Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id 
<ee4c0876608d99eb3f8b333b556fbd92e7a652eb.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1106867,
regarding bookworm-pu: kmail-account-wizard/22.12.3-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1106867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106867
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu


The attached debdiff for kmail-account-wizard fixes CVE-2024-50624 in Bookworm. According to my tests, everything works as intended.

This CVE has been marked as no-dsa by the security team.

  Thorsten
diff -Nru kmail-account-wizard-22.12.3/debian/changelog 
kmail-account-wizard-22.12.3/debian/changelog
--- kmail-account-wizard-22.12.3/debian/changelog       2023-03-01 
21:33:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/changelog       2025-05-27 
10:03:02.000000000 +0200
@@ -1,3 +1,16 @@
+kmail-account-wizard (4:22.12.3-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-50624
+    fix man-in-the-middle-attack when using autoconf for retrieving
+    configuration
+  * for configuration with autoconf.example.com, the config is fetched
+    via https and the former http as fallback.
+    for configuration via example.com/.well-known/autoconfig the
+    config is now fetched only with https
+
+ -- Thorsten Alteholz <[email protected]>  Tue, 27 May 2025 10:03:02 +0200
+
 kmail-account-wizard (4:22.12.3-1) unstable; urgency=medium
 
   [ Patrick Franz ]
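Review bot: the second changelog bullet ("the config is fetched via https and the former http as fallback") should state plainly that a plaintext HTTP lookup of autoconfig.example.com is retained as a fallback, because that means the man-in-the-middle issue named in the first bullet is narrowed for that path rather than closed: an attacker who can interfere with the HTTPS attempt can still steer the wizard to the HTTP request. Suggested wording: "HTTPS is tried first; the previous HTTP lookup is kept as a fallback (residual MITM exposure)". Also capitalise the sentence starting "for configuration via example.com/.well-known/autoconfig".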
diff -Nru kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch 
kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch
--- kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch    
1970-01-01 01:00:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch    
2025-05-27 10:03:02.000000000 +0200
@@ -0,0 +1,68 @@
+commit 9784f5ab41c3aff435d4a88afb25585180a62ee4
+Author: Laurent Montel <[email protected]>
+Date:   Mon Jun 3 13:42:29 2024 +0200
+
+    Fix bug 487882: plaintext HTTP request in kmail-account-wizard
+    
+    BUG: 487882
+    FIXED-IN: 6.2.0
+
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.cpp      2025-05-27 
11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp   2025-05-27 
12:57:09.463399061 +0200
+@@ -64,11 +64,14 @@
+     QUrl url;
+     const QString path = type + QStringLiteral("/config-v") + version + 
QStringLiteral(".xml");
+     switch (mServerType) {
++    case IspHttpsAutoConfig:
++        url = QUrl(QStringLiteral("https://autoconfig.";) + 
mAddr.domain.toLower() + QLatin1Char('/') + path);
++        break;
+     case IspAutoConfig:
+         url = QUrl(QStringLiteral("http://autoconfig.";) + 
mAddr.domain.toLower() + QLatin1Char('/') + path);
+         break;
+     case IspWellKnow:
+-        url = QUrl(QStringLiteral("http://";) + mAddr.domain.toLower() + 
QStringLiteral("/.well-known/autoconfig/") + path);
++        url = QUrl(QStringLiteral("https://";) + mAddr.domain.toLower() + 
QStringLiteral("/.well-known/autoconfig/") + path);
+         break;
+     case DataBase:
+         url = QUrl(QStringLiteral("https://autoconfig.thunderbird.net/v1.1/";) 
+ mAddr.domain.toLower());
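Review bot: `case IspAutoConfig:` still builds `http://autoconfig.` + domain, so the plaintext request this CVE is about is only pushed one step down the fallback chain, not removed. A network attacker who resets or black-holes the TLS connection to autoconfig.<domain> triggers the fallback and can then answer the HTTP request with a forged config-v1.1.xml. If the HTTP case has to stay for compatibility with providers that never deployed HTTPS autoconfig, say so in a comment on the case and consider not accepting the result silently (for example, require the user to confirm a configuration that arrived over plain HTTP); otherwise drop the case and let the lookup fail over to `IspWellKnow`.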
+@@ -93,16 +96,9 @@
+         qCDebug(ACCOUNTWIZARD_LOG) << "Fetching failed" << job->errorString();
+         bool lookupFinished = false;
+ 
+-        switch (mServerType) {
+-        case IspAutoConfig:
+-            mServerType = IspWellKnow;
+-            break;
+-        case IspWellKnow:
+-            lookupFinished = true;
+-            break;
+-        case DataBase:
+-            mServerType = IspAutoConfig;
+-            break;
++        if (mServerType != Ispdb::searchServerType::Last) {
++            int index = static_cast<int>(mServerType);
++            mServerType= static_cast<Ispdb::searchServerType>(++index);
+         }
+ 
+         if (lookupFinished) {
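Review bot: nothing in the new code sets `lookupFinished = true` any more; the removed `case IspWellKnow: lookupFinished = true;` was the only place that did, so the `if (lookupFinished)` branch that follows is now dead code. When `mServerType` already equals `Last`, the new `if` leaves the type unchanged and falls through with `lookupFinished == false`, and the hunk shows no other termination condition, so whether the function ever reports "all lookups failed" depends on code outside this hunk. Add `else { lookupFinished = true; }` to the new `if`, and add a comment that the `++index` cast walk relies on the enumerators being contiguous from `DataBase = 0` to `Last`. Minor: `mServerType= static_cast<...>` is missing the space before `=`.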
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.h
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.h        2025-05-27 
11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.h     2025-05-27 
11:10:40.171001261 +0200
+@@ -95,9 +95,11 @@
+         @see lookupUrl to generate a url base on this type
+      */
+     enum searchServerType {
+-        IspAutoConfig = 0, /**< 
http://autoconfig.example.com/mail/config-v1.1.xml */
+-        IspWellKnow, /**< 
http://example.com/.well-known/autoconfig/mail/config-v1.1.xml */
+-        DataBase /**< https://autoconfig.thunderbird.net/v1.1/example.com */
++        DataBase = 0, ///< 
https://autoconfig.thunderbird.net/v1.1/example.com */
++        IspHttpsAutoConfig = 1, ///< 
https://autoconfig.example.com/mail/config-v1.1.xml
++        IspAutoConfig = 2, ///< 
http://autoconfig.example.com/mail/config-v1.1.xml
++        IspWellKnow = 3, ///< 
https://example.com/.well-known/autoconfig/mail/config-v1.1.xml
++        Last = IspWellKnow
+     };
+ 
+     /** let's request the autoconfig server */
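Review bot: the `DataBase = 0, ///< https://autoconfig.thunderbird.net/v1.1/example.com */` line mixes the new `///<` comment style with a leftover ` */` terminator from the old `/**< ... */` comments; drop the trailing `*/`. Since the fallback logic in ispdb.cpp now walks the enumerators in numeric order, this enum defines the lookup sequence (DataBase, then IspHttpsAutoConfig, then IspAutoConfig over plain HTTP, then IspWellKnow over HTTPS), which the old explicit switch made readable and this declaration does not; a comment above the enum stating that the order is significant, and that `Last = IspWellKnow` must be updated whenever an enumerator is appended or the fallback chain silently stops early, would prevent the next edit from breaking it.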
diff -Nru kmail-account-wizard-22.12.3/debian/patches/series 
kmail-account-wizard-22.12.3/debian/patches/series
--- kmail-account-wizard-22.12.3/debian/patches/series  1970-01-01 
01:00:00.000000000 +0100
+++ kmail-account-wizard-22.12.3/debian/patches/series  2025-05-27 
10:03:02.000000000 +0200
@@ -0,0 +1 @@
+CVE-2024-50624.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---