Debian Bug report logs - #335731
security issue in enigmail package (CAN-2005-3256)

Package: enigmail; Maintainer for enigmail is Debian Mozilla Extension Maintainers <pkg-mozext-maintainers@lists.alioth.debian.org>; Source for enigmail is src:enigmail.

Reported by: Alexander Sack <asac@debian.org>

Date: Tue, 25 Oct 2005 17:18:02 UTC

Severity: grave

Tags: patch, security

Found in version enigmail/2:0.91-4

Fixed in version 2:0.93-1

Done: Alexander Sack <asac@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>:
Bug#335731; Package enigmail.

Acknowledgement sent to Alexander Sack <asac@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Alexander Sack <asac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security issue in enigmail package (CAN-2005-3256)
Date: Tue, 25 Oct 2005 19:07:01 +0200
Package: enigmail
Version: 2:0.91-4
Severity: critical
Tags: security patch

If there is a key on your keyring that has an empty UID (no name,
e-mail address, etc.), mail may be encrypted to that UID, although the
recipient was not chosen by the user. This may lead to disclosure of
confidential data to others.

This is CAN-2005-3256.

Patch received from upstream is attached.

 - asac
[security-patch.txt (text/x-c++, attachment)]
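
A keyring audit for the condition described in the report above, as an added example that is not part of the bug log or of the upstream patch: it parses the output of `gpg --list-keys --with-colons --fixed-list-mode` and returns the public keys that carry an empty user ID. The sample listing, key IDs and function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of
# `gpg --list-keys --with-colons --fixed-list-mode`:
# field 1 = record type, field 5 = key ID (pub), field 10 = user ID (uid).
SAMPLE_LISTING = """\
tru::1:1130260000:0:3:1:5
pub:u:1024:17:AAAAAAAAAAAAAAAA:1105315200:::u:::scESC:
uid:u::::1105315200::0000000000000000000000000000000000000001::Alice Example <alice@example.org>:
sub:u:2048:16:AAAAAAAAAAAAAAAB:1105315200::::::e:
pub:-:1024:17:BBBBBBBBBBBBBBBB:1128038400:::-:::scESC:
uid:-::::1128038400::0000000000000000000000000000000000000002:::
sub:-:2048:16:BBBBBBBBBBBBBBBC:1128038400::::::e:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1128124800:::-:::scESC:
uid:-::::1128124800::0000000000000000000000000000000000000003::Carol\\x3a Ops <carol@example.org>:
uid:-::::1128124800::0000000000000000000000000000000000000004::  :
"""


def unescape(field):
    # gpg writes ':' and control characters in user IDs as \xNN escapes.
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def keys_with_empty_uid(listing):
    """Return key IDs of public keys with an empty (or missing) user ID."""
    uids_by_key = {}   # key ID -> decoded user IDs, in listing order
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            current = fields[4]
            uids_by_key[current] = []
        elif fields[0] == "uid" and current is not None:
            uid = unescape(fields[9]) if len(fields) > 9 else ""
            uids_by_key[current].append(uid)
    # Whitespace-only user IDs count as empty (a choice made for this example).
    return [key for key, uids in uids_by_key.items()
            if not uids or any(not u.strip() for u in uids)]


if __name__ == "__main__":
    for key_id in keys_with_empty_uid(SAMPLE_LISTING):
        print("review before encrypting mail:", key_id)
```

Keys it reports can be inspected, and deleted or disabled if they are not needed, on installations that still run an enigmail version older than the fixed one.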

Severity set to `grave'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Reply sent to Alexander Sack <asac@debian.org>:
You have taken responsibility.

Notification sent to Alexander Sack <asac@debian.org>:
Bug acknowledged by developer.

Message #12 received at 335731-done@bugs.debian.org:

From: Alexander Sack <asac@debian.org>
To: 334731-done@bugs.debian.org
Subject: security issue is already fixed in unstable ... go to testing!
Date: Thu, 27 Oct 2005 20:31:43 +0200
Version: 2:0.93-1

this issue is fixed in unstable, so let it in!

-- 
 GPG messages preferred. |  .''`.  ** Debian GNU/Linux **
 Alexander Sack          | : :' :      The  universal
 asac@debian.org         | `. `'      Operating System
 http://www.jwsdot.com/  |   `-    http://www.debian.org/

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 02:42:17 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:18:34 2014; Machine Name: beach.debian.org