USN-211-1: Enigmail vulnerability

20 October 2005

enigmail vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.10
  • Ubuntu 5.04
  • Ubuntu 4.10

Software Description

Details

Hadmut Danish discovered an information disclosure vulnerability in the key selection dialog of the Mozilla/Thunderbird enigmail plugin. If a user’s keyring contained a key with an empty user id (i. e. a key without a name and email address), this key was selected by default when the user attempted to send an encrypted email. Unless this empty key was manually deselected, the message got encrypted for that empty key, whose owner could then decrypt it.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.10
mozilla-enigmail
mozilla-thunderbird-enigmail
Ubuntu 5.04
mozilla-enigmail
mozilla-thunderbird-enigmail
Ubuntu 4.10
mozilla-enigmail
mozilla-thunderbird-enigmail

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References