
Bug#1069163: libkf5kmanagesieve5: sends password as username when authenticating against sieve servers



Package: libkf5kmanagesieve5
Version: 4:22.12.3-1
Severity: grave
Tags: security, patch, upstream

Dear Maintainer,

kmail, when using managesieve, sends the password as username to
servers. This is particularly bad because usernames are commonly logged
by servers in plaintext. It thus leaks passwords into server-side
plaintext logs e.g. with dovecot.

This seems to have been fixed upstream:
https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1

Please consider a backport of that patch or updating the package 
quickly.

Thank you.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libkf5kmanagesieve5 depends on:
ii  kio                   5.107.0-1+b1
ii  libc6                 2.37-15
ii  libkf5configcore5     5.107.0-1+b1
ii  libkf5coreaddons5     5.107.0-1+b1
ii  libkf5i18n5           5.107.0-1+b1
ii  libkf5kiocore5        5.107.0-1+b1
ii  libkf5kiowidgets5     5.107.0-1+b1
ii  libkf5ksieve-data     4:22.12.3-1
ii  libkf5widgetsaddons5  5.107.0-1+b1
ii  libqt5core5a          5.15.10+dfsg-7
ii  libqt5network5        5.15.10+dfsg-7
ii  libqt5widgets5        5.15.10+dfsg-7
ii  libsasl2-2            2.1.28+dfsg1-4+b1
ii  libstdc++6            14-20240201-3

libkf5kmanagesieve5 recommends no packages.

libkf5kmanagesieve5 suggests no packages.

-- no debconf information

-- 
Jonas Schäfer
Team Lead Cloud Infrastructure Development

Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 37
jonas.schaefer@cloudandheat.com | www.cloudandheat.com

Green, Open, Efficient.
Your Cloud Service and Cloud Technology Provider from Dresden.
https://www.cloudandheat.com/

Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann

Attachment: signature.asc
Description: This is a digitally signed message part.
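
A server-side check for the exposure described in the report, as an added example that is not part of the original message or of libksieve: it flags managesieve login lines whose `user=<...>` value is not a known account, suggests which accounts to rotate by matching the client address, and redacts the value. The log line shape, the account list and all function names are assumptions, and a hit is a candidate for review (it may also be a mistyped username).

```python
import re

# Assumption: dovecot login-process lines carry "user=<...>" followed by "rip=<addr>".
LOGIN_RE = re.compile(
    r"managesieve-login: .*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9A-Fa-f.:]+)")

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    "Mar 18 09:12:01 mail dovecot: managesieve-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS",
    "Mar 18 09:14:37 mail dovecot: managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<c0rrect-horse-battery>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS",
    "Mar 18 09:15:02 mail dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=192.0.2.22, lip=192.0.2.1, TLS",
    "Mar 18 09:20:44 mail dovecot: managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.org>, method=PLAIN, rip=192.0.2.22, lip=192.0.2.1, TLS",
]
KNOWN_USERS = {"alice@example.org", "bob@example.org"}  # hypothetical account list


def _parse(line):
    m = LOGIN_RE.search(line)
    return m if m and m["user"] else None


def find_suspects(lines, known_users):
    """Return [(line_no, rip, candidate_accounts)] for managesieve logins whose
    user= value is not a known account. The value itself is never returned."""
    seen = {}  # rip -> known accounts seen from that address
    for line in lines:
        m = _parse(line)
        if m and m["user"].lower() in known_users:
            seen.setdefault(m["rip"], set()).add(m["user"].lower())
    hits = []
    for no, line in enumerate(lines, 1):
        m = _parse(line)
        if m and m["user"].lower() not in known_users:
            hits.append((no, m["rip"], sorted(seen.get(m["rip"], ()))))
    return hits


def scrub(lines, known_users):
    """Return a copy of the log with unknown managesieve user= values redacted."""
    out = []
    for line in lines:
        m = _parse(line)
        if m and m["user"].lower() not in known_users:
            start, end = m.span("user")
            line = line[:start] + "REDACTED" + line[end:]
        out.append(line)
    return out
```
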