[Bug 1232454] New: VUL-0: CVE-2024-50624: kmail-account-wizard: plaintext HTTP used for URLs when retrieving configuration files
https://bugzilla.suse.com/show_bug.cgi?id=1232454 Bug ID: 1232454 Summary: VUL-0: CVE-2024-50624: kmail-account-wizard: plaintext HTTP used for URLs when retrieving configuration files Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/425830/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: christophe@krop.fr Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: camila.matos@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-50624 https://www.cve.org/CVERecord?id=CVE-2024-50624 https://bugs.kde.org/show_bug.cgi?id=487882 https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d... https://invent.kde.org/pim/kmail/-/tags https://kde.org/announcements/megarelease/6/ -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232454 https://bugzilla.suse.com/show_bug.cgi?id=1232454#c1 --- Comment #1 from Camila Camargo de Matos <camila.matos@suse.com> --- openSUSE:Factory/kmail-account-wizard already contains the fix for this issue, and, therefore, is not affected by the vulnerability. The same package in openSUSE:Backports:SLE-15-SP5 and openSUSE:Backports:SLE-15-SP6, on the other hand, seems to be affected by this issue (see file src/ispdb/ispdb.cpp). -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232454 https://bugzilla.suse.com/show_bug.cgi?id=1232454#c2 Camila Camargo de Matos <camila.matos@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lbeltrame@kde.org --- Comment #2 from Camila Camargo de Matos <camila.matos@suse.com> --- @Christophe, I have set you as the assignee for this bug, as I was unable to find the official maintainer/bugowner for package kmail-account-wizard in OBS, and because you have recently made changes to this package in openSUSE:Factory. If you are aware of who the maintainer/bugowner for package kmail-account-wizard is, please feel free to reassign this bug to them. If that is not the case, please feel free to reassign it to the Security team, and we will look further into finding someone who could apply the fix to the vulnerable packages. Thanks in advance! -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232454 SMASH SMASH <smash_bz@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232454 https://bugzilla.suse.com/show_bug.cgi?id=1232454#c3 Christophe Marin <christophe@krop.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #3 from Christophe Marin <christophe@krop.fr> --- I'm not really convinced upstream should still allow http, but I'll backport the change to match the 6.2.0 behaviour. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232454 https://bugzilla.suse.com/show_bug.cgi?id=1232454#c5 Christophe Marin <christophe@krop.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |christophe@krop.fr Assignee|christophe@krop.fr |security-team@suse.de --- Comment #5 from Christophe Marin <christophe@krop.fr> --- Merged. Reassign to secteam -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232454 https://bugzilla.suse.com/show_bug.cgi?id=1232454#c6 --- Comment #6 from Marcus Meissner <meissner@suse.com> --- openSUSE-SU-2024:0353-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1232454 CVE References: CVE-2024-50624 JIRA References: Sources used: openSUSE Backports SLE-15-SP6 (src): kmail-account-wizard-23.08.5-bp156.2.3.1 openSUSE Backports SLE-15-SP5 (src): kmail-account-wizard-22.12.3-bp155.2.3.1 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232454 Camila Camargo de Matos <camila.matos@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com