===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.4114
evolution security and bug fix update
6 November 2019
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           evolution
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
                   Linux variants
                   Debian GNU/Linux
Impact/Access:     Access Privileged Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3890

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:3699

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running evolution check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: evolution security and bug fix update
Advisory ID:       RHSA-2019:3699-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3699
Issue date:        2019-11-05
CVE Names:         CVE-2019-3890
=====================================================================

1. Summary:

An update for evolution, evolution-data-server, and evolution-ews is now
available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - noarch, ppc64le, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - noarch, ppc64le, x86_64

3. Description:

Evolution is a GNOME application that provides integrated email, calendar,
contact management, and communications functionality.

Security Fix(es):

* evolution-ews: all certificate errors ignored if configured to ignore an
initial error in gnome-online-accounts creation resulting in the connection
open to being viewed and modified. (CVE-2019-3890)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Evolution must be restarted for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1678313 - CVE-2019-3890 evolution-ews: all certificate errors ignored if configured to ignore an initial error in gnome-online-accounts creation resulting in the connection open to being viewed and modified.
1713619 - [abrt] test-cal-client-get-revision could fail due to delayed D-Bus property change notification
1724232 - Help Contents (F1) has a bad link to GNOME site
1724984 - [ECompEditor] Ensure attendee changes stored before save

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
evolution-3.28.5-9.el8.src.rpm
evolution-data-server-3.28.5-11.el8.src.rpm
evolution-ews-3.28.5-5.el8.src.rpm

noarch:
evolution-data-server-langpacks-3.28.5-11.el8.noarch.rpm
evolution-ews-langpacks-3.28.5-5.el8.noarch.rpm
evolution-help-3.28.5-9.el8.noarch.rpm
evolution-langpacks-3.28.5-9.el8.noarch.rpm

ppc64le:
evolution-3.28.5-9.el8.ppc64le.rpm
evolution-bogofilter-3.28.5-9.el8.ppc64le.rpm
evolution-bogofilter-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-data-server-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-debugsource-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-devel-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-debugsource-3.28.5-9.el8.ppc64le.rpm
evolution-ews-3.28.5-5.el8.ppc64le.rpm
evolution-ews-debuginfo-3.28.5-5.el8.ppc64le.rpm
evolution-ews-debugsource-3.28.5-5.el8.ppc64le.rpm
evolution-pst-3.28.5-9.el8.ppc64le.rpm
evolution-pst-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-spamassassin-3.28.5-9.el8.ppc64le.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.ppc64le.rpm

x86_64:
evolution-3.28.5-9.el8.x86_64.rpm
evolution-bogofilter-3.28.5-9.el8.x86_64.rpm
evolution-bogofilter-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-data-server-3.28.5-11.el8.i686.rpm
evolution-data-server-3.28.5-11.el8.x86_64.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-data-server-debugsource-3.28.5-11.el8.i686.rpm
evolution-data-server-debugsource-3.28.5-11.el8.x86_64.rpm
evolution-data-server-devel-3.28.5-11.el8.i686.rpm
evolution-data-server-devel-3.28.5-11.el8.x86_64.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-debugsource-3.28.5-9.el8.x86_64.rpm
evolution-ews-3.28.5-5.el8.x86_64.rpm
evolution-ews-debuginfo-3.28.5-5.el8.x86_64.rpm
evolution-ews-debugsource-3.28.5-5.el8.x86_64.rpm
evolution-pst-3.28.5-9.el8.x86_64.rpm
evolution-pst-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-spamassassin-3.28.5-9.el8.x86_64.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

noarch:
evolution-data-server-doc-3.28.5-11.el8.noarch.rpm

ppc64le:
evolution-bogofilter-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-debugsource-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-perl-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-tests-3.28.5-11.el8.ppc64le.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.ppc64le.rpm
evolution-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-debugsource-3.28.5-9.el8.ppc64le.rpm
evolution-devel-3.28.5-9.el8.ppc64le.rpm
evolution-pst-debuginfo-3.28.5-9.el8.ppc64le.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.ppc64le.rpm

x86_64:
evolution-bogofilter-debuginfo-3.28.5-9.el8.i686.rpm
evolution-bogofilter-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-data-server-debugsource-3.28.5-11.el8.i686.rpm
evolution-data-server-debugsource-3.28.5-11.el8.x86_64.rpm
evolution-data-server-perl-3.28.5-11.el8.x86_64.rpm
evolution-data-server-tests-3.28.5-11.el8.i686.rpm
evolution-data-server-tests-3.28.5-11.el8.x86_64.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.i686.rpm
evolution-data-server-tests-debuginfo-3.28.5-11.el8.x86_64.rpm
evolution-debuginfo-3.28.5-9.el8.i686.rpm
evolution-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-debugsource-3.28.5-9.el8.i686.rpm
evolution-debugsource-3.28.5-9.el8.x86_64.rpm
evolution-devel-3.28.5-9.el8.i686.rpm
evolution-devel-3.28.5-9.el8.x86_64.rpm
evolution-pst-debuginfo-3.28.5-9.el8.i686.rpm
evolution-pst-debuginfo-3.28.5-9.el8.x86_64.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.i686.rpm
evolution-spamassassin-debuginfo-3.28.5-9.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-3890
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================