Bug 2268171 (CVE-2024-1936) - CVE-2024-1936 Mozilla: Leaking of encrypted email subjects to other conversations
Summary: CVE-2024-1936 Mozilla: Leaking of encrypted email subjects to other conversat...
Keywords:
Status: NEW
Alias: CVE-2024-1936
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2268154
TreeView+ depends on / blocked
 
Reported: 2024-03-06 13:29 UTC by Mauro Matteo Cascella
Modified: 2024-03-25 20:13 UTC (History)
6 users (show)

Fixed In Version: thunderbird 115.8.1
Doc Type: ---
Doc Text:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1492 0 None None None 2024-03-25 20:07:25 UTC
Red Hat Product Errata RHSA-2024:1493 0 None None None 2024-03-25 20:06:26 UTC
Red Hat Product Errata RHSA-2024:1494 0 None None None 2024-03-25 20:07:06 UTC
Red Hat Product Errata RHSA-2024:1495 0 None None None 2024-03-25 20:06:43 UTC
Red Hat Product Errata RHSA-2024:1496 0 None None None 2024-03-25 20:12:38 UTC
Red Hat Product Errata RHSA-2024:1497 0 None None None 2024-03-25 20:12:52 UTC
Red Hat Product Errata RHSA-2024:1498 0 None None None 2024-03-25 20:06:53 UTC
Red Hat Product Errata RHSA-2024:1499 0 None None None 2024-03-25 20:05:00 UTC
Red Hat Product Errata RHSA-2024:1500 0 None None None 2024-03-25 20:13:07 UTC

Description Mauro Matteo Cascella 2024-03-06 13:29:36 UTC 
The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/#CVE-2024-1936
Comment 14 errata-xmlrpc 2024-03-25 20:04:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1499 https://access.redhat.com/errata/RHSA-2024:1499
Comment 15 errata-xmlrpc 2024-03-25 20:06:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1493 https://access.redhat.com/errata/RHSA-2024:1493
Comment 16 errata-xmlrpc 2024-03-25 20:06:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1495 https://access.redhat.com/errata/RHSA-2024:1495
Comment 17 errata-xmlrpc 2024-03-25 20:06:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1498 https://access.redhat.com/errata/RHSA-2024:1498
Comment 18 errata-xmlrpc 2024-03-25 20:07:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1494 https://access.redhat.com/errata/RHSA-2024:1494
Comment 19 errata-xmlrpc 2024-03-25 20:07:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1492 https://access.redhat.com/errata/RHSA-2024:1492
Comment 20 errata-xmlrpc 2024-03-25 20:12:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1496 https://access.redhat.com/errata/RHSA-2024:1496
Comment 21 errata-xmlrpc 2024-03-25 20:12:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1497 https://access.redhat.com/errata/RHSA-2024:1497
Comment 22 errata-xmlrpc 2024-03-25 20:13:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1500 https://access.redhat.com/errata/RHSA-2024:1500
Note You need to log in before you can comment on or make changes to this bug.