github Zimbra-Community/pgp-zimlet 1.8.0
release 1.8.0 security fix openpgp.js


Forgot to add the release tag for 1.8.0, so doing it now:

add version 1.8.0, security fix openpgp.js

Date: Mon, 5 Oct 2015 09:39:17 +0200
From: thomas@mailvelope.com
To: list@openpgpjs.org
Subject: [openpgpjs] Critical vulnerability in S2K

Hello,

a vulnerability in the S2K function of OpenPGP.js allows producing a
predictable session key without knowing the passphrase.

An attacker is able to create a private PGP key that will decrypt in
OpenPGP.js regardless of the passphrase given.

More critical: it is possible to forge a symmetrically encrypted PGP
message (Symmetric-Key Encrypted Session Key Packets (Tag 3)) that
will decrypt with any passphrase in OpenPGP.js. This can be an attack
vector if successful decryption of such a message is used as an
authentication mechanism.

The bug is fixed with a strict check on unknown S2K types.

Credits for finding the bug go to Gijs Hollestelle and thanks to Jonas
Magazinius from Cure53 for reporting the problem.

Please update to OpenPGP.js v1.3.0.

Best,
Thomas


http://openpgpjs.org
Subscribe/unsubscribe: http://list.openpgpjs.org
