[Bug 1117958] VUL-1: CVE-2018-19516: messagelib: Some HTML emails can trick messagelib into opening a new browser window when displaying said email as HTML. Workaround: Do not enable "Prefer HTML to plain text" in KMail settings.

http://bugzilla.opensuse.org/show_bug.cgi?id=1117958 http://bugzilla.opensuse.org/show_bug.cgi?id=1117958#c4 Fabian Vogt changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |fvogt@suse.com Resolution|FIXED |--- --- Comment #4 from Fabian Vogt --- (In reply to Wolfgang Bauer from comment #3)

I submitted the update for Leap 15.0: https://build.opensuse.org/request/show/653598

Tumbleweed will soon get 18.12.0 anyway.

Regarding 42.3 I'm not sure yet.

Closing as fixed for now though, please reopen if you do think an update for 42.3 is necessary as well. Thanks.

I'll try it on 42.3 tomorrow, I've made a simple PoC here. For some reason it opens a dolphin window if opening a mail as .mbox file, which I have to investigate further... In any case, the fix seems to be incomplete, so this needs some more fixing for 15 and TW as well... -- You are receiving this mail because: You are on the CC list for the bug.