Packages
- kdepim - Personal Information Management apps
Details
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising,
Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg
Schwenk discovered that the KMail application of KDE PIM could be made
to leak the plaintext of S/MIME encrypted emails when retrieving
external content in emails. Under certain configurations, if a user were
tricked into opening a specially crafted email, an attacker could
possibly use this issue to obtain the plaintext of an encrypted email.
This update mitigates the issue by preventing KMail from automatically
loading external content. (CVE-2017-17689)
Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel,
and Jörg Schwenk discovered that the KMail application of KDE PIM could
be made to leak the plaintext of S/MIME or PGP encrypted emails. If a
user were tricked into replying to a specially crafted email, an
attacker could possibly use this...
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising,
Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg
Schwenk discovered that the KMail application of KDE PIM could be made
to leak the plaintext of S/MIME encrypted emails when retrieving
external content in emails. Under certain configurations, if a user were
tricked into opening a specially crafted email, an attacker could
possibly use this issue to obtain the plaintext of an encrypted email.
This update mitigates the issue by preventing KMail from automatically
loading external content. (CVE-2017-17689)
Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel,
and Jörg Schwenk discovered that the KMail application of KDE PIM could
be made to leak the plaintext of S/MIME or PGP encrypted emails. If a
user were tricked into replying to a specially crafted email, an
attacker could possibly use this issue to obtain the plaintext of an
encrypted email. (CVE-2019-10732)
It was discovered that the KMail application of KDE PIM could be made to
attach files to an email without the user's knowledge. If a user
were tricked into sending an email created by a specially crafted
"mailto" link, an attacker could possibly use this issue to obtain
sensitive files. This update mitigates the issue by displaying a
warning to the user when files are attached in this way.
(CVE-2020-11880)
It was discovered that the Account Wizard application of KDE PIM used
HTTP rather than HTTPS when retrieving certain email server
configurations. An attacker could possibly use this issue to cause email
clients to use an attacker-controlled email server. This issue only
affected Ubuntu 16.04 LTS. (CVE-2024-50624)
Update instructions
After a standard system update you need to restart KMail to make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 16.04 xenial | accountwizard – 4:15.12.3-0ubuntu1.1+esm1 | ||
| kmail – 4:15.12.3-0ubuntu1.1+esm1 | |||
| libkf5messageviewer5 – 4:15.12.3-0ubuntu1.1+esm1 | |||
| libkf5templateparser5 – 4:15.12.3-0ubuntu1.1+esm1 | |||
| 14.04 trusty | kmail – 4:4.13.3-0ubuntu0.2+esm1 | ||
| libmessageviewer4 – 4:4.13.3-0ubuntu0.2+esm1 | |||
| libtemplateparser4 – 4:4.13.3-0ubuntu0.2+esm1 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.