* Fri Jan 03 2020 Andreas Stieger <andreas.stieger@gmx.de>
- enigmail 2.1.5:
* Security issue: unsigned MIME parts displayed as signed boo#1159973
* Ensure that upgrading GnuPG 2.0.x to 2.2.x upgrade converts keyring format
* Make Enigmail Compatible with Protected-Headers spec, draft 2
* Sun Dec 15 2019 Andreas Stieger <andreas.stieger@gmx.de>
- enigmail 2.1.4:
* Fixes for UI glitches
* Option to "Attach public key to messages" was not restored properly
* Sun Nov 03 2019 Andreas Stieger <andreas.stieger@gmx.de>
- enigmail 2.1.3:
* fix a bug in the setup wizard that could lead the wizard to
never complete scanning the inbox
* Fri Sep 20 2019 Andreas Stieger <andreas.stieger@gmx.de>
- boo#1151317: SeaMonkey is no longer supported. Update description
and no longer put in SeaMonkey addons path
* Tue Aug 20 2019 Andreas Stieger <andreas.stieger@gmx.de>
- enigmail 2.1.2:
* compatibility with Mozilla Thunderbird 68
* New simplified setup wizard
* Full support for keys.openpgp.org
* Default to ECC keys on GnuPG 2.1 or later
* Autocrypt: implemented key-gossip and updates to known keys
* Thu Jul 11 2019 Andreas Stieger <andreas.stieger@gmx.de>
- enimail 2.0.12:
* set the default keyserver to keys.openpgp.org in order to
mitigate the SKS Keyserver Network Attack boo#1141025
* Wed May 22 2019 Andreas Stieger <andreas.stieger@gmx.de>
- enigmail 2.0.11:
* CVE-2019-12269: Specially crafted inline PGP messages could
spoof a "correctly signed" message (boo#1135855)
* Fri Mar 29 2019 Andreas Stieger <andreas.stieger@gmx.de>
- enigmail 2.0.10:
* various bug fixes for configuring and handling encrypted e-mail
* UI fixes for dialogs, messages, and dark Thunderbird themes
* Mon Dec 10 2018 astieger@suse.com
- enigmail 2.0.9, fixing one security issues:
* An HTTP authentication dialog maye displayed during web key
discovery, allowing remote attackers to possibly trick the user
into entering e-mail credentials (bsc#1118935)
- other bugs fixed:
* pEp - PGP/MIME signed-only messages are ignored
* Autocrypt overrules manually created Per-Recipient Rules
* "Re:" prefix on subject line disappears when editing encrypted,
saved draft
* Sun Aug 05 2018 michael@stroeder.com
- enigmail 2.0.8:
This release addresses a security issue and
solves a few regression bugs.
* a security issue has been fixed that allows an attacker to prepare
a plain, unauthenticated HTML message in a way that it looks like
it's signed and/or encrypted (boo#1104036)
* Wed Jun 13 2018 astieger@suse.com
- enigmail 2.0.7:
* CVE-2018-12020: Mitigation against GnuPG signature spoofing:
Email signatures could be spoofed via an embedded "--filename"
parameter in OpenPGP literal data packets. This update prevents
this issue from being exploited if GnuPG was not updated
(boo#1096745)
* CVE-2018-12019: The signature verification routine interpreted
User IDs as status/control messages and did not correctly keep
track of the status of multiple signatures. This allowed remote
attackers to spoof arbitrary email signatures via public keys
containing crafted primary user ids (boo#1097525)
* Fri Jun 01 2018 astieger@suse.com
- enigmail 2.0.6.1:
* fix compatibility issue with Thunderbird 60b7
* disallow plaintext (literal packets) outside of encrpyted
packets
* Sun May 27 2018 astieger@suse.com
- enigmail 2.0.6:
* Replies to a partially encrypted message may have revealed
protected information - no longer display PGP/MIME message
part followed by unencrypted data (bsc#1094781)
* Fix signature Spoofing via Inline-PGP in HTML Mails
* Fix filter actions forgetting selected mail folder names
* Tue May 22 2018 astieger@suse.com
- enigmail 2.0.5:
* Improvements on previous fixes on CVE-2017-17688, bsc#1093151
and CVE-2017-17689, bsc#1093152 (EFAIL):
- do not decrypt MIME parts unnecessarily
- improve Error Message for Missing MDC
* Wed May 16 2018 astieger@suse.com
- enigmail 2.0.4:
* CVE-2017-17688: CFB gadget attacks allowed to exfiltrate
plaintext out of encrypted emails. enigmail now fails on GnuPG
integrit check warnings for old Algorithms (EFAIL, bsc#1093151)
* CVE-2017-17689: CBC gadget attacks allows to exfiltrate
plaintext out of encrypted emails (EFAIL), bsc#1093152)
* Wed May 09 2018 astieger@suse.com
- enigmail 2.0.3 addresses the following issues (bsc#1092581):
Stability and functionality:
* Thunderbird may at displaying a message with an encrypted e-mail
* Crash from processing double encrypted PGP/MIME message
* Specific UI interaction sequence may prevent editing OpenPGP
settings
* Filter might not not executed at Thunderbird startup for ne
message
* gpg not terminated correctly when canceling "Import Key"
Encryption/Decryption:
* Saving encrypted draft leaks subject (even if protected headers
are used)
* manual PGP/MIME sig verification not working
* Autocrpyt "addr" address might not match "From" header
* Viewing S/MIME signed email disables PGP signature checks
* S/MIME signing/encryption defaults not applied correctly
E-mail subject handling:
* Double "Re:" prefix on replies
* "Re:" prefix on subject line disappears when editing encrypted,
saved draft
* Encrypted Message" subject in reply messages
* Fri Apr 13 2018 astieger@suse.com
- enigmail 2.0.2, addressing more regressions in 2.0/2.0.1:
* protected headers should not check for force-display part
* Incorrectly displayed subject line in writing dialog when
forwarding
* Error in Preferences Dialog upon loading
* Autocrypt messages were unreadable without Enigmail
* Tue Apr 03 2018 astieger@suse.com
- enigmail 2.0.1, addressing several issues found in 2.0:
* S/MIME signing/encryption not working correctly, if Enigmail
is not enabled for an account
* Emails fail to decrypt if the sender address contains brackets
* Autocrypt-headers may flip manually created per-recipient rules
* The key manager does not load if no key on the keyring
* Mon Mar 26 2018 astieger@suse.com
- enigmail 2.0:
* The Encryption and Signing buttons now work for both OpenPGP
and S/MIME. Enigmail will chose between S/MIME or OpenPGP
depending on whether the keys for all recipients are available
for the respective standard.
* Support for the Autocrypt standard, which is now enabled by
default.
* Support for Pretty Easy Privacy (p?p) is implemented in
Enigmail.
* Support for Web Key Directory (WKD) is implemented. Enigmail
will try to download unavailable keys during message
composition from WKD. GnuPG 2.2.x is used the provider
supports the Web Key Service protocol, users can also use
Enigmail to upload keys to WKD.
* The message subject can now be encrypted and replaced with a
dummy subject, following the Memory Hole standard for
protected Email Headers.
* The keys on the keyring are automatically refreshed from
keyservers at an irregular interval.
* Enigmail was turned into a "restartless" addon. That is, once
Enigmail is installed, subsequent updates will be installed
without needing to restart Thunderbird.
* Keys are internally addressed using the fingerprint instead of
the key ID.
- Use %license (boo#1082318)
* Wed Dec 20 2017 thardeck@suse.com
- enigmail 1.9.9, fixing multiple vulnerabilities (boo#1073858):
* Enigmail could be coerced to use a malicious PGP public key
with a corresponding secret key controlled by an attacker
* Enigmail could have replayed encrypted content in partially
encrypted e-mails, allowing a plaintext leak
* Enigmail could be tricked into displaying incorrect signature
verification results
* Specially crafted content may cause denial of service