Enigmail 2.0.8 has been released on August 4: https://www.enigmail.net/index.php/en/download/changelog openSUSE has issued an advisory for this today (August 9): https://lists.opensuse.org/opensuse-updates/2018-08/msg00050.html Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer, CC'ing some committers.
CC: (none) => geiger.david68210, lists.jjorge, marja11, mrambo, nicolas.salgueroAssignee: bugsquad => doktor5000
Note that mga5 was attempted but failed to build. Updated package uploaded for cauldron and Mageia 6. Advisory: ======================== Updated thunderbird package fixes security vulnerabilities: * Spoofing of Email signatures I: GnuPG 2.2.8 fixed a security bug that allows remote attackers to spoof arbitrary email signatures via the embedded "--filename" parameter in OpenPGP literal data packets. This release of Enigmail prevents the exploit for all versions of GnuPG, i.e. also if GnuPG is not updated (CVE-2018-12020). *Spoofing of Email signatures II: The signature verification routine in Enigmail interpreted User IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids (CVE-2018-12019). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12019 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020 https://www.enigmail.net/index.php/en/download/changelog https://lists.opensuse.org/opensuse-updates/2018-08/msg00050.html ======================== Updated packages in core/updates_testing: ======================== thunderbird-52.9.1-1.1.mga6 thunderbird-enigmail-52.9.1-1.1.mga6 from thunderbird-52.9.1-1.1.mga6.src.rpm
Assignee: doktor5000 => qa-bugsVersion: Cauldron => 6
MGA6-32 MATE on IBM Thinkpad R50e No installation issues, overwriting previous version. Tested normal mail functions, OK.
Whiteboard: (none) => MGA6-32-OKCC: (none) => herman.viaene
Have been using this on 64-bit for several days now, though I don't use enigmail. Everything I use is working as expected. OK-ing, and validating.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-32-OKKeywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA6-32-OK MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0354.html
Status: NEW => RESOLVEDResolution: (none) => FIXED