Just a sample of the Echomail archive
[ << oldest | < older | list | newer > | newest >> ]
| Message 826 |
| August Abolins to All |
| openpgp.js vulnerability |
| 25 May 25 11:30:00 |
MSGID: 2:221/1.58@fidonet 20c5124b PID: OpenXP/5.0.64 (Win32) CHRS: ASCII 1 TZUTC: -0400 Best to patch up! There is a CVE-2025-47934 issued for the openpgp.js issue mentioned a few days ago. People using Mailvelop, Flowcrypt, Mymail-crypt, UDC, Encrypt.to, PGP Anywhere, passbolt ..should be wary. Protonmali seems to be using one of the openpgp.js packages out there too, but I cannot confirm which one. ""Proton Mail uses version 3.0 of OpenPGPjs. This version, released in March 2018, includes improvements that enable full interoperability with PGP and allows for better overall functionality, as outlined by Proton." ..that's their statement from 2018. So.. does Protonmail use this one.. https://github.com/ProtonMail/gopenpgp ? Or this one.. https://Github.com/openpgpjs/openpgpjs ..has 6.1.0. "In technical terms, the vulnerability arises because OpenPGP.js fails to correctly associate the extracted message data with its actual signature during verification. This oversight allows attackers to manipulate the content of a message while retaining a valid signature from a previous, unrelated message. "In order to spoof a message," the advisory explains, "the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed. They can then construct an inline-signed or signed-and- encrypted message containing any data of their choice, which will appear as legitimately signed." "This means a bad actor can reuse a valid signature to forge new content that appears authentic to the recipient, bypassing the trust model OpenPGP is built upon. Mozilla's Response and Patches In response to these vulnerabilities, Mozilla has issued security patches for the following versions: Mozilla Firefox 134 Mozilla Thunderbird 134 Firefox ESR 115.19 and 128.6 Thunderbird ESR 115.19 and 128.6 https://thecyberexpress.com/critical-vulnerabilities-in-mozilla-products/ --- OpenXP 5.0.64 * Origin: What do you call an excavated pyramid? Unencrypted. (2:221/1.58) SEEN-BY: 50/22 103/705 105/81 106/201 124/5016 128/187 153/757 7715 SEEN-BY: 154/10 30 110 203/0 218/700 221/1 6 226/30 227/114 229/110 SEEN-BY: 229/114 206 317 400 426 428 470 664 700 705 240/1120 5832 SEEN-BY: 266/512 280/464 5003 5006 291/111 292/854 8125 301/1 310/31 SEEN-BY: 320/219 322/757 341/66 234 342/200 396/45 423/81 120 460/58 SEEN-BY: 460/256 1124 467/888 633/280 712/848 770/1 902/26 5020/400 SEEN-BY: 5020/8912 5054/30 5075/35 PATH: 221/1 280/464 460/58 229/426 |
[ << oldest | < older | list | newer > | newest >> ]