Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87sh6s5akn.fsf@silverfish.pri>
Date: Wed, 16 May 2018 17:22:32 +1000
From: Brian May <bam@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: PGP/MIME and S/MIME mail clients vulnerabilities

Leo Gaspard <oss-security@....gaspard.ninja> writes:

> Just to add in about Thunderbird with Enigmail after 2.0.0:
>
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060325.html
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060327.html
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060329.html
>
> So it looks like data encrypted with CAST5 (and possibly 3DES?) may be
> at risk even with Enigmail 2.0.0, with what I guess is latest GnuPG
> (don't know whether it is with 1.4, 2.2 or both, though), likely due to
> a GnuPG bug.

>From https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060361.html:

"We should also be very careful to note that none of this discussion
thread applies to the MIME concatenation vulnerability, which is a
problem in Thunderbird and other mail clients, and which cannot be
solved by gnupg."
-- 
Brian May <bam@...ian.org>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.