Date: Mon, 14 May 2018 12:29:51 +0200
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: Re: PGP/MIME and S/MIME mail clients vulnerabilities

On Mon, 14 May 2018, Yves-Alexis Perez wrote:

> I guess most people have already seen this, but just in case, it seems that a
> vulnerability in PGP/MIME and S/MIME handling in various mail clients will be
> published tomorrow.
>
> Debian Security team didn't get any private information yet, but there have
> been multiple twitter threads and blog posts published already:
>
> https://twitter.com/seecurity/status/995906576170053633
> https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>
> GnuPG has posted a tweet (https://twitter.com/gnupg/status/995931083584757760)
> indicating it's likely a vulnerability in mail clients themselves and not in
> the protocol, and which is related to HTML mail handling.
>
> The vulnerabilities apparently enable an attacker to decrypt previous mails,
> but my (wild) guess is that the attack actually requests decryption from the
> mail client (which has access to the private key), rather than by actually
> decrypting itself.

Looks like details have just been published:
https://efail.de/

Best,
Christian
--
A flirt without deeper intent is about as sensible as a timetable
without a railway.
		-- William Somerset Maugham