Package: kmail
Version: 4:4.11.5-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

Configure an outgoing SMTP server with (Start)TLS in kmail. If the server presents an invalid or self-signed certificate to the agent, KDE will show a warning dialog offering three choices: details, continue and cancel (not sure about translation from fr_FR locale).

The "details" button works as expected, showing certificate info, then returning to the previous dialog.

The "cancel" button has no effect other than to bring the same dialog almost instantly back in an infinite loop.

The "continue" button yields another dialog letting the user choose how long to accept the certificate, either forever, or only for the current session. If the dialog is closed without answer, Kmail assumes forever. At that point, the mail feeder will happily send user credentials over to the untrusted server.

So basically, there is no way to reject an invalid certificate, other than to kill the mail feeder or take the system offline.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.10-basile (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kmail depends on:
ii  kde-runtime                   4:4.11.5-1
ii  kdepim-runtime                4:4.11.5-1
ii  kdepimlibs-kio-plugins        4:4.11.5-4+b1
ii  libakonadi-calendar4          4:4.11.5-4+b1
ii  libakonadi-contact4           4:4.11.5-4+b1
ii  libakonadi-kde4               4:4.11.5-4+b1
ii  libakonadi-kmime4             4:4.11.5-4+b1
ii  libakonadiprotocolinternals1  1.11.0-1
ii  libc6                         2.18-4
ii  libcalendarsupport4           4:4.11.5-1
ii  libgcc1                       1:4.9-20140411-2
ii  libgpgme++2                   4:4.11.5-4+b1
ii  libgrantlee-core0             0.3.0-5
ii  libincidenceeditorsng4        4:4.11.5-1
ii  libkabc4                      4:4.11.5-4+b1
ii  libkalarmcal2                 4:4.11.5-4+b1
ii  libkcalcore4                  4:4.11.5-4+b1
ii  libkcalutils4                 4:4.11.5-4+b1
ii  libkcmutils4                  4:4.11.5-3
ii  libkdecore5                   4:4.11.5-3
ii  libkdepim4                    4:4.11.5-1
ii  libkdeui5                     4:4.11.5-3
ii  libkio5                       4:4.11.5-3
ii  libkleo4                      4:4.11.5-1
ii  libkmime4                     4:4.11.5-4+b1
ii  libknewstuff3-4               4:4.11.5-3
ii  libknotifyconfig4             4:4.11.5-3
ii  libkontactinterface4          4:4.11.5-4+b1
ii  libkparts4                    4:4.11.5-3
ii  libkpgp4                      4:4.11.5-1
ii  libkpimidentities4            4:4.11.5-4+b1
ii  libkpimtextedit4              4:4.11.5-4+b1
ii  libkpimutils4                 4:4.11.5-4+b1
ii  libkprintutils4               4:4.11.5-3
ii  libksieveui4                  4:4.11.5-1
ii  libktnef4                     4:4.11.5-4+b1
ii  libmailcommon4                4:4.11.5-1
ii  libmailimporter4              4:4.11.5-1
ii  libmailtransport4             4:4.11.5-4+b1
ii  libmessagecomposer4           4:4.11.5-1
ii  libmessagecore4               4:4.11.5-1
ii  libmessagelist4               4:4.11.5-1
ii  libmessageviewer4             4:4.11.5-1
ii  libnepomukcore4               4:4.11.5-2+b1
ii  libpimcommon4                 4:4.11.5-1
ii  libqt4-dbus                   4:4.8.5+git242-g0315971+dfsg-2
ii  libqt4-network                4:4.8.5+git242-g0315971+dfsg-2
ii  libqt4-xml                    4:4.8.5+git242-g0315971+dfsg-2
ii  libqtcore4                    4:4.8.5+git242-g0315971+dfsg-2
ii  libqtgui4                     4:4.8.5+git242-g0315971+dfsg-2
ii  libqtwebkit4                  2.2.1-7
ii  libsendlater4                 4:4.11.5-1
ii  libsolid4                     4:4.11.5-3
ii  libsoprano4                   2.9.4+dfsg-1
ii  libstdc++6                    4.9-20140411-2
ii  libtemplateparser4            4:4.11.5-1
ii  perl                          5.18.2-2+b1

Versions of packages kmail recommends:
ii  gnupg-agent                   2.0.22-3
ii  gnupg2                        2.0.22-3
ii  pinentry-qt4 [pinentry-x11]   0.8.3-2

Versions of packages kmail suggests:
pn  clamav | f-prot-installer     <none>
pn  kaddressbook                  <none>
pn  kleopatra                     <none>
pn  procmail                      <none>
pn  spamassassin | bogofilter | annoyance-filter | spambayes | bsfilter  <none>

-- no debconf information

Archive: https://lists.debian.org/20140422193328.15837.53977.report...@basile.remlab.net