Date: Thu, 21 Aug 2014 23:34:12 -0400 (EDT)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Enigmail warning

> http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

This seems to discuss at least two non-identical issues.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#b315
and http://sourceforge.net/p/enigmail/bugs/294/ are about "an email
with only Bcc recipients is sent in plain text." This is assigned
CVE-2014-5369.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#10f1
and
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#0a5a
are about one or more issues in which there is unexpected cleartext
e-mail transmission unrelated to use of Bcc. This perhaps requires a
non-default configuration. It is conceivable -- although perhaps
unlikely -- that the problem is a UI bug (e.g., an encryption choice
is presented even when the product is configured to never use
encryption). In any case, none of this has a CVE assignment yet. There
isn't enough information to determine whether to assign zero, one, or
two additional CVE IDs. The scope of CVE-2014-5369 is only the
behavior that occurs when all recipients are Bcc recipients.

Finally, these are additional (possibly related) references that
haven't yet been mentioned on oss-security:

  http://sourceforge.net/p/enigmail/bugs/290/
  http://twitter.com/mtigas/statuses/494228366028210176/photo/1

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]