Alpine: thunderbird: security update to 78.9.0-r0

high Tenable Cloud Security Plugin ID 427004

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR
78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9,
Firefox < 87, and Thunderbird < 78.9. (CVE-2021-23987)

- If Content Security Policy blocked frame navigation, the full destination of a redirect served in the
frame was reported in the violation report; as opposed to the original frame URI. This could be used to
leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86, Thunderbird <
78.8, and Firefox ESR < 78.8. (CVE-2021-23968)

- As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need
to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible,
user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types
of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was
fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird <
78.8, and Firefox ESR < 78.8. (CVE-2021-23969)

- When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted,
and the content of that error may have revealed information about the resource. This vulnerability affects
Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8. (CVE-2021-23973)

- Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and
Firefox ESR < 78.8. (CVE-2021-23978)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-23968

https://security.alpinelinux.org/vuln/CVE-2021-23969

https://security.alpinelinux.org/vuln/CVE-2021-23973

https://security.alpinelinux.org/vuln/CVE-2021-23978

https://security.alpinelinux.org/vuln/CVE-2021-23981

https://security.alpinelinux.org/vuln/CVE-2021-23982

https://security.alpinelinux.org/vuln/CVE-2021-23984

https://security.alpinelinux.org/vuln/CVE-2021-23987

Plugin Details

Severity: High

ID: 427004

Version: Revision 1.3

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-23987

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/23/2021

Reference Information

CVE: CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978, CVE-2021-23981, CVE-2021-23982, CVE-2021-23984, CVE-2021-23987

IAVA: 2021-A-0107-S, 2021-A-0144-S