Strange CVEs about email encryption

Hello, I am writing about a pair of recent CVEs for which there have been Ubuntu announcements, namely:

  • CVE-2024-49393
  • CVE-2024-49394

As far as I can understand (and I may be completely wrong, because the CVE description is so terse), these CVEs are complete nonsense. They flag a design flaw in (Open)PGP that has always been there and has been understood since PGP existed. So blaming this on the mutt and neomutt packages is absurd … and it does feel like an attempt by someone influential to kill off “legacy” email for good.

Nonetheless, Ubuntu announced here:

that it had a “fix” for these CVEs, at least in neomutt. So what does this “fix” consist of? Did they just disable PGP in the build? That would be like removing airbags from cars because they don’t protect against, say, driving off a bridge. So what else?

Or am I really misunderstanding?


Ian

Happily, the links you cite include, in turn, a link to the actual patch released by neomutt:

You can see for yourself that the patch does not disable PGP.


Thanks for pointing that out. I need to read the IETF draft document about the header protection scheme before I can make sense of all this.


Ian