CVE-2016-7966: KMail - HTML injection in plain text viewer

Sandro Knauß sknauss at
Fri Oct 7 20:35:50 UTC 2016


the patch attached to fix this can't be applied for KDE Frameworks 5.26:

you need additionally

I think we should add this information.

Also, I think we should add the information that the affected version is 
inside KDE Frameworks < 5.26 and is/will be fixed with 5.27, to make it easier 
to understand that this is outside of kdepim space for KF5.

Additionally, we should add the fixed version(s) to all CVEs.

Btw., shouldn't we need to release a fixed version for all framework versions? At 
the previous Akademy (in Spain) it was said that frameworks will get security 
fixes for a year, so we would need to release 12 frameworks?



More information about the release-team mailing list