Ubuntu has issued an advisory on July 31:
http://www.ubuntu.com/usn/usn-1922-1/

Ubuntu has links to upstream patches for 3.8.x and 3.9.x and a patch for 3.6.x.

Mageia 2 and Mageia 3 are also affected.
Whiteboard: (none) => MGA3TOO, MGA2TOO
This is fixed upstream in 3.9.5, which we have in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated evolution-data-server packages fix security vulnerability:

Yves-Alexis Perez discovered that Evolution Data Server did not properly select GPG recipients. Under certain circumstances, this could result in Evolution encrypting email to an unintended recipient (CVE-2013-4166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4166
http://www.ubuntu.com/usn/usn-1922-1/
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.4.4-1.1.mga2
libcamel33-3.4.4-1.1.mga2
libebook13-3.4.4-1.1.mga2
libecal11-3.4.4-1.1.mga2
libedata-book13-3.4.4-1.1.mga2
libedata-cal15-3.4.4-1.1.mga2
libedataserver16-3.4.4-1.1.mga2
libedataserverui1-3.4.4-1.1.mga2
libebackend2-3.4.4-1.1.mga2
libedataserver-devel-3.4.4-1.1.mga2
libevolution-data-server-gir1.2-3.4.4-1.1.mga2
evolution-data-server-3.6.3-1.1.mga3
libcamel1.2_40-3.6.3-1.1.mga3
libebook1.2_14-3.6.3-1.1.mga3
libecal1.2_15-3.6.3-1.1.mga3
libedata-book1.2_15-3.6.3-1.1.mga3
libedata-cal1.2_18-3.6.3-1.1.mga3
libedataserver1.2_17-3.6.3-1.1.mga3
libedataserverui3.0_4-3.6.3-1.1.mga3
libebackend1.2_5-3.6.3-1.1.mga3
libedataserver1.2-devel-3.6.3-1.1.mga3
libevolution-data-server-gir1.2-3.6.3-1.1.mga3

from SRPMS:
evolution-data-server-3.4.4-1.1.mga2.src.rpm
evolution-data-server-3.6.3-1.1.mga3.src.rpm
CC: (none) => olav
Version: Cauldron => 3
Assignee: olav => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Created attachment 4260
Screenshot showing that it's failing to find the public key.

Unless I've made a typo that I'm just not seeing, this is not working in my test on a Mageia 2 i586 vb guest (i2v).
CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO feedback
Ignore comment 2. Finally noticed the typo. Missing e in homeip
Whiteboard: MGA2TOO feedback => MGA2TOO
As there is no indication what certain circumstances cause the wrong key to be selected, just testing that it's working with gpg signed encrypted msgs. Testing complete on Mageia 2 i586 and x86_64.
Whiteboard: MGA2TOO => MGA2TOO MGA2-64-OK MGA2-32-OK
Testing complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push 10896.adv to updates?
Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
update pushed: http://advisories.mageia.org/MGASA-2013-0245.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED