openSUSE Security August 2017

security@lists.opensuse.org

4 participants
3 discussions

[opensuse-security] (Past) S/MIME(!) encryption problem with openSUSE 42.1/42.2 + Thunderbird 52 + Enigmail <1.9.7 (openSUSE-RU-2017:1363-1)

by 686f6c6d

Greetings (and sorry for this really late mail), I am not sure if this mailing list is the correct address for this, but it affected openSUSE, and you probably know better than me if and how to contact the Thunderbird and Enigmail developers… TLDR: Back in May (2017-05) we noticed the following problem on openSUSE Leap 42.1 and 42.2 with Thunderbird 52 and RPM-installed Enigmail: E-Mail that should have been X.509-signed or -encrypted was sent entirely unencrypted and unsigned, with Thunderbird giving no indication that signing or encrypting had failed. = Our setup = - All of our laptop-using colleagues have personal X.509 certificates on PKCS#11 USB tokens. - Some of them also have personal GPG keys on their laptops or tokens. - Thunderbird signs outgoing mail by default with the X.509 certificate. - Thunderbird encrypts on demand with either X.509 (S/MIME) or GPG key (via Enigmail). = What happened, what was the problem? = - If our users tried to read GPG-encrypted mail in their freshly updated Thunderbird 52, or sign or encrypt via GPG, or even change their Enigmail/GPG config, it failed noisily. So far, so good, this was reported by somebody else 2 days after the release of TB52 as BSC#1038034 (URL in timeline section below). - If our users tried to send S/MIME-signed and/or -encrypted mail, it was "successfully" sent without any error message, but unsigned and unencrypted (reading mail---decrypting and verifying---worked fine). So apparently the fact that Enigmail/GPG encryption was incompatible with Thunderbird 52 broke the whole Thunderbird crypto, including X.509/S-MIME, in such a horrible, invisibly way. (We witnessed this on several laptops and reproduced it with newly created Thunderbird user profiles. Sadly, I don't have any strace because I didn't think of it at the time, and when I did, all users had upgraded. But I assume the problem will return in the future.) = Timeline = 2017-05-06 Release of Thunderbird 52 on openSUSE Leap 42.1 and 42.2 2017-05-08 Bugreport (not by us) that Enigmail isn't working anymore with Thunderbird 52 (https://bugzilla.suse.com/show_bug.cgi?id=1038034, similar reports existed for previous Thunderbird versions) 2017-05-17 EOL openSUSE Leap 42.1, didn't receive a fix. 2017-05-19 Enigmail update for 42.2 only (openSUSE-RU-2017:1363-1, https://lists.opensuse.org/opensuse-updates/2017-05/msg00071.html) = Who was affected? = All of our laptop users running openSUSE 42.1 or 42.2 at that time, - if they had installed the RPM package "enigmail", - if they had updated to Thunderbird 52 (at or after 2017-05-06), - if they hadn't yet updated to Enigmail 1.9.7 (at or after 2017-05-19). (To see if you are/were affected, you should: 1. identify the timespan between installation/update of MozillaThunderbird 52 and Enigmail 1.9.7: grep -i "enigmail\|thunderbird|52" /var/log/zypp/history 2. look through your Thunderbird "Sent" folder for that timespan and see if mails that were supposed to be S/MIME-signed or -encrypted really are signed or encrypted.) = How to get rid of the problem? = Users of openSUSE Leap 42.1 need(ed) to: - remove the system package "enigmail" ("zypper rm enigmail" as root) to avoid similar problems with future Thunderbird updates and - if you do need GPG, install the Thunderbird Add-On of the same name (Extras -> Add-ons -> enter "enigmail" into the search field in the top right -> Enter) and - upgrade to at least 42.2 as soon as possible. Users of 42.2 need(ed) to: - install current system package updates after 2017-05-19 ("zypper ref -f; zypper up" as root; make sure enigmail is at least version 1.9.7) and we recommended to our users to also: - remove the system package "enigmail" (like above) and - if you do need GPG, install the Thunderbird Add-On of the same name (like above). = How to avoid similar problems in the future? = - Fix Thunderbird and/or Enigmail upstream to at least not break silently. - Release openSUSE Thunderbird updates together with Enigmail updates, or introduce a version dependency if possible (I assume it is not that easy on the RPM package level because Enigmail probably works with other Mail client software, too, and hence a dependency on Thunderbird at all would be nonsensical). Thanks for your time and for making openSUSE! -- Kind regards Christopher 'm4z' Holm / 686f6c6d "We must respect the other fellow's religion, but only in the sense and to the extent that we respect his theory that his wife is beautiful and his children smart." --H. L. Mencken -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

4 years, 10 months

[opensuse-security] Re: [security-announce] SUSE-SU-2017:2225-1: important: Security update for git

by tedrb＠wellsfargo.com

We don't have git installed anywhere. Doubtless there's some very expensive vendor package that's the company standard instead. Patching on the fly would take restarting any running processes; I don't know if there are such things with a typical git setup. CVE-2017-1000117 has a VSS score of 9.3 inflated from Suse's estimate of 5.8, so it's due 20 Oct. Ted On Mon, 2017-08-21 at 18:07 +0200, opensuse-security(a)opensuse.org wrote: SUSE Security Update: Security update for git ______________________________________________________________________________ Announcement ID: SUSE-SU-2017:2225-1 Rating: important References: #1052481 Cross-References: CVE-2017-1000117 Affected Products: SUSE Studio Onsite 1.3 SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for git fixes the following issues: - CVE-2017-1000117: an argument injection in SSH URLs could lead to client-side code execution (bsc#1052481) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Studio Onsite 1.3: zypper in -t patch slestso13-git-13235=1 - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-git-13235=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-git-13235=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Studio Onsite 1.3 (x86_64): git-1.7.12.4-0.18.3.1 git-core-1.7.12.4-0.18.3.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): git-1.7.12.4-0.18.3.1 git-arch-1.7.12.4-0.18.3.1 git-core-1.7.12.4-0.18.3.1 git-cvs-1.7.12.4-0.18.3.1 git-daemon-1.7.12.4-0.18.3.1 git-email-1.7.12.4-0.18.3.1 git-gui-1.7.12.4-0.18.3.1 git-svn-1.7.12.4-0.18.3.1 git-web-1.7.12.4-0.18.3.1 gitk-1.7.12.4-0.18.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): git-debuginfo-1.7.12.4-0.18.3.1 git-debugsource-1.7.12.4-0.18.3.1 References: https://www.suse.com/security/cve/CVE-2017-1000117.html https://bugzilla.suse.com/1052481 N��r��y隊Z)z{.��r��/��˛��m�)z{.��+�:�{Zr�az�'z��j)h��Ǭy˫�ܾ� ޮ�^�ˬz��

4 years, 10 months

[opensuse-security] Weired result of a ssl test page with my 42.3 Leap laptop (Lenovo)

by stakanov＠freenet.de

Given the problems of spyware installed on Lenovo I checked time ago on badssl with a page controlling for superfish etc. This is now running on https://badssl.com/dashboard/ When I run that page, all is OK but one value that comes out faulty. AFAIU my system responds (with FF) to a page in a way it shouldn't. Exactly with a DH1024. Which reads on the site as: This site uses an ephemeral Diffie-Hellman key exchange over a 1024-bit group. I looked it up in Google but did find only that this has been a problem in the past. Could anybody inform me if this is: a) a Leap problem b) a FF problem c) a problem of my laptop (e.g. Intel Management Engine Interface? - it shouldn't as it has been deactivated in the BIOS). Maybe someone could check if this happens on other Leap systems (time ago that was the same with konqueror which was vulnerable to poodle (apparently via QT webkit if I did understand well, that should be fixed however). Thank you. Mit freenet Mail sicher kommunizieren! [https://email.freenet.de/emig/index.html?utm_medium=Text&utm_source=Footers…] Wir garantieren Ihnen verschlüsselte Datenübertragung & Datenspeicherung auf deutschen Servern - E-Mail made in Germany! -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

4 years, 11 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security August 2017