[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
Thanks Marc! (And Seth!) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
I just published updates for this. Thanks. ** Changed in: enigmail (Ubuntu Trusty) Status: Confirmed => Fix Released ** Changed in: enigmail (Ubuntu Xenial) Status: Confirmed => Fix Released ** Changed in: enigmail (Ubuntu Artful) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
Untested updates available here: https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages I will publish them next week. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
** Changed in: enigmail (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: enigmail (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: enigmail (Ubuntu Artful) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
** Also affects: enigmail (Ubuntu Artful) Importance: Undecided Status: New ** Also affects: enigmail (Ubuntu Bionic) Importance: Undecided Status: Incomplete ** Also affects: enigmail (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: enigmail (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: enigmail (Ubuntu Bionic) Status: Incomplete => Fix Released ** Changed in: enigmail (Ubuntu Trusty) Status: New => Confirmed ** Changed in: enigmail (Ubuntu Xenial) Status: New => Confirmed ** Changed in: enigmail (Ubuntu Artful) Status: New => Confirmed ** Changed in: enigmail (Ubuntu Trusty) Importance: Undecided => High ** Changed in: enigmail (Ubuntu Xenial) Importance: Undecided => High ** Changed in: enigmail (Ubuntu Artful) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
Does that mean you're not going to do a stable release update? Is there something wrong with the package from Debian? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
Thanks Jeremy; the 'incomplete' status just indicates that we're currently waiting on a community member to provide us with a debdiff for sponsorship. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
I asked in the original bug report to have Enigmail updated to 1.9.9. Posteo, one of the sponsors of the audit, wrote at https://posteo.de/en/blog/security-warning-for-thunderbird-users-and- enigmail-users-vulnerabilities-threaten-confidentiality-of-communication : "For Enigmail users: * Update Enigmail immediately to the new version 1.9.9. This update removes all vulnerabilities identified in this audit. * ..." An excerpt of the audit report is available at https://www.enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf linked from the Enigmail changelog at https://www.enigmail.net/index.php/en/download/changelog . At your link https://wiki.ubuntu.com/StableReleaseUpdates it says: "2. When 2.1. High-impact bugs Stable release updates will, in general, only be issued in order to fix high-impact bugs. Examples of such bugs include: * Bugs which may, under realistic circumstances, directly cause a security vulnerability. These are done by the security team and are documented at SecurityTeam/UpdateProcedures. * ..." That's the situation here, there are multiple bugs that cause security vulnerabilities and I submitted a bug report here asking for Enigmail to be updated. If that means this is a "stable release update" and not a "fake-sync", that's fine with me. I'm not part of the Enigmail development team. It seems from your link that this should be handled by the security team, but if you or the security team are not the right group to handle this according to Ubuntu bug rules, please feel free to reassign this to a different team, or leave it unassigned and remove the "Incomplete" status. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
Hi Jeremy, unfortunately we cannot just fake-sync enigmail from Debian to address this issue; the candidates for fake-syncing are the entries with 'sync' in the 'Status' column on http://people.canonical.com /~ubuntu-security/d2u/ The quickest and easiest way to get enigmail updated is to prepare a debdiff with cherry-picked patches that address security issues applied in the Debian packaging, and documented in the debian/changelog. An update to a wholly new version is possible but would be best served by the Stable Release Update process https://wiki.ubuntu.com/StableReleaseUpdates Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
Enigmail is already updated to 1.9.9 in Debian stable, see https://packages.debian.org/stretch/enigmail. The wiki page you linked says you can "request a sync from Debian" to fix security problems. Can you do that here? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures ** Changed in: enigmail (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
