Date: Mon, 14 May 2018 10:05:20 +0200 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com Subject: PGP/MIME and S/MIME mail clients vulnerabilities I guess most people have already saw this, but just in case, it seems that a vulnerability in PGP/MIME and S/MIME handling in various mail clients will be published tomorrow. Debian Security team didn't get any private information yet, but there have been multiple twitter threads and blog posts published already: https://twitter.com/seecurity/status/995906576170053633 https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime- bugs-can-reveal-encrypted-e-mails-uninstall-now/ https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities- require-you-take-action-now GnuPG has posted a tweet (https://twitter.com/gnupg/status/995931083584757760) indicating it's likely a vulnerability in mail clients themselves and not in the protocol, and which is related to HTML mail handling. The vulnerabilities apparently enable an attacker to decrypt previous mails, but my (wild) guess is that the attack actually requests decryption from the mail client (which has access to the private key), rather than by actually decrypting itself. Regards, -- Yves-Alexis Perez - Debian Security Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ