Source: kmail-account-wizard Version: 4:22.12.3-3 Severity: important Tags: security upstream Forwarded: https://bugs.kde.org/show_bug.cgi?id=487882 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: fixed -1 4:24.08.0-1
Hi, The following vulnerability was published for kmail-account-wizard. CVE-2024-50624[0]: | ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle | attackers to trigger use of an attacker-controlled mail server | because cleartext HTTP is used for a URL such as | http://autoconfig.example.com or http://example.com/.well- | known/autoconfig for retrieving the configuration. This is related | to kmail-account-wizard. Code was substantially refactored, but the issue is present as well in older versions. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-50624 https://www.cve.org/CVERecord?id=CVE-2024-50624 [1] https://bugs.kde.org/show_bug.cgi?id=487882 [2] https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
