Operating System: Debian
Published: 18 December 2020

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4474
                        thunderbird security update
                             18 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           thunderbird
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35113 CVE-2020-35111 CVE-2020-26978
                   CVE-2020-26974 CVE-2020-26973 CVE-2020-26971
                   CVE-2020-16042  

Reference:         ESB-2020.4458
                   ESB-2020.4419

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2020/msg00222.html
   https://lists.debian.org/debian-lts-announce/2020/12/msg00024.html

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4815-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2020                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-16042 CVE-2020-26971 CVE-2020-26973 CVE-2020-26974
                 CVE-2020-26978 CVE-2020-35111 CVE-2020-35113

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or information
leak.

For the stable distribution (buster), these problems have been fixed in
version 1:78.6.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2497-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
December 17, 2020                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : thunderbird
Version        : 1:78.6.0-1~deb9u1
CVE ID         : CVE-2020-16042 CVE-2020-26971 CVE-2020-26973 CVE-2020-26974
                 CVE-2020-26978 CVE-2020-35111 CVE-2020-35113

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or information
leak.

For Debian 9 stretch, these problems have been fixed in version
1:78.6.0-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----