Bug#853241: kf5-messagelib: CVE-2016-7967 CVE-2016-7968
Package: kf5-messagelib
Severity: important
Tags: security
Hi,
the following vulnerabilities were published for kf5-messagelib.
CVE-2016-7967[0]:
| KMail since version 5.3.0 used a QWebEngine based viewer that had
| JavaScript enabled. Since the generated html is executed in the local
| file security context by default, access to remote and local URLs was
| enabled.
CVE-2016-7968[1]:
| KMail since version 5.3.0 used a QWebEngine based viewer that had
| JavaScript enabled. HTML Mail contents were not sanitized for
| JavaScript and included code was executed.
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-7967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7967
[1] https://security-tracker.debian.org/tracker/CVE-2016-7968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7968
Please adjust the affected versions in the BTS as needed.
Thorsten
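As an added illustration (not KMail or messagelib code), a minimal sanitizer of the kind CVE-2016-7968 describes as missing: it re-serialises an HTML mail body with script elements, inline event handlers, style attributes and javascript: URLs removed before the body reaches a browser-engine viewer. SAMPLE_MAIL is a constructed input, and a real client should use a maintained sanitizer library rather than this sketch.

```python
from html import escape
from html.parser import HTMLParser

# Elements that execute code or embed other documents: dropped with their content.
DROP_ELEMENTS = {"script", "iframe", "object", "embed", "applet", "frame", "frameset"}
# Attributes carrying a URL: kept only when the scheme is on the allow-list.
URL_ATTRS = {"href", "src", "action", "formaction", "background", "poster"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")

# Constructed sample of a hostile HTML mail body (not a real message).
SAMPLE_MAIL = ('<p onclick="alert(1)">Hello <b>world</b></p><script>alert(1)</script>'
               '<a href="javascript:alert(1)">x</a><a href="https://example.org/">ok</a>')

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded, re-escaped below
        self.out = []
        self._skip = 0  # nesting depth inside a dropped element

    def _keep_attr(self, name, value):
        if name.startswith("on") or name == "style":  # onload=..., CSS url()/expression()
            return False
        if name in URL_ATTRS:
            # Strip whitespace/control chars first so "java\tscript:" cannot slip through.
            v = "".join(c for c in (value or "") if c.isprintable() and not c.isspace())
            return v.lower().startswith(SAFE_SCHEMES)
        return True

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self._skip += 1
        elif not self._skip:
            kept = [(n, v) for n, v in attrs if self._keep_attr(n, v)]
            rendered = "".join(f' {n}="{escape(v or "")}"' for n, v in kept)
            self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # also receives <script> bodies, which are skipped
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize_html(html: str) -> str:
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```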