Bug 21100

Summary: kmail, messagelib new security issue CVE-2017-9604
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: KDE maintainers <kde>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=19533
Whiteboard:
Source RPM: kmail-16.12.3-1.mga6.src.rpm, messagelib-16.12.3-1.mga6.src.rpm, kdepim4-4.14.5-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2017-06-16 12:12:40 CEST
Upstream has issued an advisory on June 15:
https://www.kde.org/info/security/advisory-20170615-1.txt

The upstream commits to fix the issue are linked in the message above.

Comment 1 David Walser 2017-06-16 13:50:48 CEST
More details:
https://ctrl.blog/entry/kmail-cve-2017-9604-openpgp

KMail (from kdepim4) in Mageia 5 is also affected.

Whiteboard: (none) => MGA5TOO
Source RPM: kmail-16.12.3-1.mga6.src.rpm, messagelib-16.12.3-1.mga6.src.rpm => kmail-16.12.3-1.mga6.src.rpm, messagelib-16.12.3-1.mga6.src.rpm, kdepim4-4.14.5-1.mga5.src.rpm

Comment 2 David Walser 2017-06-24 23:54:41 CEST
kmail-16.12.3-2.mga6 and messagelib-16.12.3-2.mga6 uploaded for Cauldron.

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 3 David Walser 2017-07-01 21:02:53 CEST
It looks like CVE-2016-7968 is the equivalent of this for Mageia 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C5TGECM37KQEMCLQKNCGQDAOTJOSEZGH/

So I'll close this and let Mageia 5 be handled in Bug 19533.

Resolution: (none) => FIXED
Version: 5 => Cauldron
Status: NEW => RESOLVED

David Walser 2017-07-02 16:36:13 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=19533

Comment 4 David Walser 2017-07-02 16:36:39 CEST
openSUSE has issued advisories for this today (July 2):
https://lists.opensuse.org/opensuse-updates/2017-07/msg00002.html
https://lists.opensuse.org/opensuse-updates/2017-07/msg00003.html