Date: Thu, 21 Aug 2014 23:34:12 -0400 (EDT)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Enigmail warning

> http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

This seems to discuss at least two non-identical issues.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#b315
and http://sourceforge.net/p/enigmail/bugs/294/ are about "an email
with only Bcc recipients is sent in plain text." This is assigned
CVE-2014-5369.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#10f1
and
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#0a5a
are about one or more issues in which there is unexpected cleartext
e-mail transmission unrelated to use of Bcc. This perhaps requires a
non-default configuration. It is conceivable -- although perhaps
unlikely -- that the problem is a UI bug (e.g., an encryption choice
is presented even when the product is configured to never use
encryption). In any case, none of this has a CVE assignment yet. There
isn't enough information to determine whether to assign zero, one, or
two additional CVE IDs. The scope of CVE-2014-5369 is only the
behavior that occurs when all recipients are Bcc recipients.

Finally, these are additional (possibly related) references that
haven't yet been mentioned on oss-security:

  http://sourceforge.net/p/enigmail/bugs/290/
  http://twitter.com/mtigas/statuses/494228366028210176/photo/1

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
