Package: mew
Version: 1:6.6-2
Severity: important
Tags: jessie security

It was discovered that Mew, a mail reader supporting PGP/MIME for Emacs, did not properly implement recipient matching to encrypt mails. This may allow an unrelated person to decrypt the mails.

cf.
- https://github.com/kazu-yamamoto/Mew/issues/77

From: Tatsuya Kinoshita
> When the following keys are imported,
>
> - 1024D/97AA33D6 Dima Barsky <d...@debian.org>
> - 1024D/1A944AD7 Martin Albert <m...@debian.org>
>
> I write a mail with To: m...@debian.org, and encrypt it,
> then it is encrypted with Dima's key instead of Martin's key.

Fixed in
https://github.com/kazu-yamamoto/Mew/commit/5fa1fbd130f90b8afbeef66e256eead031f17e27

The security team suggested that this is rather a candidate for a fix in a point update instead of a Debian Security Advisory.

Thanks,
--
Tatsuya Kinoshita