claws-mail package outdated (security risk)

Bug #1942927 reported by Valsu
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
claws-mail (Ubuntu) | New | Undecided | Unassigned |
sylpheed (Ubuntu) | New | Undecided | Unassigned |

Bug Description

The claws-mail package in the Ubuntu repo is at version 3.17.8, which is outdated.

A high security flaw has been fixed in upstream version 3.18. See https://www.cvedetails.com/cve/CVE-2021-37746/
"textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click."

I was unable to locate any information that this fix already got backported to the version of claws-mail currently available for Ubuntu.

This flaw is pretty severe as it could be exploited quite easily. Please update the package or sync the package with Debian unstable.

Package: claws-mail
Version: 3.17.8 and all versions prior
Release: 21.04; affecting all releases

CVE References

Valsu (valsu)
information type: Private Security → Public Security
Steve Beattie (sbeattie) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security