On Mon, May 14, 2018 at 9:33 AM Yves-Alexis Perez <cor...@debian.org> wrote:
> as you are certainly aware, a paper describing a vulnerability called
> efail has been published today (https://efail.de). It describes an
> attack scenario which can enable an attacker with read/write access to
> the encrypted mails to retrieve plaintext via an external server if HTML
> mail and loading of remote content is enabled.
>
> The PGP/MIME part is apparently not vulnerable in Evolution, but the
> S/MIME seems to be (according to the authors).
>
> It's unclear if a fix needs to be done at the evolution(-data-server)
> layer or below, so feel free to reassign to an underlying library if
> needed (nss for example).
>
> We'll likely have to issue a DSA at one point.

Yves, the Evolution bug was closed upstream. Should we close the bug in Debian too?

https://bugzilla.gnome.org/796135

Thanks,
Jeremy Bicha