Date: Thu, 21 Aug 2014 23:34:12 -0400 (EDT)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Enigmail warning

> http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

This seems to discuss at least two non-identical issues.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#b315 and
http://sourceforge.net/p/enigmail/bugs/294/ are about "an email with only
Bcc recipients is sent in plain text." This is assigned CVE-2014-5369.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#10f1 and
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#0a5a are
about one or more issues in which there is unexpected cleartext e-mail
transmission unrelated to use of Bcc. This perhaps requires a non-default
configuration. It is conceivable -- although perhaps unlikely -- that the
problem is a UI bug (e.g., an encryption choice is presented even when the
product is configured to never use encryption). In any case, none of this
has a CVE assignment yet. There isn't enough information to determine
whether to assign zero, one, or two additional CVE IDs. The scope of
CVE-2014-5369 is only the behavior that occurs when all recipients are Bcc
recipients.

Finally, these are additional (possibly related) references that haven't
yet been mentioned on oss-security:

  http://sourceforge.net/p/enigmail/bugs/290/
  http://twitter.com/mtigas/statuses/494228366028210176/photo/1

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]