USN-4335-1: Thunderbird vulnerabilities
First published: Tue Apr 21 2020(Updated: )
Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, bypass same-origin restrictions, conduct cross-site scripting (XSS) attacks, or execute arbitrary code. (CVE-2019-11757, CVE-2019-11758, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763, CVE-2019-11764, CVE-2019-17005, CVE-2019-17008, CVE-2019-17010, CVE-2019-17011, CVE-2019-17012, CVE-2019-17016, CVE-2019-17017, CVE-2019-17022, CVE-2019-17024, CVE-2019-17026, CVE-2019-20503, CVE-2020-6798, CVE-2020-6800, CVE-2020-6805, CVE-2020-6806, CVE-2020-6807, CVE-2020-6812, CVE-2020-6814, CVE-2020-6819, CVE-2020-6820, CVE-2020-6821, CVE-2020-6825) It was discovered that NSS incorrectly handled certain memory operations. A remote attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2019-11745) It was discovered that a specially crafted S/MIME message with an inner encryption layer could be displayed as having a valid signature in some circumstances, even if the signer had no access to the encrypted message. An attacker could potentially exploit this to spoof the message author. (CVE-2019-11755) A heap overflow was discovered in the expat library in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2019-15903) It was discovered that Message ID calculation was based on uninitialized data. An attacker could potentially exploit this to obtain sensitive information. (CVE-2020-6792) Mutiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-6793, CVE-2020-6795, CVE-2020-6822) It was discovered that if a user saved passwords before Thunderbird 60 and then later set a primary password, an unencrypted copy of these passwords would still be accessible. A local user could exploit this to obtain sensitive information. (CVE-2020-6794) It was discovered that the Devtools’ ‘Copy as cURL’ feature did not fully escape website-controlled data. If a user were tricked in to using the ‘Copy as cURL’ feature to copy and paste a command with specially crafted data in to a terminal, an attacker could potentially exploit this to execute arbitrary commands via command injection. (CVE-2020-6811)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/thunderbird | <1:68.7.0+build1-0ubuntu0.16.04.2 | 1:68.7.0+build1-0ubuntu0.16.04.2 |
| Ubuntu Linux | =16.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2019-11745
- https://ubuntu.com/security/CVE-2019-11755
- https://ubuntu.com/security/CVE-2019-11757
- https://ubuntu.com/security/CVE-2019-11758
- https://ubuntu.com/security/CVE-2019-11759
- https://ubuntu.com/security/CVE-2019-11760
- https://ubuntu.com/security/CVE-2019-11761
- https://ubuntu.com/security/CVE-2019-11762
- https://ubuntu.com/security/CVE-2019-11763
- https://ubuntu.com/security/CVE-2019-11764
- https://ubuntu.com/security/CVE-2019-15903
- https://ubuntu.com/security/CVE-2019-17005
- https://ubuntu.com/security/CVE-2019-17008
- https://ubuntu.com/security/CVE-2019-17010
- https://ubuntu.com/security/CVE-2019-17011
- https://ubuntu.com/security/CVE-2019-17012
- https://ubuntu.com/security/CVE-2019-17016
- https://ubuntu.com/security/CVE-2019-17017
- https://ubuntu.com/security/CVE-2019-17022
- https://ubuntu.com/security/CVE-2019-17024
- https://ubuntu.com/security/CVE-2019-17026
- https://ubuntu.com/security/CVE-2019-20503
- https://ubuntu.com/security/CVE-2020-6792
- https://ubuntu.com/security/CVE-2020-6793
- https://ubuntu.com/security/CVE-2020-6794
- https://ubuntu.com/security/CVE-2020-6795
- https://ubuntu.com/security/CVE-2020-6798
- https://ubuntu.com/security/CVE-2020-6800
- https://ubuntu.com/security/CVE-2020-6805
- https://ubuntu.com/security/CVE-2020-6806
- https://ubuntu.com/security/CVE-2020-6807
- https://ubuntu.com/security/CVE-2020-6811
- https://ubuntu.com/security/CVE-2020-6812
- https://ubuntu.com/security/CVE-2020-6814
- https://ubuntu.com/security/CVE-2020-6819
- https://ubuntu.com/security/CVE-2020-6820
- https://ubuntu.com/security/CVE-2020-6821
- https://ubuntu.com/security/CVE-2020-6822
- https://ubuntu.com/security/CVE-2020-6825
- https://ubuntu.com/security/notices/USN-4216-2
- https://ubuntu.com/security/notices/USN-4216-1
- https://ubuntu.com/security/notices/USN-4241-1
- https://ubuntu.com/security/notices/USN-4203-1
- https://ubuntu.com/security/notices/USN-4203-2
- https://ubuntu.com/security/notices/USN-4202-1
- https://ubuntu.com/security/notices/USN-4165-1
- https://ubuntu.com/security/notices/USN-4132-2
- https://ubuntu.com/security/notices/USN-4132-1
- https://ubuntu.com/security/notices/USN-4852-1
- https://ubuntu.com/security/notices/USN-5455-1
- https://ubuntu.com/security/notices/USN-7199-1
- https://ubuntu.com/security/notices/USN-4234-1
- https://ubuntu.com/security/notices/USN-4328-1
- https://ubuntu.com/security/notices/USN-4299-1
- https://ubuntu.com/security/notices/USN-4278-1
- https://ubuntu.com/security/notices/USN-4278-2
- https://ubuntu.com/security/notices/USN-4317-1
- https://ubuntu.com/security/notices/USN-4323-1
- https://launchpad.net/ubuntu/+source/thunderbird/1:68.7.0+build1-0ubuntu0.16.04.2
- https://ubuntu.com/security/notices/USN-4335-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
- CVE-2019-11745
- CVE-2019-11755
- CVE-2019-11757
- CVE-2019-11758
- CVE-2019-11759
- CVE-2019-11760
- CVE-2019-11761
- CVE-2019-11762
- CVE-2019-11763
- CVE-2019-11764
- CVE-2019-15903
- CVE-2019-17005
- CVE-2019-17008
- CVE-2019-17010
- CVE-2019-17011
- CVE-2019-17012
- CVE-2019-17016
- CVE-2019-17017
- CVE-2019-17022
- CVE-2019-17024
- CVE-2019-17026
- CVE-2019-20503
- CVE-2020-6792
- CVE-2020-6793
- CVE-2020-6794
- CVE-2020-6795
- CVE-2020-6798
- CVE-2020-6800
- CVE-2020-6805
- CVE-2020-6806
- CVE-2020-6807
- CVE-2020-6811
- CVE-2020-6812
- CVE-2020-6814
- CVE-2020-6819
- CVE-2020-6820
- CVE-2020-6821
- CVE-2020-6822
- CVE-2020-6825
Frequently Asked Questions
What is the severity of USN-4335-1?
The severity of USN-4335-1 is not specified in the information provided.
How can a user be affected by USN-4335-1?
A user can be affected by USN-4335-1 if they are tricked into opening a specially crafted website in a browsing context.
What can an attacker potentially do with USN-4335-1?
An attacker could potentially cause a denial of service, obtain sensitive information, bypass security restrictions, and bypass same-origin restrictions.
How can USN-4335-1 be fixed?
USN-4335-1 can be fixed by updating Thunderbird to version 1:68.7.0+build1-0ubuntu0.16.04.2 or later.
- agent/severity
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/description
- agent/title
- agent/trending
- agent/references
- agent/source
- agent/tags
- collector/usn
- source/Ubuntu
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu linux
- version/ubuntu linux/16.04