SUSE-SU-2018:2243-1

Source
https://www.suse.com/support/update/announcement/2018/suse-su-20182243-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:2243-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:2243-1
Published
2018-08-07T16:05:05Z
Modified
2018-08-07T16:05:05Z
Summary
Security update for enigmail
Details

This update for enigmail to 2.0.7 fixes the following issues:

These security issues were fixed:

  • CVE-2018-12020: Mitigation against GnuPG signature spoofing: Email signatures could be spoofed via an embedded '--filename' parameter in OpenPGP literal data packets. This update prevents this issue from being exploited if GnuPG was not updated (boo#1096745)
  • CVE-2018-12019: The signature verification routine interpreted User IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids (boo#1097525)
  • Disallow plaintext (literal packets) outside of encrypted packets
  • Replies to a partially encrypted message may have revealed protected information - no longer display PGP/MIME message part followed by unencrypted data (bsc#1094781)
  • Fix signature spoofing via Inline-PGP in HTML mails

These non-security issues were fixed:

  • Fix filter actions forgetting selected mail folder names
  • Fix compatibility issue with Thunderbird 60b7
Affected packages

SUSE:Linux Enterprise Workstation Extension 15 / enigmail

Package

Name
enigmail
Purl
pkg:rpm/suse/enigmail&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.7-3.7.2

Ecosystem specific

{
    "binaries": [
        {
            "enigmail": "2.0.7-3.7.2"
        }
    ]
}