==========================================================================
Ubuntu Security Notice USN-7731-1
September 02, 2025

kmail vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in KMail.

Software Description:
- kmail: Full featured graphical email client

Details:

Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising,
Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg
Schwenk discovered that KMail could be made to leak the plaintext
of S/MIME encrypted emails when retrieving external content in emails.
Under certain configurations, if a user were tricked into opening a
specially crafted email, an attacker could possibly use this issue to
obtain the plaintext of an encrypted email. This update mitigates the
issue by preventing KMail from automatically loading external content.
This issue only affected Ubuntu 18.04 LTS. (CVE-2017-17689)

It was discovered that KMail could be made to attach files to an email
without the user's knowledge. If a user were tricked into sending an
email created by a specially crafted "mailto" link, an attacker could
possibly use this issue to obtain sensitive files. (CVE-2020-11880)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  kmail                           4:19.12.3-0ubuntu1+esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  kmail                           4:17.12.3-0ubuntu1+esm1
                                  Available with Ubuntu Pro

After a standard system update you need to restart KMail to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7731-1
  CVE-2017-17689, CVE-2020-11880