MGASA-2018-0354

See a problem?
Please try reporting it to the source first.
Source
https://advisories.mageia.org/MGASA-2018-0354.html
Import Source
https://advisories.mageia.org/MGASA-2018-0354.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2018-0354
Related
Published
2018-08-23T23:35:07Z
Modified
2018-08-23T23:10:12Z
Summary
Updated thunderbird packages fix security vulnerabilities
Details

Updated thunderbird package fixes security vulnerabilities:

  • Spoofing of Email signatures II: The signature verification routine in Enigmail interpreted User IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids (CVE-2018-12019).

  • Spoofing of Email signatures I: GnuPG 2.2.8 fixed a security bug that allows remote attackers to spoof arbitrary email signatures via the embedded "--filename" parameter in OpenPGP literal data packets. This release of Enigmail prevents the exploit for all versions of GnuPG, i.e. also if GnuPG is not updated (CVE-2018-12020).

References
Credits

Affected packages

Mageia:6 / thunderbird

Package

Name
thunderbird
Purl
pkg:rpm/mageia/thunderbird?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
52.9.1-1.1.mga6

Ecosystem specific 

{
    "section": "core"
}