Upstream has issued an advisory on June 15: https://www.kde.org/info/security/advisory-20170615-1.txt The upstream commits to fix the issue are linked in the message above.
More details: https://ctrl.blog/entry/kmail-cve-2017-9604-openpgp KMail (from kdepim4) in Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Source RPM: kmail-16.12.3-1.mga6.src.rpm, messagelib-16.12.3-1.mga6.src.rpm => kmail-16.12.3-1.mga6.src.rpm, messagelib-16.12.3-1.mga6.src.rpm, kdepim4-4.14.5-1.mga5.src.rpm
kmail-16.12.3-2.mga6 and messagelib-16.12.3-2.mga6 uploaded for Cauldron.
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
It looks like CVE-2016-7968 is the equivalent of this for Mageia 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C5TGECM37KQEMCLQKNCGQDAOTJOSEZGH/ So I'll close this and let Mageia 5 be handled in Bug 19533.
Resolution: (none) => FIXED
Version: 5 => Cauldron
Status: NEW => RESOLVED
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=19533
openSUSE has issued advisories for this today (July 2): https://lists.opensuse.org/opensuse-updates/2017-07/msg00002.html https://lists.opensuse.org/opensuse-updates/2017-07/msg00003.html