"textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click."
FWIW you can pick the patch from Fedora, they ported the claws patch to sylpheed (which has afaik no active upstream): https://src.fedoraproject.org/rpms/sylpheed/blob/rawhide/f/sylpheed-3.7.0-uri-check.patch

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbdd19788e941b123628f724764bac32d12a728c

commit cbdd19788e941b123628f724764bac32d12a728c
Author: Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2022-06-12 13:33:08 +0000
Commit: Akinori Hattori <hattya@gentoo.org>
CommitDate: 2022-06-12 13:33:08 +0000

    mail-client/sylpheed: fix CVE-2021-37746

    Bug: https://bugs.gentoo.org/805338
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 .../sylpheed/files/sylpheed-CVE-2021-37746.patch | 39 ++++++++++++
 mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild | 69 ++++++++++++++++++++++
 2 files changed, 108 insertions(+)

Thanks! Please stable when ready
Please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d98d478b5e4a74b802f876ee4160c4b11c0fd0c0

commit d98d478b5e4a74b802f876ee4160c4b11c0fd0c0
Author: Akinori Hattori <hattya@gentoo.org>
AuthorDate: 2022-08-17 12:28:32 +0000
Commit: Akinori Hattori <hattya@gentoo.org>
CommitDate: 2022-08-17 12:28:32 +0000

    mail-client/sylpheed: drop old

    Bug: https://bugs.gentoo.org/805338
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Akinori Hattori <hattya@gentoo.org>

 mail-client/sylpheed/sylpheed-3.7.0-r4.ebuild | 66 ---------------------------------------------------
 1 file changed, 66 deletions(-)


The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0fca6e9ac605eecb019c47cdc23f38cbcae8474

commit b0fca6e9ac605eecb019c47cdc23f38cbcae8474
Author: Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-06-01 18:46:19 +0000
Commit: Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-06-03 05:23:35 +0000

    mail-client/sylpheed: treeclean

    Closes: https://bugs.gentoo.org/769293
    Closes: https://bugs.gentoo.org/664070
    Bug: https://bugs.gentoo.org/805338
    Bug: https://bugs.gentoo.org/807358
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 mail-client/sylpheed/Manifest | 1 -
 .../sylpheed/files/sylpheed-CVE-2021-37746.patch | 39 ------------
 mail-client/sylpheed/files/sylpheed-tls-1.3.patch | 17 ------
 mail-client/sylpheed/metadata.xml | 11 ----
 mail-client/sylpheed/sylpheed-3.7.0-r5.ebuild | 69 ----------------------
 profiles/package.mask | 6 --
 6 files changed, 143 deletions(-)

Package is gone, low impact anyway. No GLSA, all done!