oss-sec mailing list archives

Re: PGP/MIME and S/MIME mail clients vulnerabilities


From: Brian May <bam () debian org>
Date: Wed, 16 May 2018 17:22:32 +1000

Leo Gaspard <oss-security@leo.gaspard.ninja> writes:

> Just to add in about Thunderbird with Enigmail after 2.0.0:
>
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060325.html
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060327.html
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060329.html
>
> So it looks like data encrypted with CAST5 (and possibly 3DES?) may be
> at risk even with Enigmail 2.0.0, with what I guess is latest GnuPG
> (don't know whether it is with 1.4, 2.2 or both, though), likely due to
> a GnuPG bug.

From https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060361.html:

"We should also be very careful to note that none of this discussion
thread applies to the MIME concatenation vulnerability, which is a
problem in Thunderbird and other mail clients, and which cannot be
solved by gnupg."
-- 
Brian May <bam () debian org>

