As you have noticed, a new security breach hype named "efail" has found its way to the press. Since this is related to MUAs, S/MIME and PGP, R2Mail2 is vulnerable. The authors informed me 2 months ago and I tried to fix the security problems as far as possible, but I have not disabled HTML for encrypted e-mail yet.
So please consider the following:
- Upgrade to version >= 2.40.264
- Disable HTML view (Settings->Display->View HTML content by default->off)
- Do not download remote content
This does not fix the problem itself, because the problem lies in the CBC or CFB cipher modes used in S/MIME and PGP and not in the MUA, but it makes exfiltration of plain text more difficult.
I will consider disabling HTML for encrypted e-mail in the future if there are no other fixes or workarounds.
If you have particular questions, do not hesitate to ask. I will publish more information as soon as the paper is published.
regards
stefan
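The mitigations listed above work only if displaying a decrypted body fetches nothing from the network. As an added example (not R2Mail2 code; the attribute list, function names and sample body are assumptions made here), this Python check lists the references in an HTML body that a renderer would load automatically, so a client can fall back to plain text when any are present.

```python
import re
from html.parser import HTMLParser

# Attributes a renderer fetches without user action (assumed list, not exhaustive).
AUTO_FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    """Collect (tag, attribute, url) for each reference fetched on display."""
    def __init__(self):
        super().__init__()
        self.refs, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        for name, value in attrs:
            if not value:
                continue
            # <a href> needs a click; <link href> is loaded automatically.
            auto = name in AUTO_FETCH_ATTRS or (tag == "link" and name == "href")
            if auto and REMOTE.match(value):
                self.refs.append((tag, name, value.strip()))
            elif name == "style":  # inline CSS such as background:url(...)
                self.refs += [(tag, name, u) for u in CSS_URL.findall(value)]

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # contents of a <style> element
            self.refs += [("style", "css", u) for u in CSS_URL.findall(data)]

def remote_references(html_body):
    finder = RemoteRefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.refs

def safe_to_render_as_html(html_body):
    """Policy for decrypted mail: show HTML only if nothing would be fetched."""
    return not remote_references(html_body)

# Constructed sample body, not taken from a real message.
SAMPLE = ('<p>Hello</p><img src="http://tracker.example/pixel.gif">'
          '<a href="https://example.org/">link</a><img src="cid:logo@local">'
          '<div style="background:url(//cdn.example/bg.png)">x</div>')
```
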