[Secure-testing-team] Bug#526985: kmail: SSL connection with CAcert cannot be secured
Remi Denis-Courmont
rdenis at simphalempin.com
Mon May 4 19:55:51 UTC 2009
Package: kmail
Version: 4:4.2.2-1
Severity: grave
Tags: security
Justification: user security hole
Hello,
Unlike in KDE 3.5, kmail in KDE 4.2 is incapable of verifying
IMAP server credentials when TLS is used. This means that the user has
to decide between fetching mail at all or exposing themselves to MITM
attacks. This seems like a security issue.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (100, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages kmail depends on:
ii kdebase-runtime 4:4.2.2-1 runtime components from the offici
ii kdelibs5 4:4.2.2-2 core libraries for all KDE 4 appli
ii kdepimlibs5 4:4.2.2-1 core libraries for KDE PIM 4 appli
ii libc6 2.9-9 GNU C Library: Shared libraries
ii libgcc1 1:4.4.0-3 GCC support library
ii libkdepim4 4:4.2.2-1 KDE PIM library
ii libkleo4 4:4.2.2-1 certificate based crypto library f
ii libkontactinterfaces4 4:4.2.2-1 KDE Kontact interface library
ii libkpgp4 4:4.2.2-1 gpg based crypto library for KDE
ii libksieve4 4:4.2.2-1 KDE mail/news message filtering li
ii libmimelib4 4:4.2.2-1 KDE mime library
ii libphonon4 4:4.3.1-1 Phonon multimedia framework for Qt
ii libqt4-dbus 4.5.1-1 Qt 4 D-Bus module
ii libqt4-network 4.5.1-1 Qt 4 network module
ii libqt4-qt3support 4.5.1-1 Qt 3 compatibility library for Qt
ii libqt4-xml 4.5.1-1 Qt 4 XML module
ii libqtcore4 4.5.1-1 Qt 4 core module
ii libqtgui4 4.5.1-1 Qt 4 GUI module
ii libstdc++6 4.4.0-3 The GNU Standard C++ Library v3
ii perl 5.10.0-19 Larry Wall's Practical Extraction
ii phonon 4:4.3.1-1 metapackage for Phonon multimedia
Versions of packages kmail recommends:
pn procmail <none> (no description available)
Versions of packages kmail suggests:
ii clamav 0.95.1+dfsg-2 anti-virus utility for Unix - comm
ii gnupg 1.4.9-4 GNU privacy guard - a free PGP rep
pn gnupg-agent <none> (no description available)
pn kaddressbook <none> (no description available)
pn kleopatra <none> (no description available)
pn pinentry-qt | pinentry-x11 <none> (no description available)
pn spamassassin | bogofilter <none> (no description available)
-- no debconf information
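The report above describes a client that encrypts the IMAP session but does not authenticate the server, which is exactly the gap a MITM exploits. As an added example (not code from the bug report, KMail or KDE), the Python below shows the two contexts side by side: the unverified one a "fetch mail anyway" choice amounts to, and a verifying one that requires the server certificate to chain to an explicitly trusted CA (for instance the CAcert root PEM) and to match the hostname. The CA file path, host, user and password are placeholders, not values from the report.

```python
"""Added example: IMAP over TLS with and without server authentication."""
import imaplib
import ssl
from typing import Optional


def make_verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that verifies the certificate chain AND the hostname.

    cafile=None uses the system trust store; pass the path of the CAcert
    root certificate (PEM) to trust servers issued by that CA. A missing
    file raises, which is the safe failure mode: no silent fallback.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Assumption: the IMAP server speaks TLS 1.2 or newer.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """Encryption without authentication: any certificate is accepted,
    so an active attacker on the path can terminate the TLS session.
    Shown only to make the difference explicit; do not use for mail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only if both chain validation and hostname matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def inbox_message_count(host: str, user: str, password: str,
                        cafile: Optional[str] = None, port: int = 993) -> Optional[int]:
    """Log in over verified TLS and return the INBOX message count.

    If the server presents a certificate that does not chain to the
    trusted CA, or whose name does not match `host`, the handshake
    raises ssl.SSLCertVerificationError before any credential is sent.
    """
    ctx = make_verifying_context(cafile)
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as imap:
        imap.login(user, password)
        status, data = imap.select("INBOX", readonly=True)
        return int(data[0]) if status == "OK" else None


if __name__ == "__main__":  # placeholders, not values from the report
    print(inbox_message_count("imap.example.org", "user", "secret",
                              cafile="/etc/ssl/certs/cacert-root.pem"))
```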