CVE-2021-23991: 
NixOS vulnerability analysis and mitigation

CVE-2021-23991 is a security vulnerability in Mozilla Thunderbird's OpenPGP key refresh mechanism discovered by Cure53. The vulnerability was disclosed and fixed in Thunderbird version 78.9.1, released on April 8, 2021. The issue affects the OpenPGP encryption functionality in Mozilla Thunderbird, specifically its key management and validation system (Mozilla Advisory).

The vulnerability exists in Thunderbird's handling of OpenPGP key updates. When a user has previously imported a trusted OpenPGP key, and that key's validity period has been extended but not yet imported, the application becomes vulnerable to key poisoning attacks. The issue stems from Thunderbird's failure to properly validate subkey signatures before attempting to use them for encryption operations. The vulnerability was rated as having a moderate severity impact (Mozilla Advisory).

If exploited, an attacker could send an email containing a crafted version of a trusted key with an invalid subkey. When Thunderbird attempts to use this invalid subkey, it would fail to send encrypted email to the intended recipient, effectively causing a denial of service condition for encrypted communication (Mozilla Advisory).

The vulnerability was fixed in Thunderbird version 78.9.1. The fix involves implementing proper validation of OpenPGP key signatures using new RNP APIs for checking key validity. Users should upgrade to Thunderbird 78.9.1 or later to receive the security fix (Red Hat Advisory).