Your message dated Thu, 07 Sep 2017 17:47:09 +0000
with message-id <e1dq0tr-00080i...@fasolo.debian.org>
and subject line Bug#864804: fixed in kdepim 4:16.04.3-4~deb9u1
has caused the Debian Bug report #864804,
regarding CVE-2017-9604: Send Later with Delay bypasses OpenPGP
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
864804: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864804
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: kf5-messagelib
Version: 4:16.04.3-2
Severity: important
Tags: patch upstream security
Control: clone -1 -2
Control: reassign -2 kdepim 4:4.14.1-1
Hi,
the following vulnerability was published for kf5-messagelib (and
kmail).
CVE-2017-9604[0]:
| KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in
| KDE Applications before 17.04.2, do not ensure that a plugin's
| sign/encrypt action occurs during use of the Send Later feature, which
| allows remote attackers to obtain sensitive information by sniffing the
| network.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9604
[1] https://www.kde.org/info/security/advisory-20170615-1.txt
Looking at the patchset I see it would apply as well to
kdepim/4:4.14.1-1 to some extent. I have some difficulties, though,
correctly classifying this, not knowing this Send Later feature. Can you
please double-check the above?
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: kdepim
Source-Version: 4:16.04.3-4~deb9u1
We believe that the bug you reported is fixed in the latest version of
kdepim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sandro Knauß <he...@debian.org> (supplier of updated kdepim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 17 Jun 2017 12:12:03 +0200
Source: kdepim
Binary: kdepim kdepim-doc akregator accountwizard kaddressbook kalarm
storageservicemanager kmail knotes konsolekalendar kontact korganizer blogilo
akonadiconsole ktnef kdepim-themeeditors
Architecture: source
Version: 4:16.04.3-4~deb9u1
Distribution: stretch
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Sandro Knauß <he...@debian.org>
Description:
accountwizard - wizard for KDE PIM applications account setup
akonadiconsole - management and debugging console for akonadi
akregator - RSS/Atom feed aggregator
blogilo - graphical blogging client
kaddressbook - address book and contact data manager
kalarm - alarm message, command and email scheduler
kdepim - Personal Information Management apps from the official KDE releas
kdepim-doc - KDE Personal Information Management library documentation
kdepim-themeeditors - Theme Editors for KDE PIM applications
kmail - full featured graphical email client
knotes - sticky notes application
konsolekalendar - konsole personal organizer
kontact - integrated application for personal information management
korganizer - calendar and personal organizer
ktnef - Viewer for mail attachments using TNEF format
storageservicemanager - KDE PIM storage service
Closes: 864804
Changes:
kdepim (4:16.04.3-4~deb9u1) stretch; urgency=high
.
* Team upload.
.
[ Sandro Knauß ]
* Fix CVE-2017-9604: Send Later with Delay bypasses OpenPGP (Closes: #864804)
- Added upstream patch fix-CVE-2017-9604.patch
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---