Upstream announced an advisory on November 28:
https://mail.kde.org/pipermail/kde-announce/2018-November/000001.html

This issue was fixed upstream in messagelib >= 18.12.0 or in the following commit:
https://cgit.kde.org/messagelib.git/commit/?id=34765909cdf8e55402a8567b48fb288839c61612

Mageia 6 is also affected!
Assigning to kde maintainer group.
Assignee: bugsquad => kde
Fixed both Cauldron and mga6!
Advisory:
========================

Updated messagelib packages fix security vulnerability:

Some HTML emails can trick messagelib into opening a new browser window when displaying said email as HTML. This happens even if the option to allow the HTML emails to access remote servers is disabled in KMail settings. This means that the owners of the servers referred in the email can see in their access logs your IP address (CVE-2018-19516).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19516
https://www.kde.org/info/security/advisory-20181128-1.txt
========================

Updated packages in core/updates_testing:
========================
messagelib-17.12.2-1.1.mga6
libkf5messagecomposer5-17.12.2-1.1.mga6
libkf5messagecore5-17.12.2-1.1.mga6
libkf5messagelist5-17.12.2-1.1.mga6
libkf5messageviewer5-17.12.2-1.1.mga6
libkf5templateparser5-17.12.2-1.1.mga6
libkf5mimetreeparser5-17.12.2-1.1.mga6
libkf5webengineviewer5-17.12.2-1.1.mga6
libkf5messagelib-devel-17.12.2-1.1.mga6

from messagelib-17.12.2-1.1.mga6.src.rpm
Version: Cauldron => 6
Assignee: kde => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
This update seems to be a Plasma affair, but this laptop does not have Plasma installed. At least MATE does not seem to be affected in its operations.
CC: (none) => herman.viaene
x86_64
This is a Mate system also. The packages installed and updated cleanly. I don't have kmail installed so it is unlikely that it can be tested here.
CC: (none) => tarazed25
Testing M6/64

BEFORE update had version 17.12.2-1. Luckily I had kmail configured, and with some messages including a few HTML ones. These viewed OK directly (excepting external elements, which I declined). Had to start from the menu, because trying the command line, it blocked on no Akonadi and would not go further.

UPDATE to:
- lib64kf5messagecomposer5-17.12.2-1.1.mga6.x86_64
- lib64kf5messagecore5-17.12.2-1.1.mga6.x86_64
- lib64kf5messagelist5-17.12.2-1.1.mga6.x86_64
- lib64kf5messageviewer5-17.12.2-1.1.mga6.x86_64
- lib64kf5mimetreeparser5-17.12.2-1.1.mga6.x86_64
- lib64kf5templateparser5-17.12.2-1.1.mga6.x86_64
- lib64kf5webengineviewer5-17.12.2-1.1.mga6.x86_64
- messagelib-17.12.2-1.1.mga6.x86_64

This time it *did* start from the command line without the Akonadi block, which is progress. The HTML messages again displayed OK (note you have to click the vertical bar just left of the message pane). This time I allowed external elements, which displayed OK.

My efforts to pin down what libraries were used were not helpful. The best I got were loads of:
/usr/lib64/qt5/plugins/messageviewer/messageviewer_xxxxxxxxxxxxplugin.so

OKing this despite. Validating, doing advisory from comment 3.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0476.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED