Subj : openpgp.js vulnerability
To   : digimaus
From : August Abolins
Date : Mon May 26 2025 09:26:00

** On Monday 26.05.25 - 08:51, August Abolins wrote to digimaus:

 d>> Mailvelope allows you to use an installed version of GPG instead of the
 d>> JS script. That's much more secure.

 AA> Hmmm..

 AA> "Key management by GnuPG

 AA> "If you have selected GnuPG as your preferred backend for
 AA> encryption in Options -> General -> OpenPGP Preferences, the
 AA> keys will be managed by your local GnuPG program (usually
 AA> GPG4Win or GPGTools).

 AA> OK.. That's for the "key management" part. But I'm not sure if
 AA> that is the same thing as avoiding the security issue talked
 AA> about.

NEVERMIND.. It seems that the GnuPG option does indeed avoid the
OpenPGP.js security issue:

"Unaffected Users

"Users who have activated the GnuPG integration in Mailvelope and
exclusively use the GnuPG keyring for all operations (including
verification) are not affected by this vulnerability. This is
because the issue is specific to OpenPGP.js, and GnuPG operates
as an independent encryption library.

Meanwhile.. the Firefox addon seems to be only available to
specific versions of Firefox. A download sends me to the
mozilla.org addons section, but only offers version 5.2.0 for my
Firefox 115.23.1esr

So.. I guess, by simply switching to the GnuPG management
option, all is well?

--
  ../|ug

--- OpenXP 5.0.64
 * Origin: (} Pointy McPointface (618:250/1.9)