| Summary: | <kde-apps/kopete-16.12.0: OTR plugin leaks unencrypted messages | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | kde |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1346839 | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: |
=kde-apps/kopete-16.12.0 amd64 x86
|
Runtime testing required: | --- |
https://cgit.kde.org/kopete.git/commit/?id=19957f9324a5ae45bcb1479f1bb017efa77d0aa7 Thanks to Kensington for working with upstream to get this fixed! If anyone is actually still using kopete:4, please test the following PR related to the subject: https://github.com/gentoo/gentoo/pull/2901 This has been part of 16.12.0 release, in tree for two weeks now, which apart from this security fix only has two other bugfixes compared to 16.08.3 (fixing google accounts and jabber server list url). KDE Applications couldn't care less since kopete was removed from kdenetwork-meta, so from my POV 16.12.0 can very well be stabilised. @ Arches, please test and mark stable: =kde-apps/kopete-16.12.0 amd64 stable x86 stable. Closing. Re-opening as security isn't done with this bug yet. @ Maintainer(s): Please drop <kde-apps/kopete-16.12.0. |
From ${URL} : Using kopete with OTR plugin may lead to sending messages unencrypted without notice. Upstream bugs: https://bugs.kde.org/show_bug.cgi?id=274099 https://bugs.kde.org/show_bug.cgi?id=362535 References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827048 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.