USN-211-1: Enigmail vulnerability
Posted on: 10/20/2005 02:42 PM

A new Enigmail vulnerability update is available for Ubuntu Linux. Here is the announcement:

Ubuntu Security Notice USN-211-1 October 20, 2005
enigmail vulnerability
CVE-2005-3256
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

mozilla-enigmail
mozilla-thunderbird-enigmail

The problem can be corrected by upgrading the affected package to
version 2:0.92.1-0ubuntu04.10 (for Ubuntu 4.10), 2:0.92.1-0ubuntu05.04
(for Ubuntu 5.04), or 2:0.92.1-0ubuntu05.10 (for Ubuntu 5.10). You
need to restart Thunderbird and Mozilla Mail after a standard system
upgrade to effect the necessary changes.

Details follow:

Hadmut Danish discovered an information disclosure vulnerability in
the key selection dialog of the Mozilla/Thunderbird enigmail plugin.
If a user's keyring contained a key with an empty user id (i.e. a
key without a name and email address), this key was selected by
default when the user attempted to send an encrypted email. Unless
this empty key was manually deselected, the message got encrypted for
that empty key, whose owner could then decrypt it.
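
The keyring condition described above can be checked for directly. The following is an added example, not part of the Ubuntu notice or of Enigmail: it parses `gpg --with-colons --list-keys` output and reports keys that carry an empty user ID. The function names and the sample listing are constructed for illustration.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output; key IDs, names
# and hashes are made up. Field 1 = record type, field 5 = key ID (pub),
# field 10 = user ID. Keys A/B use the GnuPG 1.x layout (primary user ID on
# the pub line), key C the layout with separate uid records.
SAMPLE_LISTING = """\
tru::1:1129800000:0:3:1:5
pub:u:1024:17:AAAAAAAA11111111:2005-01-10:::u:Alice Example <alice@example.org>::scESC:
sub:u:2048:16:AAAAAAAA22222222:2005-01-10::::::e:
pub:-:1024:17:BBBBBBBB11111111:2005-03-02:::-:::scESC:
sub:-:2048:16:BBBBBBBB22222222:2005-03-02::::::e:
pub:-:2048:1:CCCCCCCC11111111:1130000000:::-:::scESC:
uid:-::::1130000000::0000000000000000::Bob Example <bob@example.org>:
uid:-::::1130000000::1111111111111111:::
"""


def _user_id(fields):
    """Field 10 with gpg's \\xNN escapes decoded and whitespace stripped."""
    raw = fields[9] if len(fields) > 9 else ""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), raw).strip()


def keys_with_empty_uid(listing):
    """Return IDs of keys that carry an empty user ID or none at all."""
    counts = {}      # key ID -> [named user IDs, empty user IDs]
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            current = counts.setdefault(fields[4], [0, 0])
            if _user_id(fields):        # primary user ID on the pub line
                current[0] += 1
        elif fields[0] == "uid" and current is not None:
            current[0 if _user_id(fields) else 1] += 1
    return [kid for kid, (named, empty) in counts.items()
            if empty or not named]


if __name__ == "__main__":
    for key_id in keys_with_empty_uid(SAMPLE_LISTING):
        print("empty user ID, review before encrypting:", key_id)
```

Feed it the output of `gpg --with-colons --list-keys`; on GnuPG 1.x add `--fixed-list-mode` so every user ID, including the primary one, appears as its own uid record.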

Updated packages for Ubuntu 4.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu04.10.diff.gz
Size/MD5: 16913 6ff11a719f59e60cac6e702f1dd410c0
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu04.10.dsc
Size/MD5: 894 cbe074b5b608f73739ee476b317e149a
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1.orig.tar.gz
Size/MD5: 2041938 5225bb1b406e9242c38cf9ac6c3d6dd0

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu04.10_amd64.deb
Size/MD5: 327100 5043628174e9d2e014e2102286872c69
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu04.10_amd64.deb
Size/MD5: 333094 9188353e11c241043eb54658515d8fc1

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu04.10_i386.deb
Size/MD5: 310862 af28ae1970c450b5ace35e9e17f6bcb6
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu04.10_i386.deb
Size/MD5: 318472 88607d4f343d619aba364555c114a153

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu04.10_powerpc.deb
Size/MD5: 313064 f858e6ac1a42de80bc4083b0a2d5d804
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu04.10_powerpc.deb
Size/MD5: 320300 3f58924747c3599b93c8631775945bba

Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu05.04.diff.gz
Size/MD5: 16905 e4c40b2f6c45cf50ad972d2d019a5216
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu05.04.dsc
Size/MD5: 894 c427511288542d47a4c836fb29c0b36b
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1.orig.tar.gz
Size/MD5: 2041938 5225bb1b406e9242c38cf9ac6c3d6dd0

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.04_amd64.deb
Size/MD5: 327106 39692367cc984f18affbf9132de60a2e
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.04_amd64.deb
Size/MD5: 333142 1c39e0a03a862de983546bb179194552

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.04_i386.deb
Size/MD5: 310900 71d2030feb26c86dfd4996c7bfbd3515
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.04_i386.deb
Size/MD5: 318546 a53412b32cfbb827bafb3a12008623f4

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.04_powerpc.deb
Size/MD5: 313178 57560d7805cf27f67a53ad8eb5d7a48d
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.04_powerpc.deb
Size/MD5: 320290 baa19a348d474e43f5a2ed941063264d

Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu05.10.diff.gz
Size/MD5: 16956 287803d8329da4340b76aa42e2fd85a8
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1-0ubuntu05.10.dsc
Size/MD5: 860 c3f040e311b07b6bccfe7d6bbdd6d768
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.1.orig.tar.gz
Size/MD5: 2041938 5225bb1b406e9242c38cf9ac6c3d6dd0

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.10_amd64.deb
Size/MD5: 328668 0a2d6918b08165641a2d2cfc226f9665
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.10_amd64.deb
Size/MD5: 334360 118ed113e6a44a2b55897327b54cf232

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.10_i386.deb
Size/MD5: 311028 4f8d3a8762cb32fd71520db787bcb00a
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.10_i386.deb
Size/MD5: 318552 e9b84e919736b464d0aa5ecd4b787095

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92.1-0ubuntu05.10_powerpc.deb
Size/MD5: 314100 304d26ebd5cc7dba9a1ad7d8a2dd71e7
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92.1-0ubuntu05.10_powerpc.deb
Size/MD5: 321304 db893d45a046e51aa5f457ec3030e4d5


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_211_1_enigmail_vulnerability.html)