From the upstream bug at $URL: "In some instances, it might be the case that the only possible way to access a calendaring service is through https, and in such cases, the only way to authenticate (at least within the confines of vCalendar) is by embedding the username:password into the ics URL and/or have a 'private' url that shouldn't be shared. In either case, after configuring a calendar and trying to access it, the full url is displayed in the status tray when trying to poll the calendar, something like: Fetching 'https://user:password@server.example.com/location/of/my/Calendar'... Thus, use of the vCalendar plugin really isn't suitable or secure for such configurations! In the scenarios above, the former is more of a concern but neither is one you'd necessarily want to expose to prying eyes. Even a google calendar "private url", for example, is visible in its entirety within the status tray."
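An added example, not taken from the bug report or from the Claws Mail code: one way to build a display-safe form of the calendar URL before it is written to a status line, covering both the embedded-credentials case and the "private url" case described above. The function name `url_for_display` and its `hide_path` flag are hypothetical, and the sample URL is constructed from the one quoted in the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the plugin's code): write a version of `url`
 * that is safe to show in a status line.
 *  - "user:password@" userinfo is always dropped
 *  - if hide_path is non-zero, path/query/fragment become "/..." so that
 *    "private" URLs whose secret sits in the path are not shown either
 * Returns 0 on success, -1 if `out` is too small. */
int url_for_display(const char *url, int hide_path, char *out, size_t outlen)
{
    const char *sep = strstr(url, "://");
    int n;

    if (sep == NULL) {
        /* No scheme: the authority cannot be located, so echo nothing. */
        n = snprintf(out, outlen, "(unparsed URL)");
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    const char *auth = sep + 3;
    size_t auth_len = strcspn(auth, "/?#");   /* authority ends here */
    const char *rest = auth + auth_len;       /* path, query, fragment */

    /* Userinfo ends at the LAST '@' inside the authority: an '@' in the
     * path is not userinfo, and an unescaped '@' inside a password must
     * not leave the tail of that password visible. */
    const char *host = auth;
    for (size_t i = 0; i < auth_len; i++)
        if (auth[i] == '@')
            host = auth + i + 1;

    n = snprintf(out, outlen, "%.*s%.*s%s",
                 (int)(auth - url), url,       /* scheme and "://" */
                 (int)(rest - host), host,     /* host[:port] only */
                 (hide_path && *rest) ? "/..." : rest);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample, modelled on the URL quoted in the report. */
    const char *u = "https://user:password@server.example.com/location/of/my/Calendar";
    if (url_for_display(u, 1, buf, sizeof buf) == 0)
        printf("Fetching '%s'...\n", buf);
    return 0;
}
```

The same redacted string should be used anywhere the URL is logged or shown in an error dialog, not only in the status tray.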
I added a -r1 of 2.0.13 with a fix applied. 2.0.14 is available but does not contain this fix; I will have to bump Claws Mail itself and all plugins, which may take one more day or two. Arches, please go on.
+ 22 Nov 2012; Sergey Popov <pinkbyte@gentoo.org> + claws-mail-vcalendar-2.0.13-r1.ebuild: + Stable on amd64, wrt bug #443500
stable ppc ppc64
x86 stable
It's not stable on sparc
Thanks, everyone. GLSA vote: no.
Vote: no. Closing noglsa.