Your submission was sent successfully! Close

USN-5168-2: Thunderbird vulnerability

1 December 2021

Thunderbird could be made to crash or run programs if it verified a specially crafted signature.



  • thunderbird - Mozilla Open Source mail and newsgroup client


Tavis Ormandy discovered that NSS, included with Thunderbird, incorrectly
handled verifying DSA/RSA-PSS signatures. A remote attacker could use this
issue to cause Thunderbird to crash, resulting in a denial of service, or
possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 21.10
Ubuntu 21.04
Ubuntu 20.04
Ubuntu 18.04

After a standard system update you need to restart Thunderbird to make
all the necessary changes.


Related notices

  • USN-5168-1: nss, libnss3-tools, libnss3-dev, libnss3
  • USN-5168-3: libnss3-1d, libnss3-tools, libnss3-dev, nss, libnss3-nssdb, libnss3
  • USN-5168-4: libnss3-1d, libnss3-tools, libnss3-dev, nss, libnss3-nssdb, libnss3