[CVE] Send Later with Delay bypasses OpenPGP
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kdepim (Ubuntu) | Invalid | High | Unassigned |
Trusty | Fix Released | High | Simon Quigley |
Xenial | Fix Released | High | Simon Quigley |
kf5-messagelib (Ubuntu) | Fix Released | High | Simon Quigley |
kmail (Ubuntu) | Fix Released | Undecided | Simon Quigley |
Bug Description
KDE Project Security Advisory
=======
Title: KMail: Send Later with Delay bypasses OpenPGP
Risk Rating: Medium
CVE: CVE-2017-9604
Versions: kmail, messagelib < 5.5.2
Date: 15 June 2017
Overview
========
KMail’s Send Later with Delay function bypasses OpenPGP signing and
encryption, causing the message to be sent unsigned and in plain-text.
Solution
========
Update to kmail, messagelib >= 5.5.2 (Released as part of KDE Applications 17.04.2)
Or apply the following patches:
kmail: https:/
messagelib: https:/
Credits
=======
Thanks to Daniel Aleksandersen for the report and to Laurent Montel for the fix.
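
An added example, not part of the KDE advisory or of this bug report: because affected versions sent delayed messages unsigned and in plain text, one way to audit stored copies of sent mail is to classify each message by the OpenPGP protection it actually carries. The function names and sample messages are constructed for illustration, and the check assumes the stored copy matches what was transmitted.

```python
import email

# ASCII-armor header lines that mark inline OpenPGP content.
ARMOR = {b"-----BEGIN PGP MESSAGE-----": "encrypted",
         b"-----BEGIN PGP SIGNED MESSAGE-----": "signed"}

def openpgp_protection(raw: bytes) -> str:
    """Classify a raw RFC 5322 message as 'encrypted', 'signed' or 'none'."""
    msg = email.message_from_bytes(raw)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol") or "").lower()
    # PGP/MIME (RFC 3156): the protection is declared on the top-level part.
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "encrypted"
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        return "signed"
    # Inline OpenPGP: armor header must be a whole line of a text part,
    # so a quoted "> -----BEGIN PGP MESSAGE-----" in a reply does not count.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        for line in body.splitlines():
            if line.strip() in ARMOR:
                return ARMOR[line.strip()]
    return "none"

def unprotected(messages: dict) -> list:
    """Names of messages that carry no OpenPGP signature or encryption."""
    return sorted(n for n, raw in messages.items()
                  if openpgp_protection(raw) == "none")

# Constructed sample messages (not taken from the bug report).
HDR = b"From: a@example.org\r\nTo: b@example.org\r\nMIME-Version: 1.0\r\n"
SAMPLES = {
    "pgp-mime.eml": HDR + b'Content-Type: multipart/encrypted; boundary="b1";\r\n'
        b' protocol="application/pgp-encrypted"\r\n\r\n'
        b"--b1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
        b"--b1\r\nContent-Type: application/octet-stream\r\n\r\n"
        b"-----BEGIN PGP MESSAGE-----\r\n(placeholder)\r\n"
        b"-----END PGP MESSAGE-----\r\n--b1--\r\n",
    "inline-signed.eml": HDR + b"Content-Type: text/plain\r\n\r\n"
        b"-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\nhello\r\n",
    "delayed-plain.eml": HDR + b"Content-Type: text/plain\r\n\r\n"
        b"Quarterly numbers attached.\r\n",
}

if __name__ == "__main__":
    for name in unprotected(SAMPLES):
        print("no OpenPGP protection:", name)
```

The classifier only reports what protection a message carries; deciding which of the flagged messages were meant to be signed or encrypted still requires knowing the sender's intent for that recipient.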
information type: | Private Security → Public Security |
Changed in kdepim (Ubuntu): | |
importance: | Undecided → High |
Changed in kmail (Ubuntu): | |
importance: | Undecided → High |
Changed in kdepim (Ubuntu): | |
status: | Incomplete → In Progress |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in kmail (Ubuntu): | |
status: | Incomplete → In Progress |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in kdepim (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in kdepim (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in kdepim (Ubuntu Zesty): | |
importance: | Undecided → High |
Changed in kmail (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in kmail (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in kmail (Ubuntu Zesty): | |
importance: | Undecided → High |
no longer affects: | kmail (Ubuntu) |
no longer affects: | kmail (Ubuntu Trusty) |
no longer affects: | kmail (Ubuntu Xenial) |
no longer affects: | kmail (Ubuntu Zesty) |
no longer affects: | kmail (Ubuntu Artful) |
Changed in kf5-messagelib (Ubuntu): | |
importance: | Undecided → High |
Changed in kf5-messagelib (Ubuntu): | |
status: | New → In Progress |
assignee: | nobody → Simon Quigley (tsimonq2) |
summary: | Send Later with Delay bypasses OpenPGP → [CVE] Send Later with Delay bypasses OpenPGP |
Changed in kmail (Ubuntu): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
status: | New → In Progress |
Changed in kf5-messagelib (Ubuntu): | |
status: | Fix Committed → Fix Released |
Changed in kmail (Ubuntu): | |
status: | Fix Committed → Fix Released |
no longer affects: | kdepim (Ubuntu Artful) |
no longer affects: | kdepim (Ubuntu Zesty) |
Changed in kdepim (Ubuntu Trusty): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in kdepim (Ubuntu Xenial): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in kdepim (Ubuntu Trusty): | |
status: | New → Confirmed |
Changed in kdepim (Ubuntu Xenial): | |
status: | New → Confirmed |
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures