[Users] Efail: Claws Mail status

Colin Leroy colin at colino.net
Thu May 17 10:16:52 CEST 2018

On Tue, 15 May 2018 08:47:55 +0300, Shai Berger <shai at platonix.com>


> The main vector for using the vulnerability is HTML mail, which Claws
> does not support by default. As far as I could see, there was no
> specific reference to the HTML plugins; as far as I understand, Claws
> with an HTML plugin (like Fancy) should get the same score as, e.g.
> KMail (that is, vulnerability can be abused but requires user
> interaction to do so).

From what I understand, the Efail attack works when the MUA
concatenates multiple HTML parts for display:


Even when using an HTML-rendering plugin like Fancy, Claws Mail only
displays one HTML part at a time and does not concatenate them.

Therefore I think it is completely safe. I'll ask the GnuPG people just
to make sure.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20180517/426728c7/attachment.sig>

More information about the Users mailing list