Subject: claws-mail-vcalendar-plugin: credentials exposed on interface
Package: claws-mail-vcalendar-plugin
Severity: normal
Tags: security
Reported originally here: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782 by csw...@gmail.com:

"""
In some instances, it might be the case that the only possible way to access a calendaring service is through https, and in such cases, the only way to authenticate (at least within the confines of vCalendar) is by embedding the username:password into the ics URL and/or have a 'private' url that shouldn't be shared.

In either case, after configuring a calendar and trying to access it, the full url is displayed in the status tray when trying to poll the calendar, something like:

Fetching 'https://user:passw...@server.example.com/location/of/my/Calendar'...

Thus, use of the vCalendar plugin really isn't suitable or secure for such configurations! In the scenarios above, the former is more of a concern, but neither is one you'd necessarily want to expose to prying eyes. Even a google calendar "private url", for example, is visible in its entirety within the status tray.
"""

No upstream fix for this yet. CVE request by Ricardo Mones here: http://www.openwall.com/lists/oss-security/2012/11/15/5

Please contact me in case of any questions. Haven't verified this in the Debian package yet, but I can do that and even try to backport the patch when it comes out.

-- 
Henri Salo
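The report above describes a display leak: a status message that prints the calendar URL verbatim also prints whatever secret the URL carries, whether that is RFC 3986 userinfo (user:password@) or a capability-style "private" path. The following is an added example, not Claws Mail or vCalendar plugin code, of the mitigation a plugin author would reach for: reduce the URL to scheme and host before it goes anywhere user-visible, which covers both cases without having to know which part of the URL is secret. The function names (url_display_safe, url_for_status) and the sample URLs are assumptions made up for this illustration.

```c
/* Added example (not from Claws Mail): reduce a URL to "scheme://host[:port]/"
 * so that status-bar and log messages never carry userinfo or a secret path.
 * Assumed helper names; not the plugin's own API. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Write a display-safe form of url (scheme and authority without userinfo,
 * followed by "/") into out. Returns 0 on success, -1 if url is not a
 * hierarchical URL, has an empty host, or does not fit in out. */
int url_display_safe(const char *url, char *out, size_t outsz)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return -1;

    const char *authority = p + 3;
    /* The authority component ends at the first '/', '?' or '#'. */
    size_t alen = strcspn(authority, "/?#");

    /* An unencoded '@' cannot appear in host or port (RFC 3986), so the last
     * '@' inside the authority delimits the userinfo. '@' characters in the
     * path or query are never inspected, since they lie beyond alen. */
    const char *host = authority;
    for (const char *q = authority; q < authority + alen; q++)
        if (*q == '@')
            host = q + 1;

    size_t hlen = (size_t)(authority + alen - host);
    size_t schemelen = (size_t)(authority - url);   /* includes "://" */
    if (hlen == 0)
        return -1;                                   /* "https://@/x" */
    if (schemelen + hlen + 2 > outsz)                /* + '/' + NUL */
        return -1;

    memcpy(out, url, schemelen);
    memcpy(out + schemelen, host, hlen);
    out[schemelen + hlen] = '/';
    out[schemelen + hlen + 1] = '\0';
    return 0;
}

/* Convenience wrapper for message formatting. On any failure it returns a
 * fixed placeholder rather than the raw URL, so a parse problem can never
 * turn back into a leak. Uses a static buffer: not thread-safe, fine for a
 * single-threaded GTK status update. */
const char *url_for_status(const char *url)
{
    static char buf[512];
    if (url_display_safe(url, buf, sizeof buf) != 0)
        return "<URL withheld>";
    return buf;
}

int main(void)
{
    /* Constructed sample inputs covering the two cases from the report. */
    const char *samples[] = {
        "https://user:secret@server.example.com/location/of/my/Calendar",
        "https://calendar.example.com/calendar/ical/abc123/private-XXXX/basic.ics",
        "https://u:p@ss@h.example:8443/x?y=a@b",
        "not a url",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("Fetching '%s'...\n", url_for_status(samples[i]));
    return 0;
}
```

The point of dropping the path as well as the userinfo is that the reporter's second case (a Google-style "private" URL) has no syntactic marker that identifies the secret; only the host is safe to show for an arbitrary calendar URL. If the full URL is needed for debugging, keep it in a debug log that the user opts into, not in the always-visible status tray.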