===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4114
                   evolution security and bug fix update
                              6 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           evolution
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
                   Linux variants
                   Debian GNU/Linux
Impact/Access:     Access Privileged Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3890  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:3699

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running evolution check for an updated version of the software for 
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: evolution security and bug fix update
Advisory ID:       RHSA-2019:3699-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3699
Issue date:        2019-11-05
CVE Names:         CVE-2019-3890 
=====================================================================

1. Summary:

An update for evolution, evolution-data-server, and evolution-ews is now
available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - noarch, ppc64le, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - noarch, ppc64le, x86_64

3. Description:

Evolution is a GNOME application that provides integrated email, calendar,
contact management, and communications functionality.

Security Fix(es):

* evolution-ews: all certificate errors are ignored if configured to ignore
an initial error during gnome-online-accounts creation, leaving the
connection open to being viewed and modified. (CVE-2019-3890)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Evolution must be restarted for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1678313 - CVE-2019-3890 evolution-ews: all certificate errors ignored if configured to ignore an initial error in gnome-online-accounts creation resulting in the connection open to being viewed and modified.
1713619 - [abrt] test-cal-client-get-revision could fail due to delayed D-Bus property change notification
1724232 - Help Contents (F1) has a bad link to GNOME site
1724984 - [ECompEditor] Ensure attendee changes stored before save

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
evolution-3.28.5-9.el8.src.rpm
evolution-data-server-3.28.5-11.el8.src.rpm
evolution-ews-3.28.5-5.el8.src.rpm

noarch:
evolution-data-server-langpacks-3.28.5-11.el8.noarch.rpm
evolution-ews-langpacks-3.28.5-5.el8.noarch.rpm
evolution-help-3.28.5-9.el8.noarch.rpm
evolution-langpacks-3.28.5-9.el8.noarch.rpm

ppc64le:
evolution-3.28.5-9.el8.ppc64le.rpm
evolution-bogofilter-3.28.5-9.el8.ppc64le.rpm
evolution-bogofilter-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-data-server-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-debugsource-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-devel-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-debugsource-3.28.5-9.el8.ppc64le.rpm
evolution-ews-3.28.5-5.el8.ppc64le.rpm
evolution-ews-debuginfo-3.28.5-5.el8.ppc64le.rpm
evolution-ews-debugsource-3.28.5-5.el8.ppc64le.rpm
evolution-pst-3.28.5-9.el8.ppc64le.rpm
evolution-pst-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-spamassassin-3.28.5-9.el8.ppc64le.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.ppc64le.rpm

x86_64:
evolution-3.28.5-9.el8.x86_64.rpm
evolution-bogofilter-3.28.5-9.el8.x86_64.rpm
evolution-bogofilter-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-data-server-3.28.5-11.el8.i686.rpm
evolution-data-server-3.28.5-11.el8.x86_64.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-data-server-debugsource-3.28.5-11.el8.i686.rpm
evolution-data-server-debugsource-3.28.5-11.el8.x86_64.rpm
evolution-data-server-devel-3.28.5-11.el8.i686.rpm
evolution-data-server-devel-3.28.5-11.el8.x86_64.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-debugsource-3.28.5-9.el8.x86_64.rpm
evolution-ews-3.28.5-5.el8.x86_64.rpm
evolution-ews-debuginfo-3.28.5-5.el8.x86_64.rpm
evolution-ews-debugsource-3.28.5-5.el8.x86_64.rpm
evolution-pst-3.28.5-9.el8.x86_64.rpm
evolution-pst-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-spamassassin-3.28.5-9.el8.x86_64.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

noarch:
evolution-data-server-doc-3.28.5-11.el8.noarch.rpm

ppc64le:
evolution-bogofilter-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-debugsource-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-perl-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-tests-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-debugsource-3.28.5-9.el8.ppc64le.rpm
evolution-devel-3.28.5-9.el8.ppc64le.rpm
evolution-pst-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.ppc64le.rpm

x86_64:
evolution-bogofilter-debuginfo-3.28.5-9.el8.i686.rpm
evolution-bogofilter-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-data-server-debugsource-3.28.5-11.el8.i686.rpm
evolution-data-server-debugsource-3.28.5-11.el8.x86_64.rpm
evolution-data-server-perl-3.28.5-11.el8.x86_64.rpm
evolution-data-server-tests-3.28.5-11.el8.i686.rpm
evolution-data-server-tests-3.28.5-11.el8.x86_64.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-debuginfo-3.28.5-9.el8.i686.rpm
evolution-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-debugsource-3.28.5-9.el8.i686.rpm
evolution-debugsource-3.28.5-9.el8.x86_64.rpm
evolution-devel-3.28.5-9.el8.i686.rpm
evolution-devel-3.28.5-9.el8.x86_64.rpm
evolution-pst-debuginfo-3.28.5-9.el8.i686.rpm
evolution-pst-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.i686.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
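
Added example (not part of the Red Hat or AusCERT text): a host audit that
compares installed evolution builds with the fixed builds in the package list
above, using a simplified rpm-style version comparison. It assumes no epoch
and no "~" or "^" in the version strings; SAMPLE is constructed input.

```python
import re

# Fixed builds from section 6 of the advisory (version-release, no arch).
FIXED = {
    "evolution": "3.28.5-9.el8",
    "evolution-data-server": "3.28.5-11.el8",
    "evolution-ews": "3.28.5-5.el8",
}

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are skipped.
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_part(a, b):
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # 11 > 8, unlike a string compare
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare two 'version-release' strings; returns -1, 0 or 1."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def audit(rpm_lines):
    """Map package name -> 'ok' / 'needs update' for packages in FIXED."""
    result = {}
    for line in rpm_lines:
        name, _, vr = line.strip().partition(" ")
        if name in FIXED:
            older = vr_cmp(vr, FIXED[name]) < 0
            result[name] = "needs update" if older else "ok"
    return result

# Constructed sample of: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <pkgs>
SAMPLE = [
    "evolution 3.28.5-9.el8",
    "evolution-data-server 3.28.5-8.el8",
    "evolution-ews 3.28.5-1.el8",
    "bash 4.4.19-10.el8",
]

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE).items():
        print(f"{pkg}: {state} (advisory build {FIXED[pkg]})")
```

A host reporting "ok" for evolution-ews still needs Evolution restarted, as
section 4 states, before the fixed code is in use.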

7. References:

https://access.redhat.com/security/cve/CVE-2019-3890
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================