Date: Mon, 14 May 2018 12:29:51 +0200
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: Re: PGP/MIME and S/MIME mail clients vulnerabilities


On Mon, 14 May 2018, Yves-Alexis Perez wrote:

> I guess most people have already seen this, but just in case, it seems that a
> vulnerability in PGP/MIME and S/MIME handling in various mail clients will be
> published tomorrow.
> 
> Debian Security team didn't get any private information yet, but there have
> been multiple twitter threads and blog posts published already:
> 
> https://twitter.com/seecurity/status/995906576170053633
> https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> 
> GnuPG has posted a tweet (https://twitter.com/gnupg/status/995931083584757760)
> indicating it's likely a vulnerability in mail clients themselves and not in
> the protocol, and which is related to HTML mail handling.
> 
> The vulnerabilities apparently enable an attacker to decrypt previous mails,
> but my (wild) guess is that the attack actually requests decryption from the
> mail client (which has access to the private key), rather than by actually
> decrypting itself.

Looks like details have just been published:
https://efail.de/

Best,
Christian
-- 
A flirtation without deeper intent is about as meaningful as a
timetable without a railway.
		-- William Somerset Maugham
