oss-sec mailing list archives
Re: PGP/MIME and S/MIME mail clients vulnerabilities
From: Christian Brabandt <cb () 256bit org>
Date: Mon, 14 May 2018 12:29:51 +0200
On Mo, 14 Mai 2018, Yves-Alexis Perez wrote:
I guess most people have already saw this, but just in case, it seems that a vulnerability in PGP/MIME and S/MIME handling in various mail clients will be published tomorrow. Debian Security team didn't get any private information yet, but there have been multiple twitter threads and blog posts published already: https://twitter.com/seecurity/status/995906576170053633 https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime- bugs-can-reveal-encrypted-e-mails-uninstall-now/ https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities- require-you-take-action-now GnuPG has posted a tweet (https://twitter.com/gnupg/status/995931083584757760) indicating it's likely a vulnerability in mail clients themselves and not in the protocol, and which is related to HTML mail handling. The vulnerabilities apparently enable an attacker to decrypt previous mails, but my (wild) guess is that the attack actually requests decryption from the mail client (which has access to the private key), rather than by actually decrypting itself.
Looks like details have just been published: https://efail.de/ Best, Christian -- Ein Flirt ohne tiefere Absicht ist ungefähr so sinnvoll wie ein Fahrplan ohne Eisenbahn. -- William Somerset Maugham
Current thread:
- PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 14)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Jakub Wilk (May 14)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Christian Brabandt (May 14)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 14)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Brian May (May 15)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 15)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Leo Gaspard (May 15)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Brian May (May 16)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Brian May (May 16)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 14)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Yves-Alexis Perez (May 16)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Matthew Fernandez (May 16)
- Re: PGP/MIME and S/MIME mail clients vulnerabilities Florian Weimer (May 22)