List:       oss-security
Subject:    [oss-security] Re: Enigmail warning
From:       cve-assign () mitre ! org
Date:       2014-08-22 3:34:12
Message-ID: 20140822033412.B31F61F067E () smtpksrv1 ! mitre ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/

This seems to discuss at least two non-identical issues.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#b315
and http://sourceforge.net/p/enigmail/bugs/294/ are about "an email
with only Bcc recipients is sent in plain text." This is assigned
CVE-2014-5369.

http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#10f1
and
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#0a5a
are about one or more issues in which there is unexpected cleartext
e-mail transmission unrelated to use of Bcc. This perhaps requires a
non-default configuration. It is conceivable -- although perhaps
unlikely -- that the problem is a UI bug (e.g., an encryption choice
is presented even when the product is configured to never use
encryption). In any case, none of this has a CVE assignment yet. There
isn't enough information to determine whether to assign zero, one, or
two additional CVE IDs. The scope of CVE-2014-5369 is only the
behavior that occurs when all recipients are Bcc recipients.

Finally, these are additional (possibly related) references that
haven't yet been mentioned on oss-security:

  http://sourceforge.net/p/enigmail/bugs/290/
  http://twitter.com/mtigas/statuses/494228366028210176/photo/1

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

-----END PGP SIGNATURE-----