Bug 21100 - kmail, messagelib new security issue CVE-2017-9604
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: KDE maintainers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-16 12:12 CEST by David Walser
Modified: 2017-07-02 16:36 CEST
0 users

See Also:
Source RPM: kmail-16.12.3-1.mga6.src.rpm, messagelib-16.12.3-1.mga6.src.rpm, kdepim4-4.14.5-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-06-16 12:12:40 CEST
Upstream has issued an advisory on June 15:
https://www.kde.org/info/security/advisory-20170615-1.txt

The upstream commits to fix the issue are linked in the message above.

Comment 1 David Walser 2017-06-16 13:50:48 CEST
More details:
https://ctrl.blog/entry/kmail-cve-2017-9604-openpgp

KMail (from kdepim4) in Mageia 5 is also affected.

Whiteboard: (none) => MGA5TOO
Source RPM: kmail-16.12.3-1.mga6.src.rpm, messagelib-16.12.3-1.mga6.src.rpm => kmail-16.12.3-1.mga6.src.rpm, messagelib-16.12.3-1.mga6.src.rpm, kdepim4-4.14.5-1.mga5.src.rpm

Comment 2 David Walser 2017-06-24 23:54:41 CEST
kmail-16.12.3-2.mga6 and messagelib-16.12.3-2.mga6 uploaded for Cauldron.

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 3 David Walser 2017-07-01 21:02:53 CEST
It looks like CVE-2016-7968 is the equivalent of this for Mageia 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C5TGECM37KQEMCLQKNCGQDAOTJOSEZGH/

So I'll close this and let Mageia 5 be handled in Bug 19533.

Resolution: (none) => FIXED
Version: 5 => Cauldron
Status: NEW => RESOLVED

David Walser 2017-07-02 16:36:13 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=19533

Comment 4 David Walser 2017-07-02 16:36:39 CEST
openSUSE has issued advisories for this today (July 2):
https://lists.opensuse.org/opensuse-updates/2017-07/msg00002.html
https://lists.opensuse.org/opensuse-updates/2017-07/msg00003.html
