Ubuntu alert USN-7729-1 (kdepim)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-7729-1] KDE PIM vulnerabilities | |
| Date: | Wed, 03 Sep 2025 14:37:58 +0000 | |
| Message-ID: | <E1utocY-0007fT-9B@lists.ubuntu.com> |
========================================================================== Ubuntu Security Notice USN-7729-1 September 02, 2025 kdepim vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in KDE PIM. Software Description: - kdepim: Personal Information Management apps Details: Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk discovered that the KMail application of KDE PIM could be made to leak the plaintext of S/MIME encrypted emails when retrieving external content in emails. Under certain configurations, if a user were tricked into opening a specially crafted email, an attacker could possibly use this issue to obtain the plaintext of an encrypted email. This update mitigates the issue by preventing KMail from automatically loading external content. (CVE-2017-17689) Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel, and Jörg Schwenk discovered that the KMail application of KDE PIM could be made to leak the plaintext of S/MIME or PGP encrypted emails. If a user were tricked into replying to a specially crafted email, an attacker could possibly use this issue to obtain the plaintext of an encrypted email. (CVE-2019-10732) It was discovered that the KMail application of KDE PIM could be made to attach files to an email without the user's knowledge. If a user were tricked into sending an email created by a specially crafted "mailto" link, an attacker could possibly use this issue to obtain sensitive files. This update mitigates the issue by displaying a warning to the user when files are attached in this way. (CVE-2020-11880) It was discovered that the Account Wizard application of KDE PIM used HTTP rather than HTTPS when retrieving certain email server configurations. An attacker could possibly use this issue to cause email clients to use an attacker-controlled email server. This issue only affected Ubuntu 16.04 LTS. (CVE-2024-50624) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS accountwizard 4:15.12.3-0ubuntu1.1+esm1 Available with Ubuntu Pro kmail 4:15.12.3-0ubuntu1.1+esm1 Available with Ubuntu Pro libkf5messageviewer5 4:15.12.3-0ubuntu1.1+esm1 Available with Ubuntu Pro libkf5templateparser5 4:15.12.3-0ubuntu1.1+esm1 Available with Ubuntu Pro Ubuntu 14.04 LTS kmail 4:4.13.3-0ubuntu0.2+esm1 Available with Ubuntu Pro libmessageviewer4 4:4.13.3-0ubuntu0.2+esm1 Available with Ubuntu Pro libtemplateparser4 4:4.13.3-0ubuntu0.2+esm1 Available with Ubuntu Pro After a standard system update you need to restart KMail to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7729-1 CVE-2017-17689, CVE-2019-10732, CVE-2020-11880, CVE-2024-50624
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmi3UAMACgkQcpJm3tlz hgEa+BAAmFSQ3ExrO/lmsdciLixU8/gAezz0LuWvTh6BdQAFfI+O72pqZKlvyye0 0l+AFv2JgvWriqFV9+0oKIAq9vVY5bhzwTr7+IK9yoTK718R8jO4X90tupQosnLZ ljSsryV8gtY0yu6t8ydTyFTZKe4qwfrpwj0ZZ5Et5HLolCd/HtoxgDZFmqI+sfgK jXtY6kgZ0VE4T6zgqmEfJI6I/iVe3BsbLPM8nlWqdeS8NoRQ5WM8aJkoO7ItBbLC 5v0VjoSLvLwXOB/qQZ/HuSueUabcW6SmfbiSKQhvua2MH6l7HzJTtlp6Vn+Z7ZTQ aQOeVdiqjAWdNRbxotTADg8y6as7xoqrYILLN2r5EGJm1WpaO+qbQAsb1yyuQ9XW JJiSYs9RD2/HuaRVeDcjkEHEglULk5/Cy2Nb/6TRiu3K0f1DgUKEoV5Dkj5+pbvI E0xKfS0Tu2YzfuQYHIfaY/8v9QXO9PiwN4T8l+Yr9hwotWhSI9Qf0M38Lqh1XFH+ /e2G1jnteN1NDfnkwxdMrjAg5fMfqnRw41pCbk2EP2RUCFjv+nu+TYNp+iv9KtKe VRIX7HaPWxl/xu6oqujE8TOu1ra0ffmPaRDs6zqksXJgISksYdTJ6DVx85tvtRKi 1sZsOzYn/Fa0pZUKRBf58XVbLuLBiKwBKznOgaZRlgWJ4vlK/hs= =mZFt -----END PGP SIGNATURE-----