KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network. Upstream fixes: kmail: https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8 messagelib: https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197 External References: https://www.kde.org/info/security/advisory-20170615-1.txt
Created kdepim3 tracking bugs for this issue: Affects: epel-7 [bug 1461761] Affects: fedora-all [bug 1461759] Created kdepim4 tracking bugs for this issue: Affects: fedora-all [bug 1461758] Created kf5-messagelib tracking bugs for this issue: Affects: fedora-all [bug 1461757] Created kmail tracking bugs for this issue: Affects: fedora-all [bug 1461760]
> > Created kdepim4 tracking bugs for this issue: > > Affects: fedora-all [bug 1461758] fixed in kdepim4-4.14.10-31 > > Created kf5-messagelib tracking bugs for this issue: > > Affects: fedora-all [bug 1461757] > fixed in kf5-messagelib-16.12.3-2.fc25 and kf5-messagelib-17.04.1-2.fc26 > > Created kmail tracking bugs for this issue: > > Affects: fedora-all [bug 1461760] fixed in kmail-17.04.1-3.fc26 and kmail-16.12.3-2.fc25