Bug#898633: evolution-data-server: efail attack against S/MIME

Jeremy Bicha jbicha at debian.org
Sun Aug 12 21:38:11 BST 2018


On Mon, May 14, 2018 at 9:33 AM Yves-Alexis Perez <corsac at debian.org> wrote:
> as you are certainly aware, a paper describing a vulnerability called
> efail has been published today (https://efail.de). It describes an
> attack scenario which can enable an attacker with read/write access to
> the encrypted mails to retrieve plaintext via an external server if HTML
> mail and loading of remote content is enabled.
>
> The PGP/MIME part is apparently not vulnerable in Evolution, but the
> S/MIME seems to be (according to the authors).
>
> It's unclear if a fix needs to be done at the evolution(-data-server)
> layer or below, so feel free to reassign to an underlying library if
> needed (nss for example).
>
> We'll likely have to issue a DSA at one point.

Yves, the Evolution bug was closed upstream. Should we close the bug
in Debian too?

https://bugzilla.gnome.org/796135

Thanks,
Jeremy Bicha
