Greetings (and sorry for this really late mail),
I am not sure if this mailing list is the correct address for this,
but it affected openSUSE, and you probably know better than me if and
how to contact the Thunderbird and Enigmail developers…
TLDR: Back in May (2017-05) we noticed the following problem on
openSUSE Leap 42.1 and 42.2 with Thunderbird 52 and RPM-installed
Enigmail: E-Mail that should have been X.509-signed or -encrypted was
sent entirely unencrypted and unsigned, with Thunderbird giving no
indication that signing or encrypting had failed.
= Our setup =
- All of our laptop-using colleagues have personal X.509 certificates
on PKCS#11 USB tokens.
- Some of them also have personal GPG keys on their laptops or tokens.
- Thunderbird signs outgoing mail by default with the X.509 certificate.
- Thunderbird encrypts on demand with either X.509 (S/MIME) or GPG key
(via Enigmail).
= What happened, what was the problem? =
- If our users tried to read GPG-encrypted mail in their freshly
updated Thunderbird 52, or sign or encrypt via GPG, or even change
their Enigmail/GPG config, it failed noisily. So far, so good, this
was reported by somebody else 2 days after the release of TB52 as
BSC#1038034 (URL in timeline section below).
- If our users tried to send S/MIME-signed and/or -encrypted mail, it
was "successfully" sent without any error message, but unsigned and
unencrypted (reading mail---decrypting and verifying---worked fine).
So apparently the fact that Enigmail/GPG encryption was incompatible
with Thunderbird 52 broke the whole Thunderbird crypto, including
X.509/S/MIME, in such a horrible, invisible way. (We witnessed this on
several laptops and reproduced it with newly created Thunderbird user
profiles. Sadly, I don't have any strace because I didn't think of it
at the time, and when I did, all users had upgraded. But I assume the
problem will return in the future.)
= Timeline =
2017-05-06 Release of Thunderbird 52 on openSUSE Leap 42.1 and 42.2
2017-05-08 Bug report (not by us) that Enigmail isn't working anymore
with Thunderbird 52
(https://bugzilla.suse.com/show_bug.cgi?id=1038034, similar reports
existed for previous Thunderbird versions)
2017-05-17 EOL openSUSE Leap 42.1, didn't receive a fix.
2017-05-19 Enigmail update for 42.2 only (openSUSE-RU-2017:1363-1,
https://lists.opensuse.org/opensuse-updates/2017-05/msg00071.html)
= Who was affected? =
All of our laptop users running openSUSE 42.1 or 42.2 at that time,
- if they had installed the RPM package "enigmail",
- if they had updated to Thunderbird 52 (at or after 2017-05-06),
- if they hadn't yet updated to Enigmail 1.9.7 (at or after 2017-05-19).
(To see if you are/were affected, you should:
1. identify the timespan between installation/update of
MozillaThunderbird 52 and Enigmail 1.9.7:
grep -i "enigmail\|thunderbird|52" /var/log/zypp/history
2. look through your Thunderbird "Sent" folder for that timespan and
see if mails that were supposed to be S/MIME-signed or -encrypted
really are signed or encrypted.)
= How to get rid of the problem? =
Users of openSUSE Leap 42.1 need(ed) to:
- remove the system package "enigmail" ("zypper rm enigmail" as root)
to avoid similar problems with future Thunderbird updates and
- if you do need GPG, install the Thunderbird Add-On of the same name
(Extras -> Add-ons -> enter "enigmail" into the search field in the
top right -> Enter) and
- upgrade to at least 42.2 as soon as possible.
Users of 42.2 need(ed) to:
- install current system package updates after 2017-05-19 ("zypper ref
-f; zypper up" as root; make sure enigmail is at least version 1.9.7)
and we recommended to our users to also:
- remove the system package "enigmail" (like above) and
- if you do need GPG, install the Thunderbird Add-On of the same name
(like above).
= How to avoid similar problems in the future? =
- Fix Thunderbird and/or Enigmail upstream to at least not break silently.
- Release openSUSE Thunderbird updates together with Enigmail updates,
or introduce a version dependency if possible (I assume it is not that
easy on the RPM package level because Enigmail probably works with
other Mail client software, too, and hence a dependency on Thunderbird
at all would be nonsensical).
Thanks for your time and for making openSUSE!
--
Kind regards
Christopher 'm4z' Holm / 686f6c6d
"We must respect the other fellow's religion, but only in the sense
and to the extent that we respect his theory that his wife is
beautiful and his children smart." --H. L. Mencken
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
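As an added example (not part of Christopher's mail or of any openSUSE tooling), a script that automates the two-step check from the "Who was affected?" section: it derives the exposure window from /var/log/zypp/history lines and then lists mails from the Sent folder inside that window which carry neither an S/MIME signature nor S/MIME encryption. The history layout, the UTC timestamps and both sample inputs are constructed assumptions.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed /var/log/zypp/history lines (assumed layout: date|action|package|version|arch|repo|checksum|user)
ZYPP_HISTORY = """\
2017-05-06 09:12:33|install|MozillaThunderbird|52.1.0-40.1|x86_64|update|-|root@laptop
2017-05-06 09:12:40|install|enigmail|1.9.6.1-4.1|noarch|oss|-|root@laptop
2017-05-20 08:01:02|install|enigmail|1.9.7-5.1|noarch|update|-|root@laptop
"""
# Constructed "Sent" folder messages; only Date and Content-Type matter for the check
SENT = [
    "Date: Thu, 04 May 2017 10:00:00 +0000\nSubject: before\nContent-Type: multipart/signed;"
    ' protocol="application/pkcs7-signature"; boundary="b"\n\n--b\n\nbody\n--b\n\nsig\n--b--\n',
    "Date: Tue, 09 May 2017 10:00:00 +0000\nSubject: report\nContent-Type: text/plain\n\nwent out unsigned\n",
    "Date: Mon, 22 May 2017 10:00:00 +0000\nSubject: after\nContent-Type: application/pkcs7-mime;"
    " smime-type=enveloped-data\n\nMIAGCSqGSIb3DQEHA6CA\n",
]
def version_tuple(v):  # '1.9.7-5.1' -> (1, 9, 7): upstream version only, RPM release ignored
    return tuple(int(x) for x in v.split("-")[0].split("."))
def affected_window(history):
    """First MozillaThunderbird 52.x install -> first enigmail >= 1.9.7 install (timestamps taken as UTC)."""
    start = end = None
    for line in history.splitlines():
        f = line.split("|")
        if len(f) < 4 or f[1] != "install":
            continue
        ts = datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S")
        if start is None and f[2] == "MozillaThunderbird" and version_tuple(f[3])[0] == 52:
            start = ts
        if end is None and f[2] == "enigmail" and version_tuple(f[3]) >= (1, 9, 7):
            end = ts
    return start, end

def smime_status(msg):  # classify by Content-Type (RFC 8551): 'signed', 'encrypted' or 'plain'
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and "pkcs7" in (msg.get_param("protocol") or ""):
        return "signed"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return "signed" if msg.get_param("smime-type") == "signed-data" else "encrypted"
    return "plain"

def unprotected_in_window(raw_messages, start, end):  # subjects of mails in the window with no S/MIME protection
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc).replace(tzinfo=None)
        if start <= sent <= end and smime_status(msg) == "plain":
            hits.append(msg["Subject"])
    return hits
```

On a real system, read the history file and iterate over the Sent mbox with the mailbox module instead of the constructed lists; a non-empty result is the list of mails that went out unprotected.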
We don't have git installed anywhere. Doubtless there's some very expensive vendor package that's the company standard instead.
Patching on the fly would take restarting any running processes; I don't know if there are such things with a typical git setup. CVE-2017-1000117 has a CVSS score of 9.3, inflated from SUSE's estimate of 5.8, so it's due 20 Oct.
Ted
On Mon, 2017-08-21 at 18:07 +0200, opensuse-security(a)opensuse.org wrote:
SUSE Security Update: Security update for git
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:2225-1
Rating: important
References: #1052481
Cross-References: CVE-2017-1000117
Affected Products:
SUSE Studio Onsite 1.3
SUSE Linux Enterprise Software Development Kit 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for git fixes the following issues:
- CVE-2017-1000117: an argument injection in SSH URLs could lead to
client-side code execution (bsc#1052481)
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Studio Onsite 1.3:
zypper in -t patch slestso13-git-13235=1
- SUSE Linux Enterprise Software Development Kit 11-SP4:
zypper in -t patch sdksp4-git-13235=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-git-13235=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Studio Onsite 1.3 (x86_64):
git-1.7.12.4-0.18.3.1
git-core-1.7.12.4-0.18.3.1
- SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
git-1.7.12.4-0.18.3.1
git-arch-1.7.12.4-0.18.3.1
git-core-1.7.12.4-0.18.3.1
git-cvs-1.7.12.4-0.18.3.1
git-daemon-1.7.12.4-0.18.3.1
git-email-1.7.12.4-0.18.3.1
git-gui-1.7.12.4-0.18.3.1
git-svn-1.7.12.4-0.18.3.1
git-web-1.7.12.4-0.18.3.1
gitk-1.7.12.4-0.18.3.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
git-debuginfo-1.7.12.4-0.18.3.1
git-debugsource-1.7.12.4-0.18.3.1
References:
https://www.suse.com/security/cve/CVE-2017-1000117.html
https://bugzilla.suse.com/1052481
Given the problems of spyware installed on Lenovo, I checked some time ago on badssl with a page controlling for Superfish etc.
This is now running on
https://badssl.com/dashboard/
When I run that page, all is OK but one value that comes out faulty. AFAIU my system responds (with FF) to a page in a way it shouldn't.
Exactly with a DH1024. Which reads on the site as:
This site uses an ephemeral Diffie-Hellman key exchange
over a 1024-bit group.
I looked it up in Google but did find only that this has been a problem in the past. Could anybody inform me if this is:
a) a Leap problem
b) a FF problem
c) a problem of my laptop (e.g. Intel Management Engine Interface? - it shouldn't as it has been deactivated in the BIOS).
Maybe someone could check if this happens on other Leap systems (some time ago it was the same with Konqueror, which was vulnerable to POODLE, apparently via Qt WebKit if I understood correctly; that should be fixed, however).
Thank you.
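As an added example (not from the original post or from badssl), a check of the property the dashboard reports: it parses the ServerDHParams out of a TLS 1.2 ServerKeyExchange message (RFC 5246, section 7.4.3) and flags a Diffie-Hellman group below 2048 bits, so the group size a server actually offers can be verified from a captured handshake rather than from a web page. The two sample messages are constructed with placeholder moduli of the right size, not real safe primes, and the 2048-bit threshold is this example's own choice.

```python
import struct

DHE_MIN_BITS = 2048  # groups below this (such as the 1024-bit one badssl flags) are treated as weak

def parse_server_dh_params(handshake: bytes):
    """Parse a TLS 1.2 ServerKeyExchange carrying ServerDHParams (dh_p, dh_g, dh_Ys, each
    a 2-byte-length-prefixed vector). Returns (p_bits, g, ys_bits); any signature after Ys is ignored."""
    if handshake[0] != 12:  # HandshakeType server_key_exchange
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body, pos, fields = handshake[4:4 + body_len], 0, []
    for _ in range(3):
        (n,) = struct.unpack_from("!H", body, pos)
        if n == 0 or pos + 2 + n > len(body):
            raise ValueError("truncated ServerDHParams")
        fields.append(int.from_bytes(body[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    p, g, ys = fields
    return p.bit_length(), g, ys.bit_length()

def dhe_group_is_weak(handshake: bytes) -> bool:
    """True when the server offered a DH modulus shorter than DHE_MIN_BITS."""
    p_bits, _, _ = parse_server_dh_params(handshake)
    return p_bits < DHE_MIN_BITS

def build_server_key_exchange(p: int, g: int, ys: int) -> bytes:
    """Constructed test helper: encode ServerDHParams into a ServerKeyExchange without a signature."""
    def vec(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys)
    return bytes([12]) + len(body).to_bytes(3, "big") + body

# Constructed samples: moduli with the bit length of a 1024-bit and a 2048-bit group (placeholders, not primes)
WEAK_1024 = build_server_key_exchange((1 << 1023) | 1, 2, 1 << 1000)
OK_2048 = build_server_key_exchange((1 << 2047) | 1, 2, 1 << 2000)
```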