Bug#1069163: marked as done (libkf5kmanagesieve5: CVE-2023-52723: sends password as username when authenticating against sieve servers)

To: Patrick Franz <deltaone@debian.org>
Subject: Bug#1069163: marked as done (libkf5kmanagesieve5: CVE-2023-52723: sends password as username when authenticating against sieve servers)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 15 Jun 2024 21:21:10 +0000
Message-id: <[🔎] handler.1069163.D1069163.171848626136602.ackdone@bugs.debian.org>
Reply-to: 1069163@bugs.debian.org
References: <E1sIamI-008t0F-DG@fasolo.debian.org> <2539589.01v9Vk3DZE@antares>

Your message dated Sat, 15 Jun 2024 21:17:38 +0000
with message-id <E1sIamI-008t0F-DG@fasolo.debian.org>
and subject line Bug#1069163: fixed in libkf5ksieve 4:20.08.3-1+deb11u1
has caused the Debian Bug report #1069163,
regarding libkf5kmanagesieve5: CVE-2023-52723: sends password as username when authenticating against sieve servers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1069163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069163
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libkf5kmanagesieve5: sends password as username when authenticating against sieve servers
From: Jonas Schäfer <jonas.schaefer@cloudandheat.com>
Date: Wed, 17 Apr 2024 10:22:05 +0200
Message-id: <2539589.01v9Vk3DZE@antares>

Package: libkf5kmanagesieve5
Version: 4:22.12.3-1
Severity: grave
Tags: security, patch, upstream

Dear Maintainer,

kmail, when using managesieve, sends the password as username to
servers. This is particularly bad because usernames are commonly logged
by servers in plaintext. It thus leaks passwords into server-side
plaintext logs e.g. with dovecot.

This seems to have been fixed upstream:
https://invent.kde.org/pim/libksieve/-/commit/
6b460ba93ac4ac503ba039d0b788ac7595120db1

Please consider a backport of that patch or updating the package 
quickly.

Thank you.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libkf5kmanagesieve5 depends on:
ii  kio                   5.107.0-1+b1
ii  libc6                 2.37-15
ii  libkf5configcore5     5.107.0-1+b1
ii  libkf5coreaddons5     5.107.0-1+b1
ii  libkf5i18n5           5.107.0-1+b1
ii  libkf5kiocore5        5.107.0-1+b1
ii  libkf5kiowidgets5     5.107.0-1+b1
ii  libkf5ksieve-data     4:22.12.3-1
ii  libkf5widgetsaddons5  5.107.0-1+b1
ii  libqt5core5a          5.15.10+dfsg-7
ii  libqt5network5        5.15.10+dfsg-7
ii  libqt5widgets5        5.15.10+dfsg-7
ii  libsasl2-2            2.1.28+dfsg1-4+b1
ii  libstdc++6            14-20240201-3

libkf5kmanagesieve5 recommends no packages.

libkf5kmanagesieve5 suggests no packages.

-- no debconf information

-- 
Jonas Schäfer
Team Lead Cloud Infrastructure Development

Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 37
jonas.schaefer@cloudandheat.com | www.cloudandheat.com

Green, Open, Efficient.
Your Cloud Service and Cloud Technology Provider from Dresden.
https://www.cloudandheat.com/

Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann

Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---

--- Begin Message ---

To: 1069163-close@bugs.debian.org
Subject: Bug#1069163: fixed in libkf5ksieve 4:20.08.3-1+deb11u1
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Sat, 15 Jun 2024 21:17:38 +0000
Message-id: <E1sIamI-008t0F-DG@fasolo.debian.org>
Reply-to: Patrick Franz <deltaone@debian.org>

Source: libkf5ksieve
Source-Version: 4:20.08.3-1+deb11u1
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
libkf5ksieve, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated libkf5ksieve package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Apr 2024 12:37:50 +0200
Source: libkf5ksieve
Architecture: source
Version: 4:20.08.3-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1069163
Changes:
 libkf5ksieve (4:20.08.3-1+deb11u1) bullseye; urgency=medium
 .
   * Team upload.
   * Add patch to prevent leaking passwords into server-side logs
     (Closes: #1069163).
Checksums-Sha1:
 1a48250d32707533cb26e2f8a1d03172bf1bf49d 3285 libkf5ksieve_20.08.3-1+deb11u1.dsc
 c0233f79370871a709618433fad49802864d95aa 11192 libkf5ksieve_20.08.3-1+deb11u1.debian.tar.xz
 4f27c81bde92aee37f8934ecc04511ce030c2d26 12743 libkf5ksieve_20.08.3-1+deb11u1_source.buildinfo
Checksums-Sha256:
 f20a35d69b4d1ad84e4d10bbd265f8d5d922302dcccc9217a610fa02721f3bbc 3285 libkf5ksieve_20.08.3-1+deb11u1.dsc
 16b480629a79b9ec5c12de9e94242de8efa13d813df1448898ccd3c78ff6e83c 11192 libkf5ksieve_20.08.3-1+deb11u1.debian.tar.xz
 fdc663b72e2039763a6fb47bce1bb29fc014e1d1a169f0b617d81205059a46be 12743 libkf5ksieve_20.08.3-1+deb11u1_source.buildinfo
Files:
 73d3ae555e70510cb56edd405b2ab5da 3285 libs optional libkf5ksieve_20.08.3-1+deb11u1.dsc
 5bca5eb48e1e2d3d26fe0c8dac22678c 11192 libs optional libkf5ksieve_20.08.3-1+deb11u1.debian.tar.xz
 99bfbfe1681796d5d212659f89cd1d6f 12743 libs optional libkf5ksieve_20.08.3-1+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYodBXDR68cxZHu3Knp96YDB3/lYFAmZrWdEACgkQnp96YDB3
/lYvdg/7BEow3IilkFMHMETIlV1jVciXaP8lp8wLP384ApsoL7xF7LyOrI77IXht
WNaARdit3zMnZwx/S66x56IO3/DSUl5gVdOoHdkyDIG22NocuZmRzKg558d6v1CH
87q2/dYcswIUZwvWgobtqyZSbuBbCfU/FZbTeFkkFdxLiYNXezYFhOY4yPCiGC08
VvYBYLnadu4q6vx3u3sGIHtVQfm0OyVl3kv6fX31AtqVR+PEzPh52bgoFyTU6dYG
9VfKWjxgm1d9iVyXHeuqtkZA4rYA7QYgKlx5QspIzPPF/NxAoqCL8N/iDxVahs+V
1DkP7CknwjpmlXhIIooYnz7hJMb17W8kERcJ77tFzKLvqp91BJ/L5V5tOF52u9jw
JKjIFPymCFVR4+2Hca+tbz6valANW2NtPZ0Yf6rLixo+r5gnCg7Ox0uRE1Tqrok4
Slmp5BihADN8U7CJhzoXf8q+QZnB4z/9z87db2+JTR7bRHlKqFeabTNIB2YVk9fr
y21ryRmc5vF7eCYanRP8jLqMzchBtWHr1J2Z1A22MheyX6m2abv9TVj3NlAPanMq
3w2ySxLHbzdGdsgPlhySGyBFNfoDmTEhQhl5m/YIOIGztgb33DincIBbY2nGM5T9
l8zRT4qrJDQZxeBc487wJun5fojouRVKv/qSML9xIePQBtxeVmw=
=kN2H
-----END PGP SIGNATURE-----

Attachment: pgp_b0dg_PUee.pgp
Description: PGP signature

--- End Message ---

Reply to:

Prev by Date: libkf5ksieve_20.08.3-1+deb11u1_source.changes ACCEPTED into oldstable-proposed-updates
Next by Date: qtcreator_14.0.0~beta1-1_source.changes ACCEPTED into experimental
Previous by thread: libkf5ksieve_20.08.3-1+deb11u1_source.changes ACCEPTED into oldstable-proposed-updates
Next by thread: Bug#1069163: marked as done (libkf5kmanagesieve5: CVE-2023-52723: sends password as username when authenticating against sieve servers)
Index(es):
- Date
- Thread