I have released Enigmail v2.0.7 for Thunderbird version 52/60 and SeaMonkey 2.46 and newer.

Changes
=======

This release addresses several critical security bugs:

* Spoofing of Email signatures I (CVE-2018-12020) [1]: GnuPG 2.2.8 fixed a security bug that allows remote attackers to spoof arbitrary email signatures via the embedded "--filename" parameter in OpenPGP literal data packets. This release of Enigmail prevents the exploit for all versions of GnuPG, i.e. also if GnuPG is not updated.

* Spoofing of Email signatures II (CVE-2018-12019) [2]: The signature verification routine in Enigmail interpreted User IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.

* Mozilla crash bug 1423895 [3]: If Enigmail is installed on Thunderbird 60b7 together with the Add-Ons "CardBook" or "QuickFolders" (or possibly other Add-Ons), then Thunderbird will crash as soon as an Enigmail-specific window is opened. This version implements a workaround for the Mozilla bug.

Obtaining Enigmail
==================

Enigmail can be downloaded from <https://www.enigmail.net/index.php/en/download/>

The changelog is available from <https://www.enigmail.net/index.php/en/download/changelog>

Additional Remarks
==================

The new version is already approved on https://addons.mozilla.org; you should receive it automatically via the addons-update.

-Patrick

[1] https://www.cvedetails.com/cve/CVE-2018-12020
[2] https://www.cvedetails.com/cve/CVE-2018-12019
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1423895
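
An added illustration of the parsing discipline that the second item (CVE-2018-12019) is about; it is not code from Enigmail or GnuPG. It reads GnuPG `--status-fd` output so that only the keyword directly after the `[GNUPG:] ` prefix is interpreted, user-ID text stays opaque data, and every signature result is recorded. The function names, sample key IDs and the "every signature must be good" policy are assumptions.

```python
PREFIX = "[GNUPG:] "
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(text):
    """Split GnuPG --status-fd output into (keyword, args) records."""
    records = []
    # Split on "\n" only: str.splitlines() also breaks on characters such as
    # U+2028, which would let text inside a field start a new "line".
    for line in text.split("\n"):
        line = line.rstrip("\r")
        if not line.startswith(PREFIX):
            continue  # not a status record, never scanned for keywords
        keyword, _, args = line[len(PREFIX):].partition(" ")
        records.append((keyword, args))
    return records

def signatures(text):
    """Return one (state, keyid) pair per signature result record."""
    results = []
    for keyword, args in parse_status(text):
        if keyword == "GOODSIG" or keyword in FAILED:
            # First argument is the key ID; the rest (user ID) is opaque data.
            results.append((keyword, args.split(" ", 1)[0]))
    return results

def verdict(text):
    """Assumed strict policy: every signature must be good."""
    sigs = signatures(text)
    if not sigs:
        return "unsigned"
    return "good" if all(state == "GOODSIG" for state, _ in sigs) else "bad"

# Constructed sample inputs (key IDs and names are made up).
GOOD = "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Alice <alice@example.org>\n"
UID_TEXT = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG BBBBBBBBBBBBBBBB Bob GOODSIG AAAAAAAAAAAAAAAA Alice\n"
TWO_SIGS = GOOD + "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG BBBBBBBBBBBBBBBB Bob <bob@example.org>\n"
NOT_STATUS = "gpg: GOODSIG AAAAAAAAAAAAAAAA Alice\n  [GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Alice\n"

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("uid text", UID_TEXT),
                         ("two sigs", TWO_SIGS), ("not status", NOT_STATUS)]:
        print(name, "->", verdict(sample), signatures(sample))
```

This check does not replace the GnuPG 2.2.8 fix for CVE-2018-12020 named in the first item.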