Major Security Vulnerabilities

Description

I was working with the Solus Linux team to get Mailspring to be available in their packages. However, when I did so, they pointed out several security issues they found, which is why they had previously pulled it. They checked it again and found that they stated that they still exist. This is obviously concerning.

You can find my post about it here: Mailspring · Issue #4962 · getsolus/packages · GitHub
You can find their original findings here: Insecure Dependencies · Issue #9 · Foundry376/Mailspring-Sync · GitHub

Linux - Mailspring Version: 1.15.1

Hey @clintre , thanks for the post! Sounds like the concern is that Mailspring uses an older version of OpenSSL? (I see your post also references an old version of our JSON parsing library, but I’m not aware of any security implications of that)

We’re planning on dropping support for Ubuntu 16, Ubuntu 18 and other old versions of linux soon and that should allow us to move to a newer version of OpenSSL. It’s actually getting difficult to continue building Mailspring for those ancient linuxes for other reasons too.

1 Like

Yeah, I just mainly wanted to point out what they were finding. I actually ran a static analysis, and it did not come up, but they posted their findings when I was trying to get Mailspring in their repos and then noticed the SSL that they were referring to. I cannot use Snap and the unofficial Flatpak version doesn’t work, so wanted to see about getting a native package there.

For now using Distrobox to run it, but it is not ideal.

Thanks for the response.

You bet! I read through the discussion you linked and I think I’m up to speed on this again.

I’ll see if we can move toward using the system version of OpenSSL and drop support for old linux releases. I think long ago when we started the project, we were actually shipping a /newer/ version of SSL than was present on many linux distros, but now almost 8 years later, it’s an older version, not a best practice, and definitely a security issue.

Thanks for flagging this!

4 Likes

I was wanting to get an update on this, as it is a major security vulnerability.

It has become a much larger issue as my company works in secure environments, so I have had to remove Mailspring on my work system as it was detected and reported in a security scan as a high-severity vulnerability.

1 Like
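The two posts above describe the same problem from both sides: a desktop app shipping its own copy of OpenSSL that has aged past the distro's, and a security scanner flagging that bundled copy on a workstation. Below is an added example of the kind of check such a scanner performs, written for this thread and not taken from Mailspring, Solus, or any scanner product. It walks an install tree, looks for the version banner string that every OpenSSL library embeds (for example "OpenSSL 1.0.2u  20 Dec 2019"), and reports any copy below a minimum you choose. The file names, the install layout, and the 3.0.0 threshold are assumptions made for the demo; the one fixed fact is that OpenSSL 1.1.1 reached upstream end of life in September 2023, so anything below 3.0 no longer receives security fixes.

```python
import os
import re
import tempfile
from typing import Optional

# Version banner that every OpenSSL library embeds, e.g. "OpenSSL 1.0.2u  20 Dec 2019".
_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b")
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")

# OpenSSL 1.1.1 went end-of-life in September 2023, so anything below 3.0 no longer
# receives upstream fixes. The exact threshold is an assumed policy value; adjust it.
MINIMUM_SUPPORTED = "3.0.0"


def parse_openssl_version(blob: bytes) -> Optional[str]:
    """Return the OpenSSL version found in a binary blob's banner, or None."""
    m = _BANNER.search(blob)
    return m.group(1).decode("ascii") if m else None


def version_key(version: str) -> tuple:
    """Turn '1.1.1k' or '3.0.13' into a tuple that sorts correctly."""
    m = _VERSION.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = m.groups()
    # 1.x patch letters sort after the bare release ('' < 'a' < ... < 'z').
    return (int(major), int(minor), int(patch), letter)


def is_outdated(version: str, minimum: str = MINIMUM_SUPPORTED) -> bool:
    """True when the bundled version is below the chosen minimum."""
    return version_key(version) < version_key(minimum)


def scan_tree(root: str, minimum: str = MINIMUM_SUPPORTED) -> list:
    """Walk an install tree and report every file carrying an OpenSSL banner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    blob = fh.read()
            except OSError:
                continue  # unreadable or vanished file; not a finding
            version = parse_openssl_version(blob)
            if version is None:
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "version": version,
                "outdated": is_outdated(version, minimum),
            })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a constructed install tree with a vendored old OpenSSL and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "resources", "lib")
        os.makedirs(lib)
        # Constructed stand-ins: a vendored libcrypto and an unrelated library.
        with open(os.path.join(lib, "libcrypto.so.1.0.0"), "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 16 + b"OpenSSL 1.0.2u  20 Dec 2019\x00")
        with open(os.path.join(lib, "libmailsync.so"), "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 16 + b"no tls here\x00")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        status = "OUTDATED" if f["outdated"] else "ok"
        print(f"{f['path']}: OpenSSL {f['version']} [{status}]")
```

A banner match is only a hint about what was linked in, not proof of a reachable weakness, which is why the forum's discussion centres on the fix rather than on individual CVEs: linking against the system OpenSSL makes the distro's security updates apply to the app automatically, and a scan like this then finds nothing to flag inside the install tree.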

Yeah, I’m not seeing much movement at all on this…

Yes, and this is something that should be at the top of the list. Security vulnerabilities should never be taken lightly, and the issue being raised dates back several years now.

1 Like

Agreed. The big issue is the build process for Mailspring still supports EOL Linux distros. Hence partially why this app still has OpenSSL vulnerabilities. Unfortunately this is pretty much kept running by a skeleton crew including the creator @bengotow. He has a day job that pays the bills…

TLDR; The bandage needs to be “ripped”. Support of end-of-life Linux distros is not an asset. Flatpak has even removed it recently because of the security issues, flagged under EOL.

1 Like