Debian and Debian-LTS have issued advisories on July 15 and today (July 16):
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281

The issue is fixed upstream in 3.36.4. We could possibly use the Debian backported patch.
This needs to be assigned globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection". (CVE-2020-14928)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14928
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.32.2-1.1.mga7
lib(64)camel1.2_62-3.32.2-1.1.mga7
lib(64)ebook1.2_19-3.32.2-1.1.mga7
lib(64)ecal1.2_19-3.32.2-1.1.mga7
lib(64)ebook-contacts1.2_2-3.32.2-1.1.mga7
lib(64)edata-book1.2_25-3.32.2-1.1.mga7
lib(64)edata-cal1.2_29-3.32.2-1.1.mga7
lib(64)edataserver1.2_24-3.32.2-1.1.mga7
lib(64)edataserverui1.2_2-3.32.2-1.1.mga7
lib(64)ebackend1.2_10-3.32.2-1.1.mga7
lib(64)edataserver1.2-devel-3.32.2-1.1.mga7
lib(64)evolution-data-server-gir1.2-3.32.2-1.1.mga7
Wrote: /home/iurt/rpmbuild/RPMS/x86_64/evolution-data-server-tests-3.32.2-1.1.mga7

from SRPMS:
evolution-data-server-3.32.2-1.1.mga7.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-14928
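As an added illustration of the STARTTLS buffering issue the advisory above describes (example code written for this page, not from evolution-data-server, Debian or Mageia), the following simulation puts a flawed client-side line reader beside a hardened one. FakeSocket, LineReader, smtp_starttls and the wire bytes are all constructed and assumed for the example; nothing touches a network or performs real TLS. The point it makes is the one in the advisory: a single recv() on the plaintext connection can return the "220 begin TLS" reply together with further bytes, and a client that keeps those bytes in its buffer across the handshake will hand them to the application as if they had arrived over TLS.

```python
"""Client-side STARTTLS buffering: the flawed reader beside a hardened one.

Everything here is constructed for illustration: FakeSocket stands in for a TCP
socket (and, after the simulated "handshake", for the TLS socket), and the wire
bytes are made up. No network or real TLS is involved.
"""


class ProtocolError(Exception):
    """Raised by the hardened client when the STARTTLS transition is violated."""


class FakeSocket:
    """Hands out chunks exactly as the (simulated) server framed them on the wire."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def recv(self, _size=4096):
        return self._chunks.pop(0) if self._chunks else b""


class LineReader:
    """Minimal buffered line reader of the kind every SMTP/POP3 client has.
    A single recv() may return more than one line; the surplus stays in self.buf."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = b""

    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv()
            if not chunk:
                raise ConnectionError("connection closed")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line


def smtp_starttls(plain_sock, tls_sock, hardened):
    """Drive the STARTTLS transition and return the first line the client then
    treats as TLS-protected. tls_sock stands in for the socket after the handshake.
    hardened=False reproduces the buffering flaw; hardened=True refuses leftover bytes."""
    reader = LineReader(plain_sock)
    reply = reader.readline()  # the server's answer to the client's STARTTLS command
    if not reply.startswith(b"220"):
        raise ProtocolError("server declined STARTTLS: %r" % reply)

    # Hardened: the handshake must start on a clean read buffer. Anything the server
    # pushed after its "220" line arrived in plaintext and must never be returned as if
    # it came over TLS. Rejecting (rather than silently dropping) also surfaces tampering.
    if hardened and reader.buf:
        raise ProtocolError("plaintext bytes after STARTTLS reply: %r" % reader.buf)

    # Simulated handshake: swap the transport. The flawed client keeps the old buffer,
    # so its next readline() may return plaintext instead of the first TLS record.
    reader.sock = tls_sock
    return reader.readline()


# Constructed wire data: the server's "220" reply and an extra plaintext line arrive
# in one segment; the post-handshake channel then carries the real EHLO reply.
PLAINTEXT_CHUNKS = [b"220 2.0.0 Ready to start TLS\r\n250 injected-plaintext-line\r\n"]
TLS_CHUNKS = [b"250-mail.example.test\r\n", b"250 STARTTLS\r\n"]


def demo(hardened):
    """Return the first 'post-TLS' line the client saw, or the rejection message."""
    try:
        return smtp_starttls(FakeSocket(PLAINTEXT_CHUNKS), FakeSocket(TLS_CHUNKS), hardened)
    except ProtocolError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print("flawed client saw:", demo(False))
    print("hardened client:  ", demo(True))
```

The flawed path returns the injected plaintext line as the first "TLS-protected" response; the hardened path refuses to start the handshake while unread plaintext is pending. The same check applies unchanged to POP3 (STLS) and IMAP (STARTTLS): whatever buffer sits between the socket and the protocol parser must be empty, or the connection aborted, before the TLS handshake begins.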
Loaded the packages with QARepo, then selected evolution-data-serv in MCC to install, and after a while an error message appeared:

The "drakrpm" program has crashed with the following error:
detecting looping forever while trying to resolve dependencies. Aborting...
Try again with '-vv --debug' options at /usr/lib64/perl5/vendor_perl/URPM/Resolve.pm line 1287.

Perl's trace:
drakbug::bug_handler() called from /usr/share/perl5/vendor_perl/Gtk3.pm:524
Gtk3::__ANON__() called from /usr/lib/libDrakX/mygtk3.pm:1550
mygtk3::main() called from /usr/lib/libDrakX/ugtk3.pm:857
ugtk3::main() called from /usr/share/perl5/vendor_perl/Rpmdrake/gui.pm:609
Rpmdrake::gui::ask_browse_tree_given_widgets_for_rpmdrake() called from /usr/libexec/drakrpm:835
main::run_treeview_dialog() called from /usr/libexec/drakrpm:859
CC: (none) => herman.viaene
This does not happen when disabling the local QA-repo and enabling Core Updates Testing directly in MCC.
Possible cause of the loop (I guess it's rather a timeout): I did not include the evolution-data-server-tests package when uploading to the QA-repo.
Consulted previous bugs 10896 and 14425, but I don't find much info on how to test this. Come and see later...
Copy from https://developer.gnome.org/eds/stable/

"Evolution-Data-Server is a collection of libraries and services for storing addressbooks and calendars. In this reference manual you will find documentation on using the client libraries as well as implementing backends for calendars and addressbooks."

Looks like developer stuff, agree on clean install???
How about we fix another issue while we're figuring that out? Debian-LTS has issued an advisory on August 2:
https://www.debian.org/lts/security/2020/dla-2309

It fixes one new issue, fixed upstream in 3.35.91.
CVE: CVE-2020-14928 => CVE-2020-14928, CVE-2020-16117
Summary: evolution-data-server new security issue CVE-2020-14928 => evolution-data-server new security issues CVE-2020-14928 and CVE-2020-16117
Severity: normal => major
Assignee: qa-bugs => nicolas.salguero
CC: (none) => qa-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection". (CVE-2020-14928)

In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. This is related to imapx_free_capability and imapx_connect_to_server. (CVE-2020-16117)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16117
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281
https://www.debian.org/lts/security/2020/dla-2309
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.32.2-1.2.mga7
lib(64)camel1.2_62-3.32.2-1.2.mga7
lib(64)ebook1.2_19-3.32.2-1.2.mga7
lib(64)ecal1.2_19-3.32.2-1.2.mga7
lib(64)ebook-contacts1.2_2-3.32.2-1.2.mga7
lib(64)edata-book1.2_25-3.32.2-1.2.mga7
lib(64)edata-cal1.2_29-3.32.2-1.2.mga7
lib(64)edataserver1.2_24-3.32.2-1.2.mga7
lib(64)edataserverui1.2_2-3.32.2-1.2.mga7
lib(64)ebackend1.2_10-3.32.2-1.2.mga7
lib(64)edataserver1.2-devel-3.32.2-1.2.mga7
lib(64)evolution-data-server-gir1.2-3.32.2-1.2.mga7
Wrote: /home/iurt/rpmbuild/RPMS/x86_64/evolution-data-server-tests-3.32.2-1.2.mga7

from SRPMS:
evolution-data-server-3.32.2-1.2.mga7.src.rpm
Assignee: nicolas.salguero => qa-bugs
CC: qa-bugs => (none)
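As an added illustration of the second issue in the advisory above, CVE-2020-16117 (example code written for this page, not the camel IMAPX code in evolution-data-server), the parser below shows the defensive point: the IMAP CAPABILITY line is entirely server-controlled, so a client must validate what its parser produced before using it. The naive parser returns None for a line it does not understand and the caller dereferences it, which is the Python analogue of the NULL pointer dereference the advisory names; the tolerant parser always returns a set, treating a minimal "* CAPABILITY" line as an empty capability set. The function names and the constructed sample lines are this example's own.

```python
"""Parsing a server-controlled IMAP CAPABILITY line: crash-prone vs. tolerant.

The sample lines are constructed for this example. The parsers are written for
this page and are not evolution-data-server's own code.
"""


class ProtocolError(Exception):
    """Raised when the line is not a CAPABILITY response at all."""


def naive_parse_capability(line):
    """Mirrors the failure pattern: returns None for a line it does not understand
    (the C analogue is a NULL pointer) and leaves the caller to dereference it."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != b"*" or parts[1].upper() != b"CAPABILITY":
        return None
    return {p.upper() for p in parts[2:]}


def naive_supports_starttls(line):
    # No None check: a minimal "* CAPABILITY" line makes this raise TypeError,
    # which is where a C client would have dereferenced NULL instead.
    return b"STARTTLS" in naive_parse_capability(line)


def parse_capability(line):
    """Tolerant parser: always returns a set, never None.

    A line that is not a CAPABILITY response raises ProtocolError so the caller can
    drop the connection; a syntactically minimal "* CAPABILITY" with no tokens is
    accepted as an empty capability set, so the client falls back to safe defaults
    rather than crashing."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != b"*" or parts[1].upper() != b"CAPABILITY":
        raise ProtocolError("not a CAPABILITY response: %r" % line)
    return {p.upper() for p in parts[2:]}


def supports_starttls(line):
    """Hardened caller: a malformed line is simply 'no STARTTLS', never a crash."""
    try:
        caps = parse_capability(line)
    except ProtocolError:
        return False
    return b"STARTTLS" in caps


def probe(func, line):
    """Run a checker on a line and report a crash instead of propagating it."""
    try:
        return func(line)
    except Exception as exc:
        return "crashed: %s" % type(exc).__name__


# Constructed sample lines: a normal response, a minimal one, and a non-CAPABILITY line.
GOOD = b"* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\n"
MINIMAL = b"* CAPABILITY\r\n"
JUNK = b"* OK\r\n"


if __name__ == "__main__":
    for label, line in (("good", GOOD), ("minimal", MINIMAL), ("junk", JUNK)):
        print("%-8s naive=%-22r tolerant=%r" % (label, probe(naive_supports_starttls, line),
                                                probe(supports_starttls, line)))
```

The tolerant parser makes one deliberate choice worth noting: an empty capability set means the client will not advertise or rely on STARTTLS from that line, so a client that requires TLS must still enforce that requirement itself rather than infer it from what an untrusted server announces.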
How about this security bug? Has it been tested?
CC: (none) => ouaurelien
64-bit Plasma install, Evolution not installed. Evolution-data-server had been installed previously, perhaps for another update test.

The following 11 packages are going to be installed:
- evolution-data-server-3.32.2-1.2.mga7.x86_64
- evolution-data-server-tests-3.32.2-1.2.mga7.x86_64
- lib64camel1.2_62-3.32.2-1.2.mga7.x86_64
- lib64ebackend1.2_10-3.32.2-1.2.mga7.x86_64
- lib64ebook-contacts1.2_2-3.32.2-1.2.mga7.x86_64
- lib64ebook1.2_19-3.32.2-1.2.mga7.x86_64
- lib64ecal1.2_19-3.32.2-1.2.mga7.x86_64
- lib64edata-book1.2_25-3.32.2-1.2.mga7.x86_64
- lib64edata-cal1.2_29-3.32.2-1.2.mga7.x86_64
- lib64edataserver1.2_24-3.32.2-1.2.mga7.x86_64
- lib64edataserverui1.2_2-3.32.2-1.2.mga7.x86_64

No installation issues.

Attempted to run several of the tests, but most came back with errors, missing configurations and/or files, things like that. I suspect that's because Evolution is not installed, and believe it is to be expected.

Looking online at the manual for this package, I see that it is quite lengthy and comprehensive, far too much for my feeble abilities to learn for this test, and much of what I saw looking to be beyond the scope of QA.

OKing, and validating, based on a clean install and on the few tests that did run. Advisory in Comment 9.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: ouaurelien => (none)
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0351.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED