Your message dated Tue, 30 Jun 2020 20:18:35 -0400 with message-id <4805313.FXlFleh81E@t450> and subject line Re: Bug#958054: kmail: CVE-2020-11880 has caused the Debian Bug report #958054, regarding kmail: CVE-2020-11880 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 958054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958054 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: kmail: CVE-2020-11880
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Fri, 17 Apr 2020 22:51:12 +0200
- Message-id: <158715667217.1372594.11577362343190010357.reportbug@eldamar.local>
Source: kmail Version: 4:19.08.3-1 Severity: important Tags: security upstream fixed-upstream Hi, The following vulnerability was published for kmail, it was fixed in v19.12.3 upstream. CVE-2020-11880[0]: | An issue was discovered in KDE KMail before 19.12.3. By using the | proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or | other source of mailto links) can make KMail attach local files to a | composed email message without showing a warning to the user, as | demonstrated by an attach=.bash_history value. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-11880 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11880 [1] https://cgit.kde.org/kmail.git/commit/?id=2a348eccd352260f192d9b449492071bbf2b34b1 Regards, Salvatore
--- End Message ---
--- Begin Message ---
- To: 958054-done@bugs.debian.org
- Subject: Re: Bug#958054: kmail: CVE-2020-11880
- From: John Scott <jscott@posteo.net>
- Date: Tue, 30 Jun 2020 20:18:35 -0400
- Message-id: <4805313.FXlFleh81E@t450>
- In-reply-to: <158715667217.1372594.11577362343190010357.reportbug@eldamar.local>
- References: <158715667217.1372594.11577362343190010357.reportbug@eldamar.local>
Version: 4:20.04.0-1 On Friday, April 17, 2020 4:51:12 PM EDT Salvatore Bonaccorso wrote: > The following vulnerability was published for kmail, it was fixed in > v19.12.3 upstream. Unfortunately KDE's cgit seems to be down right now so I can't have a look at the patch. This was seemingly missed in the 24.04.0 changelog so I'm closing this bug. Whether it's small and workable enough to be backported to Buster is yet to be determined, not that I've tried reproducing it there. https://cgit.kde.org/kmail.git/commit/? id=2a348eccd352260f192d9b449492071bbf2b34b1Attachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---