| Bug ID | 1141025 |
|---|---|
| Summary | VUL-1: enigmail: mitigation against SKS Keyserver Network Attack |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.1 |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | bnc-team-gnome@forge.provo.novell.com |
| Reporter | Andreas.Stieger@gmx.de |
| QA Contact | security-team@suse.de |
| CC | wolfgang@rosenauer.org |
| Found By | Security Response Team |
| Blocker | --- |
Due to an implementation of the SKS keyserver network, malicious users could poison specific keys with many key signature packages. The specific keys would then become unusable due to their size and number of signatures. Enigmail 2.0.12 changes the default keyserver to keys.openpgp.org in order to mitigate the SKS Keyserver Network Attack. References: https://enigmail.net/index.php/en/download/changelog#enig2.0.12 https://gitlab.com/enigmail/enigmail/commit/5868fa72d3d04e73258a7f1417bd8552bf3e60e3 https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f