This bug was fixed in the package kdepimlibs - 4:4.13.3-0ubuntu0.3 --------------- kdepimlibs (4:4.13.3-0ubuntu0.3) trusty-security; urgency=high
* SECURITY UPDATE: KMail: HTML injection in plain text viewer * References (LP: #1631237) * CVE-2016-7966 * Avoid transforming as a url in plain text mode when there is a quote * Add debian/patches/CVE-2016-7966.diff from upstream -- Scott Kitterman <[email protected]> Thu, 06 Oct 2016 23:50:44 -0400 ** Changed in: kdepimlibs (Ubuntu Trusty) Status: Confirmed => Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-7966 -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1631237 Title: KMail: HTML injection in plain text viewer Status in kdepimlibs package in Ubuntu: Invalid Status in kdepimlibs source package in Precise: Confirmed Status in kdepimlibs source package in Trusty: Fix Released Status in kdepimlibs source package in Xenial: Invalid Status in kdepimlibs source package in Yakkety: Invalid Bug description: Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content. Note: Affected package is kdepimlibs in 12.04 - 15.04 and it looks like both kcoreaddons and messagecomposer in later releases. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdepimlibs/+bug/1631237/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : [email protected] Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
