CVE-2021-38502

NameCVE-2021-38502
DescriptionThunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2874-1, DSA-5034-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
thunderbird (PTS)bullseye1:115.12.0-1~deb11u1fixed
bullseye (security)1:128.5.0esr-1~deb11u1fixed
bookworm1:115.16.0esr-1~deb12u1fixed
bookworm (security)1:128.5.0esr-1~deb12u1fixed
sid, trixie1:128.5.2esr-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
thunderbirdsourceexperimental1:91.2.0-1
thunderbirdsourcestretch1:91.4.1-1~deb9u1DLA-2874-1
thunderbirdsourcebuster1:91.4.1-1~deb10u1DSA-5034-1
thunderbirdsourcebullseye1:91.4.1-1~deb11u1DSA-5034-1
thunderbirdsource(unstable)1:91.2.1-1

Notes

https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38502

Search for package or bug name: Reporting problems