messagelib-21.08.1-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11046 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z messagelib-21.08.1-1.2 on GA media These are all security issues fixed in the messagelib-21.08.1-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11046 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11046 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-10732/ SUSE CVE CVE-2019-10732 page https://www.suse.com/security/cve/CVE-2021-31855/ SUSE CVE CVE-2021-31855 page openSUSE Tumbleweed messagelib-21.08.1-1.2 messagelib-devel-21.08.1-1.2 messagelib-lang-21.08.1-1.2 messagelib-21.08.1-1.2 as a component of openSUSE Tumbleweed messagelib-devel-21.08.1-1.2 as a component of openSUSE Tumbleweed messagelib-lang-21.08.1-1.2 as a component of openSUSE Tumbleweed In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. CVE-2019-10732 openSUSE Tumbleweed:messagelib-21.08.1-1.2 openSUSE Tumbleweed:messagelib-devel-21.08.1-1.2 openSUSE Tumbleweed:messagelib-lang-21.08.1-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10732.html CVE-2019-10732 https://bugzilla.suse.com/1131885 SUSE Bug 1131885 KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. With a crafted message, a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the attacker could read the decrypted content of the encrypted message. This occurs in ViewerPrivate::deleteAttachment in messageviewer/src/viewer/viewer_p.cpp. CVE-2021-31855 openSUSE Tumbleweed:messagelib-21.08.1-1.2 openSUSE Tumbleweed:messagelib-devel-21.08.1-1.2 openSUSE Tumbleweed:messagelib-lang-21.08.1-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-31855.html CVE-2021-31855