
Bug#853241: kf5-messagelib: CVE-2016-7967 CVE-2016-7968



Package: kf5-messagelib
Severity: important
Tags: security

Hi,

the following vulnerabilities were published for kf5-messagelib.

CVE-2016-7967[0]:
| KMail since version 5.3.0 used a QWebEngine based viewer that had
| JavaScript enabled. Since the generated html is executed in the local
| file security context by default, access to remote and local URLs was
| enabled.

CVE-2016-7968[1]:
| KMail since version 5.3.0 used a QWebEngine based viewer that had
| JavaScript enabled. HTML Mail contents were not sanitized for
| JavaScript and included code was executed.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7967
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7967
[1] https://security-tracker.debian.org/tracker/CVE-2016-7968
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7968

Please adjust the affected versions in the BTS as needed.

   Thorsten
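As an added illustration of the defensive side of both issues (not code from KMail, messagelib or this report), the following Python sanitizer strips the active content that a JavaScript-enabled web view would otherwise execute (CVE-2016-7968) and the remote and local resource references such a view would otherwise fetch in the local file context (CVE-2016-7967). The element and scheme lists, the `allow_remote` switch and the sample mail body are assumptions constructed for the example.

```python
"""Defensive HTML-mail sanitizer: strip active content and unwanted resource
references before a web-based viewer renders a message body.
Added example; not KMail/messagelib code."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose whole subtree is discarded (script, plugins, framed content).
ACTIVE_ELEMENTS = {"script", "iframe", "frame", "frameset", "object", "embed",
                   "applet", "style", "noscript"}
# Elements dropped while their children are kept.
UNWRAP_ELEMENTS = {"form", "meta", "link", "base"}
VOID_ELEMENTS = {"br", "hr", "img", "input", "area", "col", "wbr", "source"}
URL_ATTRS = {"href", "src", "action", "formaction", "background", "poster", "data"}
# Attributes that make the viewer fetch a resource without a user click.
FETCH_ATTRS = URL_ATTRS - {"href"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}   # cid: = inline MIME part


def url_scheme(value):
    """Scheme of a URL as a browser would interpret it: browsers ignore
    whitespace/control characters inside the scheme, so drop them first."""
    compact = "".join(c for c in value if c.isprintable() and not c.isspace())
    try:
        return urlsplit(compact).scheme.lower()
    except ValueError:
        return "invalid"


class MailSanitizer(HTMLParser):
    def __init__(self, allow_remote=False):
        super().__init__(convert_charrefs=True)
        self.allow_remote = allow_remote   # user opted in to remote references
        self.out = []
        self.removed = []                  # audit trail of everything stripped
        self._skip_tag = None              # element whose subtree is discarded
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth += 1
            return
        if tag in ACTIVE_ELEMENTS:
            self._skip_tag, self._skip_depth = tag, 1
            self.removed.append(("element", tag))
            return
        if tag in UNWRAP_ELEMENTS:
            self.removed.append(("element", tag))
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on"):      # event handler attribute = script
                self.removed.append(("attribute", f"{name}={value!r}"))
                continue
            if name in URL_ATTRS:
                scheme = url_scheme(value)
                if scheme and scheme not in SAFE_SCHEMES:   # javascript:, file:, data:, ...
                    self.removed.append(("url", f"{name}={value!r}"))
                    continue
                if name in FETCH_ATTRS and scheme in {"http", "https"} and not self.allow_remote:
                    self.removed.append(("remote-fetch", f"{name}={value!r}"))
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth -= 1
                if self._skip_depth == 0:
                    self._skip_tag = None
            return
        if tag in UNWRAP_ELEMENTS or tag in VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_tag:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):        # conditional comments etc.: drop
        self.removed.append(("comment", data.strip()[:40]))


def sanitize(mail_html, allow_remote=False):
    """Return (clean_html, removed) for an HTML mail body."""
    parser = MailSanitizer(allow_remote)
    parser.feed(mail_html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample mail body (not a real message) exercising each rule.
SAMPLE_MAIL = """<html><body>
<p onmouseover="alert(1)">Invoice attached.</p>
<script>alert("hello from the mail")</script>
<a href="java&#x09;script:alert(1)">View</a>
<a href="https://example.invalid/invoice">Download</a>
<img src="http://example.invalid/pixel.gif" alt="tracker">
<img src="file:///etc/hostname" alt="local">
<img src="cid:logo@example.invalid" alt="logo">
<iframe src="https://example.invalid/frame"><p>framed</p></iframe>
</body></html>"""

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE_MAIL)
    print(clean)
    for kind, what in removed:
        print(f"removed {kind}: {what}")
```

The sanitizer is an allow-list on URL schemes rather than a block-list on known bad ones, so `file:`, `data:` and entity- or whitespace-obfuscated `javascript:` references all fall out the same way; `http(s)` references that trigger a fetch are only kept when the caller opts in, mirroring a "load external references" preference. Sanitizing the markup complements, but does not replace, disabling JavaScript and local-file access in the viewer itself.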
