| Summary: | app-crypt/gnupg, x11-plugins/enigmail, dev-python/python-gnupg: injecting status messages (SigSpoof) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | axs, k_f, mozilla, python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=657596 | | |
| Whiteboard: | A3 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |

Description
Hanno Böck
2018-06-12 15:31:12 UTC

Enigmail bump is out:
https://sourceforge.net/p/enigmail/forum/announce/thread/b948279f/

Please bump.

python-gnupg 0.4.3 is out, found no release notes, but this contains the fix according to the bug finder:
https://pypi.org/project/python-gnupg/#history

Info is out now:
https://neopg.io/blog/gpg-signature-spoof/
https://neopg.io/blog/enigmail-signature-spoof/

I can't make this bug public, can someone from security do this?

(In reply to Hanno Boeck from comment #3)
> Info is out now:
> https://neopg.io/blog/gpg-signature-spoof/
> https://neopg.io/blog/enigmail-signature-spoof/
>
> I can't make this bug public, can someone from security do this?

Done

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e22b2f158eb694e0ecdcab392acf3c73b8ee28ae

commit e22b2f158eb694e0ecdcab392acf3c73b8ee28ae
Author: Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2018-06-13 20:01:40 +0000
Commit: Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2018-06-13 20:04:58 +0000

    x11-plugins/enigmail: bump for CVE-2018-12019

    Bug: http://bugs.gentoo.org/657986
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 x11-plugins/enigmail/Manifest | 1 +
 x11-plugins/enigmail/enigmail-2.0.7.ebuild | 83 ++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)

(In reply to Hanno Boeck from comment #2)
> python-gnupg 0.4.3 is out, found no release notes, but this contains the fix
> according to the bug finder:
> https://pypi.org/project/python-gnupg/#history

https://groups.google.com/forum/#!topic/python-gnupg/2yAlj_F2S1g

This seems a bit stuck.

@mozilla: Are we ready to stabilize 2.0.7?

@python: can you bump python-gnupg?

(In reply to Hanno Boeck from comment #8)
> This seems a bit stuck.
>
> @mozilla: Are we ready to stabilize 2.0.7?
>
> @python: can you bump python-gnupg?

enigmail-2.0.7 can go stable

This got lost, cleaning up. NoGLSA will be issued.