Bug#899128: kdepim: Limit CVE-2017-17689 (EFAIL) even more for kmail

[Ivo De Decker <ivodd@debian.org>]

Hi,

On 04/09/2019 09:19 PM, Moritz Muehlenhoff wrote:

> > The tracker for CVE-2017-17689 doesn't list anything related to kdepim or
> > src:meta-kde for buster. Is the issue fixed in the binary kdepim (produced
> > by src:meta-kde) in buster? If so, that should probably be stated explicitly
> > in the tracker.
>
> For buster the affected code is in src:kf5-messagelib and fixed in 4:18.08.1-1
>
> In stretch the affected code is in src:kdepim
>
> In Buster the binary package kdepim is now built out of src:meta-kde, but that
> was never affected. That's we don't track src:meta-kde at all in
> https://security-tracker.debian.org/tracker/CVE-2017-17689
>
> Does that clarify?

Yes. I (incorrectly) assumed that the offending code had been in 
meta-kde in buster at some point. As that's not the case, there is 
nothing left to fix for buster.

Thanks for the clarification.

Ivo