ASA-201610-5 log original external raw
[ASA-201610-5] messagelib: multiple issues |
---|
Arch Linux Security Advisory ASA-201610-5
=========================================
Severity: Medium
Date : 2016-10-07
CVE-ID : CVE-2016-7967 CVE-2016-7968
Package : messagelib
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-44
Summary
=======
The package messagelib before version 16.08.1-2 is vulnerable to
multiple issues including cross-site scripting and insufficient
validation.
Resolution
==========
Upgrade to 16.08.1-2.
# pacman -Syu "messagelib>=16.08.1-2"
The problems have been fixed upstream but no release is available yet.
Workaround
==========
None.
Description
===========
- CVE-2016-7967 (cross-site scripting)
KMail since version 5.3.0 used a QWebEngine based viewer that had
JavaScript enabled. Since the generated html is executed in the local
file security context by default access to remote and local URLs was
enabled.
- CVE-2016-7968 (insufficient validation)
KMail since version 5.3.0 used a QWebEngine based viewer that had
JavaScript enabled. HTML Mail contents were not sanitized for
JavaScript and included code was executed.
Impact
======
An attacker is able to access local or remote urls via injected
javascript.
References
==========
https://www.kde.org/info/security/advisory-20161006-1.txt
https://www.kde.org/info/security/advisory-20161006-3.txt
https://www.kde.org/info/security/advisory-20161006-2.txt
http://seclists.org/oss-sec/2016/q4/23
http://seclists.org/oss-sec/2016/q4/21
https://security.archlinux.org/CVE-2016-7967
https://security.archlinux.org/CVE-2016-7968
|