| Summary: | evolution-data-server new security issues CVE-2020-14928 and CVE-2020-16117 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | evolution-data-server-3.32.2-1.mga7.src.rpm | CVE: | CVE-2020-14928, CVE-2020-16117 |
| Status comment: | | | |

Description

David Walser
2020-07-16 23:46:49 CEST

This needs to be assigned globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection". (CVE-2020-14928)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14928
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.32.2-1.1.mga7
lib(64)camel1.2_62-3.32.2-1.1.mga7
lib(64)ebook1.2_19-3.32.2-1.1.mga7
lib(64)ecal1.2_19-3.32.2-1.1.mga7
lib(64)ebook-contacts1.2_2-3.32.2-1.1.mga7
lib(64)edata-book1.2_25-3.32.2-1.1.mga7
lib(64)edata-cal1.2_29-3.32.2-1.1.mga7
lib(64)edataserver1.2_24-3.32.2-1.1.mga7
lib(64)edataserverui1.2_2-3.32.2-1.1.mga7
lib(64)ebackend1.2_10-3.32.2-1.1.mga7
lib(64)edataserver1.2-devel-3.32.2-1.1.mga7
lib(64)evolution-data-server-gir1.2-3.32.2-1.1.mga7

Wrote: /home/iurt/rpmbuild/RPMS/x86_64/evolution-data-server-tests-3.32.2-1.1.mga7

from SRPMS:
evolution-data-server-3.32.2-1.1.mga7.src.rpm

Status: NEW => ASSIGNED

Loaded the packages with QARepo, then select evolution-data-serv in MCC to install, and after a while error message:

The "drakrpm" program has crashed with the following error:
detecting looping forever while trying to resolve dependencies. Aborting...
Try again with '-vv --debug' options at /usr/lib64/perl5/vendor_perl/URPM/Resolve.pm line 1287.

Perl's trace:
drakbug::bug_handler() called from /usr/share/perl5/vendor_perl/Gtk3.pm:524
Gtk3::__ANON__() called from /usr/lib/libDrakX/mygtk3.pm:1550
mygtk3::main() called from /usr/lib/libDrakX/ugtk3.pm:857
ugtk3::main() called from /usr/share/perl5/vendor_perl/Rpmdrake/gui.pm:609
Rpmdrake::gui::ask_browse_tree_given_widgets_for_rpmdrake() called from /usr/libexec/drakrpm:835
main::run_treeview_dialog() called from /usr/libexec/drakrpm:859

CC: (none) => herman.viaene

This does not happen when disabling local QA-repo and enabling Core Updates Testing directly in MCC.
Possible cause of the loop (I guess it's rather a timeout): I did not include the evolution-data-server-tests when uploading the QA-repo.

Consulted previous bugs 10896 and 14425, but I don't find much info on how to test this.
Come and see later........

Copy from https://developer.gnome.org/eds/stable/
"Evolution-Data-Server is a collection of libraries and services for storing addressbooks and calendars. In this reference manual you will find documentation on using the client libraries as well as implementing backends for calendars and addressbooks."
Looks like developer stuff, agree on clean install???

How about we fix another issue while we're figuring that out?

Debian-LTS has issued an advisory on August 2:
https://www.debian.org/lts/security/2020/dla-2309

It fixes one new issue, fixed upstream in 3.35.91.

CVE: CVE-2020-14928 => CVE-2020-14928, CVE-2020-16117

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection". (CVE-2020-14928)

In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. This is related to imapx_free_capability and imapx_connect_to_server. (CVE-2020-16117)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16117
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281
https://www.debian.org/lts/security/2020/dla-2309
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.32.2-1.2.mga7
lib(64)camel1.2_62-3.32.2-1.2.mga7
lib(64)ebook1.2_19-3.32.2-1.2.mga7
lib(64)ecal1.2_19-3.32.2-1.2.mga7
lib(64)ebook-contacts1.2_2-3.32.2-1.2.mga7
lib(64)edata-book1.2_25-3.32.2-1.2.mga7
lib(64)edata-cal1.2_29-3.32.2-1.2.mga7
lib(64)edataserver1.2_24-3.32.2-1.2.mga7
lib(64)edataserverui1.2_2-3.32.2-1.2.mga7
lib(64)ebackend1.2_10-3.32.2-1.2.mga7
lib(64)edataserver1.2-devel-3.32.2-1.2.mga7
lib(64)evolution-data-server-gir1.2-3.32.2-1.2.mga7

Wrote: /home/iurt/rpmbuild/RPMS/x86_64/evolution-data-server-tests-3.32.2-1.2.mga7

from SRPMS:
evolution-data-server-3.32.2-1.2.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs
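The two advisory entries above describe the bug classes in one sentence each. The following is an added model of both, written for this page and not taken from evolution-data-server: a buffered client that keeps plaintext received after the server's "begin TLS" reply and later hands it back as if it were TLS-protected (the CVE-2020-14928 response-injection pattern, beside the strict behaviour that rejects it), and a CAPABILITY parser that treats a minimal "* CAPABILITY" line as an empty capability set instead of crashing (the CVE-2020-16117 failure mode). The connection class, the transcripts and all names are assumptions made for the example; no real socket or TLS handshake is involved.

```python
# Added model of the two bug classes named in the advisory above. This is a constructed
# illustration, not evolution-data-server code: the connection, transcripts and names are
# all assumptions made for the example.
#
#  - CVE-2020-14928 ("response injection"): a client that reads from the socket through a
#    buffer can pull in bytes the server sent *after* its "begin TLS" reply. If the buffer
#    is not checked before the TLS handshake, those plaintext bytes are later returned as
#    if they had arrived inside the TLS session.
#  - CVE-2020-16117: a minimal "* CAPABILITY" line carries no capability atoms; the parser
#    has to return an empty set instead of dereferencing a missing token.


class ProtocolError(Exception):
    """A malformed or suspicious server response; the right reaction is to disconnect."""


class SimulatedConnection:
    """Stand-in for a socket plus read buffer.

    `plaintext` is everything the (possibly hostile) server sends before the TLS
    handshake; `protected` models what the genuine server sends inside TLS afterwards.
    """

    def __init__(self, plaintext: bytes, protected: bytes, chunk: int = 4096):
        self._plaintext = plaintext
        self._protected = protected
        self._chunk = chunk
        self.buf = b""
        self.tls_active = False

    def _recv(self) -> bytes:
        # Like recv(2): returns up to `chunk` bytes of whatever is available, so one call
        # can pull in several lines at once. That is where the buffering problem starts.
        if self.tls_active:
            data, self._protected = self._protected[: self._chunk], self._protected[self._chunk :]
        else:
            data, self._plaintext = self._plaintext[: self._chunk], self._plaintext[self._chunk :]
        return data

    def readline(self) -> bytes:
        while b"\r\n" not in self.buf:
            data = self._recv()
            if not data:
                raise ProtocolError("connection closed")
            self.buf += data
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

    def start_tls(self, strict: bool) -> None:
        # Models wrapping the socket in TLS. A compliant server sends nothing between its
        # "begin TLS" reply and the handshake, so any bytes still buffered arrived in
        # plaintext and must not be trusted.
        if self.buf and strict:
            raise ProtocolError("plaintext received after STARTTLS reply: %r" % self.buf)
        # Non-strict (vulnerable) behaviour: the leftover plaintext stays in `buf` and the
        # next readline() hands it back as though it were TLS-protected.
        self.tls_active = True


def smtp_starttls(conn: SimulatedConnection, strict: bool) -> bytes:
    """Consume the server's reply to STARTTLS, switch to TLS and return the first line the
    client then believes it received over the protected channel."""
    reply = conn.readline()
    if not reply.startswith(b"220"):
        raise ProtocolError("STARTTLS refused: %r" % reply)
    conn.start_tls(strict=strict)
    return conn.readline()


def parse_capabilities(line: bytes) -> frozenset:
    """Parse an untagged IMAP CAPABILITY response into a set of upper-cased atoms.

    A bare "* CAPABILITY" is accepted and yields an empty set; anything that is not a
    CAPABILITY response is rejected with ProtocolError rather than an unhandled crash.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] != b"*" or parts[1].upper() != b"CAPABILITY":
        raise ProtocolError("not a CAPABILITY response: %r" % line)
    return frozenset(atom.upper() for atom in parts[2:])


# Constructed transcripts (not captured traffic).
BENIGN_PLAINTEXT = b"220 2.0.0 Ready to start TLS\r\n"
# Hostile server: a second reply is appended, still in plaintext, after the "begin TLS" line.
HOSTILE_PLAINTEXT = b"220 2.0.0 Ready to start TLS\r\n250 2.1.0 Ok\r\n"
# What the genuine server answers inside TLS to the client's next command.
PROTECTED_REPLY = b"250 mail.example.test Hello\r\n"


if __name__ == "__main__":
    print("benign, strict:", smtp_starttls(SimulatedConnection(BENIGN_PLAINTEXT, PROTECTED_REPLY), strict=True))
    print("hostile, vulnerable:", smtp_starttls(SimulatedConnection(HOSTILE_PLAINTEXT, PROTECTED_REPLY), strict=False))
    try:
        smtp_starttls(SimulatedConnection(HOSTILE_PLAINTEXT, PROTECTED_REPLY), strict=True)
    except ProtocolError as err:
        print("hostile, strict:", err)
    print(parse_capabilities(b"* CAPABILITY"), parse_capabilities(b"* CAPABILITY IMAP4rev1 STARTTLS"))
```

Run stand-alone, the vulnerable path returns the injected "250 2.1.0 Ok" line as the first "TLS-protected" reply, while the strict path disconnects as soon as it sees buffered plaintext at the handshake; the same check belongs in any STARTTLS client (SMTP, POP3 or IMAP) that reads through a buffer. The capability parser shows the defensive counterpart for the second CVE: accept the degenerate line, return an empty set, and let the caller decide whether a server without STARTTLS or AUTH capabilities is usable.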
David Walser
2020-08-07 13:28:10 CEST

CC: qa-bugs => (none)

How about this security bug? Has it been tested?

CC: (none) => ouaurelien

64-bit Plasma install, Evolution not installed. Evolution-data-server had been installed previously, perhaps for another update test.

The following 11 packages are going to be installed:
- evolution-data-server-3.32.2-1.2.mga7.x86_64
- evolution-data-server-tests-3.32.2-1.2.mga7.x86_64
- lib64camel1.2_62-3.32.2-1.2.mga7.x86_64
- lib64ebackend1.2_10-3.32.2-1.2.mga7.x86_64
- lib64ebook-contacts1.2_2-3.32.2-1.2.mga7.x86_64
- lib64ebook1.2_19-3.32.2-1.2.mga7.x86_64
- lib64ecal1.2_19-3.32.2-1.2.mga7.x86_64
- lib64edata-book1.2_25-3.32.2-1.2.mga7.x86_64
- lib64edata-cal1.2_29-3.32.2-1.2.mga7.x86_64
- lib64edataserver1.2_24-3.32.2-1.2.mga7.x86_64
- lib64edataserverui1.2_2-3.32.2-1.2.mga7.x86_64

No installation issues.

Attempted to run several of the tests, but most came back with errors, missing configurations and/or files, things like that. I suspect that's because evolution is not installed, and believe it is to be expected.

Looking online at the manual for this package, I see that it is quite lengthy and comprehensive, far too much for my feeble abilities to learn for this test, and much of what I saw looked to be beyond the scope of QA.

OKing, and validating, based on a clean install and on the few tests that did run. Advisory in Comment 9.

CC: (none) => andrewsfarm, sysadmin-bugs
Aurelien Oudelet
2020-08-28 15:26:43 CEST

CC: ouaurelien => (none)

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0351.html

Resolution: (none) => FIXED