Version in base suite: 22.12.3-1

Base version: kmail-account-wizard_22.12.3-1
Target version: kmail-account-wizard_22.12.3-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/kmail-account-wizard/kmail-account-wizard_22.12.3-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/k/kmail-account-wizard/kmail-account-wizard_22.12.3-1+deb12u1.dsc

 changelog                    |   13 ++++++++
 patches/CVE-2024-50624.patch |   68 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 3 files changed, 82 insertions(+)

diff -Nru kmail-account-wizard-22.12.3/debian/changelog kmail-account-wizard-22.12.3/debian/changelog
--- kmail-account-wizard-22.12.3/debian/changelog	2023-03-01 20:33:00.000000000 +0000
+++ kmail-account-wizard-22.12.3/debian/changelog	2025-05-27 08:03:02.000000000 +0000
@@ -1,3 +1,16 @@
+kmail-account-wizard (4:22.12.3-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-50624
+    fix man-in-the-middle-attack when using autoconf for retrieving
+    configuration
+  * for configuration with autoconf.example.com, the config is fetched
+    via https and the former http as fallback.
+    for configuration via example.com/.well-known/autoconfig the
+    config is now fetched only with https
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Tue, 27 May 2025 10:03:02 +0200
+
 kmail-account-wizard (4:22.12.3-1) unstable; urgency=medium
 
   [ Patrick Franz ]
diff -Nru kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch
--- kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch	1970-01-01 00:00:00.000000000 +0000
+++ kmail-account-wizard-22.12.3/debian/patches/CVE-2024-50624.patch	2025-05-27 08:03:02.000000000 +0000
@@ -0,0 +1,68 @@
+commit 9784f5ab41c3aff435d4a88afb25585180a62ee4
+Author: Laurent Montel <montel@kde.org>
+Date:   Mon Jun 3 13:42:29 2024 +0200
+
+    Fix bug 487882: plaintext HTTP request in kmail-account-wizard
+    
+    BUG: 487882
+    FIXED-IN: 6.2.0
+
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.cpp	2025-05-27 11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.cpp	2025-05-27 12:57:09.463399061 +0200
+@@ -64,11 +64,14 @@
+     QUrl url;
+     const QString path = type + QStringLiteral("/config-v") + version + QStringLiteral(".xml");
+     switch (mServerType) {
++    case IspHttpsAutoConfig:
++        url = QUrl(QStringLiteral("https://autoconfig.") + mAddr.domain.toLower() + QLatin1Char('/') + path);
++        break;
+     case IspAutoConfig:
+         url = QUrl(QStringLiteral("http://autoconfig.") + mAddr.domain.toLower() + QLatin1Char('/') + path);
+         break;
+     case IspWellKnow:
+-        url = QUrl(QStringLiteral("http://") + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
++        url = QUrl(QStringLiteral("https://") + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
+         break;
+     case DataBase:
+         url = QUrl(QStringLiteral("https://autoconfig.thunderbird.net/v1.1/") + mAddr.domain.toLower());
+@@ -93,16 +96,9 @@
+         qCDebug(ACCOUNTWIZARD_LOG) << "Fetching failed" << job->errorString();
+         bool lookupFinished = false;
+ 
+-        switch (mServerType) {
+-        case IspAutoConfig:
+-            mServerType = IspWellKnow;
+-            break;
+-        case IspWellKnow:
+-            lookupFinished = true;
+-            break;
+-        case DataBase:
+-            mServerType = IspAutoConfig;
+-            break;
++        if (mServerType != Ispdb::searchServerType::Last) {
++            int index = static_cast<int>(mServerType);
++            mServerType= static_cast<Ispdb::searchServerType>(++index);
+         }
+ 
+         if (lookupFinished) {
+Index: kmail-account-wizard-22.12.3/src/ispdb/ispdb.h
+===================================================================
+--- kmail-account-wizard-22.12.3.orig/src/ispdb/ispdb.h	2025-05-27 11:09:21.946961271 +0200
++++ kmail-account-wizard-22.12.3/src/ispdb/ispdb.h	2025-05-27 11:10:40.171001261 +0200
+@@ -95,9 +95,11 @@
+         @see lookupUrl to generate a url base on this type
+      */
+     enum searchServerType {
+-        IspAutoConfig = 0, /**< http://autoconfig.example.com/mail/config-v1.1.xml */
+-        IspWellKnow, /**< http://example.com/.well-known/autoconfig/mail/config-v1.1.xml */
+-        DataBase /**< https://autoconfig.thunderbird.net/v1.1/example.com */
++        DataBase = 0, ///< https://autoconfig.thunderbird.net/v1.1/example.com */
++        IspHttpsAutoConfig = 1, ///< https://autoconfig.example.com/mail/config-v1.1.xml
++        IspAutoConfig = 2, ///< http://autoconfig.example.com/mail/config-v1.1.xml
++        IspWellKnow = 3, ///< https://example.com/.well-known/autoconfig/mail/config-v1.1.xml
++        Last = IspWellKnow
+     };
+ 
+     /** let's request the autoconfig server */
diff -Nru kmail-account-wizard-22.12.3/debian/patches/series kmail-account-wizard-22.12.3/debian/patches/series
--- kmail-account-wizard-22.12.3/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ kmail-account-wizard-22.12.3/debian/patches/series	2025-05-27 08:03:02.000000000 +0000
@@ -0,0 +1 @@
+CVE-2024-50624.patch