lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051020133155.GA24842@piware.de>
Date: Thu Oct 20 14:31:51 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-211-1] Enigmail vulnerability

===========================================================
Ubuntu Security Notice USN-211-1	   October 20, 2005
enigmail vulnerability
CVE-2005-3256
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

mozilla-enigmail
mozilla-thunderbird-enigmail

The problem can be corrected by upgrading the affected package to
version 2:0.92.1-0ubuntu04.10 (for Ubuntu 4.10), 2:0.92.1-0ubuntu05.04
(for Ubuntu 5.04), or 2:0.92.1-0ubuntu05.10 (for Ubuntu 5.10).  You
need to restart Thunderbird and Mozilla Mail after a standard system
upgrade to effect the necessary changes.

Details follow:

Hadmut Danish discovered an information disclosure vulnerability in
the key selection dialog of the Mozilla/Thunderbird enigmail plugin.
If a user's keyring contained a key with an empty user id (i. e. a
key without a name and email address), this key was selected by
default when the user attempted to send an encrypted email. Unless
this empty key was manually deselected, the message got encrypted for
that empty key, whose owner could then decrypt it.

Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu04.10.diff.gz
      Size/MD5:    16913 6ff11a719f59e60cac6e702f1dd410c0
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu04.10.dsc
      Size/MD5:      894 cbe074b5b608f73739ee476b317e149a
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1.orig.tar.gz
      Size/MD5:  2041938 5225bb1b406e9242c38cf9ac6c3d6dd0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu04.10_amd64.deb
      Size/MD5:   327100 5043628174e9d2e014e2102286872c69
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu04.10_amd64.deb
      Size/MD5:   333094 9188353e11c241043eb54658515d8fc1

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu04.10_i386.deb
      Size/MD5:   310862 af28ae1970c450b5ace35e9e17f6bcb6
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu04.10_i386.deb
      Size/MD5:   318472 88607d4f343d619aba364555c114a153

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu04.10_powerpc.deb
      Size/MD5:   313064 f858e6ac1a42de80bc4083b0a2d5d804
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu04.10_powerpc.deb
      Size/MD5:   320300 3f58924747c3599b93c8631775945bba

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu05.04.diff.gz
      Size/MD5:    16905 e4c40b2f6c45cf50ad972d2d019a5216
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu05.04.dsc
      Size/MD5:      894 c427511288542d47a4c836fb29c0b36b
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1.orig.tar.gz
      Size/MD5:  2041938 5225bb1b406e9242c38cf9ac6c3d6dd0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.04_amd64.deb
      Size/MD5:   327106 39692367cc984f18affbf9132de60a2e
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.04_amd64.deb
      Size/MD5:   333142 1c39e0a03a862de983546bb179194552

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.04_i386.deb
      Size/MD5:   310900 71d2030feb26c86dfd4996c7bfbd3515
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.04_i386.deb
      Size/MD5:   318546 a53412b32cfbb827bafb3a12008623f4

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.04_powerpc.deb
      Size/MD5:   313178 57560d7805cf27f67a53ad8eb5d7a48d
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.04_powerpc.deb
      Size/MD5:   320290 baa19a348d474e43f5a2ed941063264d

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu05.10.diff.gz
      Size/MD5:    16956 287803d8329da4340b76aa42e2fd85a8
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu05.10.dsc
      Size/MD5:      860 c3f040e311b07b6bccfe7d6bbdd6d768
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1.orig.tar.gz
      Size/MD5:  2041938 5225bb1b406e9242c38cf9ac6c3d6dd0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.10_amd64.deb
      Size/MD5:   328668 0a2d6918b08165641a2d2cfc226f9665
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.10_amd64.deb
      Size/MD5:   334360 118ed113e6a44a2b55897327b54cf232

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.10_i386.deb
      Size/MD5:   311028 4f8d3a8762cb32fd71520db787bcb00a
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.10_i386.deb
      Size/MD5:   318552 e9b84e919736b464d0aa5ecd4b787095

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.10_powerpc.deb
      Size/MD5:   314100 304d26ebd5cc7dba9a1ad7d8a2dd71e7
    http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.10_powerpc.deb
      Size/MD5:   321304 db893d45a046e51aa5f457ec3030e4d5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051020/8efe3039/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ