Kontact is vulnerable by NO STARTTLS
Volker Krause
vkrause at kde.org
Mon Sep 20 16:49:00 BST 2021
On Samstag, 11. September 2021 11:43:58 CEST Volker Krause wrote:
> On Freitag, 10. September 2021 21:28:26 CEST Sandro Knauß wrote:
> > the security team of nostarttls [1] have found two vulnerabilities within
> > Kontact/Kmail:
> > #423423 - STARTTLS is ignored when "Server requires authentication" not
> > checked in UI
>
> This one seems to go all the way down to KSMTP, which ties setting up
> encryption and authentication in LoginJob.
>
> An idea to solve this would be to move encryption handling from LoginJob to
> Session there, and set it up in Session as soon as possible before it
> indicates it's ready for jobs.
A number of MRs for this have landed meanwhile, another one is still in review
and you can find the remaining changes yet to be submitted in this branch:
https://invent.kde.org/vkrause/ksmtp/-/tree/work/pending-encryption-changes
Once all that is in, the first bug should be fixed.
Has anyone already looked into the second one?
Regards,
Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-pim/attachments/20210920/405ade5a/attachment.sig>
More information about the kde-pim
mailing list