Greetings (and sorry for this really late mail), I am not sure if this mailing list is the correct address for this, but it affected openSUSE, and you probably know better than me if and how to contact the Thunderbird and Enigmail developers… TLDR: Back in May (2017-05) we noticed the following problem on openSUSE Leap 42.1 and 42.2 with Thunderbird 52 and RPM-installed Enigmail: E-Mail that should have been X.509-signed or -encrypted was sent entirely unencrypted and unsigned, with Thunderbird giving no indication that signing or encrypting had failed. = Our setup = - All of our laptop-using colleagues have personal X.509 certificates on PKCS#11 USB tokens. - Some of them also have personal GPG keys on their laptops or tokens. - Thunderbird signs outgoing mail by default with the X.509 certificate. - Thunderbird encrypts on demand with either X.509 (S/MIME) or GPG key (via Enigmail). = What happened, what was the problem? = - If our users tried to read GPG-encrypted mail in their freshly updated Thunderbird 52, or sign or encrypt via GPG, or even change their Enigmail/GPG config, it failed noisily. So far, so good, this was reported by somebody else 2 days after the release of TB52 as BSC#1038034 (URL in timeline section below). - If our users tried to send S/MIME-signed and/or -encrypted mail, it was "successfully" sent without any error message, but unsigned and unencrypted (reading mail---decrypting and verifying---worked fine). So apparently the fact that Enigmail/GPG encryption was incompatible with Thunderbird 52 broke the whole Thunderbird crypto, including X.509/S-MIME, in such a horrible, invisibly way. (We witnessed this on several laptops and reproduced it with newly created Thunderbird user profiles. Sadly, I don't have any strace because I didn't think of it at the time, and when I did, all users had upgraded. But I assume the problem will return in the future.) = Timeline = 2017-05-06 Release of Thunderbird 52 on openSUSE Leap 42.1 and 42.2 2017-05-08 Bugreport (not by us) that Enigmail isn't working anymore with Thunderbird 52 (https://bugzilla.suse.com/show_bug.cgi?id=1038034, similar reports existed for previous Thunderbird versions) 2017-05-17 EOL openSUSE Leap 42.1, didn't receive a fix. 2017-05-19 Enigmail update for 42.2 only (openSUSE-RU-2017:1363-1, https://lists.opensuse.org/opensuse-updates/2017-05/msg00071.html) = Who was affected? = All of our laptop users running openSUSE 42.1 or 42.2 at that time, - if they had installed the RPM package "enigmail", - if they had updated to Thunderbird 52 (at or after 2017-05-06), - if they hadn't yet updated to Enigmail 1.9.7 (at or after 2017-05-19). (To see if you are/were affected, you should: 1. identify the timespan between installation/update of MozillaThunderbird 52 and Enigmail 1.9.7: grep -i "enigmail\|thunderbird|52" /var/log/zypp/history 2. look through your Thunderbird "Sent" folder for that timespan and see if mails that were supposed to be S/MIME-signed or -encrypted really are signed or encrypted.) = How to get rid of the problem? = Users of openSUSE Leap 42.1 need(ed) to: - remove the system package "enigmail" ("zypper rm enigmail" as root) to avoid similar problems with future Thunderbird updates and - if you do need GPG, install the Thunderbird Add-On of the same name (Extras -> Add-ons -> enter "enigmail" into the search field in the top right -> Enter) and - upgrade to at least 42.2 as soon as possible. Users of 42.2 need(ed) to: - install current system package updates after 2017-05-19 ("zypper ref -f; zypper up" as root; make sure enigmail is at least version 1.9.7) and we recommended to our users to also: - remove the system package "enigmail" (like above) and - if you do need GPG, install the Thunderbird Add-On of the same name (like above). = How to avoid similar problems in the future? = - Fix Thunderbird and/or Enigmail upstream to at least not break silently. - Release openSUSE Thunderbird updates together with Enigmail updates, or introduce a version dependency if possible (I assume it is not that easy on the RPM package level because Enigmail probably works with other Mail client software, too, and hence a dependency on Thunderbird at all would be nonsensical). Thanks for your time and for making openSUSE! -- Kind regards Christopher 'm4z' Holm / 686f6c6d "We must respect the other fellow's religion, but only in the sense and to the extent that we respect his theory that his wife is beautiful and his children smart." --H. L. Mencken -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org