Thanks very much for this work, Patrick! And thanks to Posteo and Mozilla for funding this research.
On Tue 2017-12-19 08:45:29 +0100, Patrick Brunschwig wrote:

> [1] <https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf>
> [2] <https://sourceforge.net/p/enigmail/bugs/709/>

Are there CVE numbers assigned to these? I see 6 vulnerabilities listed that seem CVE-worthy to me:

* TBE-01-002 Enigmail: Weak Parsing Causes Confidentiality Compromise (Critical)
  (the description of this one is a bit confused -- it's not clear who is sending the e-mail, or who the attacker is, or how the message is specifically encrypted. It also references TB-01-004, which isn't listed in the excerpt)
* TBE-01-005 Enigmail: Replay of encrypted Contents leads to Plaintext Leak (High)
* TBE-01-021 Enigmail: Flawed parsing allows faked Signature Display (Critical)
* TBE-01-001 Enigmail: Insecure Random Secret Generation (Low)
* TBE-01-003 Enigmail: Regular Expressions Exploitable for Denial of Service (Low)
* https://sourceforge.net/p/enigmail/bugs/709/ Enigmail: Signature Spoofing Attacks using multipart/related

---------

If you've already got CVEs assigned, can you report them?

If you don't, and you want to request them yourself, you can get them here: https://cveform.mitre.org/

If you don't want to bother, I can request CVEs for you and report back on-list.

Please let me know what you prefer to do about getting CVEs here!

--dkg
