I think this bug applies to Thunderbird as well as Enigmail and both packages need urgent updates.

The Enigmail part can be corrected by updating to version 2.0.3, but the user will still be vulnerable until a new version of Thunderbird is released and pushed out to users. Long term, the OpenPGP standard needs to be updated to address the issue.

Could the maintainers of Enigmail take action on updating to the already released 2.0.3, and forward the bug to Thunderbird for further action?

Thanks,
David

On Mon, 14 May 2018 15:15:26 +0200 Yves-Alexis Perez <cor...@debian.org> wrote:
> Package: enigmail
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi Daniel,
>
> In case you haven't already heard about it by now, a vulnerability has
> been published against S/MIME and PGP/MIME in various email clients,
> including Thunderbird (and Enigmail).
>
> I'm unsure if CVE-2017-17688 (OpenPGP CFB gadget attacks) applies
> to Thunderbird/Enigmail or only GnuPG, but the PGP/MIME vulnerability
> does apply to Enigmail.
>
> Some fixes apparently went into Enigmail 2.0.0, but I'm unsure which of
> them yet, so any pointers are appreciated (for example by closing with the
> correct version number :).
>
> I think we'll likely want to release a DSA too.
>
> Regards,
> --
> Yves-Alexis
