Bug#898634: kmail: efail attack against S/MIME

2019-03-15 Thread Salvatore Bonaccorso
Hi According to the update in the security-tracker done by Moritz for https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed21bb0c20a2272745fb959f4c1da58a44ce32e7#4716ef5aa8f2742228ba3b3633215c8b808565e3_72290_72286 we might close this related issue for kmail, but not doing

Bug#898634: kmail: efail attack against S/MIME

2018-05-16 Thread Yves-Alexis Perez
On Wed, 2018-05-16 at 13:04 +0200, Sandro Knauß wrote: > > There's a misunderstanding. My point isn't about PGP/MIME (which is indeed > > handled by gnupg, even if through gpgme), but about S/MIME, which I really > > don't think it's handled by

Bug#898634: kmail: efail attack against S/MIME

2018-05-16 Thread Sandro Knauß
> There's a misunderstanding. My point isn't about PGP/MIME (which is indeed > handled by gnupg, even if through gpgme), but about S/MIME, which I really > don't think it's handled by anything related to gnupg. It is - the binary and package is called gpgsm and is part of gnupg source tarball.

Bug#898634: kmail: efail attack against S/MIME

2018-05-16 Thread Yves-Alexis Perez
On Wed, 2018-05-16 at 12:33 +0200, Sandro Knauß wrote: > > Thanks, that's good to know. > > Should I prepare an update with those patches for stable? Yes I think it'd be worth it. > > > > For a more detailed look for KMail and EFail see the

Bug#898634: kmail: efail attack against S/MIME

2018-05-16 Thread Sandro Knauß
> Ok. Other clients like Evolution and Trojita also had an issue with DNS > prefetching which could be re-enabled in Webkit. Not sure on what library > KMail relies for HTML rendering but it might be worth checking that too? > > See https://bugs.webkit.org/show_bug.cgi?id=182924 for the webkit bug

Bug#898634: kmail: efail attack against S/MIME

2018-05-16 Thread Yves-Alexis Perez
On Wed, 2018-05-16 at 11:44 +0200, Sandro Knauß wrote: > Hey, Hi Sandro, thanks for the update on this. > > For S/MIME the situation is that it is a conceptional weakness in the > standard > to remove the target vector completely. Agreed, and

Bug#898634: kmail: efail attack against S/MIME

2018-05-16 Thread Sandro Knauß
Hey, For S/MIME the situation is that it is a conceptional weakness in the standard to remove the target vector completely. In KMail we have the best handling that we can get at the moment (with default settings). KMail never accesses resources from the internet without asking the user or an

Bug#898634: kmail: efail attack against S/MIME

2018-05-14 Thread Yves-Alexis Perez
Source: kmail Severity: grave Tags: security Justification: user security hole Hi, as you may already know, a paper was published this morning describing a vulnerability known as efail against S/MIME and PGP/MIME implementations in various mail clients. This vulnerability allows an attacker