CVE-2021-38373

NameCVE-2021-38373
DescriptionIn KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ksmtp (PTS)buster18.08.3-1vulnerable
bullseye20.08.3-1vulnerable
sid, trixie, bookworm22.12.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ksmtpsource(unstable)21.12.3-2

Notes

[bullseye] - ksmtp <ignored> (Minor issue; Upstream changes change API)
[buster] - ksmtp <ignored> (Minor issue; Upstream changes change API)
https://bugs.kde.org/show_bug.cgi?id=423423
https://nostarttls.secvuln.info
https://invent.kde.org/pim/ksmtp/-/commit/38a4c09427f3fdc04f9893f8eda3f6807d9a3203
https://invent.kde.org/pim/ksmtp/-/commit/60f73c69758fe40a027a8e7402127d085f18545a

Search for package or bug name: Reporting problems