Enigmail should be updated to version 1.9.9 following Cure53 audit

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Enigmail is already updated to 1.9.9 in Debian stable, see https://packages.debian.org/stretch/enigmail. The wiki page you linked says you can "request a sync from Debian" to fix security problems. Can you do that here?

Hi Jeremy, unfortunately we cannot just fake-sync enigmail from Debian to address this issue; the candidates for fake-syncing are the entries with 'sync' in the 'Status' column on http://people.canonical.com/~ubuntu-security/d2u/

The quickest and easiest way to get enigmail updated is to prepare a debdiff with cherry-picked patches that address security issues applied in the Debian packaging, and documented in the debian/changelog.

An update to a wholly new version is possible but would be best served by the Stable Release Update process https://wiki.ubuntu.com/StableReleaseUpdates

Thanks

I asked in the original bug report to have Enigmail updated to 1.9.9. Posteo, one of the sponsors of the audit, wrote at https://posteo.de/en/blog/security-warning-for-thunderbird-users-and-enigmail-users-vulnerabilities-threaten-confidentiality-of-communication :

"For Enigmail users:

* Update Enigmail immediately to the new version 1.9.9. This update removes all vulnerabilities identified in this audit.
* ..."

An excerpt of the audit report is available at https://www.enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf linked from the Enigmail changelog at https://www.enigmail.net/index.php/en/download/changelog .

At your link https://wiki.ubuntu.com/StableReleaseUpdates it says:

"2. When

2.1. High-impact bugs

Stable release updates will, in general, only be issued in order to fix high-impact bugs. Examples of such bugs include:

* Bugs which may, under realistic circumstances, directly cause a security vulnerability. These are done by the security team and are documented at SecurityTeam/UpdateProcedures.

* ..."

That's the situation here, there are multiple bugs that cause security vulnerabilities and I submitted a bug report here asking for Enigmail to be updated. If that means this is a "stable release update" and not a "fake-sync", that's fine with me.

I'm not part of the Enigmail development team. It seems from your link that this should be handled by the security team, but if you or the security team are not the right group to handle this according to Ubuntu bug rules, please feel free to reassign this to a different team, or leave it unassigned and remove the "Incomplete" status.

Thanks Jeremy; the 'incomplete' status just indicates that we're currently waiting on a community member to provide us with a debdiff for sponsorship.

Does that mean you're not going to do a stable release update? Is there something wrong with the package from Debian?

Untested updates available here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

I will publish them next week.

I just published updates for this. Thanks.

Thanks Marc! (And Seth!)