Security Advisory Moderate: evolution-data-server security update

Advisory: RHSA-2009:0354-10
Type: Security Advisory
Severity: Moderate
Issued on: 2009-03-16
Last updated on: 2009-03-16
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.7.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.7.z)
Red Hat Enterprise Linux EUS (v. 5.3.z server)
Red Hat Enterprise Linux Long Life (v. 5.3 server)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2009-0547
CVE-2009-0582
CVE-2009-0587

Details

Updated evolution-data-server and evolution28-evolution-data-server
packages that fix multiple security issues are now available for Red Hat
Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Evolution Data Server provides a unified back-end for applications which
interact with contact, task, and calendar information. Evolution Data
Server was originally developed as a back-end for Evolution, but is now
used by multiple other applications.

Evolution Data Server did not properly check the Secure/Multipurpose
Internet Mail Extensions (S/MIME) signatures used for public key encryption
and signing of e-mail messages. An attacker could use this flaw to spoof a
signature by modifying the text of the e-mail message displayed to the
user. (CVE-2009-0547)

It was discovered that Evolution Data Server did not properly validate NTLM
(NT LAN Manager) authentication challenge packets. A malicious server using
NTLM authentication could cause an application using Evolution Data Server
to disclose portions of its memory or crash during user authentication.
(CVE-2009-0582)
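
The kind of validation this issue concerns, as an added example (not code from Evolution Data Server or from the backported patch): a C parser for an NTLM challenge (Type 2) message that rejects any packet whose target-name length or offset points outside the received buffer, so a server-supplied length can never drive a read past the packet. The struct, function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; names are hypothetical, not Evolution Data Server code. */
#define NTLM_CHALLENGE_MIN 32u /* signature 8, type 4, target-name fields 8, flags 4, nonce 8 */

struct ntlm_challenge {
    const uint8_t *target;   /* points into the caller's buffer, or NULL */
    uint16_t target_len;
    uint8_t nonce[8];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills *out only if every field lies inside buf[0..len). */
int ntlm_parse_challenge(const uint8_t *buf, size_t len, struct ntlm_challenge *out) {
    uint16_t tlen;
    uint32_t toff;
    if (len < NTLM_CHALLENGE_MIN) return -1;              /* truncated header */
    if (memcmp(buf, "NTLMSSP\0", 8) != 0) return -1;      /* wrong signature */
    if (rd32(buf + 8) != 2) return -1;                    /* not a challenge message */
    tlen = rd16(buf + 12);                                /* server-controlled length */
    toff = rd32(buf + 16);                                /* server-controlled offset */
    if (tlen != 0 && (toff < NTLM_CHALLENGE_MIN || toff > len || tlen > len - toff))
        return -1;                                        /* payload outside the packet */
    out->target = tlen ? buf + toff : NULL;
    out->target_len = tlen;
    memcpy(out->nonce, buf + 24, 8);
    return 0;
}

/* Constructed sample: a well-formed 36-byte challenge with target name "TEST". */
static const uint8_t SAMPLE_OK[36] = {
    'N','T','L','M','S','S','P',0,  2,0,0,0,  4,0, 4,0,  32,0,0,0,
    0,0,0,0,  1,2,3,4,5,6,7,8,  'T','E','S','T' };

int main(void) {
    struct ntlm_challenge c;
    uint8_t bad[36];
    memcpy(bad, SAMPLE_OK, sizeof bad);
    bad[13] = 0x40;                       /* claim a target name of about 16 KiB */
    printf("well-formed: %d\n", ntlm_parse_challenge(SAMPLE_OK, sizeof SAMPLE_OK, &c));
    printf("oversized length: %d\n", ntlm_parse_challenge(bad, sizeof bad, &c));
    return 0;
}
```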

Multiple integer overflow flaws which could cause heap-based buffer
overflows were found in the Base64 encoding routines used by Evolution Data
Server. This could cause an application using Evolution Data Server to
crash, or, possibly, execute arbitrary code when large untrusted data
blocks were Base64-encoded. (CVE-2009-0587)
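
The class of flaw described above, as an added example (not code from Evolution Data Server or from the backported patch): a Base64 output-size calculation done in 32-bit arithmetic without an overflow check wraps to a tiny value for a very large input, while the checked version refuses the request before any buffer is allocated. All function names are hypothetical, and the unchecked formula is a generic one chosen to show the wrap, not the project's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration; names are hypothetical, not Evolution Data Server code. */

/* Buffer size in 32-bit arithmetic with no overflow check: wraps for large len. */
uint32_t b64_size_naive32(uint32_t len) { return (len + 2u) / 3u * 4u + 1u; }

/* Checked size: 4 chars per started 3-byte group plus NUL; -1 if it cannot fit. */
int b64_size_checked(size_t len, size_t *out) {
    size_t groups = len / 3 + (len % 3 != 0);    /* cannot overflow */
    if (groups > (SIZE_MAX - 1) / 4) return -1;  /* groups * 4 + 1 would wrap */
    *out = groups * 4 + 1;
    return 0;
}

static const char TBL[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encodes len bytes; returns a malloc'd NUL-terminated string, or NULL on overflow/OOM. */
char *b64_encode(const unsigned char *in, size_t len) {
    size_t need, i, o = 0;
    char *out;
    if (b64_size_checked(len, &need) != 0 || (out = malloc(need)) == NULL) return NULL;
    for (i = 0; i + 2 < len; i += 3) {           /* full 3-byte groups */
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = TBL[v >> 18];        out[o++] = TBL[(v >> 12) & 63];
        out[o++] = TBL[(v >> 6) & 63];  out[o++] = TBL[v & 63];
    }
    if (i < len) {                               /* 1 or 2 trailing bytes, '=' padded */
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len) v |= (uint32_t)in[i + 1] << 8;
        out[o++] = TBL[v >> 18];        out[o++] = TBL[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? TBL[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}

int main(void) {
    char *s = b64_encode((const unsigned char *)"foobar", 6);
    printf("naive 32-bit size for a 3 GiB input: %u\n", (unsigned)b64_size_naive32(0xC0000000u));
    printf("encode(foobar) = %s\n", s ? s : "(null)");
    free(s);
    return 0;
}
```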

All users of evolution-data-server and evolution28-evolution-data-server
are advised to upgrade to these updated packages, which contain backported
patches to correct these issues. All running instances of Evolution Data
Server and applications using it (such as Evolution) must be restarted for
the update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
File outdated by:  RHBA-2009:1259
    MD5: 1e9d40d02745955d3b030951bfbbeee9
 
IA-32:
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: f9ca9c28edce62ddf926a431c6b2fe4f
 
x86_64:
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-devel-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259
    MD5: 319540216e7172a7ec246126664757ae
 
Red Hat Desktop (v. 4)

IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     MD5: cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     MD5: 15df9dc70d2ba63f285be4eb375c7476
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
File outdated by:  RHBA-2009:1259
    MD5: 1e9d40d02745955d3b030951bfbbeee9
 
IA-32:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: 07a9b1d55226fa6f180e9125161eae85
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-doc-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: edc69a81aca2c1afe25160aaa02e0b33
 
IA-64:
evolution-data-server-1.12.3-10.el5_3.3.ia64.rpm
File outdated by:  RHBA-2009:1259
    MD5: 2024abde3c2078c59663e19325dc1039
evolution-data-server-devel-1.12.3-10.el5_3.3.ia64.rpm
File outdated by:  RHBA-2009:1259
    MD5: a2f757521bf5b6498a3263502b102635
evolution-data-server-doc-1.12.3-10.el5_3.3.ia64.rpm
File outdated by:  RHBA-2009:1259
    MD5: e47a80a8a43f5ccbb599b5ed0ad39e2f
 
PPC:
evolution-data-server-1.12.3-10.el5_3.3.ppc.rpm
File outdated by:  RHBA-2009:1259
    MD5: 0b226e9e1f4d0da6cc64d1b22b60ae5f
evolution-data-server-1.12.3-10.el5_3.3.ppc64.rpm
File outdated by:  RHBA-2009:1259
    MD5: 5ac5dd6e9adb86d7778ea14f8892ce83
evolution-data-server-devel-1.12.3-10.el5_3.3.ppc.rpm
File outdated by:  RHBA-2009:1259
    MD5: 0deef0de8dc52aacecd3fd9b630ff9ef
evolution-data-server-devel-1.12.3-10.el5_3.3.ppc64.rpm
File outdated by:  RHBA-2009:1259
    MD5: 4eeac4d08eba33e6874eaf7b9736d7a3
evolution-data-server-doc-1.12.3-10.el5_3.3.ppc.rpm
File outdated by:  RHBA-2009:1259
    MD5: c4412a84d69801a982c53fd313f1de79
 
s390x:
evolution-data-server-1.12.3-10.el5_3.3.s390.rpm
File outdated by:  RHBA-2009:1259
    MD5: 76f9c482b4ec36e660738dfe15aed1e2
evolution-data-server-1.12.3-10.el5_3.3.s390x.rpm
File outdated by:  RHBA-2009:1259
    MD5: c77a7cf1e16bda1d4698cc33170970d7
evolution-data-server-devel-1.12.3-10.el5_3.3.s390.rpm
File outdated by:  RHBA-2009:1259
    MD5: 0080255a7684e9b4674f0cd164189033
evolution-data-server-devel-1.12.3-10.el5_3.3.s390x.rpm
File outdated by:  RHBA-2009:1259
    MD5: 4ebd51d4a050c5ccf0041bb10106a7b2
evolution-data-server-doc-1.12.3-10.el5_3.3.s390x.rpm
File outdated by:  RHBA-2009:1259
    MD5: 06ebbea6dea7500f1fb547348a405b4e
 
x86_64:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: 07a9b1d55226fa6f180e9125161eae85
evolution-data-server-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259
    MD5: 7a41b30c365bd744ccaa85b3fc5340d6
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-devel-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259
    MD5: 319540216e7172a7ec246126664757ae
evolution-data-server-doc-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259
    MD5: 8cb8545a54d7455aa36dcd69d4705742
 
Red Hat Enterprise Linux AS (v. 4)

IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     MD5: cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     MD5: 15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     MD5: aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     MD5: 7bd8001b7a7ca98d27044389fb0d5ef3
 
PPC:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ppc.rpm     MD5: 9acc9cb284656a9104500cfde59eb720
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ppc.rpm     MD5: 540ff6d6d78125aab2e06786f604150f
 
s390:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.s390.rpm     MD5: 9fa99fbf0d2369c06af9c733b5df1309
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.s390.rpm     MD5: 9f5f7387f4b1f3d86524d4d525a4eb70
 
s390x:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.s390x.rpm     MD5: 8200e5a150f4e282f6822e810f429938
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.s390x.rpm     MD5: 1039a6d975c2750aa313e89c118908a1
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux AS (v. 4.7.z)

IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     MD5: cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     MD5: 15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     MD5: aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     MD5: 7bd8001b7a7ca98d27044389fb0d5ef3
 
PPC:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ppc.rpm     MD5: 9acc9cb284656a9104500cfde59eb720
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ppc.rpm     MD5: 540ff6d6d78125aab2e06786f604150f
 
s390:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.s390.rpm     MD5: 9fa99fbf0d2369c06af9c733b5df1309
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.s390.rpm     MD5: 9f5f7387f4b1f3d86524d4d525a4eb70
 
s390x:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.s390x.rpm     MD5: 8200e5a150f4e282f6822e810f429938
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.s390x.rpm     MD5: 1039a6d975c2750aa313e89c118908a1
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
File outdated by:  RHBA-2009:1259
    MD5: 1e9d40d02745955d3b030951bfbbeee9
 
IA-32:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: 07a9b1d55226fa6f180e9125161eae85
evolution-data-server-doc-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: edc69a81aca2c1afe25160aaa02e0b33
 
x86_64:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm
File outdated by:  RHBA-2009:1259
    MD5: 07a9b1d55226fa6f180e9125161eae85
evolution-data-server-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259
    MD5: 7a41b30c365bd744ccaa85b3fc5340d6
evolution-data-server-doc-1.12.3-10.el5_3.3.x86_64.rpm
File outdated by:  RHBA-2009:1259
    MD5: 8cb8545a54d7455aa36dcd69d4705742
 
Red Hat Enterprise Linux ES (v. 4)

IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     MD5: cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     MD5: 15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     MD5: aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     MD5: 7bd8001b7a7ca98d27044389fb0d5ef3
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux ES (v. 4.7.z)

IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     MD5: cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     MD5: 15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     MD5: aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     MD5: 7bd8001b7a7ca98d27044389fb0d5ef3
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 37c799f5070e83af6483f90b681737cd
 
Red Hat Enterprise Linux EUS (v. 5.3.z server)

SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
File outdated by:  RHBA-2009:1259
    MD5: 1e9d40d02745955d3b030951bfbbeee9
 
IA-32:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm     MD5: 07a9b1d55226fa6f180e9125161eae85
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm     MD5: f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-doc-1.12.3-10.el5_3.3.i386.rpm     MD5: edc69a81aca2c1afe25160aaa02e0b33
 
IA-64:
evolution-data-server-1.12.3-10.el5_3.3.ia64.rpm     MD5: 2024abde3c2078c59663e19325dc1039
evolution-data-server-devel-1.12.3-10.el5_3.3.ia64.rpm     MD5: a2f757521bf5b6498a3263502b102635
evolution-data-server-doc-1.12.3-10.el5_3.3.ia64.rpm     MD5: e47a80a8a43f5ccbb599b5ed0ad39e2f
 
PPC:
evolution-data-server-1.12.3-10.el5_3.3.ppc.rpm     MD5: 0b226e9e1f4d0da6cc64d1b22b60ae5f
evolution-data-server-1.12.3-10.el5_3.3.ppc64.rpm     MD5: 5ac5dd6e9adb86d7778ea14f8892ce83
evolution-data-server-devel-1.12.3-10.el5_3.3.ppc.rpm     MD5: 0deef0de8dc52aacecd3fd9b630ff9ef
evolution-data-server-devel-1.12.3-10.el5_3.3.ppc64.rpm     MD5: 4eeac4d08eba33e6874eaf7b9736d7a3
evolution-data-server-doc-1.12.3-10.el5_3.3.ppc.rpm     MD5: c4412a84d69801a982c53fd313f1de79
 
s390x:
evolution-data-server-1.12.3-10.el5_3.3.s390.rpm     MD5: 76f9c482b4ec36e660738dfe15aed1e2
evolution-data-server-1.12.3-10.el5_3.3.s390x.rpm     MD5: c77a7cf1e16bda1d4698cc33170970d7
evolution-data-server-devel-1.12.3-10.el5_3.3.s390.rpm     MD5: 0080255a7684e9b4674f0cd164189033
evolution-data-server-devel-1.12.3-10.el5_3.3.s390x.rpm     MD5: 4ebd51d4a050c5ccf0041bb10106a7b2
evolution-data-server-doc-1.12.3-10.el5_3.3.s390x.rpm     MD5: 06ebbea6dea7500f1fb547348a405b4e
 
x86_64:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm     MD5: 07a9b1d55226fa6f180e9125161eae85
evolution-data-server-1.12.3-10.el5_3.3.x86_64.rpm     MD5: 7a41b30c365bd744ccaa85b3fc5340d6
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm     MD5: f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-devel-1.12.3-10.el5_3.3.x86_64.rpm     MD5: 319540216e7172a7ec246126664757ae
evolution-data-server-doc-1.12.3-10.el5_3.3.x86_64.rpm     MD5: 8cb8545a54d7455aa36dcd69d4705742
 
Red Hat Enterprise Linux Long Life (v. 5.3 server)

SRPMS:
evolution-data-server-1.12.3-10.el5_3.3.src.rpm
File outdated by:  RHBA-2009:1259
    MD5: 1e9d40d02745955d3b030951bfbbeee9
 
IA-32:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm     MD5: 07a9b1d55226fa6f180e9125161eae85
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm     MD5: f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-doc-1.12.3-10.el5_3.3.i386.rpm     MD5: edc69a81aca2c1afe25160aaa02e0b33
 
IA-64:
evolution-data-server-1.12.3-10.el5_3.3.ia64.rpm     MD5: 2024abde3c2078c59663e19325dc1039
evolution-data-server-devel-1.12.3-10.el5_3.3.ia64.rpm     MD5: a2f757521bf5b6498a3263502b102635
evolution-data-server-doc-1.12.3-10.el5_3.3.ia64.rpm     MD5: e47a80a8a43f5ccbb599b5ed0ad39e2f
 
x86_64:
evolution-data-server-1.12.3-10.el5_3.3.i386.rpm     MD5: 07a9b1d55226fa6f180e9125161eae85
evolution-data-server-1.12.3-10.el5_3.3.x86_64.rpm     MD5: 7a41b30c365bd744ccaa85b3fc5340d6
evolution-data-server-devel-1.12.3-10.el5_3.3.i386.rpm     MD5: f9ca9c28edce62ddf926a431c6b2fe4f
evolution-data-server-devel-1.12.3-10.el5_3.3.x86_64.rpm     MD5: 319540216e7172a7ec246126664757ae
evolution-data-server-doc-1.12.3-10.el5_3.3.x86_64.rpm     MD5: 8cb8545a54d7455aa36dcd69d4705742
 
Red Hat Enterprise Linux WS (v. 4)

IA-32:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.i386.rpm     MD5: cd3c138a020aa765492f15106e33f473
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.i386.rpm     MD5: 15df9dc70d2ba63f285be4eb375c7476
 
IA-64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.ia64.rpm     MD5: aff7af88530cbb800d6554580b2da215
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.ia64.rpm     MD5: 7bd8001b7a7ca98d27044389fb0d5ef3
 
x86_64:
evolution28-evolution-data-server-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 9fdf4887dbb41e8ce28a8b88afd1ad4f
evolution28-evolution-data-server-devel-1.8.0-37.el4_7.2.x86_64.rpm     MD5: 37c799f5070e83af6483f90b681737cd
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

484925 - CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM)
487685 - CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets
488226 - CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/