On Monday, 30 January 2017, 19:55:16 CET, Thorsten Alteholz wrote:
> Package: kf5-messagelib
> Severity: important
> Tags: security
[…]
> the following vulnerabilities were published for kf5-messagelib.
>
> CVE-2016-7967[0]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. Since the generated html is executed in the local
> | file security context by default access to remote and local URLs was
> | enabled.
>
> CVE-2016-7968[1]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. HTML Mail contents were not sanitized for
> | JavaScript and included code was executed.

Unstable has KMail 5.2.3 from KDEPIM 16.04 which AFAIK doesn't use webengine yet.

I am not sure whether the older KMail + messagelib stuff has similar issues.

Ciao,
--
Martin