Bug 2072963 (CVE-2022-1197) - CVE-2022-1197 Mozilla: OpenPGP revocation information was ignored
Summary: CVE-2022-1197 Mozilla: OpenPGP revocation information was ignored
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1197
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2072587 2072588 2072589 2072590 2072591 2072592 2072593 2072594 2072595 2072600
Blocks: 2072585
Reported: 2022-04-07 11:01 UTC by Mauro Matteo Cascella
Modified: 2022-12-12 20:14 UTC

Fixed In Version: thunderbird 91.8
Clone Of:
Environment:
Last Closed: 2022-04-12 18:27:40 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2022:1301 | 0 | None | None | None | 2022-04-11 14:14:28 UTC
Red Hat Product Errata | RHSA-2022:1302 | 0 | None | None | None | 2022-04-11 14:49:27 UTC
Red Hat Product Errata | RHSA-2022:1303 | 0 | None | None | None | 2022-04-11 13:50:11 UTC
Red Hat Product Errata | RHSA-2022:1305 | 0 | None | None | None | 2022-04-11 14:32:29 UTC
Red Hat Product Errata | RHSA-2022:1326 | 0 | None | None | None | 2022-04-12 14:32:10 UTC

Description Mauro Matteo Cascella 2022-04-07 11:01:55 UTC
When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-1197
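
A regression check for the behaviour described above, as an added example that is not Thunderbird's code or part of the original report: it reads the Reason for Revocation subpacket from a v4 key revocation signature (RFC 4880) and merges revocations into a stored key without letting the reason code gate the update. The function names and the sample signature bodies are constructed for illustration, the sample bodies stop after the hashed subpacket area, and signature verification is assumed to have happened before the merge.

```python
import struct

KEY_REVOCATION = 0x20    # signature type (RFC 4880, section 5.2.1)
REASON_SUBPACKET = 29    # "Reason for Revocation" (section 5.2.3.23)
REASONS = {0: "no reason specified", 1: "key superseded",
           2: "key material compromised", 3: "key retired"}

def revocation_reason(sig_body):
    """Reason code of a v4 key revocation signature, None if it has no reason subpacket."""
    if len(sig_body) < 6 or sig_body[0] != 4 or sig_body[1] != KEY_REVOCATION:
        raise ValueError("not a v4 key revocation signature")
    (hashed_len,) = struct.unpack(">H", sig_body[4:6])
    area = sig_body[6:6 + hashed_len]
    if len(area) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                            # one-octet length
            length, i = first, i + 1
        elif first < 255 and i + 1 < len(area):    # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        elif first == 255 and i + 5 <= len(area):  # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        else:
            raise ValueError("truncated subpacket length")
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        if area[i] & 0x7F == REASON_SUBPACKET:     # mask off the critical bit
            if length < 2:
                raise ValueError("reason subpacket has no code")
            return area[i + 1]
        i += length                                # length covers the type octet
    return None

def merge_import(existing_revoked, imported_revocations):
    """(revoked, reason_codes) for the stored key after importing revocations."""
    codes = [revocation_reason(sig) for sig in imported_revocations]
    return existing_revoked or bool(codes), codes  # the reason never gates the update

def sample_revocation(code=None):
    """Constructed input: creation-time subpacket plus an optional reason subpacket."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1649329315)
    if code is not None:
        hashed += bytes([2, REASON_SUBPACKET, code])
    return bytes([4, KEY_REVOCATION, 1, 8]) + struct.pack(">H", len(hashed)) + hashed

if __name__ == "__main__":
    for code in (None, 0, 1, 2, 3):
        print(REASONS.get(code, "no reason subpacket"),
              merge_import(False, [sample_revocation(code)]))
```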

Comment 1 errata-xmlrpc 2022-04-11 13:50:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:1303 https://access.redhat.com/errata/RHSA-2022:1303

Comment 2 errata-xmlrpc 2022-04-11 14:14:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1301 https://access.redhat.com/errata/RHSA-2022:1301

Comment 3 errata-xmlrpc 2022-04-11 14:32:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1305 https://access.redhat.com/errata/RHSA-2022:1305

Comment 4 errata-xmlrpc 2022-04-11 14:49:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1302 https://access.redhat.com/errata/RHSA-2022:1302

Comment 5 errata-xmlrpc 2022-04-12 14:32:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:1326 https://access.redhat.com/errata/RHSA-2022:1326

Comment 6 Product Security DevOps Team 2022-04-12 18:27:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1197

