Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 21 Aug 2014 23:34:12 -0400 (EDT)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Enigmail warning

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

This seems to discuss at least two non-identical issues.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#b315
and http://sourceforge.net/p/enigmail/bugs/294/ are about "an email
with only Bcc recipients is sent in plain text." This is assigned
CVE-2014-5369.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#10f1
and
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#0a5a
are about one or more issues in which there is unexpected cleartext
e-mail transmission unrelated to use of Bcc. This perhaps requires a
non-default configuration. It is conceivable -- although perhaps
unlikely -- that the problem is a UI bug (e.g., an encryption choice
is presented even when the product is configured to never use
encryption). In any case, none of this has a CVE assignment yet. There
isn't enough information to determine whether to assign zero, one, or
two additional CVE IDs. The scope of CVE-2014-5369 is only the
behavior that occurs when all recipients are Bcc recipients.

Finally, these are additional (possibly related) references that
haven't yet been mentioned on oss-security:

  http://sourceforge.net/p/enigmail/bugs/290/
  http://twitter.com/mtigas/statuses/494228366028210176/photo/1

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT9rkoAAoJEKllVAevmvmsBKUH/23mh9gvRZfW64TJtc6cj2Wa
1l6Gv6bpqAh0hSdhhQGEC25+C3YR8TTzJaUcIciyUGidCQ/p3rF/ORRcAx4Ptsae
N5cvXFT6/Ep2lpaJF+Opi3buoJ1O0w6P2PQN+qif6mcIQFjH2GFRdGwKqEFlcW9j
Of4a1vMC2YCDfqk8hTWdsqCzgCi1eOOe3xmQOTL/uUR3ilgdk1KkqhBaHUqhYX+x
JaEVPyVZPRJqH+8QZJNYmKbU5JV1UUMK5IvuQoT+eKyYLIvY+Z1PVRYQPVITOxTZ
hSiBXBrhRbmgixDb05IBHamuE83nXDEkm/j7sx6ezaEEl7Xv0DwMLYwxVl155sc=
=x0nf
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.