Security update for enigmail SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1329-1 Final 1 1 2018-05-17T11:35:48Z current 2018-05-17T11:35:48Z 2018-05-17T11:35:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for enigmail This update for enigmail to version 2.0.4 fixes multiple issues. Security issues fixed: - CVE-2017-17688: CFB gadget attacks allowed to exfiltrate plaintext out of encrypted emails. enigmail now fails on GnuPG integrity check warnings for old Algorithms (bsc#1093151) - CVE-2017-17689: CBC gadget attacks allows to exfiltrate plaintext out of encrypted emails (bsc#1093152) This update also includes new and updated functionality: - The Encryption and Signing buttons now work for both OpenPGP and S/MIME. Enigmail will chose between S/MIME or OpenPGP depending on whether the keys for all recipients are available for the respective standard - Support for the Autocrypt standard, which is now enabled by default - Support for Pretty Easy Privacy (p≡p) - Support for Web Key Directory (WKD) - The message subject can now be encrypted and replaced with a dummy subject, following the Memory Hole standard forprotected Email Headers - keys on keyring are automatically refreshed from keyservers at irregular intervals - Subsequent updates of Enigmail no longer require a restart of Thunderbird - Keys are internally addressed using the fingerprint instead of the key ID The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2018-470 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RNZBPQATLVKCT7P5YVUXDDVDFKRPUWP6/#RNZBPQATLVKCT7P5YVUXDDVDFKRPUWP6 E-Mail link for openSUSE-SU-2018:1329-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1093151 SUSE Bug 1093151 https://bugzilla.suse.com/1093152 SUSE Bug 1093152 https://www.suse.com/security/cve/CVE-2017-17688/ SUSE CVE CVE-2017-17688 page https://www.suse.com/security/cve/CVE-2017-17689/ SUSE CVE CVE-2017-17689 page SUSE Package Hub 12 enigmail-2.0.4-9.1 enigmail-2.0.4-9.1 as a component of SUSE Package Hub 12 ** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification. CVE-2017-17688 SUSE Package Hub 12:enigmail-2.0.4-9.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RNZBPQATLVKCT7P5YVUXDDVDFKRPUWP6/#RNZBPQATLVKCT7P5YVUXDDVDFKRPUWP6 https://www.suse.com/security/cve/CVE-2017-17688.html CVE-2017-17688 https://bugzilla.suse.com/1093151 SUSE Bug 1093151 https://bugzilla.suse.com/1093727 SUSE Bug 1093727 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 https://bugzilla.suse.com/1115719 SUSE Bug 1115719 The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. CVE-2017-17689 SUSE Package Hub 12:enigmail-2.0.4-9.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RNZBPQATLVKCT7P5YVUXDDVDFKRPUWP6/#RNZBPQATLVKCT7P5YVUXDDVDFKRPUWP6 https://www.suse.com/security/cve/CVE-2017-17689.html CVE-2017-17689 https://bugzilla.suse.com/1093152 SUSE Bug 1093152 https://bugzilla.suse.com/1093727 SUSE Bug 1093727 https://bugzilla.suse.com/1093969 SUSE Bug 1093969