[Pkg-mozext-maintainers] Bug#898630: enigmail: efail attack against enigmail
Yves-Alexis Perez
corsac at debian.org
Mon May 14 14:15:26 BST 2018
Package: enigmail
Severity: grave
Tags: security
Justification: user security hole
Hi Daniel,

In case you haven't already heard about it by now, a vulnerability has
been published against S/MIME and PGP/MIME in various email clients,
including Thunderbird (and enigmail).

I'm unsure if CVE-2017-17688 (OpenPGP CFB gadget attacks) applies
to Thunderbird/enigmail or only GnuPG, but the PGP/MIME vulnerability
does apply to enigmail.

Some fixes apparently went into enigmail 2.0.0 but I'm unsure which of
them yet, so any pointers appreciated (for example by closing with the
correct version number :).

I think we'll likely want to release a DSA too.

Regards,
--
Yves-Alexis
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages enigmail depends on:
ii gnupg 2.2.5-1
ii gpg-agent [gnupg-agent] 2.2.5-1
pn thunderbird | icedove <none>
Versions of packages enigmail recommends:
ii pinentry-gnome3 [pinentry-x11] 1.1.0-1+b1
ii pinentry-gtk2 [pinentry-x11] 1.1.0-1+b1
enigmail suggests no packages.