
Bug#1069163: marked as done (libkf5kmanagesieve5: sends password as username when authenticating against sieve servers)



Your message dated Wed, 17 Apr 2024 17:04:49 +0000
with message-id <E1rx8iH-00FEJy-GQ@fasolo.debian.org>
and subject line Bug#1069163: fixed in libkf5ksieve 4:22.12.3-2
has caused the Debian Bug report #1069163,
regarding libkf5kmanagesieve5: sends password as username when authenticating against sieve servers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1069163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069163
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libkf5kmanagesieve5
Version: 4:22.12.3-1
Severity: grave
Tags: security, patch, upstream

Dear Maintainer,

kmail, when using managesieve, sends the password as username to
servers. This is particularly bad because usernames are commonly logged
by servers in plaintext. It thus leaks passwords into server-side
plaintext logs e.g. with dovecot.

This seems to have been fixed upstream:
https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1

Please consider a backport of that patch or updating the package 
quickly.

Thank you.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libkf5kmanagesieve5 depends on:
ii  kio                   5.107.0-1+b1
ii  libc6                 2.37-15
ii  libkf5configcore5     5.107.0-1+b1
ii  libkf5coreaddons5     5.107.0-1+b1
ii  libkf5i18n5           5.107.0-1+b1
ii  libkf5kiocore5        5.107.0-1+b1
ii  libkf5kiowidgets5     5.107.0-1+b1
ii  libkf5ksieve-data     4:22.12.3-1
ii  libkf5widgetsaddons5  5.107.0-1+b1
ii  libqt5core5a          5.15.10+dfsg-7
ii  libqt5network5        5.15.10+dfsg-7
ii  libqt5widgets5        5.15.10+dfsg-7
ii  libsasl2-2            2.1.28+dfsg1-4+b1
ii  libstdc++6            14-20240201-3

libkf5kmanagesieve5 recommends no packages.

libkf5kmanagesieve5 suggests no packages.

-- no debconf information

-- 
Jonas Schäfer
Team Lead Cloud Infrastructure Development

Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 37
jonas.schaefer@cloudandheat.com | www.cloudandheat.com

Green, Open, Efficient.
Your Cloud Service and Cloud Technology Provider from Dresden.
https://www.cloudandheat.com/

Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann


--- End Message ---
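
Added example, not part of the original report or of the upstream fix: a log triage helper for server operators dealing with the leak described above. It finds managesieve login lines whose user field is not a known account, reports the client IP and the known accounts seen from that IP (candidates for a password change), and redacts the value. The Dovecot-style line layout (`user=<...>, method=..., rip=...`), the sample lines, and the names `triage` and `known_accounts` are assumptions made for illustration.

```python
import re

# Constructed sample lines in the style of Dovecot login logging (not real data).
SAMPLE_LOG = """\
Apr 17 09:00:01 mx dovecot: managesieve-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Apr 17 09:02:13 mx dovecot: managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<S3cr3t-Example!>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Apr 17 09:05:40 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.20, lip=192.0.2.1, TLS
Apr 17 09:06:02 mx dovecot: managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<>, method=PLAIN, rip=192.0.2.30, lip=192.0.2.1, TLS
"""

# Ending the field at ">, method=" lets a leaked value containing '>' still parse.
FIELD_RE = re.compile(
    r"(?P<svc>[\w-]+-login): .*?user=<(?P<user>.*?)>, method=.*?rip=(?P<rip>[0-9A-Fa-f.:]+)")


def triage(log_text, known_accounts):
    """Find managesieve login lines whose user field is not a known account.

    Returns (findings, redacted_log). Findings carry the line number, client IP
    and the known accounts seen from that IP, never the suspect value itself.
    """
    parsed = [(n, line, FIELD_RE.search(line))
              for n, line in enumerate(log_text.splitlines(), 1)]
    # Known accounts per client IP, from any login service, to attribute a leak.
    accounts_by_ip = {}
    for _, _, m in parsed:
        if m and m["user"] in known_accounts:
            accounts_by_ip.setdefault(m["rip"], set()).add(m["user"])
    findings, redacted = [], []
    for n, line, m in parsed:
        # Empty user fields are skipped: nothing was logged, so nothing leaked.
        suspect = (m and m["svc"] == "managesieve-login"
                   and m["user"] and m["user"] not in known_accounts)
        if suspect:
            findings.append({"line": n, "rip": m["rip"],
                             "rotate_for": sorted(accounts_by_ip.get(m["rip"], ()))})
            line = line[:m.start("user")] + "[REDACTED]" + line[m.end("user"):]
        redacted.append(line)
    return findings, "\n".join(redacted)


if __name__ == "__main__":
    found, clean = triage(SAMPLE_LOG, {"alice", "bob"})
    for item in found:
        print(item)
    print(clean)
```

A flagged line is only a candidate: a mistyped account name looks the same to this check, so review findings before treating the value as a leaked password.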
--- Begin Message ---
Source: libkf5ksieve
Source-Version: 4:22.12.3-2
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
libkf5ksieve, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated libkf5ksieve package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 17 Apr 2024 18:46:16 +0200
Source: libkf5ksieve
Architecture: source
Version: 4:22.12.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1069163
Changes:
 libkf5ksieve (4:22.12.3-2) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Add patch to prevent leaking passwords into server-side logs
     (Closes: #1069163).

--- End Message ---