Patrick Brunschwig

**Name of the Vulnerable Software and Affected Versions** Enigmail versions prior to 2.0.6 **Description** The issue allows OpenPGP signatures to be spoofed for arbitrary messages. This can be achieved by using a PGP/INLINE signature wrapped within a specially crafted multipart HTML email. **Recommendations** For versions prior to 2.0.6, update to version 2.0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Enigmail versions prior to 1.9.9 **Description** A problem has been discovered where a remote attacker can obtain cleartext content by sending an encrypted data block to a victim and relying on the victim to automatically decrypt the block and then send it back to the attacker as quoted text. This issue is also known as the "replay" problem. **Recommendations** For Enigmail versions prior to 1.9.9, update to version 1.9.9 or later to resolve the issue. As a temporary workaround, consider disabling automatic decryption of encrypted data blocks until a patch is available. Restrict the use of quoting text in encrypted conversations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Enigmail versions prior to 1.9.9 **Description** A problem has been discovered where regular expressions can be exploited to cause a Denial of Service (DoS) due to attempts to match arbitrarily long strings. **Recommendations** For versions prior to 1.9.9, update to version 1.9.9 or later to resolve the issue.