[Secure-testing-commits] r48087 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Sun Jan 15 16:28:50 UTC 2017
Author: carnil
Date: 2017-01-15 16:28:50 +0000 (Sun, 15 Jan 2017)
New Revision: 48087
Modified:
data/CVE/list
Log:
Update notes for CVE-2016-796{7,8}
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-01-15 16:07:52 UTC (rev 48086)
+++ data/CVE/list 2017-01-15 16:28:50 UTC (rev 48087)
@@ -17844,11 +17844,22 @@
CVE-2016-7968 (KMail since version 5.3.0 used a QWebEngine based viewer that had ...)
- kf5-messagelib <unfixed>
NOTE: https://www.kde.org/info/security/advisory-20161006-3.txt
- TODO: check if vulnerable code present, might have been introduced in 4:16.08
+ NOTE: Would by fixed by: https://cgit.kde.org/messagelib.git/commit/?id=f601f9ffb706f7d3a5893b04f067a1f75da62c99
+ NOTE: and building with Qt 5.7.0.
+ NOTE: Following patches partly sanitize mails but still make it possible to inject code:
+ NOTE: https://cgit.kde.org/messagelib.git/commit/?id=3503b75e9c79c3861e182588a0737baf165abd23 (v16.08.2)
+ NOTE: https://cgit.kde.org/messagelib.git/commit/?id=a8744798dfdf8e41dd6a378e48662c66302b0019 (v16.08.2)
+ NOTE: https://cgit.kde.org/messagelib.git/commit/?id=77976584a4ed2797437a2423704abdd7ece7834a (v16.08.2)
+ NOTE: https://cgit.kde.org/messagelib.git/commit/?id=fb1be09360c812d24355076da544030a67b736fc (v16.08.2)
+ NOTE: https://cgit.kde.org/messagelib.git/commit/?id=0402c17a8ead92188971cb604d905b3072d56a73 (v16.08.2)
+ NOTE: The issue is mitigated with the fixes applied for CVE-2016-7966, and a
+ NOTE: user protected from this CVE by only viewing plain text mails.
CVE-2016-7967 (KMail since version 5.3.0 used a QWebEngine based viewer that had ...)
- kf5-messagelib <unfixed>
NOTE: https://www.kde.org/info/security/advisory-20161006-2.txt
- TODO: check if vulnerable code present, might have been introduced in 4:16.08
+ NOTE: Fixed by: https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1 (16.11.80)
+ NOTE: The issue is mitigated with the fixes applied for CVE-2016-7966, and a
+ NOTE: user protected from this CVE by only viewing plain text mails.
CVE-2016-7966 (Through a malicious URL that contained a quote character it was ...)
{DSA-3697-1 DLA-673-1}
- kdepimlibs 4:4.14.10-7 (bug #840546)
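Review bot: Both removed TODO lines asked whether the vulnerable code is present ("might have been introduced in 4:16.08"), but none of the added NOTE lines under CVE-2016-7968 or CVE-2016-7967 records the answer, and both entries stay at "- kf5-messagelib <unfixed>". Consider adding a NOTE that states the conclusion of that check so the reason for dropping the TODO is visible in the list. Wording: in the first added line for CVE-2016-7968, "Would by fixed by" should read "Would be fixed by", and in both mitigation notes "a user protected from this CVE" is missing "is". The version annotations are also inconsistent between the two entries, "(v16.08.2)" versus "(16.11.80)"; pick one form.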