[Pkg-mozext-maintainers] Bug#929363: enigmail: CVE-2019-12269
Moritz Mühlenhoff
jmm at inutil.org
Tue Jun 25 21:35:44 BST 2019
On Fri, May 24, 2019 at 09:49:54AM +0200, Salvatore Bonaccorso wrote:
> Source: enigmail
> Source-Version: 2:2.0.11+ds1-1
>
> On Wed, May 22, 2019 at 02:25:42PM +0200, Salvatore Bonaccorso wrote:
> > Source: enigmail
> > Version: 2:2.0.10+ds1-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://sourceforge.net/p/enigmail/bugs/983/
> >
> > Hi,
> >
> > The following vulnerability was published for enigmail.
> >
> > CVE-2019-12269[0]:
> > | Enigmail before 2.0.11 allows PGP signature spoofing: for an inline
> > | PGP message, an attacker can cause the product to display a "correctly
> > | signed" message indication, but display different unauthenticated
> > | text.
>
> This issue was addressed in 2.0.11 upstream, closing manually.
Buster still has 2.0.10, what's the plan for it (and for stretch),
should we fix this in older releases?
Cheers,
Moritz