An issue has been found in kmail-account-wizard, a wizard for KDE PIM
applications account setup.
The issue concerns a man-in-the-middle attack when using autoconf to
retrieve the configuration.
Please also note that for configuration with autoconf.example.com, the
config is first fetched with https, and the formerly used http is kept
only as a fallback. For configuration via
example.com/.well-known/autoconfig, the config is now fetched only with
https.
For Debian 11 bullseye, this problem has been fixed in version
4:20.08.3-1+deb11u1.
We recommend that you upgrade your kmail-account-wizard packages.
For the detailed security status of kmail-account-wizard please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/kmail-account-wizard
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS