Re: [Enigmail] [ANN] Enigmail v1.9.9 available

2017-12-19 Thread Patrick Brunschwig
On 19 December 2017 at 20:28:25 CET, Daniel Kahn Gillmor
wrote:
>Thanks very much for this work, Patrick!  And thanks to Posteo and
>Mozilla for funding this research.
>
>On Tue 2017-12-19 08:45:29 +0100, Patrick Brunschwig wrote:
>> [1]
>>
>
>> [2] 
>
>Are there CVE numbers assigned to these?

Not yet, but I'll take care of that tomorrow. Thanks for the reminder.

Patrick 



signature.asc
Description: PGP signature
___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net


Re: [Enigmail] [ANN] Enigmail v1.9.9 available

2017-12-19 Thread Daniel Kahn Gillmor
Thanks very much for this work, Patrick!  And thanks to Posteo and
Mozilla for funding this research.

On Tue 2017-12-19 08:45:29 +0100, Patrick Brunschwig wrote:
> [1]
> 
> [2] 

Are there CVE numbers assigned to these?

I see 6 vulnerabilities listed that seem CVE-worthy to me:

 * TBE-01-002 Enigmail: Weak Parsing Causes Confidentiality Compromise (Critical)

(the description of this one is a bit confused -- it's not clear who
 is sending the e-mail, or who the attacker is, or how the message
 is specifically encrypted.  it also references TB-01-004, which
 isn't listed in the excerpt)

 * TBE-01-005 Enigmail: Replay of encrypted Contents leads to Plaintext Leak (High)

 * TBE-01-021 Enigmail: Flawed parsing allows faked Signature Display (Critical)

 * TBE-01-001 Enigmail: Insecure Random Secret Generation (Low)

 * TBE-01-003 Enigmail: Regular Expressions Exploitable for Denial of Service (Low)

 * https://sourceforge.net/p/enigmail/bugs/709/  Enigmail: Signature Spoofing Attacks using multipart/related

-


If you've already got CVEs assigned, can you report them?  If you don't,
and you want to request them yourself, you can get them here:

   https://cveform.mitre.org/

If you don't want to bother, i can request CVEs for you and report back
on-list.

Please let me know what you prefer to do about getting CVEs here!

   --dkg




Re: [Enigmail] [ANN] Enigmail v1.9.9 available

2017-12-19 Thread Ian Mann
Many thanks Patrick & Season's Greetings to you – Ian Mann (Australia)



Sent from Mail for Windows 10




From: enigmail-users on behalf of Patrick Brunschwig
Sent: Tuesday, December 19, 2017 6:45:29 PM
To: Enigmail user discussion list
Subject: [Enigmail] [ANN] Enigmail v1.9.9 available

I'm happy to announce the availability of Enigmail v1.9.9 for
Thunderbird version 52.x and SeaMonkey 2.46.

This version addresses a number of security vulnerabilities discovered
by Cure53 during an audit of Thunderbird with Enigmail. The audit report
covers both Thunderbird and Enigmail. As some vulnerabilities are still
unfixed on the side of Thunderbird, we currently only publish an excerpt
of the report with the issues found in Enigmail [1].

Enigmail is one of the most widely used tools for OpenPGP email
encryption. Yet it took 16(!) years of development until the first
security audit was performed. It was more than overdue, and I would like
to thank Posteo (www.posteo.de) for taking the initiative and
co-financing an audit report together with the Mozilla Foundation. Not
very surprisingly for such an old project, the audit report revealed a
number of important issues that have now been addressed.


Changes
=======

See the Pentest Report for Enigmail by Cure53 [1].
In addition, Bug 709 was fixed [2].


Obtaining Enigmail
==================
Enigmail can be downloaded from


The changelog is available from



Additional Remarks
==================
Beta versions of Thunderbird require a nightly build of Enigmail,
i.e. Enigmail v1.9.x will not work with Thunderbird 56b1 and newer.

-Patrick



[1]

[2] 
