Security update for enigmail SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1393-1 Final 1 1 2018-05-23T15:50:47Z current 2018-05-23T15:50:47Z 2018-05-23T15:50:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for enigmail This update for enigmail to version 2.0.5 fixes the following issues: Improvements on previous fixes on CVE-2017-17688, boo#1093151 and CVE-2017-17689, boo#1093152 (EFAIL): - do not decrypt MIME parts unnecessarily - improve Error Message for Missing Message Modification Code The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-05/msg00096.html E-Mail link for openSUSE-SU-2018:1393-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub for SUSE Linux Enterprise 12 enigmail-2.0.5-12.1 enigmail-2.0.5-12.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 12 ** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification. CVE-2017-17688 SUSE Package Hub for SUSE Linux Enterprise 12:enigmail-2.0.5-12.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-05/msg00096.html https://www.suse.com/security/cve/CVE-2017-17688.html CVE-2017-17688 https://bugzilla.suse.com/1093151 SUSE Bug 1093151 https://bugzilla.suse.com/1093727 SUSE Bug 1093727 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 https://bugzilla.suse.com/1115719 SUSE Bug 1115719 The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. CVE-2017-17689 SUSE Package Hub for SUSE Linux Enterprise 12:enigmail-2.0.5-12.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-05/msg00096.html https://www.suse.com/security/cve/CVE-2017-17689.html CVE-2017-17689 https://bugzilla.suse.com/1093152 SUSE Bug 1093152 https://bugzilla.suse.com/1093727 SUSE Bug 1093727 https://bugzilla.suse.com/1093969 SUSE Bug 1093969