Package: mew-beta
Version: 7.0.50~6.6+0.20140902-1
Severity: important
Tags: jessie security

It was discovered that Mew, a mail reader supporting PGP/MIME for Emacs, did not properly implement recipients matching to encrypt mails. This may allow an unrelated person to decrypt the mails.

cf.
- https://github.com/kazu-yamamoto/Mew/issues/77

From: Tatsuya Kinoshita
> When the following keys are imported,
>
> - 1024D/97AA33D6 Dima Barsky <d...@debian.org>
> - 1024D/1A944AD7 Martin Albert <m...@debian.org>
>
> I write a mail with To: m...@debian.org, and encrypt it,
> then it is encrypted with Dima's key instead of Martin's key.

Fixed in https://github.com/kazu-yamamoto/Mew/commit/5fa1fbd130f90b8afbeef66e256eead031f17e27

The security team suggested that this is rather a candidate for a fix in a point update instead of a Debian Security Advisory.

Thanks,
--
Tatsuya Kinoshita