Bug#914211: Processed: fixed in 5.54.1-1
On Samstag, 19. Januar 2019 08:15:20 CET Pino Toscano wrote: > In data sabato 19 gennaio 2019 01:12:38 CET, Debian Bug Tracking System ha scritto: > > Processing commands for cont...@bugs.debian.org: > > > fixed 914211 5.54.1-1 > > > > Bug #914211 [src:kio] [src:kio] please remove insecure TLS version > > fall-back mechanism Marked as fixed in versions kio/5.54.1-1. > > > > > thanks > > > > Stopping processing here. > > Closing the bug then. > > Maximilian, please follow the right procedure for closing bugs: > https://www.debian.org/Bugs/Developer.en.html#closing > > Thanks, Hi Pino, I didn't close the bug because the version in stable is still affected by it. I filed my initial report against both versions, stable and testing/unstable at that time, because I was told on #debian-devel IRC to do so. So if this bug is closed how can/should the version in stable be tracked? Thanks, Maxi signature.asc Description: This is a digitally signed message part.
Bug#914212: link to other bug reports
Please also see the bug report of this issue in src:kio here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914211 If you consider fixing this in stretch please also have a look at this bug report about adding TLSv1.2 support for smtp connections to kde4libs in stretch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891254 signature.asc Description: This is a digitally signed message part.
Bug#914211: link to other bug report
Please also see the bug report of this issue in libkio5 (src:kde4libs) here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914212 signature.asc Description: This is a digitally signed message part.
Bug#914212: [libkio5] please remove insecure TLS version fall-back mechanism
Package: libkio5
Version: 4:4.14.26-2
Severity: important
Tags: patch
Hi,
Until recently KDE kio had a custom TLS version fall-back mechanism which made
it possible to downgrade a TLS connection to TLSv1.0 even if the server and
client support a higher TLS version. This has been fixed upstream in [1], [2]
and is also included in KDE Frameworks 5.52.0 [3].
I backported the patch from [2] for the kio code in kde4libs. Please also
consider fixing this in stretch.
[1] https://phabricator.kde.org/D16344
[2]
https://cgit.kde.org/kio.git/commit/src/core/tcpslavebase.cpp?id=e11d4d18f66ad1c6927b058be84e11d46d9de55a
[3] https://www.kde.org/announcements/kde-frameworks-5.52.0.php
Thanks for your work on Debian!backport https://cgit.kde.org/kio.git/commit/src/core/tcpslavebase.cpp?id=e11d4d18f66ad1c6927b058be84e11d46d9de55a
to stretch.
--- a/kio/kio/tcpslavebase.cpp
+++ b/kio/kio/tcpslavebase.cpp
@@ -349,106 +349,50 @@
}
}
-/*
- By default the SSL handshake attempt uses these settings in the order shown:
-
- 1.) Protocol: KTcpSocket::SecureProtocols SSL compression: OFF (DEFAULT)
- 2.) Protocol: KTcpSocket::TlsV1 SSL compression: OFF
- 3.) Protocol: KTcpSocket::SslV3 SSL compression: OFF
-
- If any combination other than the one marked DEFAULT is used to complete
- the SSL handshake, then that combination will be cached using KIO's internal
- meta-data mechanism in order to speed up future connections to the same host.
-*/
-
QSslConfiguration sslConfig = d->socket.sslConfiguration();
+const int timeout = (connectTimeout() * 1000); // 20 sec timeout value
-#if QT_VERSION >= 0x040800
-// NOTE: Due to 'CRIME' SSL attacks, compression is always disabled.
-sslConfig.setSslOption(QSsl::SslOptionDisableCompression, true);
-#endif
-
-const int lastSslVerson = config()->readEntry("LastUsedSslVersion", static_cast(KTcpSocket::SecureProtocols));
-KTcpSocket::SslVersion trySslVersion = static_cast(lastSslVerson);
-KTcpSocket::SslVersions alreadyTriedSslVersions = trySslVersion;
+disconnectFromHost(); //Reset some state, even if we are already disconnected
+d->host = host;
-const int timeout = (connectTimeout() * 1000); // 20 sec timeout value
-while (true) {
-disconnectFromHost(); //Reset some state, even if we are already disconnected
-d->host = host;
-
-d->socket.connectToHost(host, port);
-const bool connectOk = d->socket.waitForConnected(timeout > -1 ? timeout : -1);
-
-kDebug(7027) << "Socket: state=" << d->socket.state()
- << ", error=" << d->socket.error()
- << ", connected?" << connectOk;
+d->socket.connectToHost(host, port);
+const bool connectOk = d->socket.waitForConnected(timeout > -1 ? timeout : -1);
-if (d->socket.state() != KTcpSocket::ConnectedState) {
-if (errorString)
-*errorString = host + QLatin1String(": ") + d->socket.errorString();
-switch (d->socket.error()) {
-case KTcpSocket::UnsupportedSocketOperationError:
-return ERR_UNSUPPORTED_ACTION;
-case KTcpSocket::RemoteHostClosedError:
-return ERR_CONNECTION_BROKEN;
-case KTcpSocket::SocketTimeoutError:
-return ERR_SERVER_TIMEOUT;
-case KTcpSocket::HostNotFoundError:
-return ERR_UNKNOWN_HOST;
-default:
-return ERR_COULD_NOT_CONNECT;
-}
+kDebug(7027) << "Socket: state=" << d->socket.state()
+ << ", error=" << d->socket.error()
+ << ", connected?" << connectOk;
+
+if (d->socket.state() != KTcpSocket::ConnectedState) {
+if (errorString)
+*errorString = host + QLatin1String(": ") + d->socket.errorString();
+switch (d->socket.error()) {
+case KTcpSocket::UnsupportedSocketOperationError:
+return ERR_UNSUPPORTED_ACTION;
+case KTcpSocket::RemoteHostClosedError:
+return ERR_CONNECTION_BROKEN;
+case KTcpSocket::SocketTimeoutError:
+return ERR_SERVER_TIMEOUT;
+case KTcpSocket::HostNotFoundError:
+return ERR_UNKNOWN_HOST;
+default:
+return ERR_COULD_NOT_CONNECT;
}
+}
-//### check for proxyAuthenticationRequiredError
+//### check for proxyAuthenticationRequiredError
-d->ip = d->socket.peerAddress().toString();
-d->port = d->socket.peerPort();
+d->ip = d->socket.peerAddress().toString();
+d->port = d->socket.peerPort();
-if (d->autoSSL) {
-SslResult res = d->startTLSInternal(trySslVersion, sslConfig, timeout);
-if ((res & ResultFailed) && (res & ResultFailedEarly)) {
-if (!(alreadyTriedSslVersions & KTcpSocket::SecureProtocols)) {
-trySslVersion = KTcpSocke
Bug#914211: [src:kio] please remove insecure TLS version fall-back mechanism
Package: src:kio
Version: 5.49.0-1
Severity: important
Tags: patch
Control: found -1 5.28.0-2
Hi,
Until recently KDE kio had a custom TLS version fall-back mechanism which made
it possible to downgrade a TLS connection to TLSv1.0 even if the server and
client support a higher TLS version. This has been fixed upstream in [1], [2]
and is also included in KDE Frameworks 5.52.0 [3].
Please consider backporting the patch from [2] or shipping a newer KDE
Frameworks version, so this fix can be included in buster.
Attached you also find a backported version of [2] for the version in stretch.
Please consider also fixing this in stretch.
[1] https://phabricator.kde.org/D16344
[2] https://cgit.kde.org/kio.git/commit/src/core/tcpslavebase.cpp?
id=e11d4d18f66ad1c6927b058be84e11d46d9de55a
[3] https://www.kde.org/announcements/kde-frameworks-5.52.0.php
Thanks for your work on Debian!
backport https://cgit.kde.org/kio.git/commit/src/core/tcpslavebase.cpp?id=e11d4d18f66ad1c6927b058be84e11d46d9de55a
to stretch.
--- a/src/core/tcpslavebase.cpp
+++ b/src/core/tcpslavebase.cpp
@@ -335,111 +335,51 @@
}
}
-/*
- SSL handshake is attempted in the following order:
+const int timeout = (connectTimeout() * 1000); // 20 sec timeout value
- 1.) KTcpSocket::SecureProtocols
- 2.) KTcpSocket::TlsV1_2
- 3.) KTcpSocket::TlsV1_1
- 4.) KTcpSocket::TlsV1_0
-
- Note that we indivially attempt connection with each TLS version
- because some sites don't support SSL negotiation. #275524
-
- The version used to successfully make encrypted connection with the
- remote server is cached within the process to make subsequent
- connection requests to the same server faster.
- */
-
-const int lastSslVerson = config()->readEntry("LastUsedSslVersion", static_cast(KTcpSocket::SecureProtocols));
-KTcpSocket::SslVersion trySslVersion = static_cast(lastSslVerson);
-KTcpSocket::SslVersions alreadyTriedSslVersions = trySslVersion;
+disconnectFromHost(); //Reset some state, even if we are already disconnected
+d->host = host;
-const int timeout = (connectTimeout() * 1000); // 20 sec timeout value
-while (true) {
-disconnectFromHost(); //Reset some state, even if we are already disconnected
-d->host = host;
-
-d->socket.connectToHost(host, port);
-/*const bool connectOk = */d->socket.waitForConnected(timeout > -1 ? timeout : -1);
-
-/*qDebug() << "Socket: state=" << d->socket.state()
- << ", error=" << d->socket.error()
- << ", connected?" << connectOk;*/
+d->socket.connectToHost(host, port);
+/*const bool connectOk = */d->socket.waitForConnected(timeout > -1 ? timeout : -1);
-if (d->socket.state() != KTcpSocket::ConnectedState) {
-if (errorString) {
-*errorString = host + QLatin1String(": ") + d->socket.errorString();
-}
-switch (d->socket.error()) {
-case KTcpSocket::UnsupportedSocketOperationError:
-return ERR_UNSUPPORTED_ACTION;
-case KTcpSocket::RemoteHostClosedError:
-return ERR_CONNECTION_BROKEN;
-case KTcpSocket::SocketTimeoutError:
-return ERR_SERVER_TIMEOUT;
-case KTcpSocket::HostNotFoundError:
-return ERR_UNKNOWN_HOST;
-default:
-return ERR_CANNOT_CONNECT;
-}
+/*qDebug() << "Socket: state=" << d->socket.state()
+<< ", error=" << d->socket.error()
+<< ", connected?" << connectOk;*/
+
+if (d->socket.state() != KTcpSocket::ConnectedState) {
+if (errorString) {
+*errorString = host + QLatin1String(": ") + d->socket.errorString();
}
+switch (d->socket.error()) {
+case KTcpSocket::UnsupportedSocketOperationError:
+return ERR_UNSUPPORTED_ACTION;
+case KTcpSocket::RemoteHostClosedError:
+return ERR_CONNECTION_BROKEN;
+case KTcpSocket::SocketTimeoutError:
+return ERR_SERVER_TIMEOUT;
+case KTcpSocket::HostNotFoundError:
+return ERR_UNKNOWN_HOST;
+default:
+return ERR_CANNOT_CONNECT;
+}
+}
-//### check for proxyAuthenticationRequiredError
+//### check for proxyAuthenticationRequiredError
-d->ip = d->socket.peerAddress().toString();
-d->port = d->socket.peerPort();
+d->ip = d->socket.peerAddress().toString();
+d->port = d->socket.peerPort();
-if (d->autoSSL) {
-SslResult res = d->startTLSInternal(trySslVersion, timeout);
-if ((res & ResultFailed) && (res & ResultFailedEarly)) {
-if (!(alreadyTriedSslVersions & KTcpSocket::SecureProtocols)) {
-trySslVersion = KTcpSocket::SecureProtocols;
-alreadyTriedSslVersions |= trySslVersion;
-continue;
-
Bug#891253: Related bugs
Please also see the related bugs for smtp https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891254 and imap https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891255 signature.asc Description: This is a digitally signed message part.
Bug#891254: Related bugs
Please also see the related bugs for sieve https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891253 and imap https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891255 signature.asc Description: This is a digitally signed message part.
Bug#891255: Related bugs
Please also see the related bugs for sieve https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891253 and smtp https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891254 signature.asc Description: This is a digitally signed message part.
Bug#891255: [src:kimap] Please enable TLSv1.2 for imap connections in stretch
Package: src:kimap
Version: 16.04.2-1
Severity: important
Tags: patch, stretch
--- Please enter the report below this line. ---
kmail in stretch only supports TLSv1.0 which hinders it to connect to mail
servers that only support TLSv1.2 or TLSv.1.1.
The attached patch is a backport of the upstream fix from here:
https://bugs.kde.org/show_bug.cgi?id=342567
https://git.reviewboard.kde.org/r/129030/
It is necessary for imap connections.
I primary reported the patches here
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797844#33
but was told on irc to file separate bug reports.
I tested this patch for some weeks on my system without any issues.
Pleas let me know if you have any questions.
Thank you for maintaining KDE packages in Debian!
--- System information. ---
Architecture:
Kernel: Linux 4.9.0-6-amd64
Debian Release: 9.3
500 stable-updates deb.debian.org
500 stable deb.debian.org
100 stretch-backports deb.debian.org
--- Package information. ---
Depends (Version) | Installed
===-+-==
kio | 5.28.0-2
libc6 (>= 2.14) |
libgcc1 (>= 1:3.0) |
libkf5codecs5 (>= 4.96.0) |
libkf5coreaddons5 (>= 4.97.0) |
libkf5i18n5 (>= 4.97.0) |
libkf5kiocore5 (>= 4.96.0) |
libkf5mime5 (>= 15.07.90) |
libqt5core5a (>= 5.7.0) |
libsasl2-2 |
libstdc++6 (>= 4.1.1) |
Package's Recommends field is empty.
Package's Suggests field is empty.
--- a/src/loginjob.cpp
+++ b/src/loginjob.cpp
@@ -383,7 +383,7 @@
switch (d->authState) {
case LoginJobPrivate::StartTls:
-d->sessionInternal()->startSsl(KTcpSocket::TlsV1);
+d->sessionInternal()->startSsl(KTcpSocket::SecureProtocols);
break;
case LoginJobPrivate::Capability:
signature.asc
Description: This is a digitally signed message part.
Bug#891254: [src:kde4libs] Please enable TLSv1.2 for smtp connections in stretch
Package: src:kde4libs
Version: 4:4.14.26-2
Severity: important
Tags: patch, stretch
--- Please enter the report below this line. ---
kmail in stretch only supports TLSv1.0 which hinders it to connect to mail
servers that only support TLSv1.2 or TLSv.1.1.
The attached patch is a backport of the upstream fix from here:
https://bugs.kde.org/show_bug.cgi?id=342567
https://git.reviewboard.kde.org/r/129031/
It is necessary for smtp connections.
I primary reported the patches here
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797844#33
but was told on irc to file separate bug reports.
I tested this patch for some weeks on my system without any issues.
Pleas let me know if you have any questions.
Thank you for maintaining KDE packages in Debian!
--- System information. ---
Architecture:
Kernel: Linux 4.9.0-6-amd64
Debian Release: 9.3
500 stable-updates deb.debian.org
500 stable deb.debian.org
100 stretch-backports deb.debian.org
--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.
--- a/kio/kio/tcpslavebase.cpp
+++ b/kio/kio/tcpslavebase.cpp
@@ -499,7 +499,7 @@
{
if (d->usingSSL)
return false;
-return d->startTLSInternal(KTcpSocket::TlsV1) & ResultOk;
+return d->startTLSInternal(KTcpSocket::SecureProtocols) & ResultOk;
}
TCPSlaveBase::SslResult TCPSlaveBase::TcpSlaveBasePrivate::startTLSInternal (KTcpSocket::SslVersion version,
signature.asc
Description: This is a digitally signed message part.
Bug#891253: [src:libkf5ksieve] Please enable TLSv1.2 for sieve connections in stretch
Package: src:libkf5ksieve Version: 4:16.04.3-2 Severity: important Tags: patch, stretch --- Please enter the report below this line. --- kmail in stretch only supports TLSv1.0 which hinders it to connect to mail servers that only support TLSv1.2 or TLSv.1.1. The attached patch is a backport of the upstream fix from here: https://bugs.kde.org/show_bug.cgi?id=342567 https://git.reviewboard.kde.org/r/129029/ It is necessary for sieve connections. I primary reported the patches here https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797844#33 but was told on irc to file separate bug reports. I tested this patch for some weeks on my system without any issues. Pleas let me know if you have any questions. Thank you for maintaining KDE packages in Debian! --- System information. --- Architecture: Kernel: Linux 4.9.0-6-amd64 Debian Release: 9.3 500 stable-updates deb.debian.org 500 stable deb.debian.org 100 stretch-backports deb.debian.org --- Package information. --- Package's Depends field is empty. Package's Recommends field is empty. Package's Suggests field is empty. --- a/src/kmanagesieve/sessionthread.cpp +++ b/src/kmanagesieve/sessionthread.cpp @@ -453,7 +453,7 @@ m_sslCheck->setInterval(60 * 1000); connect(m_sslCheck, &QTimer::timeout, this, &SessionThread::slotSslTimeout); } -m_socket->setAdvertisedSslVersion(KTcpSocket::TlsV1); +m_socket->setAdvertisedSslVersion(KTcpSocket::SecureProtocols); m_socket->ignoreSslErrors(); connect(m_socket, &KTcpSocket::encrypted, this, &SessionThread::slotEncryptedDone); m_sslCheck->start(); signature.asc Description: This is a digitally signed message part.
Bug#797844: kmail: TLSv1.1 and TLSv1.2 are not supported
tag 797844 + patch
thanks
Hi,
I recently ran into this bug when my mail server switched to TLS 1.2 only.
I backported the upstream changes to the Debian stretch packages and are
running them now without problems.
The patches are are attached to this mail. Affect source packages are kimap,
libkf5ksieve and kde4libs.
As the patches are fairly trivial can this be applied to Debian stable? If I
remember correctly severity important classifies for fixing in stable.
Pleas let me know if you have any questions.
Thank you for maintaining KDE packages in Debian!--- a/kio/kio/tcpslavebase.cpp
+++ b/kio/kio/tcpslavebase.cpp
@@ -499,7 +499,7 @@
{
if (d->usingSSL)
return false;
-return d->startTLSInternal(KTcpSocket::TlsV1) & ResultOk;
+return d->startTLSInternal(KTcpSocket::SecureProtocols) & ResultOk;
}
TCPSlaveBase::SslResult TCPSlaveBase::TcpSlaveBasePrivate::startTLSInternal (KTcpSocket::SslVersion version,
--- a/src/loginjob.cpp
+++ b/src/loginjob.cpp
@@ -383,7 +383,7 @@
switch (d->authState) {
case LoginJobPrivate::StartTls:
-d->sessionInternal()->startSsl(KTcpSocket::TlsV1);
+d->sessionInternal()->startSsl(KTcpSocket::SecureProtocols);
break;
case LoginJobPrivate::Capability:
--- a/src/kmanagesieve/sessionthread.cpp
+++ b/src/kmanagesieve/sessionthread.cpp
@@ -453,7 +453,7 @@
m_sslCheck->setInterval(60 * 1000);
connect(m_sslCheck, &QTimer::timeout, this, &SessionThread::slotSslTimeout);
}
-m_socket->setAdvertisedSslVersion(KTcpSocket::TlsV1);
+m_socket->setAdvertisedSslVersion(KTcpSocket::SecureProtocols);
m_socket->ignoreSslErrors();
connect(m_socket, &KTcpSocket::encrypted, this, &SessionThread::slotEncryptedDone);
m_sslCheck->start();
signature.asc
Description: This is a digitally signed message part.
Bug#850462: [src:libkf5ksieve] managing sieve scripts in kmail stops working after some time
Package: src:libkf5ksieve Version: 4:16.04.3-1 Severity: normal --- Please enter the report below this line. --- Hello, After a fresh start of kmail managing sieve scripts does work as expected. After some time it doesn't work any more. Opening Settings -> Manage Sieve Scripts... only shows a never ending spinning wheel and is not loading the available scripts. Restarting kmail temporary fixed this. I've seen upstream has some fixes for sieve connection management and backporting the following commits does indeed fix this: https://cgit.kde.org/libksieve.git/commit/? id=8fb821950bd8caae0c4a86e1d2ecb4caabab1689 https://cgit.kde.org/libksieve.git/commit/? id=ee4afdd78597cb9379a39951b9eca94a8e927f98 https://cgit.kde.org/libksieve.git/commit/? id=6862737561a9ee5fadcd78bd0655d0b45c893534 https://cgit.kde.org/libksieve.git/commit/? id=9bbf8a1dd9f3683000228773eef5dbeb12e0d008 https://cgit.kde.org/libksieve.git/commit/? id=3176d1cdf6e36429ac9c6b4ee79b37c22b4273c9 I didn't have a closer look if all of the patches are needed, but applying them all solved the problem for me. All of these are included in 16.08.0 but not in 16.04.3. It would be nice to get this fixed for streatch. Thanks, Maxi --- System information. --- Architecture: Kernel: Linux 4.8.0-2-amd64 Debian Release: stretch/sid 500 testing httpredir.debian.org 500 stable security.debian.org --- Package information. --- Package's Depends field is empty. Package's Recommends field is empty. Package's Suggests field is empty. signature.asc Description: This is a digitally signed message part.
Bug#843534: workaround
I ran into this bug today. For me this is really a grave bug as is completely broke my mail setup. I found two ways how I could work around this bug: (A) install mysql-server and purge it again. (B) execute the following commands as root: # mkdir -m700 /var/lib/mysql-files # chown mysql:mysql /var/lib/mysql-files purging mysql-server leaves this directory existent, this is why (A) also worked. Probably the /var/lib/mysql-files directory should be created by some other package or the dependencies my need to be adjusted. Thanks, Maxi signature.asc Description: This is a digitally signed message part.
Bug#841458: [src:libkf5ksieve] managing sieve scripts broken in kmail
Package: src:libkf5ksieve Version: 4:16.04.2-2 Severity: important Tags: patch --- Please enter the report below this line. --- Hi, Managing sieve scripts from kmail is currently broken. When trying to edit the rules I get this error: Sieve operation failed. The server responded: require "fileinto"; This has been reported upstream here: https://bugs.kde.org/show_bug.cgi?id=364394 Which seems to be caused by a broken fix of https://bugs.kde.org/show_bug.cgi?id=328246 Cherry-picking upstream commit abc329d2b4d3a8efb489b0aa8dfb9cc2d2da9472 [1] (which reverts commit aa295b6cf15ee67a980b2858ccad6e6e8e769585 [2]) does indeed fix the problem. So it would be great if ether a new upstream version with this fix included could be uploaded or if the fix can be backported to the current version. [1] https://quickgit.kde.org/?p=libksieve.git&a=commit&h=abc329d2b4d3a8efb489b0aa8dfb9cc2d2da9472 [2] https://quickgit.kde.org/?p=libksieve.git&a=commit&h=aa295b6cf15ee67a980b2858ccad6e6e8e769585 Thanks, Maxi --- System information. --- Architecture: amd64 Kernel: Linux 4.7.0-1-amd64 Debian Release: stretch/sid 500 testing httpredir.debian.org 500 stable security.debian.org --- Package information. --- Depends(Version) | Installed -+- libkf5ksieve-data(= 4:16.04.2-2) | 4:16.04.2-2 libc6 (>= 2.14) | libkf5i18n5 (>= 4.97.0) | libkf5kiocore5 (>= 4.96.0) | libkf5kiowidgets5(>= 4.96.0) | libkf5widgetsaddons5 (>= 4.96.0) | libqt5core5a (>= 5.6.0~beta) | libqt5network5 (>= 5.4.0~) | libqt5widgets5 (>= 5.4.0~) | libsasl2-2 | libstdc++6(>= 4.1.1) | Package's Recommends field is empty. Package's Suggests field is empty. signature.asc Description: This is a digitally signed message part.
Bug#541653: kdelibs5: several (https) SSL certificates cannot be validated "for internal reasons"
I can confirm this bug. I have a laptop with Debian unstable and KDE 4.3 and a desktop PC with Debian testing and KDE 4.2 and both are affected by this bug. However on my desktop PC (KDE 4.2) this problem just occurred recently, so I don't think it's caused by kdelibs5. I think the real cause is a package that has recently migrated to testing (and of course is also in unstable). Sadly I have no idea what it could be. signature.asc Description: This is a digitally signed message part.
