Kontact is vulnerable by NO STARTTLS
Volker Krause
vkrause at kde.org
Sat Sep 11 10:43:58 BST 2021
On Friday, 10 September 2021 21:28:26 CEST Sandro Knauß wrote:
> the security team of nostarttls [1] have found two vulnerabilities within
> Kontact/Kmail:
> #423423 - STARTTLS is ignored when "Server requires authentication" not
> checked in UI

This one seems to go all the way down to KSMTP, which ties setting up
encryption and authentication in LoginJob.

An idea to solve this would be to move encryption handling from LoginJob to
Session there, and set it up in Session as soon as possible before it
indicates it's ready for jobs.

Thoughts?

Regards,
Volker
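
The coupling described in this message, modelled as an added example that is not part of the original e-mail and is not KSMTP code: `Transport`, `Config`, `sendCoupled` and `sendSessionOwned` are hypothetical names and the wire is simulated in memory. It contrasts encryption set up inside the login step with encryption set up by the session before any job runs.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical in-memory transport: records each command with the channel state.
struct Transport {
    bool tls = false;
    std::vector<std::string> wire;  // entries look like "plain:<cmd>" or "tls:<cmd>"
    void send(const std::string &cmd) { wire.push_back((tls ? "tls:" : "plain:") + cmd); }
    void startTls() { send("STARTTLS"); tls = true; }  // handshake itself is not modelled
};

struct Config {
    bool requireStartTls;         // user selected STARTTLS
    bool requiresAuthentication;  // "Server requires authentication" checkbox
};

// Coupled design: the login step is the only place that upgrades the channel,
// so skipping login silently skips STARTTLS as well.
std::vector<std::string> sendCoupled(const Config &c) {
    Transport t;
    t.send("EHLO");
    if (c.requiresAuthentication) {
        if (c.requireStartTls) t.startTls();
        t.send("AUTH");
    }
    t.send("MAIL FROM");
    return t.wire;
}

// Session-owned design: encryption is negotiated before the session is ready for jobs.
std::vector<std::string> sendSessionOwned(const Config &c) {
    Transport t;
    t.send("EHLO");
    if (c.requireStartTls) { t.startTls(); t.send("EHLO"); }  // EHLO again after TLS (RFC 3207)
    if (c.requiresAuthentication) t.send("AUTH");             // jobs start only from here
    t.send("MAIL FROM");
    return t.wire;
}

bool sentInClear(const std::vector<std::string> &wire, const std::string &cmd) {
    for (const auto &w : wire) if (w == "plain:" + cmd) return true;
    return false;
}

int main() {
    Config noAuth{true, false};  // STARTTLS requested, authentication unchecked
    std::cout << "coupled leaks mail: " << sentInClear(sendCoupled(noAuth), "MAIL FROM") << "\n";
    std::cout << "session-owned leaks mail: " << sentInClear(sendSessionOwned(noAuth), "MAIL FROM") << "\n";
}
```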