Mozilla · Thunderbird · CVE-2022-1197
**Name of the Vulnerable Software and Affected Versions**
Thunderbird versions prior to 91.8
**Description**
The issue is related to errors in OpenPGP digital signature handling when an existing key is updated, which can allow a remote attacker to perform a spoofing attack. Specifically, when importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key, which stayed marked as non-revoked.
**Recommendations**
For versions prior to 91.8, update to version 91.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of OpenPGP digital signatures until the update is applied. In the affected versions, avoid importing revoked keys that specify key compromise as the revocation reason.
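
To check, independently of the mail client, whether a key file carries the kind of revocation described above, the following added example (not part of the original advisory and not Thunderbird code) reads the Reason for Revocation subpacket from binary OpenPGP data as laid out in RFC 4880. The function names and the sample packet are constructed for illustration, and signatures are not cryptographically verified.

```python
KEY_COMPROMISED = 2  # RFC 4880 5.2.3.23 (0 none, 1 superseded, 3 retired)

def _length(buf, i):
    """Decode a 1-, 2- or 5-octet length; return (length, next_index)."""
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o < 255:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):
    """Yield (tag, body) for each packet in a binary (de-armored) OpenPGP blob."""
    i = 0
    while i < len(data):
        hdr = data[i]
        new_fmt, ltype = bool(hdr & 0x40), hdr & 0x03
        if not hdr & 0x80 or (not new_fmt and ltype == 3) \
                or (new_fmt and 224 <= data[i + 1] < 255):
            raise ValueError("malformed header or streamed length (not handled)")
        if new_fmt:
            tag = hdr & 0x3F
            n, i = _length(data, i + 1)
        else:
            tag, size = (hdr >> 2) & 0x0F, 1 << ltype
            n = int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        yield tag, data[i:i + n]
        i += n

def revocation_reason_codes(data):
    """Reason codes claimed by each v4 key revocation signature (type 0x20)."""
    codes = []
    for tag, body in packets(data):
        if tag != 2 or len(body) < 6 or body[0] != 4 or body[1] != 0x20:
            continue
        area, i = body[6:6 + int.from_bytes(body[4:6], "big")], 0
        while i < len(area):                      # walk the hashed subpackets
            n, i = _length(area, i)
            if n >= 2 and i + 1 < len(area) and area[i] & 0x7F == 29:
                codes.append(area[i + 1])         # subpacket 29: reason code
            i += n
    return codes

def claims_key_compromise(data):
    return KEY_COMPROMISED in revocation_reason_codes(data)

# Constructed sample packet (dummy signature value; signatures are not verified).
SAMPLE = bytes.fromhex("c21a04200108000d0502624a0000061d026c6f73740000abcd000101")
```

Armored input must be de-armored first (for example with `gpg --dearmor`). A code of 2 only means the revocation states key compromise, not that the revocation signature itself is valid.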