Security Advisory Moderate: evolution-data-server security update

Advisory: RHSA-2009:0354-10
Type: Security Advisory
Severity: Moderate
Issued on: 2009-03-16
Last updated on: 2009-03-16
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.7.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.7.z)
Red Hat Enterprise Linux EUS (v. 5.3.z server)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20090354.xml
CVEs (cve.mitre.org): CVE-2009-0547
CVE-2009-0582
CVE-2009-0587

Details

Updated evolution-data-server and evolution28-evolution-data-server
packages that fix multiple security issues are now available for Red Hat
Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Evolution Data Server provides a unified back-end for applications which
interact with contacts, task, and calendar information. Evolution Data
Server was originally developed as a back-end for Evolution, but is now
used by multiple other applications.

Evolution Data Server did not properly check the Secure/Multipurpose
Internet Mail Extensions (S/MIME) signatures used for public key encryption
and signing of e-mail messages. An attacker could use this flaw to spoof a
signature by modifying the text of the e-mail message displayed to the
user. (CVE-2009-0547)

It was discovered that Evolution Data Server did not properly validate NTLM
(NT LAN Manager) authentication challenge packets. A malicious server using
NTLM authentication could cause an application using Evolution Data Server
to disclose portions of its memory or crash during user authentication.
(CVE-2009-0582)

Multiple integer overflow flaws which could cause heap-based buffer
overflows were found in the Base64 encoding routines used by Evolution Data
Server. This could cause an application using Evolution Data Server to
crash, or, possibly, execute an arbitrary code when large untrusted data
blocks were Base64-encoded. (CVE-2009-0587)

All users of evolution-data-server and evolution28-evolution-data-server
are advised to upgrade to these updated packages, which contain backported
patches to correct these issues. All running instances of Evolution Data
Server and applications using it (such as Evolution) must be restarted for
the update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
File outdated by:  RHBA-2009:1259		     1e9d40d02745955d3b030951bfbbeee9
 
IA-32:
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     f9ca9c28edce62ddf926a431c6b2fe4f
 
x86_64:
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-devel-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259		     319540216e7172a7ec246126664757ae
 
Red Hat Desktop (v. 4)
SRPMS:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.src.rpm     e5a218e5596b5804b66bb27c5fd1554f
 
IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     15df9dc70d2ba63f285be4eb375c7476
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rp     37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
File outdated by:  RHBA-2009:1259		     1e9d40d02745955d3b030951bfbbeee9
 
IA-32:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     07a9b1d55226fa6f180e9125161eae85
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-doc-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     edc69a81aca2c1afe25160aaa02e0b33
 
IA-64:
evolution-data-server-1.12.3-10.el5_3.3.ia64.rpm
File outdated by:  RHBA-2009:1259		     2024abde3c2078c59663e19325dc1039
evolution-data-server-devel-1.12.3-10.el5_3.3.ia64.rpm
File outdated by:  RHBA-2009:1259		     a2f757521bf5b6498a3263502b102635
evolution-data-server-doc-1.12.3-10.el5_3.3.ia64.rpm
File outdated by:  RHBA-2009:1259		     e47a80a8a43f5ccbb599b5ed0ad39e2f
 
PPC:
evolution-data-server-1.12.3-10.el5_3.3.ppc.rpm
File outdated by:  RHBA-2009:1259		     0b226e9e1f4d0da6cc64d1b22b60ae5f
evolution-data-server-1.12.3-10.el5_3.3.ppc64.rpm
File outdated by:  RHBA-2009:1259		     5ac5dd6e9adb86d7778ea14f8892ce83
evolution-data-server-devel-1.12.3-10.el5_3.3.ppc.rpm
File outdated by:  RHBA-2009:1259		     0deef0de8dc52aacecd3fd9b630ff9ef
evolution-data-server-devel-1.12.3-10.el5_3.3.ppc64.rpm
File outdated by:  RHBA-2009:1259		     4eeac4d08eba33e6874eaf7b9736d7a3
evolution-data-server-doc-1.12.3-10.el5_3.3.ppc.rpm
File outdated by:  RHBA-2009:1259		     c4412a84d69801a982c53fd313f1de79
 
s390x:
evolution-data-server-1.12.3-10.el5_3.3.s390.rpm
File outdated by:  RHBA-2009:1259		     76f9c482b4ec36e660738dfe15aed1e2
evolution-data-server-1.12.3-10.el5_3.3.s390x.rpm
File outdated by:  RHBA-2009:1259		     c77a7cf1e16bda1d4698cc33170970d7
evolution-data-server-devel-1.12.3-10.el5_3.3.s390.rpm
File outdated by:  RHBA-2009:1259		     0080255a7684e9b4674f0cd164189033
evolution-data-server-devel-1.12.3-10.el5_3.3.s390x.rpm
File outdated by:  RHBA-2009:1259		     4ebd51d4a050c5ccf0041bb10106a7b2
evolution-data-server-doc-1.12.3-10.el5_3.3.s390x.rpm
File outdated by:  RHBA-2009:1259		     06ebbea6dea7500f1fb547348a405b4e
 
x86_64:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     07a9b1d55226fa6f180e9125161eae85
evolution-data-server-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259		     7a41b30c365bd744ccaa85b3fc5340d6
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-devel-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259		     319540216e7172a7ec246126664757ae
evolution-data-server-doc-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259		     8cb8545a54d7455aa36dcd69d4705742
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.src.rpm     e5a218e5596b5804b66bb27c5fd1554f
 
IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     7bd8001b7a7ca98d27044389fb0d5ef3
 
PPC:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ppc.rpm     9acc9cb284656a9104500cfde59eb720
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ppc.rpm     540ff6d6d78125aab2e06786f604150f
 
s390:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.s390.rpm     9fa99fbf0d2369c06af9c733b5df1309
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.s390.rpm     9f5f7387f4b1f3d86524d4d525a4eb70
 
s390x:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.s390x.rpm     8200e5a150f4e282f6822e810f429938
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.s390x.rpm     1039a6d975c2750aa313e89c118908a1
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux AS (v. 4.7.z)
SRPMS:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.src.rpm     e5a218e5596b5804b66bb27c5fd1554f
 
IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     7bd8001b7a7ca98d27044389fb0d5ef3
 
PPC:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ppc.rpm     9acc9cb284656a9104500cfde59eb720
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ppc.rpm     540ff6d6d78125aab2e06786f604150f
 
s390:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.s390.rpm     9fa99fbf0d2369c06af9c733b5df1309
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.s390.rpm     9f5f7387f4b1f3d86524d4d525a4eb70
 
s390x:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.s390x.rpm     8200e5a150f4e282f6822e810f429938
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.s390x.rpm     1039a6d975c2750aa313e89c118908a1
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
File outdated by:  RHBA-2009:1259		     1e9d40d02745955d3b030951bfbbeee9
 
IA-32:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     07a9b1d55226fa6f180e9125161eae85
evolution-data-server-doc-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     edc69a81aca2c1afe25160aaa02e0b33
 
x86_64:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259		     07a9b1d55226fa6f180e9125161eae85
evolution-data-server-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259		     7a41b30c365bd744ccaa85b3fc5340d6
evolution-data-server-doc-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259		     8cb8545a54d7455aa36dcd69d4705742
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.src.rpm     e5a218e5596b5804b66bb27c5fd1554f
 
IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     7bd8001b7a7ca98d27044389fb0d5ef3
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux ES (v. 4.7.z)
SRPMS:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.src.rpm     e5a218e5596b5804b66bb27c5fd1554f
 
IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     7bd8001b7a7ca98d27044389fb0d5ef3
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux EUS (v. 5.3.z server)
SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
File outdated by:  RHBA-2009:1259		     1e9d40d02745955d3b030951bfbbeee9
 
IA-32:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm     07a9b1d55226fa6f180e9125161eae85
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm     f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-doc-1.12.3-10.el5_3.3.i386.rpm     edc69a81aca2c1afe25160aaa02e0b33
 
IA-64:
evolution-data-server-1.12.3-10.el5_3.3.ia64.rpm     2024abde3c2078c59663e19325dc1039
evolution-data-server-devel-1.12.3-10.el5_3.3.ia64.rpm     a2f757521bf5b6498a3263502b102635
evolution-data-server-doc-1.12.3-10.el5_3.3.ia64.rpm     e47a80a8a43f5ccbb599b5ed0ad39e2f
 
PPC:
evolution-data-server-1.12.3-10.el5_3.3.ppc.rpm     0b226e9e1f4d0da6cc64d1b22b60ae5f
evolution-data-server-1.12.3-10.el5_3.3.ppc64.rpm     5ac5dd6e9adb86d7778ea14f8892ce83
evolution-data-server-devel-1.12.3-10.el5_3.3.ppc.rpm     0deef0de8dc52aacecd3fd9b630ff9ef
evolution-data-server-devel-1.12.3-10.el5_3.3.ppc64.rpm     4eeac4d08eba33e6874eaf7b9736d7a3
evolution-data-server-doc-1.12.3-10.el5_3.3.ppc.rpm     c4412a84d69801a982c53fd313f1de79
 
s390x:
evolution-data-server-1.12.3-10.el5_3.3.s390.rpm     76f9c482b4ec36e660738dfe15aed1e2
evolution-data-server-1.12.3-10.el5_3.3.s390x.rpm     c77a7cf1e16bda1d4698cc33170970d7
evolution-data-server-devel-1.12.3-10.el5_3.3.s390.rpm     0080255a7684e9b4674f0cd164189033
evolution-data-server-devel-1.12.3-10.el5_3.3.s390x.rpm     4ebd51d4a050c5ccf0041bb10106a7b2
evolution-data-server-doc-1.12.3-10.el5_3.3.s390x.rpm     06ebbea6dea7500f1fb547348a405b4e
 
x86_64:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm     07a9b1d55226fa6f180e9125161eae85
evolution-data-server-1.12.3-10.el5_3.3.x86_64.rpm     7a41b30c365bd744ccaa85b3fc5340d6
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm     f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-devel-1.12.3-10.el5_3.3.x86_64.rpm     319540216e7172a7ec246126664757ae
evolution-data-server-doc-1.12.3-10.el5_3.3.x86_64.rpm     8cb8545a54d7455aa36dcd69d4705742
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.src.rpm     e5a218e5596b5804b66bb27c5fd1554f
 
IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     7bd8001b7a7ca98d27044389fb0d5ef3
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     37c799f5070e83af6483f90b681737cd
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

484925 - CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM)
487685 - CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets
488226 - CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0587
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/