Alpine: thunderbird: security update to 91.4.1-r0

critical Tenable Self-Hosted Container Security Plugin ID 426397

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer,
for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed
message for the signature validity. This gave the false impression that the additional contents were also
covered by the digital signature. Starting with Thunderbird version 91.4.1, only the signature that
belongs to the top level MIME part will be considered for the displayed status. This vulnerability affects
Thunderbird < 91.4.1. (CVE-2021-4126)

- The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The
Olm session object represents a cryptographic channel between two parties. Therefore, its state is
partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of
messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a
buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were
undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces
and digits. The known affected products are Element Web And SchildiChat Web. (CVE-2021-44538)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-4126

https://security.alpinelinux.org/vuln/CVE-2021-44538

Plugin Details

Severity: Critical

ID: 426397

Version: Revision 1.3

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-44538

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/14/2021

Reference Information

CVE: CVE-2021-4126, CVE-2021-44538

IAVA: 2021-A-0603