| Summary: | messagelib new security issue CVE-2018-19516 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David GEIGER <geiger.david68210> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | messagelib-18.08.3-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David GEIGER
2018-11-29 06:16:39 CET
Assigning to kde maintainer group. Assignee:
bugsquad =>
kde Fixed both Cauldron and mga6! Advisory: ======================== Updated messagelib packages fix security vulnerability: Some HTML emails can trick messagelib into opening a new browser window when displaying said email as HTML. This happens even if the option to allow the HTML emails to access remote servers is disabled in KMail settings. This means that the owners of the servers referred in the email can see in their access logs your IP address (CVE-2018-19516). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19516 https://www.kde.org/info/security/advisory-20181128-1.txt ======================== Updated packages in core/updates_testing: ======================== messagelib-17.12.2-1.1.mga6 libkf5messagecomposer5-17.12.2-1.1.mga6 libkf5messagecore5-17.12.2-1.1.mga6 libkf5messagelist5-17.12.2-1.1.mga6 libkf5messageviewer5-17.12.2-1.1.mga6 libkf5templateparser5-17.12.2-1.1.mga6 libkf5mimetreeparser5-17.12.2-1.1.mga6 libkf5webengineviewer5-17.12.2-1.1.mga6 libkf5messagelib-devel-17.12.2-1.1.mga6 from messagelib-17.12.2-1.1.mga6.src.rpm Version:
Cauldron =>
6 MGA6-32 MATE on IBM Thinkpad R50e No installation issues. This update seems to be a Plasma affair, but this laptop does not have Plasma installed. At least MATE does not see+ to be affected in its operations. CC:
(none) =>
herman.viaene x86_64 This is a Mate system also. The packages installed and updated cleanly. I don't have kmail installed so it is unlikely that it can be tested here. CC:
(none) =>
tarazed25 Testing M6/64 BEFORE update had version 17.12.2-1. Luckily I had kmail configured, and with some messages including a few HTML ones. These viewed OK directly (excepting external elements, which I declined). Had to start from the menu, because trying the command line, it blocked on no Akonadi and would not go further. UPDATE to: - lib64kf5messagecomposer5-17.12.2-1.1.mga6.x86_64 - lib64kf5messagecore5-17.12.2-1.1.mga6.x86_64 - lib64kf5messagelist5-17.12.2-1.1.mga6.x86_64 - lib64kf5messageviewer5-17.12.2-1.1.mga6.x86_64 - lib64kf5mimetreeparser5-17.12.2-1.1.mga6.x86_64 - lib64kf5templateparser5-17.12.2-1.1.mga6.x86_64 - lib64kf5webengineviewer5-17.12.2-1.1.mga6.x86_64 - messagelib-17.12.2-1.1.mga6.x86_64 This time it *did* start from the command line without the Akonadi block, which is progress. The HTML messages again displayed OK (note you have to click the vertical bar just left of the message pane). This time I allowed external elements, which displayed OK. My efforts to pin down what libraries were used were not helpful. The best I got were loads of: /usr/lib64/qt5/plugins/messageviewer/messageviewer_xxxxxxxxxxxxplugin.so" OKing this despite. Validating, doing advisory from comment 3. Whiteboard:
(none) =>
MGA6-64-OK An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0476.html Status:
NEW =>
RESOLVED |