Bug 23415 - thunderbird-enigmail new security issue fixed upstream in 2.0.8
Summary: thunderbird-enigmail new security issue fixed upstream in 2.0.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-09 19:57 CEST by David Walser
Modified: 2018-08-24 01:36 CEST (History)
CC List: 9 users

See Also:
Source RPM: thunderbird
CVE:
Status comment:



Description David Walser 2018-08-09 19:57:45 CEST
Enigmail 2.0.8 has been released on August 4:
https://www.enigmail.net/index.php/en/download/changelog

openSUSE has issued an advisory for this today (August 9):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00050.html

Mageia 5 and Mageia 6 are also affected.
Comment 1 Marja Van Waes 2018-08-09 21:01:51 CEST
Assigning to the registered maintainer, CC'ing some committers.

CC: (none) => geiger.david68210, lists.jjorge, marja11, mrambo, nicolas.salguero
Assignee: bugsquad => doktor5000

Comment 2 Mike Rambo 2018-08-15 17:51:54 CEST
Note that mga5 was attempted but failed to build.

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated thunderbird package fixes security vulnerabilities:

* Spoofing of Email signatures I: GnuPG 2.2.8 fixed a security bug that allows remote attackers to spoof arbitrary email signatures via the embedded "--filename" parameter in OpenPGP literal data packets. This release of Enigmail prevents the exploit for all versions of GnuPG, i.e. also if GnuPG is not updated (CVE-2018-12020).

* Spoofing of Email signatures II: The signature verification routine in Enigmail interpreted User IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids (CVE-2018-12019).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
https://www.enigmail.net/index.php/en/download/changelog
https://lists.opensuse.org/opensuse-updates/2018-08/msg00050.html
========================

Updated packages in core/updates_testing:
========================
thunderbird-52.9.1-1.1.mga6
thunderbird-enigmail-52.9.1-1.1.mga6

from thunderbird-52.9.1-1.1.mga6.src.rpm

Assignee: doktor5000 => qa-bugs
Version: Cauldron => 6
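
Both items in the advisory above come down to how a caller parses GnuPG's status output: trusting any "[GNUPG:] GOODSIG" text found in merged status/log output (where GnuPG echoes attacker-chosen fields such as the literal-data filename), and not keeping per-signature state or treating the user-ID tail of a GOODSIG line as opaque text. The following is an added illustration, not Enigmail's or GnuPG's code; the status lines and the log line are constructed samples, and the key IDs, fingerprint and user IDs in them are made up.

```python
# Added example: a naive status check beside a per-signature parser for
# GnuPG --status-fd output. The real control is to read status lines from the
# dedicated status fd only (never merged with stderr/log output); the parser
# below additionally tracks one record per signature.
from typing import Dict, List, Optional

STATUS_PREFIX = "[GNUPG:] "
SIG_KEYWORDS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def naive_is_signed_ok(merged_output: str) -> bool:
    """Weak check: a GOODSIG substring anywhere in merged status+log text counts
    as 'verified'. It trusts text GnuPG merely echoes and ignores other signatures."""
    return any("[GNUPG:] GOODSIG" in ln for ln in merged_output.splitlines())


def parse_signatures(status_lines: List[str]) -> List[Dict[str, object]]:
    """Hardened parser: only lines from the status stream count, a new record is
    opened per signature (NEWSIG or a fresh sig keyword), and VALIDSIG only
    validates the record it belongs to. The user-ID tail is stored as opaque text."""
    sigs: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for line in status_lines:
        if not line.startswith(STATUS_PREFIX):
            continue  # log/verbose text is never promoted to a status line
        keyword, _, rest = line[len(STATUS_PREFIX):].partition(" ")
        starts_new = keyword == "NEWSIG" or (
            keyword in SIG_KEYWORDS and (cur is None or cur["keyid"] is not None))
        if starts_new:
            cur = {"keyid": None, "uid": None, "fpr": None, "status": None, "valid": False}
            sigs.append(cur)
        if keyword in SIG_KEYWORDS:
            keyid, _, tail = rest.partition(" ")
            cur.update(keyid=keyid, status=keyword,
                       uid=None if keyword == "ERRSIG" else tail)  # tail: free-form text
        elif keyword == "VALIDSIG" and cur is not None:
            cur["fpr"] = rest.split(" ")[0]
            cur["valid"] = cur["status"] == "GOODSIG"
    return sigs


def all_signatures_valid(status_lines: List[str]) -> bool:
    sigs = parse_signatures(status_lines)
    return bool(sigs) and all(bool(s["valid"]) for s in sigs)


# Constructed sample 1: status stream of a message carrying two signatures, one good, one bad.
STATUS_OK_THEN_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2018-08-04 1533340800 0 4 0 1 10 00",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG FEDCBA9876543210 Mallory <mallory@example.org>",
]
# Constructed sample 2: unsigned message, with --verbose log output mixed into the same
# stream; the echoed filename carries status-looking text that the naive check accepts.
MERGED_SPOOF = "\n".join([
    "gpg: original file name='report.txt [GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>'",
    "[GNUPG:] PLAINTEXT 62 1533340800 report.txt",
    "[GNUPG:] DECRYPTION_OKAY",
])
```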

Comment 3 Herman Viaene 2018-08-17 11:27:20 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, overwriting previous version.
Tested normal mail functions, OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2018-08-23 21:33:25 CEST
Have been using this on 64-bit for several days now, though I don't use enigmail.

Everything I use is working as expected. OK-ing, and validating.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Andrews 2018-08-23 21:39:51 CEST

Whiteboard: MGA6-32-OK MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Thomas Backlund 2018-08-24 00:31:40 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2018-08-24 01:36:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0354.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

