
Bug#864804: marked as done (CVE-2017-9604: Send Later with Delay bypasses OpenPGP)



Your message dated Sun, 18 Jun 2017 00:14:23 +0000
with message-id <E1dMNrD-000FFQ-3e@fasolo.debian.org>
and subject line Bug#864804: fixed in kdepim 4:16.04.3-4
has caused the Debian Bug report #864804,
regarding CVE-2017-9604: Send Later with Delay bypasses OpenPGP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
864804: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864804
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: kf5-messagelib
Version: 4:16.04.3-2
Severity: important
Tags: patch upstream security
Control: clone -1 -2
Control: reassign -2 kdepim 4:4.14.1-1

Hi,

the following vulnerability was published for kf5-messagelib (and
kmail).

CVE-2017-9604[0]:
| KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in
| KDE Applications before 17.04.2, do not ensure that a plugin's
| sign/encrypt action occurs during use of the Send Later feature, which
| allows remote attackers to obtain sensitive information by sniffing the
| network.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9604
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9604
[1] https://www.kde.org/info/security/advisory-20170615-1.txt

Looking at the patchset I see it would apply as well to
kdepim/4:4.14.1-1 to some extent. I do, though, have some difficulties
correctly classifying it, not knowing this Send Later feature. Can you
please double check the above.

Regards,
Salvatore

--- End Message ---
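The CVE text above describes a bug class rather than a single line of code: a composer that runs the sign/encrypt plugin on the immediate "send now" path but queues a "send later" draft without ever invoking that hook, so the scheduled message leaves the machine in clear. The following is an added, constructed illustration of that pattern and of the usual fix (one finalize step that every outgoing path must pass through). It is not KMail or messagelib code and not the upstream fix-CVE-2017-9604.patch; `ToyCryptoPlugin`, `Transport`, `VulnerableComposer`, `FixedComposer` and `unprotected_outgoing` are hypothetical names, and the "encryption" is only a base64 envelope so a test can tell plaintext from protected output.

```python
"""Constructed model of the CVE-2017-9604 bug class: a deferred-send path
that bypasses the sign/encrypt hook applied by the immediate-send path.
Not KMail/messagelib code; the crypto here is a toy stand-in, not OpenPGP."""
import base64
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Message:
    to: str
    subject: str
    body: str
    encrypt: bool = False     # user ticked "encrypt" in the composer
    sign: bool = False        # user ticked "sign" in the composer
    protected: bool = False   # set only by the crypto hook once it has run


class ToyCryptoPlugin:
    """Hypothetical stand-in for the composer's sign/encrypt plugin.
    It wraps the body in an opaque envelope and flags it as protected."""

    def apply(self, msg: Message) -> Message:
        if not (msg.encrypt or msg.sign):
            return msg
        payload = base64.b64encode(msg.body.encode()).decode()
        kind = "ENCRYPTED" if msg.encrypt else "SIGNED"
        envelope = f"-----TOY {kind}-----\n{payload}\n-----END TOY-----"
        return Message(msg.to, msg.subject, envelope,
                       msg.encrypt, msg.sign, protected=True)


class Transport:
    """Hypothetical outgoing transport; records what actually left the host."""

    def __init__(self) -> None:
        self.sent: List[Message] = []

    def deliver(self, msg: Message) -> None:
        self.sent.append(msg)


class VulnerableComposer:
    """Immediate send runs the plugin; deferred send queues the raw draft."""

    def __init__(self, plugin: ToyCryptoPlugin, transport: Transport) -> None:
        self.plugin = plugin
        self.transport = transport
        self.later_queue: List[Message] = []

    def send_now(self, msg: Message) -> None:
        self.transport.deliver(self.plugin.apply(msg))

    def send_later(self, msg: Message) -> None:
        # Bug: the draft is queued as-is; the crypto hook never sees it.
        self.later_queue.append(msg)

    def flush_later(self) -> None:
        # The scheduler later hands queued drafts straight to the transport.
        for msg in self.later_queue:
            self.transport.deliver(msg)
        self.later_queue.clear()


class FixedComposer(VulnerableComposer):
    """Both paths go through one finalize step, so the hook cannot be skipped."""

    def _finalize(self, msg: Message) -> Message:
        return self.plugin.apply(msg)

    def send_now(self, msg: Message) -> None:
        self.transport.deliver(self._finalize(msg))

    def send_later(self, msg: Message) -> None:
        # Fix: protect before queueing; the queue only ever holds final messages.
        self.later_queue.append(self._finalize(msg))


def unprotected_outgoing(transport: Transport) -> int:
    """Regression check: count messages that requested sign/encrypt but left
    the transport without the hook having run."""
    return sum(1 for m in transport.sent
               if (m.encrypt or m.sign) and not m.protected)


def demo() -> Tuple[int, int]:
    """Run the same two sends through both composers; returns the number of
    leaked messages for (vulnerable, fixed)."""
    results = []
    for composer_cls in (VulnerableComposer, FixedComposer):
        transport = Transport()
        composer = composer_cls(ToyCryptoPlugin(), transport)
        draft = Message("alice@example.org", "hello", "secret body", encrypt=True)
        composer.send_now(draft)      # protected on both composers
        composer.send_later(draft)    # leaks on the vulnerable composer
        composer.flush_later()
        results.append(unprotected_outgoing(transport))
    return results[0], results[1]


if __name__ == "__main__":
    print("leaked (vulnerable, fixed):", demo())
```

The check in `unprotected_outgoing` is the kind of assertion a test suite or an outgoing-mail filter can apply: compare what the user asked for on the draft against what the transport actually carries, independent of which UI path produced the message.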
--- Begin Message ---
Source: kdepim
Source-Version: 4:16.04.3-4

We believe that the bug you reported is fixed in the latest version of
kdepim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864804@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Knauß <hefee@debian.org> (supplier of updated kdepim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Jun 2017 12:12:03 +0200
Source: kdepim
Binary: kdepim kdepim-doc akregator accountwizard kaddressbook kalarm storageservicemanager kmail knotes konsolekalendar kontact korganizer blogilo akonadiconsole ktnef kdepim-themeeditors
Architecture: source
Version: 4:16.04.3-4
Distribution: unstable
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Sandro Knauß <hefee@debian.org>
Description:
 accountwizard - wizard for KDE PIM applications account setup
 akonadiconsole - management and debugging console for akonadi
 akregator  - RSS/Atom feed aggregator
 blogilo    - graphical blogging client
 kaddressbook - address book and contact data manager
 kalarm     - alarm message, command and email scheduler
 kdepim     - Personal Information Management apps from the official KDE releas
 kdepim-doc - KDE Personal Information Management library documentation
 kdepim-themeeditors - Theme Editors for KDE PIM applications
 kmail      - full featured graphical email client
 knotes     - sticky notes application
 konsolekalendar - konsole personal organizer
 kontact    - integrated application for personal information management
 korganizer - calendar and personal organizer
 ktnef      - Viewer for mail attachments using TNEF format
 storageservicemanager - KDE PIM storage service
Closes: 864804
Changes:
 kdepim (4:16.04.3-4) unstable; urgency=high
 .
   * Team upload.
 .
   [ Sandro Knauß ]
   * Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864804)
     - Added upstream patch fix-CVE-2017-9604.patch
Checksums-Sha1:
 baa2e7495738bdc2fec291821ae7e0059cd7c991 6154 kdepim_16.04.3-4.dsc
 bf1f692f30e97caad72d3ed5d0ef77da9324cb81 72116 kdepim_16.04.3-4.debian.tar.xz
 f265fb4b9322aaf57db73bdd9ad660f763072ca1 22654 kdepim_16.04.3-4_source.buildinfo
Checksums-Sha256:
 cc698242a3e1f7415a6d7f6079048d5fdfac0e8716d342d5c396ebe26978ae40 6154 kdepim_16.04.3-4.dsc
 bde9a70012d3a8846f9b0372c005ec785db3de2910c8d0007f2df2d996e76dd9 72116 kdepim_16.04.3-4.debian.tar.xz
 2ff001b9c2bc438978c3037c9212268a67db293ed1ee99cbe7c9789cd22d904e 22654 kdepim_16.04.3-4_source.buildinfo
Files:
 f76d93a205516cfb9f72ab8a3fe2a9f6 6154 kde optional kdepim_16.04.3-4.dsc
 876f56f65ee44402debc92a362e3759c 72116 kde optional kdepim_16.04.3-4.debian.tar.xz
 cd3c68dfbf7876a82cb40369c4b34fd0 22654 kde optional kdepim_16.04.3-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
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=FYi1
-----END PGP SIGNATURE-----

--- End Message ---
