Register | Log in

xdg-utils

desktop integration utilities from freedesktop.org

Choose email to subscribe with

general

source: xdg-utils (main)
version: 1.1.3-4.1
maintainer: Debian freedesktop.org maintainers (archive) (DMD)
uploaders: Nicholas Guriev [DMD]
arch: all
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.1.1-1+deb9u2
o-o-sec: 1.1.1-1+deb9u1
oldstable: 1.1.3-1+deb10u1
stable: 1.1.3-4.1
testing: 1.1.3-4.1
unstable: 1.1.3-4.1

versioned links

1.1.1-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.1.1-1+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.1.3-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.1.3-4.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

xdg-utils (61 bugs: 0, 44, 17, 0)

action needed

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2022-4055: When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
CVE-2020-27748: A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

Created: 2022-07-04 Last update: 2022-11-20 05:37

2 security issues in buster high

There are 2 open security issues in buster.

1 important issue:

CVE-2022-4055: When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

1 issue postponed or untriaged:

CVE-2020-27748: (postponed; to be fixed through a stable update) A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

Created: 2022-11-19 Last update: 2022-11-20 05:37

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2022-4055: When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

1 issue left for the package maintainer to handle:

CVE-2020-27748: (postponed; to be fixed through a stable update) A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

You can find information about how to handle this issue in the security team's documentation.

Created: 2022-07-04 Last update: 2022-11-20 05:37

2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:

CVE-2022-4055: When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
CVE-2020-27748: A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.

Created: 2022-07-04 Last update: 2022-11-20 05:37

9 bugs tagged patch in the BTS normal

The BTS contains patches fixing 9 bugs, consider including or untagging them.

Created: 2022-07-27 Last update: 2022-11-27 11:05

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.1).

Created: 2021-08-18 Last update: 2022-05-11 23:24

news

[2021-05-04] xdg-utils 1.1.3-4.1 MIGRATED to testing (Debian testing watch)
[2021-04-26] Accepted xdg-utils 1.1.3-4.1 (source) into unstable (Roland Clobus) (signed by: Paul Gevers)
[2021-02-13] xdg-utils 1.1.3-4 MIGRATED to testing (Debian testing watch)
[2021-01-18] Accepted xdg-utils 1.1.3-4 (source) into unstable (Nicholas Guriev) (signed by: Emilio Pozuelo Monfort)
[2021-01-18] Accepted xdg-utils 1.1.3-3 (source) into unstable (Nicholas Guriev) (signed by: Adam Borowski)
[2020-04-26] Accepted xdg-utils 1.1.1-1+deb9u2 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Mattia Rizzolo)
[2020-04-25] Accepted xdg-utils 1.1.3-1+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Mattia Rizzolo)
[2020-03-19] xdg-utils 1.1.3-2 MIGRATED to testing (Debian testing watch)
[2020-03-14] Accepted xdg-utils 1.1.3-2 (source) into unstable (Nicholas Guriev) (signed by: Adam Borowski)
[2018-05-28] Accepted xdg-utils 1.1.0~rc1+git20111210-7.4+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Nicholas Guriev) (signed by: Luciano Bello)
[2018-05-28] Accepted xdg-utils 1.1.1-1+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Nicholas Guriev) (signed by: Luciano Bello)
[2018-05-25] Accepted xdg-utils 1.1.0~rc1+git20111210-7.4+deb8u1 (source all) into oldstable->embargoed, oldstable (Nicholas Guriev) (signed by: Luciano Bello)
[2018-05-25] Accepted xdg-utils 1.1.1-1+deb9u1 (source all) into stable->embargoed, stable (Nicholas Guriev) (signed by: Luciano Bello)
[2018-05-25] xdg-utils 1.1.3-1 MIGRATED to testing (Debian testing watch)
[2018-05-24] Accepted xdg-utils 1.1.0~rc1+git20111210-6+deb7u4 (source all) into oldoldstable (Nicholas Guriev) (signed by: Markus Koschany)
[2018-05-20] Accepted xdg-utils 1.1.3-1 (source) into unstable (Nicholas Guriev) (signed by: Emilio Pozuelo Monfort)
[2018-03-04] xdg-utils 1.1.2-2 MIGRATED to testing (Debian testing watch)
[2018-02-27] Accepted xdg-utils 1.1.2-2 (source) into unstable (Emilio Pozuelo Monfort)
[2017-11-02] xdg-utils 1.1.2-1 MIGRATED to testing (Debian testing watch)
[2017-10-22] Accepted xdg-utils 1.1.2-1 (source) into unstable (Nicholas Guriev) (signed by: Emilio Pozuelo Monfort)
[2015-10-11] xdg-utils 1.1.1-1 MIGRATED to testing (Britney)
[2015-10-05] Accepted xdg-utils 1.1.1-1 (source all) into unstable (Per Olofsson)
[2015-10-04] Accepted xdg-utils 1.1.0-1 (source all) into unstable (Per Olofsson)
[2015-09-28] xdg-utils 1.1.0~rc3+git20150922-1 MIGRATED to testing (Britney)
[2015-09-22] Accepted xdg-utils 1.1.0~rc3+git20150922-1 (source all) into unstable (Per Olofsson)
[2015-09-21] Accepted xdg-utils 1.1.0~rc3+git20150919-1 (source all) into unstable (Per Olofsson)
[2015-09-20] xdg-utils 1.1.0~rc3+git20150907-2 MIGRATED to testing (Britney)
[2015-09-15] Accepted xdg-utils 1.1.0~rc3+git20150907-2 (source all) into unstable (Per Olofsson)
[2015-09-14] xdg-utils 1.1.0~rc3+git20150907-1 MIGRATED to testing (Britney)
[2015-09-08] Accepted xdg-utils 1.1.0~rc3+git20150907-1 (source all) into unstable (Per Olofsson)

1
2

bugs [bug history graph]

all: 60 62
RC: 0
I&N: 44 45
M&W: 16 17
F&P: 0
patch: 9

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.1.3-4.1ubuntu3
60 bugs (3 patches)
patches for 1.1.3-4.1ubuntu3

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing