Thunderbird versions prior to 91.3.0 are vulnerable to the heap overflow described in CVE-2021-43527 when processing S/MIME messages. Thunderbird versions 91.3.0 and later will not call the vulnerable code when processing S/MIME messages that contain certificates with DER-encoded DSA or RSA-PSS signatures. For more details about the original security issue, please refer to the Security Bulletin: https://access.redhat.com/security/vulnerabilities/RHSB-2021-008. Upstream Thunderbird bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1738501
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-43529
Thunderbird upstream states that this issue was fixed in Thunderbird version 91.3.0. The thunderbird packages as shipped in Red Hat Enterprise Linux were previously updated to version 91.3.0 via the following errata:

thunderbird in Red Hat Enterprise Linux 7: https://access.redhat.com/errata/RHSA-2021:4134
thunderbird in Red Hat Enterprise Linux 8.1 Extended Update Support: https://access.redhat.com/errata/RHSA-2021:4133
thunderbird in Red Hat Enterprise Linux 8.2 Extended Update Support: https://access.redhat.com/errata/RHSA-2021:4132
thunderbird in Red Hat Enterprise Linux 8: https://access.redhat.com/errata/RHSA-2021:4130