Two problems in enigmail

ID: SUSE-SU-2018:2243-1
Distribution: SUSE
Platforms: SUSE Linux Enterprise Workstation Extension 15
Date: Wed, 8 August 2018, 07:45
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12019
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
Applications: Enigmail

Original message

   SUSE Security Update: Security update for enigmail
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2243-1
Rating:             moderate
References:         #1094781 #1096745 #1097525
Cross-References:   CVE-2018-12019 CVE-2018-12020
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15
______________________________________________________________________________

   An update that solves two vulnerabilities and has one
   errata is now available.

Description:

   This update for enigmail to 2.0.7 fixes the following issues:

   These security issues were fixed:

   - CVE-2018-12020: Mitigation against GnuPG signature spoofing: Email
     signatures could be spoofed via an embedded "--filename" parameter in
     OpenPGP literal data packets. This update prevents this issue from
     being exploited if GnuPG was not updated (boo#1096745)
   - CVE-2018-12019: The signature verification routine interpreted User IDs
     as status/control messages and did not correctly keep track of the
     status of multiple signatures. This allowed remote attackers to spoof
     arbitrary email signatures via public keys containing crafted primary
     user ids (boo#1097525)
   - Disallow plaintext (literal packets) outside of encrypted packets
   - Replies to a partially encrypted message may have revealed protected
     information
   - No longer display PGP/MIME message part followed by unencrypted data
     (bsc#1094781)
   - Fix signature spoofing via Inline-PGP in HTML mails

   These non-security issues were fixed:

   - Fix filter actions forgetting selected mail folder names
   - Fix compatibility issue with Thunderbird 60b7

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15:

     zypper in -t patch SUSE-SLE-Product-WE-15-2018-1514=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15 (x86_64):

     enigmail-2.0.7-3.7.2

References:

   https://www.suse.com/security/cve/CVE-2018-12019.html
   https://www.suse.com/security/cve/CVE-2018-12020.html
   https://bugzilla.suse.com/1094781
   https://bugzilla.suse.com/1096745
   https://bugzilla.suse.com/1097525

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates
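
As an added illustration of the CVE-2018-12019 description above (not code from Enigmail, GnuPG or SUSE), the following Python parses GnuPG status output line by line, treats user ID text as opaque data, and keeps separate state for each signature. The status keywords are those documented in GnuPG's doc/DETAILS; the function names, the strict acceptance policy and the sample lines are assumptions constructed for this example.

```python
# Line-anchored parsing of GnuPG status-fd output with per-signature state.
STATUS_PREFIX = "[GNUPG:] "
# Per-signature result keywords listed in GnuPG's doc/DETAILS.
RESULT_KEYWORDS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def _new_record():
    return {"result": None, "fingerprint": None, "data": None}

def parse_signatures(status_text):
    """Return one record per signature found in status-fd output."""
    signatures = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # no prefix at column 0: not a status line
        # The keyword is only ever the first token; the rest is opaque data
        # (key ID, user ID, ...) and is never scanned for keywords again.
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        if keyword == "NEWSIG":
            signatures.append(_new_record())
        elif keyword in RESULT_KEYWORDS:
            # A result with no preceding NEWSIG still opens its own record,
            # so one signature's result never overwrites another's.
            if not signatures or signatures[-1]["result"] is not None:
                signatures.append(_new_record())
            signatures[-1].update(result=keyword, data=args)
        elif keyword == "VALIDSIG" and signatures:
            signatures[-1]["fingerprint"] = args.split(" ", 1)[0]
    return signatures

def message_is_signed(signatures):
    """Assumed strict policy: every signature needs GOODSIG and VALIDSIG."""
    return bool(signatures) and all(
        s["result"] == "GOODSIG" and s["fingerprint"] for s in signatures
    )

# Constructed status output: two signatures. The second is bad, and its user
# ID text contains a status keyword, which must remain plain data.
SAMPLE = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111111111111111 Alice Example <alice@example.org>",
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2018-06-01 1527811200 0 4 0 1 8 00 " + "A" * 40,
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 2222222222222222 Bob VALIDSIG " + "B" * 40 + " <bob@example.org>",
])

if __name__ == "__main__":
    for sig in parse_signatures(SAMPLE):
        print(sig["result"], sig["fingerprint"], sig["data"])
    print("accepted:", message_is_signed(parse_signatures(SAMPLE)))
```
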