{"id":"MGASA-2021-0096","summary":"Updated thunderbird packages fix security vulnerabilities","details":"If Content Security Policy blocked frame navigation, the full destination of a\nredirect served in the frame was reported in the violation report; as opposed\nto the original frame URI. This could be used to leak sensitive information\ncontained in such URIs (CVE-2021-23968).\n\nAs specified in the W3C Content Security Policy draft, when creating a\nviolation report, \"User agents need to ensure that the source file is the URL\nrequested by the page, pre-redirects. If that’s not possible, user agents need\nto strip the URL down to an origin to avoid unintentional leakage.\" Under\ncertain types of redirects, Firefox incorrectly set the source file to be the\ndestination of the redirects. This was fixed to be the redirect destination's\norigin (CVE-2021-23969).\n\nWhen trying to load a cross-origin resource in an audio/video context a\ndecoding error may have resulted, and the content of that MediaError message\nmay have revealed information about the resource (CVE-2021-23973).\n\nMozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats\nPalmgren reported memory safety bugs present in Thunderbird 78.7. Some of\nthese bugs showed evidence of memory corruption and we presume that with\nenough effort some of these could have been exploited to run arbitrary code\n(CVE-2021-23978).\n","modified":"2026-02-04T03:32:56.688704Z","published":"2021-03-04T12:26:19Z","related":["CVE-2021-23968","CVE-2021-23969","CVE-2021-23973","CVE-2021-23978"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0096.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28431"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/"},{"type":"REPORT","url":"https://www.thunderbird.net/en-US/thunderbird/78.8.0/releasenotes/"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.8.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0096.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.8.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0096.json"}},{"package":{"name":"thunderbird","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.8.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0096.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.8.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0096.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}