
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-01-31 05:21:23 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-01-31 05:21:23 +0000

    mail-client/thunderbird: security cleanup
    
    Bug: https://bugs.gentoo.org/767394
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/Manifest                  |   65 --
 mail-client/thunderbird/thunderbird-78.6.1.ebuild | 1056 ---------------------
 2 files changed, 1121 deletions(-)
Comment 5 John Helmert III (ajak) gentoo-dev Security 2021-01-31 07:50:38 UTC
Thank you!
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2021-02-01 01:43:49 UTC
This issue was resolved and addressed in
 GLSA 202102-02 at https://security.gentoo.org/glsa/202102-02
by GLSA coordinator Aaron Bauman (b-man).
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2021-02-01 01:44:12 UTC
re-opened for cleanup
Comment 8 John Helmert III (ajak) gentoo-dev Security 2021-02-01 03:11:21 UTC
Tree already clean.