Bug 26962 - evolution-data-server new security issue CVE-2020-14928
Summary: evolution-data-server new security issue CVE-2020-14928
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-16 23:46 CEST by David Walser
Modified: 2020-07-20 14:09 CEST (History)
CC List: 1 user

See Also:
Source RPM: evolution-data-server-3.32.2-1.mga7.src.rpm
CVE: CVE-2020-14928
Status comment:


Attachments

Description David Walser 2020-07-16 23:46:49 CEST
Debian and Debian-LTS have issued advisories on July 15 and today (July 16):
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281

The issue is fixed upstream in 3.36.4.

We could possibly use the Debian backported patch.
Comment 1 Lewis Smith 2020-07-17 21:17:39 CEST
This needs to be assigned globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-07-20 14:09:08 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection". (CVE-2020-14928)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14928
https://lists.debian.org/debian-security-announce/2020/msg00131.html
https://www.debian.org/security/2020/dsa-4725
https://www.debian.org/lts/security/2020/dla-2281
========================

Updated packages in core/updates_testing:
========================
evolution-data-server-3.32.2-1.1.mga7
lib(64)camel1.2_62-3.32.2-1.1.mga7
lib(64)ebook1.2_19-3.32.2-1.1.mga7
lib(64)ecal1.2_19-3.32.2-1.1.mga7
lib(64)ebook-contacts1.2_2-3.32.2-1.1.mga7
lib(64)edata-book1.2_25-3.32.2-1.1.mga7
lib(64)edata-cal1.2_29-3.32.2-1.1.mga7
lib(64)edataserver1.2_24-3.32.2-1.1.mga7
lib(64)edataserverui1.2_2-3.32.2-1.1.mga7
lib(64)ebackend1.2_10-3.32.2-1.1.mga7
lib(64)edataserver1.2-devel-3.32.2-1.1.mga7
lib(64)evolution-data-server-gir1.2-3.32.2-1.1.mga7
evolution-data-server-tests-3.32.2-1.1.mga7

from SRPMS:
evolution-data-server-3.32.2-1.1.mga7.src.rpm

CVE: (none) => CVE-2020-14928
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
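The advisory text above states the defect in buffering terms: after the server's "begin TLS" reply, bytes already sitting in the client's plaintext read buffer are later read back as if they had arrived inside the TLS session. As an added illustration, not code from evolution-data-server, Debian or the upstream 3.36.4 fix, the following Python models a line-buffered SMTP client and contrasts the defective pattern (keep whatever plaintext is already buffered when the TLS handshake begins) with the check a client should make (the 220 reply must be the last plaintext consumed; abort if anything else is already buffered). The stream class, function names and sample traffic are constructed for this example.

```python
"""Client-side STARTTLS buffering check, modelled on the CVE-2020-14928 description.

Constructed illustration (not evolution-data-server code): a line-buffered SMTP
client reads the server's "220" reply to STARTTLS. Any bytes that are already
in the client's plaintext read buffer after that reply must not survive into
the TLS session, or they are later read back as if the server had sent them
inside TLS ("response injection"). starttls_unchecked shows the defective
pattern; starttls_checked refuses to hand over to TLS with a non-empty buffer.
"""


class ProtocolError(Exception):
    pass


class LineBufferedStream:
    """Minimal stand-in for a socket wrapped in a buffered reader.

    `data` is the constructed byte sequence the client will receive; `recv_size`
    is how many bytes each simulated recv() pulls into the buffer, so one read
    can bring in more than the current reply line.
    """

    def __init__(self, data: bytes, recv_size: int = 4096):
        self._data = data
        self._recv_size = recv_size
        self._buf = b""

    def _recv(self) -> int:
        chunk = self._data[: self._recv_size]
        self._data = self._data[self._recv_size:]
        self._buf += chunk
        return len(chunk)

    def readline(self) -> bytes:
        """Return one CRLF-terminated line (without CRLF), buffering any excess."""
        while b"\r\n" not in self._buf:
            if self._recv() == 0:
                raise ProtocolError("connection closed before end of line")
        line, _, self._buf = self._buf.partition(b"\r\n")
        return line

    def pending(self) -> bytes:
        """Bytes received in plaintext but not yet consumed by readline()."""
        return self._buf


def read_starttls_reply(stream: LineBufferedStream) -> bytes:
    """Consume the reply to STARTTLS and require the 220 'go ahead' code (RFC 3207)."""
    reply = stream.readline()
    if not reply.startswith(b"220"):
        raise ProtocolError(f"server refused STARTTLS: {reply!r}")
    return reply


def starttls_unchecked(stream: LineBufferedStream) -> bytes:
    """Defective pattern: after the 220 reply, keep the existing buffer and start
    TLS on the socket. Returns the plaintext bytes that the buffered reader would
    serve first, i.e. be read back as though they were TLS-protected replies."""
    read_starttls_reply(stream)
    # A real client would run the TLS handshake on the underlying socket here;
    # the buffered reader above it still holds stream.pending().
    return stream.pending()


def starttls_checked(stream: LineBufferedStream) -> bool:
    """Hardened pattern: the 220 reply must be the last plaintext the client
    accepts. Anything already buffered beyond it is a protocol violation, so the
    connection is aborted instead of starting TLS."""
    read_starttls_reply(stream)
    if stream.pending():
        raise ProtocolError(
            f"{len(stream.pending())} unexpected plaintext byte(s) after the "
            "STARTTLS reply; aborting instead of starting TLS"
        )
    return True


# Constructed sample traffic: a clean exchange, and one where extra plaintext
# arrives in the same segment as the 220 reply.
CLEAN = b"220 2.0.0 Ready to start TLS\r\n"
WITH_EXTRA_PLAINTEXT = b"220 2.0.0 Ready to start TLS\r\n250 OK\r\n"


def leaked_into_tls(data: bytes) -> bytes:
    """Plaintext the unchecked client would treat as TLS-protected for `data`."""
    return starttls_unchecked(LineBufferedStream(data))


def accepted_by_checked_client(data: bytes) -> bool:
    """True if the hardened client proceeds to TLS, False if it aborts."""
    try:
        return starttls_checked(LineBufferedStream(data))
    except ProtocolError:
        return False


if __name__ == "__main__":
    print("unchecked client, clean stream:", leaked_into_tls(CLEAN))
    print("unchecked client, extra bytes: ", leaked_into_tls(WITH_EXTRA_PLAINTEXT))
    print("checked client, clean stream:  ", accepted_by_checked_client(CLEAN))
    print("checked client, extra bytes:   ", accepted_by_checked_client(WITH_EXTRA_PLAINTEXT))
```

Run it directly to see both clients on both streams. The same check applies to POP3, where the STLS reply is "+OK"; only the reply-code test in read_starttls_reply is protocol-specific. Note that the check can only reject bytes the client has already received; it is the correct client-side behaviour, but it does not replace deploying implicit TLS (SMTPS/POP3S) where the server offers it.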

