Bug 393450

Summary: Report on findings
Product: [Applications] kmail2
Reporter: ekaratsiolis
Component: general
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UPSTREAM
Severity: normal
CC: aheinecke
Priority: NOR
Version: 5.1.3
Target Milestone: ---
Platform: Kubuntu
OS: Linux
Latest Commit:
Version Fixed In:
Attachments: Report on Findings

Description ekaratsiolis 2018-04-24 06:01:19 UTC
Created attachment 112210
Report on Findings

Dear KMail Team,

Some time ago we informed you about the errors we detected in KMail with respect to the certification path validation (Bug 385687) in the course of a project contracted out by the German Federal Office for Information Security. We have now written up our conclusive report on all findings within the project. We kindly ask you to review it with respect to the statements pertaining to your product and give us feedback within two weeks from today whether you have any objections against the publication of this document in its current form.

Best Regards,

Evangelos and Falko
Comment 1 Ben Cooksley 2018-04-24 19:33:26 UTC
The content of attachment 112210 has been deleted for the following reason:

Remove confidential report
Comment 2 Andre Heinecke 2018-04-27 13:55:54 UTC
Hello,

Would you please share that report with the GnuPG Team (https://www.gnupg.org/documentation/security.html) or in a mail to the gnupg-devel mailing list?

KMail is just a downstream user of GnuPG, as I've written in Bug 385687.

Best Regards,
Andre Heinecke

P.S.
What to do about this issue? Resolve as Upstream?
Comment 3 Andre Heinecke 2018-05-08 14:15:40 UTC
The report was sent to security@gnupg.org and I took over responsibility.

In my opinion there is no need for any security action in KMail. In fact, KMail is looking very, very good in that report, with only a minor GUI issue about an expert/testing feature in Kleopatra raised.