Re: Thunderbird security

To: debian-user@lists.debian.org
Subject: Re: Thunderbird security
From: Eduardo M KALINOWSKI <eduardo@kalinowski.com.br>
Date: Sat, 26 Mar 2022 08:28:01 -0300
Message-id: <[🔎] a745b609-1afc-253d-2568-2dd604785f4e@kalinowski.com.br>
In-reply-to: <[🔎] 0cce3c63-62b9-404b-a75f-f65586205a5d@rodier.me>
References: <[🔎] 0cce3c63-62b9-404b-a75f-f65586205a5d@rodier.me>

On 26/03/2022 05:50, André Rodier wrote:

I would like to collect, from this thread, your experience and opinionabout Mozilla Thunderbird, in term of security.
I am registered on The Debian security list, and I see a lot of CVEcoming, some of them with a high score, mentioning execution ofarbitrary code or information disclosure.
Most of them seems pretty severe to me, and I am now runningThunderbird in firejail. However, I wonder if such vulnerability wouldallow a remote attacker to send an email, and get, for instance, thecredentials stored in Thunderbird, with or without master password.
This seem habitual to me, compared to other mail clients in Debian,like evolution / claws, etc...
In term of security, Which email clients, or which practices, youwould recommend to me ?

If you search the CVE numbers[0], you should be able to find informationabout the vulnerabilities[1], describing the conditions necessary for itto be exploited and the possible consequences. You can then judge ifthey might affect you (some vulnerabilities can only be exploited inparticular circunstances, which might not apply to your case) andevaluate the risk.

But, overall, the fact the vulnerabilities are being found and fixed isa good sign: it means that the code is being looked at and problems arebeing solved. The fact that the details have not been released yetsuggests that those were found by someone well-intentioned, and notbecause they were being exploited in the wild, but on the other handalso suggests the risk is high enough that it's better to withhold thatinformation until people have had a chance to upgrade to a fixed version.

[0] The announcements on debian-security-announce could be improved byhaving a link to the CVE database. But for now, you'll have to searchthem manually.

[1] Eventually... The last CVEs for Thunderbird are still in the"reserved" state. I believe this is meant to give some time fordistributions to update the software before the details about how toexploit the vulnerability are disclosed.



--
Insomnia isn't anything to lose sleep over.

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br

Reply to:

References:
- Thunderbird security
  - From: André Rodier <andre@rodier.me>

Prev by Date: Re: Under each of these scenarios, what is the neatest and simplest way to manipulate the /etc/network/interfaces file?
Next by Date: Re: Thunderbird security
Previous by thread: Thunderbird security
Next by thread: Re: Thunderbird security
Index(es):
- Date
- Thread