Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 584
Alerts This Week
Warning Icon 1 584

SUSE: 2018:2243-1 Moderate: Enigmail Spoofing Fix and Update

suse
Calendar Grey August 7, 2018
Scroller Suse
A security patch for Enigmail addresses two vulnerabilities in SUSE 15. Apply the most recent updates to improve email security and reliability.
An update that solves two vulnerabilities and has one errata is now available

Summary

This update for enigmail to 2.0.7 fixes the following issues: These security issues were fixed: - CVE-2018-12020: Mitigation against GnuPG signature spoofing: Email signatures could be spoofed via an embedded "--filename" parameter in OpenPGP literal data packets. This update prevents this issue from being exploited if GnuPG was not updated (boo#1096745) - CVE-2018-12019: The signature verification routine interpreted User IDs as status/control messages and did not correctly keep track of the status of multiple signatures. This allowed remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids (boo#1097525) - Disallow plaintext (literal packets) outside of encrpyted packets - Replies to a partially encrypted message may have revealed protected

References

#1094781 #1096745 #1097525

Cross- CVE-2018-12019 CVE-2018-12020

Affected Products:

SUSE Linux Enterprise Workstation Extension 15

https://www.suse.com/security/cve/CVE-2018-12019.html

https://www.suse.com/security/cve/CVE-2018-12020.html

https://bugzilla.suse.com/1094781

https://bugzilla.suse.com/1096745

https://bugzilla.suse.com/1097525

Announcement ID: SUSE-SU-2018:2243-1
Rating: moderate

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.