Description
Security update for enigmail
This update for enigmail to 2.0.7 fixes the following issues:
These security issues were fixed:
- CVE-2018-12020: Mitigation against GnuPG signature spoofing: email signatures could be spoofed via a crafted file name (the '--filename' parameter) embedded in OpenPGP literal data packets. This update prevents the issue from being exploited even if GnuPG has not been updated (boo#1096745)
- CVE-2018-12019: The signature verification routine interpreted user IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user IDs (boo#1097525)
- Disallow plaintext (literal packets) outside of encrypted packets
- Replies to a partially encrypted message may have revealed protected information: a PGP/MIME message part followed by unencrypted data is no longer displayed (bsc#1094781)
- Fix signature spoofing via inline PGP in HTML mails
These non-security issues were fixed:
- Fix filter actions forgetting selected mail folder names
- Fix compatibility issue with Thunderbird 60b7
Package list
SUSE Linux Enterprise Workstation Extension 15
References
- Link for SUSE-SU-2018:2243-1
- E-Mail link for SUSE-SU-2018:2243-1
- SUSE Security Ratings
- SUSE Bug 1094781
- SUSE Bug 1096745
- SUSE Bug 1097525
- SUSE CVE CVE-2018-12019 page
- SUSE CVE CVE-2018-12020 page
Description
The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.
Affected products
References
- CVE-2018-12019
- SUSE Bug 1097525
Description
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
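Both CVE descriptions above (CVE-2018-12019 for Enigmail, CVE-2018-12020 for GnuPG) come down to the same parsing weakness: a mail client that searches GnuPG's combined "--status-fd 2" output for a GOODSIG anywhere in the text can be fed that text by the attacker, either through a user ID or through a newline smuggled in via the literal packet's file name. The following Python is an added, constructed illustration (not Enigmail's or GnuPG's own code) that compares such a naive parser with a hardened one that accepts only lines beginning with "[GNUPG:] ", keeps the user-ID tail of a verdict line opaque, and tracks each signature separately. It also models the emitter-side fix of escaping control characters in the file name before logging it. All key IDs, user IDs and output samples are made up; the escaping routine is an approximation of the approach, not GnuPG's exact code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, illustrative code: not Enigmail's or GnuPG's own implementation.
STATUS_PREFIX = "[GNUPG:] "
# Keywords that deliver a verdict on one signature (see gnupg doc/DETAILS).
VERDICT_KEYWORDS = {"GOODSIG", "BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG"}


@dataclass
class SigVerdict:
    keyword: Optional[str] = None   # GOODSIG, BADSIG, ... (None: no verdict seen)
    keyid: Optional[str] = None
    uid: str = ""                   # opaque text after the key ID; never re-parsed


def naive_is_signed_by(output: str, expected_keyid: str) -> bool:
    """Vulnerable pattern: grep the whole combined stderr text for a GOODSIG naming
    the expected key, wherever it occurs (inside a user ID, or after a newline
    smuggled in through a file name)."""
    return re.search(r"\[GNUPG:\] GOODSIG " + re.escape(expected_keyid), output) is not None


def parse_status(status_stream: str) -> List[SigVerdict]:
    """Hardened parsing: only a line that starts with the prefix is a status line,
    the user-ID tail is kept opaque, and NEWSIG opens a fresh record so several
    signatures are tracked separately instead of collapsing into one flag."""
    sigs: List[SigVerdict] = []
    current: Optional[SigVerdict] = None
    for line in status_stream.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                      # diagnostic text, not a status message
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        keyword = fields[0]
        if keyword == "NEWSIG":
            current = SigVerdict()
            sigs.append(current)
        elif keyword in VERDICT_KEYWORDS:
            if current is None or current.keyword is not None:
                # Defensive: a verdict without an open record gets its own record.
                current = SigVerdict()
                sigs.append(current)
            current.keyword = keyword
            current.keyid = fields[1] if len(fields) > 1 else None
            current.uid = fields[2] if len(fields) > 2 else ""
    return sigs


def all_signatures_good(sigs: List[SigVerdict], expected_keyid: str) -> bool:
    """True only if at least one signature was verified and every one of them is
    GOODSIG from the expected key; one bad or unknown signature fails the message."""
    return bool(sigs) and all(s.keyword == "GOODSIG" and s.keyid == expected_keyid
                              for s in sigs)


def hardened_is_signed_by(output: str, expected_keyid: str) -> bool:
    return all_signatures_good(parse_status(output), expected_keyid)


def sanitize_for_log(text: str) -> str:
    """Emitter-side mitigation in the spirit of the GnuPG 2.2.8 fix: escape control
    characters in an attacker-controlled string before it is written to the log,
    so it can never start a new line. (Illustrative escaping, not GnuPG's routine.)"""
    return "".join(ch if 0x20 <= ord(ch) < 0x7F else "\\x%02x" % ord(ch) for ch in text)


def verbose_log_line(filename: str, sanitize: bool) -> str:
    """Approximation of gpg's verbose 'original file name' diagnostic, which lands
    in the same stream as the status lines when gpg runs with --status-fd 2."""
    shown = sanitize_for_log(filename) if sanitize else filename
    return f"gpg: original file name='{shown}'\n"


# Constructed samples; key IDs and user IDs are made up.
VICTIM_KEYID = "0123456789ABCDEF"
ATTACKER_KEYID = "FEDCBA9876543210"

# Honest output for a message correctly signed by the victim's key.
GOOD_OUTPUT = ("[GNUPG:] NEWSIG\n"
               f"[GNUPG:] GOODSIG {VICTIM_KEYID} Alice <alice@example.org>\n"
               "[GNUPG:] TRUST_FULLY 0 pgp\n")

# CVE-2018-12020 pattern: the literal packet's file name smuggles a newline plus
# fake status text into the shared log/status stream.
EVIL_FILENAME = f"report.txt\n[GNUPG:] GOODSIG {VICTIM_KEYID} Alice <alice@example.org>"
PLAINTEXT_LINE = "[GNUPG:] PLAINTEXT 62 1528262919 report.txt\n"
UNPATCHED_GPG_OUTPUT = verbose_log_line(EVIL_FILENAME, sanitize=False) + PLAINTEXT_LINE
PATCHED_GPG_OUTPUT = verbose_log_line(EVIL_FILENAME, sanitize=True) + PLAINTEXT_LINE

# CVE-2018-12019 pattern: the attacker signs with their own key, whose primary
# user ID contains status-like text naming the victim's key.
ATTACKER_UID = f"Mallory <m@example.net> [GNUPG:] GOODSIG {VICTIM_KEYID} Alice"
UID_OUTPUT = ("[GNUPG:] NEWSIG\n"
              f"[GNUPG:] GOODSIG {ATTACKER_KEYID} {ATTACKER_UID}\n"
              "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")

# Two signatures, one good from the victim and one bad: not a validly signed message.
MIXED_OUTPUT = GOOD_OUTPUT + f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {ATTACKER_KEYID} Mallory\n"
```

Running the four samples through both parsers shows why the advisory ships a client-side mitigation in addition to the GnuPG fix: the naive parser accepts the spoofed verdict in every attack sample, even with the escaped file name, because it never anchors to a line start; the hardened parser rejects the user-ID and multiple-signature cases on its own, but is still fooled by the unescaped file name when the diagnostic and the status lines share file descriptor 2. Reading status lines from a dedicated descriptor (for example `--status-fd 3`, with stderr consumed separately) keeps the diagnostic out of the status stream regardless of the GnuPG version; that split is an assumption of this example, not the specific mitigation Enigmail 2.0.7 chose.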
Affected products
References
- CVE-2018-12020
- SUSE Bug 1096745
- SUSE Bug 1101134