Security update for messagelib SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0188-1 Final 1 1 2021-01-29T19:13:54Z current 2021-01-29T19:13:54Z 2021-01-29T19:13:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for messagelib This update for messagelib fixes the following issues: - CVE-2019-10732: Prevented accidental disclosure of encrypted content when replying (boo#1131885). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-188 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIP7JD6E7AKTOSG2IAFVY4AE7G4NZIKB/ E-Mail link for openSUSE-SU-2021:0188-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1131885 SUSE Bug 1131885 https://www.suse.com/security/cve/CVE-2019-10732/ SUSE CVE CVE-2019-10732 page openSUSE Leap 15.1 messagelib-18.12.3-lp151.2.4.1 messagelib-devel-18.12.3-lp151.2.4.1 messagelib-lang-18.12.3-lp151.2.4.1 messagelib-18.12.3-lp151.2.4.1 as a component of openSUSE Leap 15.1 messagelib-devel-18.12.3-lp151.2.4.1 as a component of openSUSE Leap 15.1 messagelib-lang-18.12.3-lp151.2.4.1 as a component of openSUSE Leap 15.1 In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. CVE-2019-10732 openSUSE Leap 15.1:messagelib-18.12.3-lp151.2.4.1 openSUSE Leap 15.1:messagelib-devel-18.12.3-lp151.2.4.1 openSUSE Leap 15.1:messagelib-lang-18.12.3-lp151.2.4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIP7JD6E7AKTOSG2IAFVY4AE7G4NZIKB/ https://www.suse.com/security/cve/CVE-2019-10732.html CVE-2019-10732 https://bugzilla.suse.com/1131885 SUSE Bug 1131885