CVE-2023-50761 (https://bugzilla.mozilla.org/show_bug.cgi?id=1865647):

The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6.

CVE-2023-50762 (https://bugzilla.mozilla.org/show_bug.cgi?id=1862625):

When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.

Please stabilize when ready, thanks!
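The comparison that CVE-2023-50761 says was missing, sketched as an added example; it is not part of the bug report and not Thunderbird's code. The one-hour tolerance, the handling of a missing Date header, the byte-search shortcut for locating the attribute and all sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# DER bytes of the signingTime attribute OID 1.2.840.113549.1.9.5
SIGNING_TIME_OID = bytes.fromhex("06092a864886f70d010905")

def signing_time(signed_attrs: bytes):
    """Return signingTime from DER signed attributes, or None if absent.
    Simplification: locates the OID by byte search and assumes short-form
    lengths; a real client reads it from the parsed, verified SignerInfo."""
    i = signed_attrs.find(SIGNING_TIME_OID)
    if i < 0:
        return None
    p = i + len(SIGNING_TIME_OID)
    if len(signed_attrs) < p + 4 or signed_attrs[p] != 0x31:  # SET OF wrapper
        raise ValueError("malformed signingTime attribute")
    tag, length = signed_attrs[p + 2], signed_attrs[p + 3]
    text = signed_attrs[p + 4:p + 4 + length].decode("ascii")
    if tag == 0x17:  # UTCTime: two-digit year, 50-99 means 19xx
        text = ("19" if text[:2] >= "50" else "20") + text
    elif tag != 0x18:  # otherwise it must be GeneralizedTime
        raise ValueError("unexpected time type")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def date_mismatch(raw_message: str, signed_attrs: bytes,
                  tolerance: timedelta = timedelta(hours=1)) -> bool:
    """True when signingTime is present and disagrees with the Date header."""
    signed_at = signing_time(signed_attrs)
    if signed_at is None:
        return False  # the attribute is optional: nothing to compare
    date_hdr = message_from_string(raw_message)["Date"]
    if date_hdr is None:
        return True  # assumed policy: signed time but no Date is a mismatch
    sent_at = parsedate_to_datetime(date_hdr)
    if sent_at.tzinfo is None:  # "-0000" parses as naive; treat as UTC
        sent_at = sent_at.replace(tzinfo=timezone.utc)
    return abs(sent_at - signed_at) > tolerance

def build_attr(time_text: bytes) -> bytes:
    """Constructed test input: one DER Attribute holding a UTCTime."""
    value = bytes([0x17, len(time_text)]) + time_text
    body = SIGNING_TIME_OID + bytes([0x31, len(value)]) + value
    return bytes([0x30, len(body)]) + body

SAMPLE_ATTRS = build_attr(b"231201120000Z")  # constructed: 2023-12-01 12:00 UTC
MSG_OK = "Date: Fri, 01 Dec 2023 12:00:30 +0000\nSubject: demo\n\nbody\n"
MSG_SHIFTED = "Date: Wed, 20 Dec 2023 09:00:00 +0000\nSubject: demo\n\nbody\n"

if __name__ == "__main__":
    print(date_mismatch(MSG_OK, SAMPLE_ATTRS), date_mismatch(MSG_SHIFTED, SAMPLE_ATTRS))
```

A mail client would run this only after the signature itself has verified, and would show the result next to the signature status rather than reporting a plain valid signature.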
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7854682c7b0c37f76873fb3e7aab5a0d1a027b3f

commit 7854682c7b0c37f76873fb3e7aab5a0d1a027b3f
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-12-22 11:40:09 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-12-22 11:40:09 +0000

    mail-client/thunderbird: stabilize 115.6.0 for x86

    Bug: https://bugs.gentoo.org/920508
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-115.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ad2c57d7c40f804df3f54df0128bd66d51786de

commit 5ad2c57d7c40f804df3f54df0128bd66d51786de
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-12-22 11:39:57 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-12-22 11:39:57 +0000

    mail-client/thunderbird: stabilize 115.6.0 for amd64

    Bug: https://bugs.gentoo.org/920508
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-115.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Tree should be clean, along with bug 918444 and bug 914073
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=39f2a7a485887d1506cfabc1ac4bee230c06a1e7

commit 39f2a7a485887d1506cfabc1ac4bee230c06a1e7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 05:59:01 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-25 ] Mozilla Thunderbird: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/918444
    Bug: https://bugs.gentoo.org/920508
    Bug: https://bugs.gentoo.org/924845
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-25.xml | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)