Package: enigmail
Severity: grave
Tags: security
Justification: user security hole

Hi Daniel,

in case you haven't already heard about it by now, a vulnerability has been published against S/MIME and PGP/MIME in various email clients, including thunderbird (and enigmail).

I'm unsure if CVE-2017-17688 (OpenPGP CFB gadget attacks) applies to Thunderbird/enigmail or only GnuPG, but the PGP/MIME vulnerability does apply to enigmail.

Some fixes apparently went in to enigmail 2.0.0 but I'm unsure which of them yet, so any pointers appreciated (for example by closing with the correct version number :).

I think we'll likely want to release a DSA too.

Regards,
--
Yves-Alexis

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages enigmail depends on:
ii  gnupg                     2.2.5-1
ii  gpg-agent [gnupg-agent]   2.2.5-1
pn  thunderbird | icedove     <none>

Versions of packages enigmail recommends:
ii  pinentry-gnome3 [pinentry-x11]  1.1.0-1+b1
ii  pinentry-gtk2 [pinentry-x11]    1.1.0-1+b1

enigmail suggests no packages.