I've received a few questions about EFAIL and whether this release has any related changes, so I hope you'll forgive me for sending a second mutt-announce email today.
For those unaware, https://efail.de/ disclosed an attack on OpenPGP and S/MIME emails this past week. The researchers reported mutt-1.7.2 was not successfully attacked. So, the short answer is no, mutt-1.10.0 has no changes made as a result of EFAIL, and the pgp/smime configuration variable changes in this release are unrelated.

I am neither a security researcher nor a cryptographer, but here are my current takeaways and suggestions:

* If you are using a version of mutt before 1.6.0 and rely on OpenPGP encryption, please upgrade. 1.6.0 introduced $pgp_decryption_okay, which scans the GnuPG status output for a successful decryption code.

* Please make sure you update your config to the values suggested in contrib/gpg.rc (again, in particular $pgp_decryption_okay).

* Opening a decrypted email in an external browser should be considered unsafe. Part of the attack was due to HTML injection.

* I don't believe autoviewing dumped HTML via lynx, elinks, etc. is an issue. However, the researchers did not specifically test that.

-Kevin
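The check that $pgp_decryption_okay enables, reproduced as an added shell example (not code from the announcement or from mutt itself): a message only counts as decrypted when GnuPG's --status-fd stream carries a DECRYPTION_OKAY line, regardless of whether plaintext was emitted. It assumes the regex value contrib/gpg.rc sets for pgp_decryption_okay; the status lines are constructed sample data.

```shell
# Added example, not from the mutt project. Mimics what mutt does once
# $pgp_decryption_okay is set: trust a decryption only if GnuPG's
# --status-fd output contains DECRYPTION_OKAY.
#
# The corresponding muttrc line, as set in contrib/gpg.rc:
#   set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY"

decryption_okay() {
    # $1: text of the gpg --status-fd stream.
    # Returns 0 only when a DECRYPTION_OKAY line is present; a stream with
    # no such line (e.g. DECRYPTION_FAILED, or plaintext written without the
    # marker) is treated as not decrypted.
    printf '%s\n' "$1" | grep -q '^\[GNUPG:\] DECRYPTION_OKAY'
}

# Constructed status stream for a message that decrypted cleanly.
# The key id is a placeholder, not a real key.
STATUS_GOOD='[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'

# Constructed stream where gpg ran but never reported DECRYPTION_OKAY.
# mutt before 1.6.0 had no setting to distinguish this from a success.
STATUS_BAD='[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION'

if decryption_okay "$STATUS_GOOD"; then
    echo "good stream: treated as decrypted"
fi
if ! decryption_okay "$STATUS_BAD"; then
    echo "bad stream: not treated as decrypted"
fi
```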
