openSUSE Security Update: Security update for enigmail
Announcement ID: openSUSE-SU-2018:1329-1
References: #1093151 #1093152
Cross-References: CVE-2017-17688 CVE-2017-17689
SUSE Package Hub for SUSE Linux Enterprise 12
An update that fixes two vulnerabilities is now available.
This update for enigmail to version 2.0.4 fixes multiple issues.
Security issues fixed:
- CVE-2017-17688: CFB gadget attacks allowed exfiltration of plaintext
from encrypted emails. Enigmail now fails on GnuPG integrity check
warnings for old algorithms (bsc#1093151)
- CVE-2017-17689: CBC gadget attacks allowed exfiltration of plaintext
from encrypted emails (bsc#1093152)
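As an added illustration of the fail-closed handling described for CVE-2017-17688 (this is not Enigmail's code), the Python check below reads GnuPG `--status-fd` lines and releases plaintext only when the integrity check was confirmed. The function name and the three sample sessions are constructed for this example; the status keywords are the ones GnuPG documents in doc/DETAILS.

```python
# Added example, not Enigmail code. Status keywords follow GnuPG's doc/DETAILS;
# integrity_verdict() and the sample sessions are constructed for illustration.

def integrity_verdict(status_text):
    """Return (accept, reason) for the --status-fd output of one decryption."""
    seen = set()
    mdc_method = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # ignore anything that is not a status line
        seen.add(fields[1])
        if fields[1] == "DECRYPTION_INFO" and len(fields) > 2:
            mdc_method = fields[2]  # "0" means the message carried no MDC
    if "BADMDC" in seen:
        return False, "integrity check failed"
    if "DECRYPTION_OKAY" not in seen:
        return False, "decryption did not complete"
    if "GOODMDC" not in seen:
        # Fail closed: a warning-only outcome must not release plaintext.
        if mdc_method == "0":
            return False, "message has no integrity protection"
        return False, "integrity not confirmed"
    return True, "integrity protected"

# Constructed sessions: protected message, legacy message without MDC, tampered.
PROTECTED = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""
NO_MDC = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 0 3
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""
TAMPERED = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

if __name__ == "__main__":
    for name, session in (("protected", PROTECTED), ("no MDC", NO_MDC), ("tampered", TAMPERED)):
        print(name, integrity_verdict(session))
```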
This update also includes new and updated functionality:
- The Encryption and Signing buttons now work for both OpenPGP and S/MIME.
Enigmail will choose between S/MIME or OpenPGP depending on whether the
keys for all recipients are available for the respective standard
- Support for the Autocrypt standard, which is now enabled by default
- Support for Pretty Easy Privacy (p≡p)
- Support for Web Key Directory (WKD)
- The message subject can now be encrypted and replaced with a dummy
subject, following the Memory Hole standard for protected Email Headers
- keys on keyring are automatically refreshed from keyservers at irregular
- Subsequent updates of Enigmail no longer require a restart of Thunderbird
- Keys are internally addressed using the fingerprint instead of the key ID
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2018-470=1
- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):