There are 2 open security issues in buster.
2 issues left for the package maintainer to handle:
- CVE-2020-11880:
(needs triaging)
An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local files to a composed email message without showing a warning to the user, as demonstrated by an attach=.bash_history value.
- CVE-2021-38373:
(needs triaging)
In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked.
You can find information about how to handle these issues in the security team's documentation.