
Bug#915039: marked as done (CVE-2018-19516: HTML email can open browser window automatically)



Your message dated Sat, 02 Mar 2019 00:34:43 +0000
with message-id <E1gzsbz-0002jx-9V@fasolo.debian.org>
and subject line Bug#915039: fixed in kf5-messagelib 4:18.08.3-2
has caused the Debian Bug report #915039,
regarding CVE-2018-19516: HTML email can open browser window automatically
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
915039: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915039
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: kf5-messagelib
Version: 4:18.08.1-1
Severity: grave
Tags: upstream security

Hi,

KDE published the following security advisory (CVE-2018-19516):

> messagelib by default displays emails as plain text, but gives the user
> an option to "Prefer HTML to plain text" in the settings and if that option
> is not enabled there is a way to enable HTML display when an email contains HTML.
>
> Some HTML emails can trick messagelib into opening a new browser window when
> displaying said email as HTML.
>
> This happens even if the option to allow the HTML emails to access
> remote servers is disabled in KMail settings.
>
> This means that the owners of the servers referred to in the email can see
> in their access logs your IP address.

https://www.kde.org/info/security/advisory-20181128-1.txt

Cheers,
Felix

--- End Message ---
--- Begin Message ---
Source: kf5-messagelib
Source-Version: 4:18.08.3-2

We believe that the bug you reported is fixed in the latest version of
kf5-messagelib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Knauß <hefee@debian.org> (supplier of updated kf5-messagelib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Mar 2019 01:20:22 +0100
Source: kf5-messagelib
Architecture: source
Version: 4:18.08.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Sandro Knauß <hefee@debian.org>
Closes: 915039
Changes:
 kf5-messagelib (4:18.08.3-2) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Sandro Knauß ]
   * Disable running tests on mipsel.
   * Add patch for CVE-2018-19516 (Closes: #915039)
   * Add Build-Depends-Package for symbols files.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
