On Fri, May 24, 2019 at 09:49:54AM +0200, Salvatore Bonaccorso wrote:
> Source: enigmail
> Source-Version: 2:2.0.11+ds1-1
>
> On Wed, May 22, 2019 at 02:25:42PM +0200, Salvatore Bonaccorso wrote:
> > Source: enigmail
> > Version: 2:2.0.10+ds1-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://sourceforge.net/p/enigmail/bugs/983/
> >
> > Hi,
> >
> > The following vulnerability was published for enigmail.
> >
> > CVE-2019-12269[0]:
> > | Enigmail before 2.0.11 allows PGP signature spoofing: for an inline
> > | PGP message, an attacker can cause the product to display a "correctly
> > | signed" message indication, but display different unauthenticated
> > | text.
>
> This issue was adressed 2.0.11 upstream, closing manually.
Buster still has 2.0.10, what's the plan for it (and for stretch),
should we fix this in older releases?
Cheers,
Moritz