If a Thunderbird user has previously imported Alices OpenPGP key, and Alice has extended the validity period of her key, but Alices updated key has not yet been imported, an attacker may send an email containing a crafted version of Alices key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Thunderbird | Mozilla | * | 78.9.1 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:78.9.1-1.el7_9 | * |
| Red Hat Enterprise Linux 8 | RedHat | thunderbird-0:78.9.1-1.el8_3 | * |
| Red Hat Enterprise Linux 8.1 Extended Update Support | RedHat | thunderbird-0:78.9.1-1.el8_1 | * |
| Red Hat Enterprise Linux 8.2 Extended Update Support | RedHat | thunderbird-0:78.9.1-1.el8_2 | * |
| Thunderbird | Ubuntu | bionic | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | focal | * |
| Thunderbird | Ubuntu | groovy | * |
| Thunderbird | Ubuntu | hirsute | * |
| Thunderbird | Ubuntu | impish | * |
| Thunderbird | Ubuntu | jammy | * |
| Thunderbird | Ubuntu | kinetic | * |
| Thunderbird | Ubuntu | lunar | * |
| Thunderbird | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | xenial | * |