ELA-1444-1 kmail-account-wizard security update

man-in-the-middle and misleading UI

2025-05-31
Package: kmail-account-wizard
Version: 4:18.08.3-1+deb10u1 (buster)
Related CVEs: CVE-2020-15954, CVE-2024-50624


Two issues have been found in kmail-account-wizard, a wizard for KDE PIM applications account setup.

One issue allows a man-in-the-middle attack when autoconf is used to retrieve the configuration. The other is a misleading UI in which the state of encryption is shown incorrectly.

Please also note that for configuration with autoconf.example.com, the config is first fetched over https, and the previously used http serves only as a fallback. For configuration via example.com/.well-known/autoconfig, the config is now fetched only over https.



For Debian 10 buster, these problems have been fixed in version 4:18.08.3-1+deb10u1.

We recommend that you upgrade your kmail-account-wizard packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.