===========================================================
Ubuntu Security Notice USN-211-1           October 20, 2005
enigmail vulnerability
CVE-2005-3256
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

mozilla-enigmail
mozilla-thunderbird-enigmail

The problem can be corrected by upgrading the affected package to
version 2:0.92.1-0ubuntu04.10 (for Ubuntu 4.10), 2:0.92.1-0ubuntu05.04
(for Ubuntu 5.04), or 2:0.92.1-0ubuntu05.10 (for Ubuntu 5.10). You
need to restart Thunderbird and Mozilla Mail after a standard system
upgrade to effect the necessary changes.

Details follow:

Hadmut Danish discovered an information disclosure vulnerability in
the key selection dialog of the Mozilla/Thunderbird enigmail plugin.
If a user's keyring contained a key with an empty user id (i.e. a key
without a name and email address), this key was selected by default
when the user attempted to send an encrypted email. Unless this empty
key was manually deselected, the message got encrypted for that empty
key, whose owner could then decrypt it.
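Added example (not part of the original notice and not enigmail code): a keyring audit that flags public keys with an empty user id, the precondition described above. It parses GnuPG's colon-delimited listing format; the sample listing, key IDs and names are constructed, and the function name is hypothetical.

```python
# Audit a GnuPG colon-format key listing for public keys that carry an
# empty user ID (or no user ID at all).

# Constructed sample listing; key IDs, dates and names are made up.
SAMPLE_LISTING = """\
tru::1:1129800000:0:3:1:5
pub:u:1024:17:AAAAAAAAAAAAAAA1:1129000000:::u:::scESC:
uid:u::::1129000000::X::Alice Example <alice@example.org>:
sub:u:2048:16:AAAAAAAAAAAAAAA2:1129000000::::::e:
pub:-:1024:17:BBBBBBBBBBBBBBB1:1129000001:::-:::scESC:
uid:-::::1129000001::X:::
sub:-:2048:16:BBBBBBBBBBBBBBB2:1129000001::::::e:
pub:-:1024:17:CCCCCCCCCCCCCCC1:1129000002:::-:Bob Example <bob@example.org>::scESC:
sub:-:2048:16:CCCCCCCCCCCCCCC2:1129000002::::::e:
"""


def keys_with_empty_uid(listing):
    """Return IDs of public keys that have a blank user ID or none at all."""
    keys = {}       # key ID -> user ID strings seen for that key
    current = None  # key ID of the most recent "pub" record
    for line in listing.splitlines():
        # Pad so that short or truncated records never raise IndexError.
        f = line.split(":") + [""] * 10
        if f[0] == "pub":
            current = f[4]
            # Older GnuPG output puts the primary user ID in field 10 of
            # the pub record; newer output leaves it empty and emits
            # separate uid records instead.
            keys[current] = [f[9]] if f[9].strip() else []
        elif f[0] == "uid" and current is not None:
            keys[current].append(f[9])
    return [kid for kid, uids in keys.items()
            if not uids or any(not u.strip() for u in uids)]


if __name__ == "__main__":
    for key_id in keys_with_empty_uid(SAMPLE_LISTING):
        print("public key with empty user id:", key_id)
```

To audit a real keyring, pass the function the output of `gpg --list-keys --with-colons`.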