I asked in the original bug report to have Enigmail updated to 1.9.9. Posteo, one of the sponsors of the audit, wrote at https://posteo.de/en/blog/security-warning-for-thunderbird-users-and- enigmail-users-vulnerabilities-threaten-confidentiality-of-communication :
"For Enigmail users: * Update Enigmail immediately to the new version 1.9.9. This update removes all vulnerabilities identified in this audit. * ..." An excerpt of the audit report is available at https://www.enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf linked from the Enigmail changelog at https://www.enigmail.net/index.php/en/download/changelog . At your link https://wiki.ubuntu.com/StableReleaseUpdates it says: "2. When 2.1. High-impact bugs Stable release updates will, in general, only be issued in order to fix high-impact bugs. Examples of such bugs include: * Bugs which may, under realistic circumstances, directly cause a security vulnerability. These are done by the security team and are documented at SecurityTeam/UpdateProcedures. * ..." That's the situation here, there are multiple bugs that cause security vulnerabilities and I submitted a bug report here asking for Enigmail to be updated. If that means this is a "stable release update" and not a "fake-sync", that's fine with me. I'm not part of the Enigmail development team. It seems from your link that this should be handled by the security team, but if you or the security team are not the right group to handle this according to Ubuntu bug rules, please feel free to reassign this to a different team, or leave it unassigned and remove the "Incomplete" status. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
