openSUSE Security Update: Security update for claws-mail
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:1045-1
Rating:             moderate
References:         #1174457 
Cross-References:   CVE-2020-15917
CVSS scores:
                    CVE-2020-15917 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Backports SLE-15-SP3
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for claws-mail fixes the following issues:

   Update to 3.18.0

     * Support for the OAuth2 authorisation protocol has been added for IMAP,
       POP and SMTP using custom, user-generated client IDs. OAuth2
       preferences are found in the Account Preferences on the Receive page
       (for POP: Authenticate before POP connection, for IMAP: Authentication
       method); the Send page (SMTP authentication: Authentication method);
       and on a dedicated OAuth2 page.
     * The option 'Save (X-)Face in address book if possible' has been added
       to the /Message View/Text Options preferences page. Previously the
       (X-)Face would be saved automatically, therefore this option is turned
       on by default.
     * The Image Viewer has been reworked. New options have been added to
       /Message View/Image Viewer: when resizing images, either fit the image
       width or fit the image height to the available space. Fitting the
       image height is the default. Regardless of this setting, when
       displaying images inline they will fit the height. When displaying an
       image, left-clicking the image will toggle between full size and
       reduced size; right-clicking will toggle between fitting the height
       and fitting the width.
     * When re-editing a saved message, it is now possible to use
       /Options/Remove References.
     * It is now possible to attempt to retrieve a missing GPG key via WKD.
     * The man page has been updated.
     * Updated translations: Brazilian Portuguese, British English, Catalan,
       Czech, Danish, Dutch, French, Polish, Romanian, Russian, Slovak,
       Spanish, Traditional Chinese, Turkish.
     * bug fixes: claws#2411, claws#4326, claws#4394, claws#4431, claws#4445,
       claws#4447, claws#4455, claws#4473
       - stop WM's X button from causing GPG key fetch attempt
       - Make fancy respect default font size for messageview
       - harden link checker before accepting click
       - non-display of (X-)Face when prefs_common.enable_avatars is
         AVATARS_ENABLE_RENDER (2)
       - debian bug #983778, 'Segfault on selecting empty 'X-Face' custom
         header'

     * It is now possible to 'Inherit Folder properties and processing rules
       from parent folder' when creating new folders with the move message
       and copy message dialogues.
     * A Phishing warning is now shown when copying a phishing URL, (in
       addition to clicking a phishing URL).
     * The progress window when importing an mbox file is now more responsive.
     * A warning dialogue is shown if the selected privacy system is 'None'
       and automatic signing amd/or encrypting is enabled.
     * Python plugin: pkgconfig is now used to check for python2. This
       enables the Python plugin (which uses python2) to be built on newer
       systems which have both python2 and python3.

     Bug fixes:

     * bug 3922, 'minimize to tray on startup not working'
     * bug 4220, 'generates files in cache without content'
     * bug 4325, 'Following redirects when retrieving image'
     * bug 4342, 'Import mbox file command doesn't work twice on a row'
     * fix STARTTLS protocol violation CVE-2020-15917 boo#1174457)
     * fix initial debug line
     * fix fat-fingered crash when v (hiding msgview) is pressed just before
       c (check signature)
     * fix non-translation of some Templates strings


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-1045=1

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2021-1045=1

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2021-1045=1



Package List:

   - openSUSE Leap 15.2 (noarch):

      claws-mail-lang-3.18.0-lp152.3.9.1

   - openSUSE Leap 15.2 (x86_64):

      claws-mail-3.18.0-lp152.3.9.1
      claws-mail-debuginfo-3.18.0-lp152.3.9.1
      claws-mail-debugsource-3.18.0-lp152.3.9.1
      claws-mail-devel-3.18.0-lp152.3.9.1

   - openSUSE Backports SLE-15-SP3 (aarch64 ppc64le s390x x86_64):

      claws-mail-3.18.0-bp153.2.3.1
      claws-mail-debuginfo-3.18.0-bp153.2.3.1
      claws-mail-debugsource-3.18.0-bp153.2.3.1
      claws-mail-devel-3.18.0-bp153.2.3.1

   - openSUSE Backports SLE-15-SP3 (noarch):

      claws-mail-lang-3.18.0-bp153.2.3.1

   - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

      claws-mail-3.18.0-bp152.3.9.1
      claws-mail-devel-3.18.0-bp152.3.9.1

   - openSUSE Backports SLE-15-SP2 (noarch):

      claws-mail-lang-3.18.0-bp152.3.9.1


References:

   https://www.suse.com/security/cve/CVE-2020-15917.html
   https://bugzilla.suse.com/1174457

openSUSE: 2021:1045-1 moderate: claws-mail

July 15, 2021
An update that fixes one vulnerability is now available

Description

This update for claws-mail fixes the following issues: Update to 3.18.0 * Support for the OAuth2 authorisation protocol has been added for IMAP, POP and SMTP using custom, user-generated client IDs. OAuth2 preferences are found in the Account Preferences on the Receive page (for POP: Authenticate before POP connection, for IMAP: Authentication method); the Send page (SMTP authentication: Authentication method); and on a dedicated OAuth2 page. * The option 'Save (X-)Face in address book if possible' has been added to the /Message View/Text Options preferences page. Previously the (X-)Face would be saved automatically, therefore this option is turned on by default. * The Image Viewer has been reworked. New options have been added to /Message View/Image Viewer: when resizing images, either fit the image width or fit the image height to the available space. Fitting the image height is the default. Regardless of this setting, when displaying images inline they will fit the height. When displaying an image, left-clicking the image will toggle between full size and reduced size; right-clicking will toggle between fitting the height and fitting the width. * When re-editing a saved message, it is now possible to use /Options/Remove References. * It is now possible to attempt to retrieve a missing GPG key via WKD. * The man page has been updated. * Updated translations: Brazilian Portuguese, British English, Catalan, Czech, Danish, Dutch, French, Polish, Romanian, Russian, Slovak, Spanish, Traditional Chinese, Turkish. * bug fixes: claws#2411, claws#4326, claws#4394, claws#4431, claws#4445, claws#4447, claws#4455, claws#4473 - stop WM's X button from causing GPG key fetch attempt - Make fancy respect default font size for messageview - harden link checker before accepting click - non-display of (X-)Face when prefs_common.enable_avatars is AVATARS_ENABLE_RENDER (2) - debian bug #983778, 'Segfault on selecting empty 'X-Face' custom header' * It is now possible to 'Inherit Folder properties and processing rules from parent folder' when creating new folders with the move message and copy message dialogues. * A Phishing warning is now shown when copying a phishing URL, (in addition to clicking a phishing URL). * The progress window when importing an mbox file is now more responsive. * A warning dialogue is shown if the selected privacy system is 'None' and automatic signing amd/or encrypting is enabled. * Python plugin: pkgconfig is now used to check for python2. This enables the Python plugin (which uses python2) to be built on newer systems which have both python2 and python3. Bug fixes: * bug 3922, 'minimize to tray on startup not working' * bug 4220, 'generates files in cache without content' * bug 4325, 'Following redirects when retrieving image' * bug 4342, 'Import mbox file command doesn't work twice on a row' * fix STARTTLS protocol violation CVE-2020-15917 boo#1174457) * fix initial debug line * fix fat-fingered crash when v (hiding msgview) is pressed just before c (check signature) * fix non-translation of some Templates strings

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1045=1 - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2021-1045=1 - openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2021-1045=1


Package List

- openSUSE Leap 15.2 (noarch): claws-mail-lang-3.18.0-lp152.3.9.1 - openSUSE Leap 15.2 (x86_64): claws-mail-3.18.0-lp152.3.9.1 claws-mail-debuginfo-3.18.0-lp152.3.9.1 claws-mail-debugsource-3.18.0-lp152.3.9.1 claws-mail-devel-3.18.0-lp152.3.9.1 - openSUSE Backports SLE-15-SP3 (aarch64 ppc64le s390x x86_64): claws-mail-3.18.0-bp153.2.3.1 claws-mail-debuginfo-3.18.0-bp153.2.3.1 claws-mail-debugsource-3.18.0-bp153.2.3.1 claws-mail-devel-3.18.0-bp153.2.3.1 - openSUSE Backports SLE-15-SP3 (noarch): claws-mail-lang-3.18.0-bp153.2.3.1 - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64): claws-mail-3.18.0-bp152.3.9.1 claws-mail-devel-3.18.0-bp152.3.9.1 - openSUSE Backports SLE-15-SP2 (noarch): claws-mail-lang-3.18.0-bp152.3.9.1


References

https://www.suse.com/security/cve/CVE-2020-15917.html https://bugzilla.suse.com/1174457


Severity
Announcement ID: openSUSE-SU-2021:1045-1
Rating: moderate
Affected Products: openSUSE Leap 15.2 openSUSE Backports SLE-15-SP3 openSUSE Backports SLE-15-SP2 .

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved