Make sure you update to S/Notify 4.1
We would like to note that we have updated the Bouncy Castle crypto library in S/Notify 4.1, and that this version of the library fixes flaws that may lead to high CPU usage or even a DoS (Denial of Service) under certain circumstances. The following CVEs have been addressed and may be relevant for its use within S/Notify:
- CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
- CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.
Note that CVE-2024-30172 in particular could be used for a DoS (Denial of Service) attack. This is especially true if you allow user uploads or, in Jira, the extraction and use of certificates or keys from incoming email.
Therefore, we recommend that all customers plan a short-term update to S/Notify for Jira 4.1, S/Notify for Confluence 4.1 and/or S/Notify for Bitbucket 2.1 if they haven't already.
Our new release of S/Notify Email Encryption brings you useful improvements and new features
We are delighted to announce the release of S/Notify Email Encryption 4.1.0 for Jira, S/Notify Email Encryption for Confluence 4.1.0, as well as S/Notify Email Encryption for Bitbucket 2.1.0. This update introduces numerous improvements, along with new features, to ensure your confidential data remains protected and your communication workflows are more streamlined than ever before.
Here's what this update brings you:
Improvements
- Upgraded Crypto Library: We have updated the underlying crypto library to BouncyCastle 1.78.1, incorporating fixes and improvements to strengthen encryption and decryption processes.
- Stricter Password Reset Email Recognition: The useful feature to exclude user account relevant emails from encryption has now become even more reliable.
- Improved Signature Validation: The validation of signatures in Jira now includes checking the sender address to make sure the email signature wasn't spoofed.
- Check Uploaded S/MIME Certificates: When users upload their S/MIME certificate, it is now checked that the certificate has not been issued solely for signing purposes.
- Easier Comparison of Serial Numbers: S/MIME certificates are now displayed with their serial number in both decimal and hex for easier comparison.
- Updated PGP Encryption: The PGP version tag is no longer included in PGP encrypted emails as recommended in the upcoming OpenPGP crypto refresh documentation.
- Configure External LDAP Referral: Its behavior can now be configured independently of the LDAP user directory behavior.
- Better Test Emails: While you don't usually see the internal test emails of S/Notify, if you do, they are now more useful to identify any problems.
New Features
- Getting Ready: S/Notify is now prepared for the upcoming Confluence 9, Bitbucket 9, and Jira 10 releases by Atlassian. Note that, while we have done our best to be prepared, actual compatibility can only be guaranteed after the final releases are out.
- Dark Theme Support: Full support of the upcoming new Dark Theme setting.
- Super Simple Server Email Verification: In Jira, it is now possible to perform server key verification against an arbitrary email address, which makes it easy to check the server key management configuration.
- Improved Security: In Bitbucket 9, administrator re-authentication (also known as 'websudo') is now supported and required to access the S/Notify configuration pages.
We also fixed a couple of smaller bugs; the most notable are probably those regarding S/MIME validation:
- separate encryption and signing certificates can no longer cause validation to fail
- certificates that are missing an Authority Key Identifier (AKI) are now considered valid, because the AKI is optional
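As an added illustration of the checks described in the certificate upload improvement and the two S/MIME validation fixes above (not S/Notify's own code), the following standalone Java program inspects an X.509 certificate's KeyUsage bits to tell a signing-only certificate from one usable for encryption, treats a missing Authority Key Identifier as acceptable, and prints the serial number in both decimal and hex. It assumes the certificate path is passed as the first command-line argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class SmimeCertCheck {
    // Bit positions returned by X509Certificate.getKeyUsage(), per RFC 5280 KeyUsage
    private static final int DIGITAL_SIGNATURE = 0;
    private static final int NON_REPUDIATION = 1;
    private static final int KEY_ENCIPHERMENT = 2;
    private static final int KEY_AGREEMENT = 4;
    private static final String AKI_OID = "2.5.29.35"; // id-ce-authorityKeyIdentifier

    /** True when the certificate may be used to sign email (or carries no KeyUsage restriction). */
    static boolean usableForSigning(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        return ku == null || ku[DIGITAL_SIGNATURE] || ku[NON_REPUDIATION];
    }

    /** True when the certificate may be used to encrypt email to its subject:
     *  keyEncipherment (RSA key transport) or keyAgreement (ECDH), as RFC 8550 requires. */
    static boolean usableForEncryption(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        return ku == null || ku[KEY_ENCIPHERMENT] || ku[KEY_AGREEMENT];
    }

    /** The AKI extension is optional (RFC 5280 section 4.2.1.1); its absence must not fail validation. */
    static boolean hasAuthorityKeyIdentifier(X509Certificate cert) {
        return cert.getExtensionValue(AKI_OID) != null;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is a PEM- or DER-encoded certificate file.
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println("Subject:      " + cert.getSubjectX500Principal());
            System.out.println("Serial (dec): " + cert.getSerialNumber());
            System.out.println("Serial (hex): " + cert.getSerialNumber().toString(16));
            System.out.println("Signing:      " + usableForSigning(cert));
            System.out.println("Encryption:   " + usableForEncryption(cert));
            System.out.println("AKI present:  " + hasAuthorityKeyIdentifier(cert) + " (optional)");
            if (usableForSigning(cert) && !usableForEncryption(cert)) {
                System.out.println("Signing-only certificate: a separate encryption certificate is needed.");
            }
        }
    }
}
```

A certificate with no KeyUsage extension is reported as usable for both purposes, since RFC 5280 imposes no restriction in that case.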
Accessibility
We fixed some issues and made some enhancements that you won't see, but which are key to better accessibility for visually impaired users. We also published our first Accessibility Compliance Report (ACR), sometimes also referred to as a VPAT, for S/Notify for Jira and Jira Service Management. You can download the ACR from here.
Thank you for your continued trust in S/Notify. We are excited to embark on this journey of enhanced email security together.
Why and How We Love Helping Our Customers
Did you ever want to know what drives us to help our customers thrive by focussing on their core competences in a secure environment? Why we think that email encryption is an important part of security? And why we are so passionate about our proven S/Notify Email Encryption and the innovative Uptrust Email Encryption Server solutions? Then you can now read the interview by SafetyDetectives with our CEO to gain some insights.
SafetyDetectives is a platform dedicated to providing insightful and engaging interviews with top executives and innovators in the technology and cybersecurity sectors. Their mission is to bring forward the latest trends, challenges, and solutions from high-tech companies, software developers, AI experts, and cybersecurity leaders. Their in-depth interviews offer a unique glimpse into the minds of industry pioneers, providing their readers with valuable knowledge and perspectives on cutting-edge technologies and security practices.
Let us know how you like the interview, and don't hesitate to reach out if you have further questions!
Article link: SafetyDetectives Interview With Metin Savignano - Founder at Savignano Software Solutions