enigmail-2.2.4-1.4 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10736-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z enigmail-2.2.4-1.4 on GA media These are all security issues fixed in the enigmail-2.2.4-1.4 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10736 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-17688/ SUSE CVE CVE-2017-17688 page https://www.suse.com/security/cve/CVE-2017-17689/ SUSE CVE CVE-2017-17689 page https://www.suse.com/security/cve/CVE-2018-12019/ SUSE CVE CVE-2018-12019 page https://www.suse.com/security/cve/CVE-2018-12020/ SUSE CVE CVE-2018-12020 page https://www.suse.com/security/cve/CVE-2019-12269/ SUSE CVE CVE-2019-12269 page openSUSE Tumbleweed enigmail-2.2.4-1.4 enigmail-2.2.4-1.4 as a component of openSUSE Tumbleweed ** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification. CVE-2017-17688 openSUSE Tumbleweed:enigmail-2.2.4-1.4 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-17688.html CVE-2017-17688 https://bugzilla.suse.com/1093151 SUSE Bug 1093151 https://bugzilla.suse.com/1093727 SUSE Bug 1093727 https://bugzilla.suse.com/1093971 SUSE Bug 1093971 https://bugzilla.suse.com/1093973 SUSE Bug 1093973 https://bugzilla.suse.com/1115719 SUSE Bug 1115719 The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. CVE-2017-17689 openSUSE Tumbleweed:enigmail-2.2.4-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-17689.html CVE-2017-17689 https://bugzilla.suse.com/1093152 SUSE Bug 1093152 https://bugzilla.suse.com/1093727 SUSE Bug 1093727 https://bugzilla.suse.com/1093969 SUSE Bug 1093969 The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids. CVE-2018-12019 openSUSE Tumbleweed:enigmail-2.2.4-1.4 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12019.html CVE-2018-12019 https://bugzilla.suse.com/1097525 SUSE Bug 1097525 mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. CVE-2018-12020 openSUSE Tumbleweed:enigmail-2.2.4-1.4 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12020.html CVE-2018-12020 https://bugzilla.suse.com/1096745 SUSE Bug 1096745 https://bugzilla.suse.com/1101134 SUSE Bug 1101134 Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PGP message, an attacker can cause the product to display a "correctly signed" message indication, but display different unauthenticated text. CVE-2019-12269 openSUSE Tumbleweed:enigmail-2.2.4-1.4 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-12269.html CVE-2019-12269 https://bugzilla.suse.com/1135855 SUSE Bug 1135855