Friday, November 5, 2021

MFSA2021-50 Thunderbird: Security Vulnerabilities fixed in Thunderbird 91.3 (CVE-2021-38507)

Description
The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.
Solution(s)
  • mozilla-thunderbird-upgrade-91_3


  • References
  • https://attackerkb.com/topics/cve-2021-38507
  • CVE - 2021-38507
  • http://www.mozilla.org/security/announce/2021/mfsa2021-50.html




  •  

    Copyright © 2021 Vulnerability Database | Cyber Details™

    thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore