Bug 1961504 (CVE-2021-29956)

Summary: CVE-2021-29956 Mozilla: Thunderbird stored OpenPGP secret keys without master password protection
Product: [Other] Security Response
Reporter: Doran Moppert <dmoppert>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: erack, jhorak, nobody, stransky, thomas, tpopela
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: thunderbird 78.10.2
Last Closed: 2021-06-07 15:04:11 UTC
Bug Depends On: 1961498, 1961499, 1961500, 1961501, 1961502
Bug Blocks: 1961496

Description Doran Moppert 2021-05-18 06:23:34 UTC
OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2021-22/#CVE-2021-29956

Comment 1 errata-xmlrpc 2021-06-07 10:58:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2262 https://access.redhat.com/errata/RHSA-2021:2262

Comment 2 errata-xmlrpc 2021-06-07 11:23:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2261 https://access.redhat.com/errata/RHSA-2021:2261

Comment 3 errata-xmlrpc 2021-06-07 11:59:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2263 https://access.redhat.com/errata/RHSA-2021:2263

Comment 4 errata-xmlrpc 2021-06-07 12:26:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2264 https://access.redhat.com/errata/RHSA-2021:2264

Comment 5 Product Security DevOps Team 2021-06-07 15:04:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29956