Security update for claws-mail

Type: security
Severity: moderate
Issued: 2020-11-03
This update for claws-mail fixes the following issues:

- Additional cleanup of the template handling

claws-mail was updated to 3.17.8 (boo#1177967)

  * Shielded template's |program{} and |attach_program{} so that the
    command line that is executed does not allow sequencing, such as
    with &&, || or ;, preventing possible execution of nasty, or at
    least unexpected, commands
  * bug fixes: claws#4376
  * updated English, French, and Spanish manuals
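
An added illustration of the 3.17.8 template fix above, not claws-mail's own code: a hypothetical C helper, cmd_allows_sequencing(), that flags a |program{} command line containing unquoted sequencing operators. It goes beyond the &&, || and ; named above by also rejecting single & and |, newlines, command substitution and unterminated quotes; the sample command strings are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical helper (not from claws-mail): returns 1 if cmd could run
 * more than one command when handed to a POSIX shell, 0 otherwise. */
int cmd_allows_sequencing(const char *cmd)
{
    int in_single = 0, in_double = 0;

    for (size_t i = 0; cmd[i] != '\0'; i++) {
        char c = cmd[i];

        if (in_single) {                /* nothing is special inside '...' */
            if (c == '\'') in_single = 0;
            continue;
        }
        if (c == '\\') {                /* backslash escapes the next char */
            if (cmd[i + 1] == '\0') return 1;  /* dangling escape: reject */
            i++;
            continue;
        }
        /* command substitution stays live inside "..." */
        if (c == '`' || (c == '$' && cmd[i + 1] == '('))
            return 1;
        if (in_double) {
            if (c == '"') in_double = 0;
            continue;
        }
        if (c == '\'') { in_single = 1; continue; }
        if (c == '"')  { in_double = 1; continue; }
        /* covers ;  &&  ||  and also single & and | plus newline */
        if (c == ';' || c == '&' || c == '|' || c == '\n')
            return 1;
    }
    return in_single || in_double;      /* unterminated quote: reject */
}

int main(void)
{
    /* Constructed sample command lines for a |program{} template field. */
    const char *samples[] = { "date +%F", "echo 'a;b'", "date && uptime",
                              "date; uptime", "echo \"$(uptime)\"" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               cmd_allows_sequencing(samples[i]) ? "reject" : "allow");
    return 0;
}
```

A filter like this is a second line of defence; running the program with an argument vector and no shell removes the operators' meaning entirely.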

- Update to 3.17.7 

  * Image Viewer: Image attachments, when displayed, are now resized
    to fit the available width rather than the available height.
  * -d is now an alias to --debug.
  * Libravatar plugin: New styles supported: Robohash and Pagan.
  * SpamAssassin plugin: The 'Maximum size' option now matches
    SpamAssassin's maximum; it can now handle messages up to 256MB.
  * LiteHTML viewer plugin: The UI is now translatable.
  Bug fixes:
  * bug 4313, 'Recursion stack overflow with rebuilding folder
  * bug 4372, '[pl_PL] Crash after "Send later" without
    recipient and then "Close"'
  * bug 4373, 'attach mailto URI double free'
  * bug 4374, 'insert mailto URI misses checks'
  * bug 4384, 'U+00AD (soft hyphen) changed to space in
  * bug 4386, 'Allow Sieve config without userid without
  * Add missing SSL settings when cloning accounts.
  * Parsing of command-line arguments.
  * PGP Core plugin: fix segv in address completion with a
  * Libravatar plugin: fixes to image display.

- Disable python-gtk plugin on suse_version > 1500: still relying
  on python2, which is EOL.

- Update to 3.17.6:

  * It is now possible to 'Inherit Folder properties and processing
    rules from parent folder' when creating new folders with the
    move message and copy message dialogues.
  * A Phishing warning is now shown when copying a phishing URL (in
    addition to clicking a phishing URL).
  * The progress window when importing an mbox file is now more
  * A warning dialogue is shown if the selected privacy system is
    'None' and automatic signing and/or encrypting is enabled.
  * Python plugin: pkgconfig is now used to check for python2. This
    enables the Python plugin (which uses python2) to be built on
    newer systems which have both python2 and python3.
  Bug fixes:
  * bug 3922, 'minimize to tray on startup not working'
  * bug 4220, 'generates files in cache without content'
  * bug 4325, 'Following redirects when retrieving image'
  * bug 4342, 'Import mbox file command doesn't work twice on a row'
  * fix STARTTLS protocol violation
  * fix initial debug line
  * fix fat-fingered crash when v (hiding msgview) is pressed
    just before c (check signature)
  * fix non-translation of some Templates strings

- Update to 3.17.5

  + Inline Git patches now have colour syntax highlighting
    The colours of these, and patch attachments, are configurable on
    the 'Other' tab of the Display/Colors page of the general
  + The previously hidden preference, 'summary_from_show', is now
    configurable within the UI, on the 'Message List' tab of the
    Display/Summaries page of the general preferences, 'Displayed in
    From column [ ]'.
  + 'Re-edit' has been added to the message context menu when in the
    Drafts folder.
  + Additional Date header formats are supported:
    - weekday, month, day, hh, mm, ss, year, zone
    - weekday, month, day, hh, mm, ss, year
  + LiteHtml viewer plugin: scrolling with the keyboard has been
  + The included tools/scripts have been updated:
    - eud2gc.py converted to Python 3
    - tbird2claws.py converted to Python 3
    - google_search.pl has been replaced with ddg_search.pl (that is,
      duckduckgo.com instead of google.com)
    - fix_date.sh and its documentation have been updated 
    - multiwebsearch.pl 'fm' (freshmeat.net) has been removed; 'google'
      has been replaced by 'ddg'
    - the outdated OOo2claws-mail.pl script has been removed
  + Updated manuals
  + Updated translations: British English, Catalan, Czech, Danish,
    Dutch, French, German, Russian, Slovak, Spanish, Swedish,
    Traditional Chinese, Turkish
  + bug fixes: claws#2131, claws#4237, claws#4239, claws#4248, 
    claws#4253, claws#4257, claws#4277, claws#4278, claws#4305
  + Misc bugs fixed:
    - Fix crash in litehtml_viewer when <a> tag has no href
    - removed "The following file has been attached..." dialogue
    - MBOX import: give a better estimation of the time left and
      grey out widgets while importing
    - Fixed "vcard.c:238:2: warning: ‘strncpy’ output truncate 
      before terminating nul copying as many bytes from a string
      as its length"
    - RSSyl: Fix handling deleted feed items where modified and
      published dates do not match 
    - fix bolding of target folder
    - when creating a new account, don't pre-fill data from the
      default account
    - respect 'default selection' settings when moving a msg with
      manual filtering
    - Fix printing of empty pages when the selected part is
      rendered with a plugin not implementing print
    - Addressbook folder selection dialogs: make sure folder list
      is sorted and apply global prefs to get stripes in lists.
    - when user cancels the GPG signing passphrase dialogue,
      don't bother the user with an "error" dialogue
    - Fix imap keyword search. Libetpan assumes keyword search is
      a MUST but RFC states it is a MAY. Fix advanced search on
      MS Exchange
    - fix SHIFT+SPACE in msg list, moving in reverse
    - revert pasting images as attachments
    - Fix help about command-line arguments that require a
    - Printing: only print as plain text if the part is of type
    - fix a segfault with default info icon when trying to print
      a non-text part.

- Add a test on build-time libetpan version to require the proper
  version at run-time (boo#1157594)

- Move "Mark all read/unread" menu entries where they belong.
  remove-MarkAll-from-message-menu.patch (claws#4278)
  add-MarkAll-to-folder-menu.patch (claws#4278)

- Make litehtml plugin build on Tumbleweed.

- Update to 3.17.4:

  * New HTML viewer plugin: Litehtml viewer
  * Added option 'Enable keyboard shortcuts' to the 'Keyboard
    shortcuts' frame on /Configuration/Preferences/Other/Miscellaneous
  * Compose: implemented copying of attached images to clipboard
  * Compose: images and text/uri-list (files) can now be attached by
    pasting into the Compose window
  * Python plugin: window sizes are now remembered for the Python
    console, the 'Open URLs' and the 'Set mailbox order' windows.
  * Fancy plugin: the download-link feature now follows redirections
  * MBOX export: the Enter key in the dialogue now starts the export
  * The date (ISO format) has been added to log timestamps
  * Update translations
    - bug 1920, 'No automatic NNTP filtering'
    - bug 2045, 'address book blocks focus on email window'
    - bug 2131, 'Focus stealing after mail check'
    - bug 2627, 'Filtering does not work on NNTP'
    - bug 3070, 'misbehaving text wrapping when URL chars are present'
    - bug 3838, 'Canceled right-click on message list leaves UI
      in inconsistent state'
    - bug 3977, 'Fix crashes when some external APIs fail'
    - bug 3979, 'Hang (with killing needed) during action which
      extracts attachments'
    - bug 4029, 'segfault after deleting message in a window'
    - bug 4031, 'fingerprint in SSL/TLS certificates for ...
      (regress error)'
    - bug 4037, 'Fix some small issues'
    - bug 4142, 'Translation error on Russian'
    - bug 4145, 'proxy server for sending doesn't work'
    - bug 4155, 'remember directory of last saving'
    - bug 4166, 'corrupted double-linked list'
    - bug 4167, 'Max line length exceeded when forwarding mail'
    - bug 4188, 'STL file is sent not as an attachment but as its
      base64 representation in plaintext'
    - CID 1442278, 'impossible to trigger buffer overflow'
    - Make key accelerators from menu work in addressbook window
    - save checkbox choices of display/summaries/defaults prefs
    - Do not throw an error when cancelling 'Save email as...'.
    - occasional crash on drag'n'drop of msgs
    - possible stack overflow in vcalendar's Curl data handler
    - crash when LDAP address source is defined in index, but
      support is disabled
    - crash in Fancy plugin if one of the MIME parts has no
      -ID
    - a few small memory leaks in scan_mailto_url()
    - configure script for rare cases where python is not
    - incorrect charset conversion in sc_html_read_line().
    - markup in 'key not fully trusted' warning in pgpcore
    - use after free in rare code path in rssyl_subscribe()
    - several memory leaks
    - verify_folderlist_xml() for fresh starts
    - printf formats for size_t and goffset arguments.
    - alertpanel API use in win32 part of mimeview.c
    - pid handling in debug output of kill_children_cb()
    - incorrect pointer arithmetic in w32_filesel.c



