ESB-2018.2165 - [Debian] evolution-data-server: Access confidential data - Remote with user interaction 2018-07-25


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2165
                   evolution-data-server security update
                               25 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           evolution-data-server
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10727  

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1443-1

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : evolution-data-server
Version        : 3.12.9~git20141128.5242b0-2+deb8u4
CVE IDs        : CVE-2016-10727 

It was discovered that there was a protocol implementation error in
evolution-data-server where "STARTTLS not supported" errors from IMAP
servers were ignored, leading to the use of insecure connections without
the user's knowledge or consent.

For Debian 8 "Jessie", this issue has been fixed in evolution-data-server
version 3.12.9~git20141128.5242b0-2+deb8u4.

We recommend that you upgrade your evolution-data-server packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
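
Added illustration, not part of the Debian or AusCERT text and not evolution-data-server code: the difference between ignoring a STARTTLS refusal, as the advisory describes, and failing closed before credentials are sent. All function names and the sample server lines are constructed for this example.

```python
class StartTLSUnavailable(Exception):
    """TLS was requested but the server did not agree to STARTTLS."""


def advertises_starttls(line: str) -> bool:
    """True if a CAPABILITY response or greeting code lists STARTTLS."""
    text = line.strip()
    if "[" in text and "]" in text:          # "* OK [CAPABILITY ...] text"
        text = text[text.index("[") + 1:text.index("]")]
    elif text.startswith("* "):              # "* CAPABILITY ..."
        text = text[2:]
    tokens = text.upper().split()
    return bool(tokens) and tokens[0] == "CAPABILITY" and "STARTTLS" in tokens[1:]


def tagged_status(line: str, tag: str) -> str:
    """Status word (OK/NO/BAD) of the tagged completion line, else ''."""
    parts = line.strip().split(None, 2)
    return parts[1].upper() if len(parts) >= 2 and parts[0] == tag else ""


def decide_ignoring_errors(cap: str, resp: str, tag: str = "A001") -> str:
    """Behaviour the advisory describes: a refusal silently becomes plaintext."""
    ok = advertises_starttls(cap) and tagged_status(resp, tag) == "OK"
    return "upgrade" if ok else "plaintext"


def decide_fail_closed(cap: str, resp: str, tag: str = "A001") -> str:
    """Hardened form: upgrade, or stop before any credentials are sent."""
    if decide_ignoring_errors(cap, resp, tag) == "upgrade":
        return "upgrade"
    raise StartTLSUnavailable(f"server refused STARTTLS: {resp or cap!r}")


# Constructed sample exchanges: (capability line, reply to "A001 STARTTLS").
SAMPLES = [
    ("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED", "A001 OK Begin TLS negotiation now"),
    ("* CAPABILITY IMAP4rev1 AUTH=PLAIN", "A001 BAD STARTTLS not supported"),
    ("* OK [CAPABILITY IMAP4rev1 STARTTLS] ready", "A001 NO TLS unavailable"),
]


def audit(samples):
    """Pair the two policies' outcomes for each exchange."""
    results = []
    for cap, resp in samples:
        try:
            hardened = decide_fail_closed(cap, resp)
        except StartTLSUnavailable:
            hardened = "refused"
        results.append((decide_ignoring_errors(cap, resp), hardened))
    return results
```
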
