Your message dated Sun, 17 Mar 2019 23:24:13 +0100
with message-id <4145727.q3mdy22fzh@tuxin>
and subject line Re: Bug#898634: kmail: efail attack against S/MIME
has caused the Debian Bug report #898634,
regarding kmail: efail attack against S/MIME
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
898634: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898634
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: kmail: efail attack against S/MIME
- From: Yves-Alexis Perez <corsac@debian.org>
- Date: Mon, 14 May 2018 15:33:02 +0200
- Message-id: <152630478232.31531.13923733201808973896.reportbug@scapa>
Source: kmail
Severity: grave
Tags: security
Justification: user security hole

Hi,

as you may already know, a paper was published this morning describing a
vulnerability known as efail against S/MIME and PGP/MIME implementations in
various mail clients.

This vulnerability allows an attacker with read/write access to encrypted mail
to retrieve the plaintext provided HTML mails are enabled, as well as loading
of remote content.

The paper indicates that the PGP/MIME implementation in kmail is not
vulnerable, but the S/MIME is. It might be possible that the vulnerability is
in an underlying library, so feel free to reassign if needed.

It's likely we'll have to issue a DSA for this.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
- To: security@debian.org
- Cc: 898634-done@bugs.debian.org
- Subject: Re: Bug#898634: kmail: efail attack against S/MIME
- From: Sandro Knauß <hefee@debian.org>
- Date: Sun, 17 Mar 2019 23:24:13 +0100
- Message-id: <4145727.q3mdy22fzh@tuxin>
- In-reply-to: <20190315073214.GA22126@eldamar.local>
- References: <152630478232.31531.13923733201808973896.reportbug@scapa> <f08635ac470dba7f5d37e31b4cd3690ef2852fb3.camel@debian.org> <20190315073214.GA22126@eldamar.local>
Hey Salvatore,

> According to the update in the security-tracker done by Moritz for
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed21bb0c20a2272745fb959f4c1da58a44ce32e7#4716ef5aa8f2742228ba3b3633215c8b808565e3_72290_72286
>
> we might close this related issue for kmail, but not doing so, prefer
> to leave it to you in case you agree.

Thanks for finding one of the leftovers of efail. This one can be closed. Both
sub issues (#899127, #899128) fixed the issue inside Debian.

hefee

Attachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---