Package: libkf5kmanagesieve5
Version: 4:22.12.3-1
Severity: grave
Tags: security, patch, upstream

Dear Maintainer,

kmail, when using managesieve, sends the password as username to servers. This is particularly bad because usernames are commonly logged by servers in plaintext. It thus leaks passwords into server-side plaintext logs e.g. with dovecot.

This seems to have been fixed upstream:
https://invent.kde.org/pim/libksieve/-/commit/6b460ba93ac4ac503ba039d0b788ac7595120db1

Please consider a backport of that patch or updating the package quickly.

Thank you.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libkf5kmanagesieve5 depends on:
ii  kio                   5.107.0-1+b1
ii  libc6                 2.37-15
ii  libkf5configcore5     5.107.0-1+b1
ii  libkf5coreaddons5     5.107.0-1+b1
ii  libkf5i18n5           5.107.0-1+b1
ii  libkf5kiocore5        5.107.0-1+b1
ii  libkf5kiowidgets5     5.107.0-1+b1
ii  libkf5ksieve-data     4:22.12.3-1
ii  libkf5widgetsaddons5  5.107.0-1+b1
ii  libqt5core5a          5.15.10+dfsg-7
ii  libqt5network5        5.15.10+dfsg-7
ii  libqt5widgets5        5.15.10+dfsg-7
ii  libsasl2-2            2.1.28+dfsg1-4+b1
ii  libstdc++6            14-20240201-3

libkf5kmanagesieve5 recommends no packages.

libkf5kmanagesieve5 suggests no packages.

-- no debconf information

--
Jonas Schäfer
Team Lead Cloud Infrastructure Development

Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 37
jonas.schae...@cloudandheat.com | www.cloudandheat.com

Green, Open, Efficient.
Your Cloud Service and Cloud Technology Provider from Dresden.
https://www.cloudandheat.com/

Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann
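For server operators assessing exposure, the following is an added example (not part of the original report and not libksieve or Dovecot code): it scans login logs for managesieve `user=<...>` values that match no known account, reports them without echoing the value, and lists accounts that logged in from the same address as password-reset candidates. The log lines are constructed and only modelled on Dovecot's login log format; `known_users`, the function name and the assumption that the leaked value appears in a `user=<...>` field followed by `, method=` are hypothetical and must be adapted to the real logs.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs); the password-like value is made up.
SAMPLE_LOG = """\
Feb 12 09:14:02 mail dovecot: managesieve-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Feb 12 09:20:41 mail dovecot: managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Tr0ub4dor&3>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Feb 12 09:31:10 mail dovecot: managesieve-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Feb 12 09:40:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
"""

# The user field is matched up to ">, method=" so that values containing
# ">" or "," (plausible in a password) are still captured whole.
LINE_RE = re.compile(
    r"(?P<service>[\w-]+)-login: (?P<event>[^:]+): "
    r"user=<(?P<user>.*?)>, method=.*?\brip=(?P<rip>[0-9A-Fa-f:.]+)"
)

def find_leaked_credentials(log_text, known_users):
    """Return managesieve log entries whose 'user' is not a known account.

    The suspicious value itself is never returned, only its length, so the
    report can be shared without spreading the secret further.
    """
    logins_by_ip = defaultdict(set)   # rip -> accounts seen logging in
    suspects = []                     # (line number, rip, value length)
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        service, event, user, rip = m.group("service", "event", "user", "rip")
        if user in known_users:
            if event == "Login":
                logins_by_ip[rip].add(user)
        elif service == "managesieve":
            suspects.append((n, rip, len(user)))
    return [
        {"line": n, "rip": rip, "value_length": length,
         "reset_candidates": sorted(logins_by_ip.get(rip, ()))}
        for n, rip, length in suspects
    ]

if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_LOG, {"alice", "bob"}):
        print(hit)
```

Any hit means the logged value should be treated as a compromised password: rotate it for the candidate accounts and purge or restrict the affected log files and their backups.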