[Enigmail] [ANN] Enigmail 2.0.4 available - better protection against Efail

Patrick Brunschwig patrick at enigmail.net
Wed May 16 16:40:35 CEST 2018


I have released Enigmail v2.0.4 for Thunderbird version 52 and SeaMonkey
2.46 and newer.


Changes
=======
This version implements two workarounds to protect against "Efail"
vulnerabilities (https://efail.de). I strongly recommend upgrading to
Enigmail 2.0.4 as soon as possible.


Details
=======

Efail: fail on GnuPG integrity check warnings for old algorithms
----------------------------------------------------------------

Enigmail now discovers if GnuPG prints a warning message about missing
MDC (Modification Detection Code) for old algorithms like CAST5 and
treats it like a hard failure. Such a message will no longer be
displayed.

Efail: protect against remote URL calls in unpatched Thunderbird
----------------------------------------------------------------
I implemented a workaround to prevent leaking decrypted message
data to remote URLs. This workaround is meant as a temporary measure until
Thunderbird has a more robust solution. The workaround protects
successfully against the known forms of the vulnerabilities.

I still recommend using the "Simple HTML" view in Thunderbird
(accessible via menu View > Message Body as > Simple HTML) to prevent
any remote content from loading.


Obtaining Enigmail
==================
Enigmail can be downloaded from
<https://www.enigmail.net/index.php/en/download/>

The changelog is available from
<https://www.enigmail.net/index.php/en/download/changelog>


Additional Remarks
==================
The new version is still waiting for approval on
https://addons.mozilla.org; you should receive it automatically via the
addons-update once the approval is made.

-Patrick
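
Added example, not part of the original announcement and not Enigmail's own code: a fail-closed check of the kind described under "fail on GnuPG integrity check warnings", which only releases plaintext when GnuPG confirms the MDC. It assumes the status keywords documented in GnuPG's doc/DETAILS (DECRYPTION_INFO, GOODMDC, BADMDC, DECRYPTION_OKAY, DECRYPTION_FAILED) and the stderr wording "not integrity protected"; the function name and all sample input are constructed.

```javascript
// Decide whether decrypted output may be shown, from the text GnuPG wrote to
// --status-fd and to stderr. Anything short of a confirmed MDC is a failure.
function evaluateDecryption(statusText, stderrText = "") {
  const seen = new Set();
  let mdcMethod = null;
  for (const line of statusText.split(/\r?\n/)) {
    const m = /^\[GNUPG:\] (\S+)(?: (.*))?$/.exec(line);
    if (!m) continue;
    seen.add(m[1]);
    if (m[1] === "DECRYPTION_INFO") {
      // Format: DECRYPTION_INFO <mdc_method> <sym_algo> ...; mdc_method 0 = no MDC
      mdcMethod = Number((m[2] || "").trim().split(/\s+/)[0]);
    }
  }
  if (seen.has("BADMDC")) {
    return { show: false, reason: "integrity check failed" };
  }
  if (seen.has("DECRYPTION_FAILED")) {
    return { show: false, reason: "decryption failed" };
  }
  // Older GnuPG can report DECRYPTION_OKAY for a packet without MDC and only
  // warn on stderr, so the warning is promoted to a hard failure here.
  if (mdcMethod === 0 || /not integrity protected/i.test(stderrText)) {
    return { show: false, reason: "missing MDC" };
  }
  if (!seen.has("DECRYPTION_OKAY") || !seen.has("GOODMDC")) {
    return { show: false, reason: "no integrity confirmation" };
  }
  return { show: true, reason: "ok" };
}

// Constructed sample inputs (sym_algo 3 = CAST5, 9 = AES256).
const SAMPLE_GOOD = [
  "[GNUPG:] DECRYPTION_INFO 2 9",
  "[GNUPG:] DECRYPTION_OKAY",
  "[GNUPG:] GOODMDC",
].join("\n");
const SAMPLE_NO_MDC = [
  "[GNUPG:] DECRYPTION_INFO 0 3",
  "[GNUPG:] DECRYPTION_OKAY",
].join("\n");
const SAMPLE_NO_MDC_STDERR = "gpg: WARNING: message was not integrity protected";
const SAMPLE_TAMPERED = [
  "[GNUPG:] DECRYPTION_INFO 2 9",
  "[GNUPG:] BADMDC",
  "[GNUPG:] DECRYPTION_FAILED",
].join("\n");

console.log(evaluateDecryption(SAMPLE_NO_MDC, SAMPLE_NO_MDC_STDERR));
```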
