Bug #16738

Enigmail vulnerable to signature spoofing (again)

Added by segfault 28 days ago. Updated 18 days ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool: Email Client

Description

Enigmail 2.0.11 was released today which fixes another signature spoofing vulnerability:
https://www.enigmail.net/index.php/en/download/changelog#enig2.0.11
https://sourceforge.net/p/enigmail/bugs/983/


Related issues

Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed 03/22/2019

History

#1 Updated by intrigeri 27 days ago

#2 Updated by intrigeri 27 days ago

  • Affected tool set to Email Client

#3 Updated by segfault 21 days ago

  • Description updated (diff)

2.0.11 is in sid now: https://tracker.debian.org/news/1040308/accepted-enigmail-22011ds1-1-source-into-unstable

And there is a CVE (CVE-2019-12269) but it's not tracked in the Debian security bug tracker, so it's not entirely clear to me whether the version we ship in 3.14 (2.0.8-5~deb9u1 from Stretch) is vulnerable, but I assume that it is (https://nvd.nist.gov/vuln/detail/CVE-2019-12269 says that versions before 2.0.11 are vulnerable).

There is no new version in Stretch.

#4 Updated by intrigeri 18 days ago

> And there is a CVE (CVE-2019-12269) but it's not tracked in the Debian security bug tracker, so it's not entirely clear to me whether the version we ship in 3.14 (2.0.8-5~deb9u1 from Stretch) is vulnerable, but I assume that it is (https://nvd.nist.gov/vuln/detail/CVE-2019-12269 says that versions before 2.0.11 are vulnerable).

https://security-tracker.debian.org/tracker/CVE-2019-12269 says that 2:2.0.8-5~deb9u1 is vulnerable.
