Bugzilla – Bug 1093151
VUL-0: CVE-2017-17688: evolution,mutt,claws-mail,trojita,kmail: CFB gadget attacks allows to exfiltrate plaintext out of encrypted emails (EFAIL)
Last modified: 2021-04-30 09:43:42 UTC
rh#1577906

Vulnerabilities in the OpenPGP specification can be abused by so-called CFB gadget attacks to exfiltrate the plaintext from encrypted email. An attacker having access to encrypted emails of a victim can modify them to inject an image tag into them and create a single encrypted body part that exfiltrates its own plaintext when the victim opens the attacker's email.

More details in https://efail.de/, full details in the paper: https://efail.de/efail-attack-paper.pdf

Assigning to bnc-team-gnome for evolution. All the other maintainers (or last major contributors) are CC.

I'm still reading the paper myself, but according to page 20 all those packages are affected one way or another.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1577906
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17688
AFAIU the scenario requires HTML mail bodies.
This is an autogenerated message for OBS integration: This bug (1093151) was mentioned in https://build.opensuse.org/request/show/609845 15.0+42.3+Backports:SLE-12 / enigmail
openSUSE-SU-2018:1329-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1093151,1093152
CVE References: CVE-2017-17688,CVE-2017-17689
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): enigmail-2.0.4-9.1

openSUSE-SU-2018:1330-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1093151,1093152
CVE References: CVE-2017-17688,CVE-2017-17689
Sources used:
openSUSE Leap 42.3 (src): enigmail-2.0.4-12.1

openSUSE-SU-2018:1347-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1093151,1093152
CVE References: CVE-2017-17688,CVE-2017-17689
Sources used:
openSUSE Leap 15.0 (src): enigmail-2.0.4-lp150.2.3.1
This is an autogenerated message for OBS integration: This bug (1093151) was mentioned in https://build.opensuse.org/request/show/611143 15.0+42.3+Backports:SLE-12 / enigmail
MozillaThunderbird has its own CVEs, removed this package here.

Statement from Kevin J. McCarthy regarding mutt:

I've received a few questions about EFAIL and whether this release has any related changes, so I hope you'll forgive me for sending a second mutt-announce email today.

For those unaware, https://efail.de/ disclosed an attack on OpenPGP and S/MIME emails this past week. The researchers reported mutt-1.7.2 was not successfully attacked.

So, the short answer is no, mutt-1.10.0 has no changes made as a result of EFAIL, and the pgp/smime configuration variable changes in this release are unrelated.

I am neither a security researcher nor a cryptographer, but here are my current takeaways and suggestions:

* If you are using a version of mutt before 1.6.0 and rely on OpenPGP encryption, please upgrade. 1.6.0 introduced $pgp_decryption_okay, which scans the GnuPG status output for a successful decryption code.

* Please make sure you update your config to the values suggested in contrib/gpg.rc (again, in particular $pgp_decryption_okay).

* Opening a decrypted email in an external browser should be considered unsafe. Part of the attack was due to HTML injection.

* I don't believe autoviewing dumped HTML via lynx, elinks, etc. is an issue. However, the researchers did not specifically test that.

Since this only covers GnuPG I'll still leave mutt in here for S/MIME.
openSUSE-SU-2018:1392-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1093151,1093152
CVE References: CVE-2017-17688,CVE-2017-17689
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): enigmail-2.0.5-12.1

openSUSE-SU-2018:1393-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1093151,1093152
CVE References: CVE-2017-17688,CVE-2017-17689
Sources used:
openSUSE Leap 42.3 (src): enigmail-2.0.5-15.1
openSUSE Leap 15.0 (src): enigmail-2.0.5-lp150.2.6.1
(In reply to Johannes Segitz from comment #9)
> So, the short answer is no, mutt-1.10.0 has no changes made as a result
> of EFAIL, and the pgp/smime configuration variable changes in this
> release are unrelated.
>
> I am neither a security researcher nor a cryptographer, but here are my
> current takeaways and suggestions:
>
> * If you are using a version of mutt before 1.6.0 and rely on OpenPGP
> encryption, please upgrade. 1.6.0 introduced $pgp_decryption_okay,
> which scans the GnuPG status output for a successful decryption code.

SLES-12 is on mutt-1.6.0 whereas SLES-11 is on mutt-1.5.17 ... do we need an update on SLES-11 (LTS)?

> * Please make sure you update your config to the values suggested
> in contrib/gpg.rc (again, in particular $pgp_decryption_okay).

That makes it complicated, as this is a user file and an installation due to an update of the mutt package does not overwrite this file.

> * Opening a decrypted email in an external browser should be considered
> unsafe. Part of the attack was due to HTML injection.

That you have to enforce by using urlview/urlscan which, btw., only expands particular URLs from within the message and never the full message. If a user uses w3m then he is always on his own.

> * I don't believe autoviewing dumped HTML via lynx, elinks, etc is an
> issue. However, the researchers did not specifically test that.

Hmmm ... lynx or w3m does not matter, both do the same work.

> Since this only covers GnuPG I'll still leave mutt in here for S/MIME

What does that mean here? AFAIHU this is a main problem of the protocol itself.

Btw. Have they tested mutt with

  set crypt_use_gpgme=yes

instead of gpg.rc (aka `source ~/.gpg.rc' in ~/.muttrc)?
(In reply to Dr. Werner Fink from comment #13)
>> So, the short answer is no, mutt-1.10.0 has no changes made as a result
>> of EFAIL, and the pgp/smime configuration variable changes in this
>> release are unrelated.
>>
>> I am neither a security researcher nor a cryptographer, but here are my
>> current takeaways and suggestions:
>>
>> * If you are using a version of mutt before 1.6.0 and rely on OpenPGP
>> encryption, please upgrade. 1.6.0 introduced $pgp_decryption_okay,
>> which scans the GnuPG status output for a successful decryption code.
>
> SLES-12 is on mutt-1.6.0 whereas SLES-11 is on mutt-1.5.17 ... do we need an update on SLES-11 (LTS)?

We have it regularly maintained in SLE-SERVER_11-SP4, so yes.

>> * Please make sure you update your config to the values suggested
>> in contrib/gpg.rc (again, in particular $pgp_decryption_okay).
>
> That makes it complicated as this is a user file and an installation due to an update of the mutt package does not overwrite this file.

We can mention it in the patchinfo to inform the user that he has to change this. But we should still change the setting we deliver for new installations.

>> Since this only covers GnuPG I'll still leave mutt in here for S/MIME
>
> What does that mean here? AFAIHU this is a main problem of the protocol itself.

Yes, but we still might see mitigations in the client.

> Btw. Have they tested mutt with
>
>   set crypt_use_gpgme=yes
>
> instead of gpg.rc (aka `source ~/.gpg.rc' in ~/.muttrc)?

No.
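As an added illustration of the $pgp_decryption_okay mitigation discussed above (example code written for this page, not mutt's own implementation): a client that runs gpg with --status-fd shows the decrypted body only when the status output carries DECRYPTION_OKAY, and a stricter policy also requires GOODMDC, which is the check that flags the ciphertext modification a CFB gadget attack depends on. The status keywords and the regex value are assumptions taken from GnuPG's documented status lines and the pattern shipped in contrib/gpg.rc; the sample status outputs are constructed, not captured.

```python
import re

# Equivalent of the $pgp_decryption_okay value in mutt's contrib/gpg.rc
# ("^\\[GNUPG:\\] DECRYPTION_OKAY"); assumed, not copied from mutt's source.
DECRYPTION_OKAY_RE = re.compile(r"^\[GNUPG:\] DECRYPTION_OKAY\b")

# Status keywords that mean the decryption result must not be trusted.
FAILURE_KEYWORDS = {"DECRYPTION_FAILED", "BADMDC", "ERRMDC", "NODATA"}


def parse_status(status_fd_output):
    """Return the set of GnuPG status keywords found in --status-fd output."""
    keywords = set()
    for line in status_fd_output.splitlines():
        if line.startswith("[GNUPG:] "):
            keywords.add(line.split()[1])
    return keywords


def mutt_style_ok(status_fd_output):
    """What $pgp_decryption_okay does: some status line matches the pattern."""
    return any(DECRYPTION_OKAY_RE.match(l) for l in status_fd_output.splitlines())


def strict_ok(status_fd_output):
    """Stricter policy: DECRYPTION_OKAY and GOODMDC, and no failure keyword."""
    kw = parse_status(status_fd_output)
    if kw & FAILURE_KEYWORDS:
        return False
    return {"DECRYPTION_OKAY", "GOODMDC"} <= kw


def render_decrypted(status_fd_output, plaintext, strict=True):
    """Return plaintext for display only if the status check passes, else None."""
    check = strict_ok if strict else mutt_style_ok
    return plaintext if check(status_fd_output) else None


# Constructed status-fd samples (DECRYPTION_INFO's first field is the MDC
# method: 2 = SHA-1 MDC present, 0 = no MDC at all).
GOOD = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 2 9\n"
        "[GNUPG:] PLAINTEXT 62 0 \n[GNUPG:] GOODMDC\n"
        "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n")
TAMPERED = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 2 9\n"
            "[GNUPG:] PLAINTEXT 62 0 \n[GNUPG:] BADMDC\n"
            "[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")
NO_MDC = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_INFO 0 9\n"
          "[GNUPG:] PLAINTEXT 62 0 \n[GNUPG:] DECRYPTION_OKAY\n"
          "[GNUPG:] END_DECRYPTION\n")
```

The NO_MDC sample shows the gap between the two policies: the mutt-style pattern accepts a message that has no integrity protection at all, while the strict policy refuses to render it.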