
Security Advisory Moderate: evolution and evolution-data-server security update

Advisory: RHSA-2009:0355-9
Type: Security Advisory
Severity: Moderate
Issued on: 2009-03-16
Last updated on: 2009-03-16
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.7.z)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.7.z)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2009-0547
CVE-2009-0582
CVE-2009-0587

Details

Updated evolution and evolution-data-server packages that fix multiple
security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Evolution is the integrated collection of e-mail, calendaring, contact
management, communications, and personal information management (PIM) tools
for the GNOME desktop environment.

Evolution Data Server provides a unified back-end for applications which
interact with contacts, task and calendar information. Evolution Data
Server was originally developed as a back-end for Evolution, but is now
used by multiple other applications.

Evolution did not properly check the Secure/Multipurpose Internet Mail
Extensions (S/MIME) signatures used for public key encryption and signing
of e-mail messages. An attacker could use this flaw to spoof a signature by
modifying the text of the e-mail message displayed to the user. (CVE-2009-0547)

It was discovered that evolution did not properly validate NTLM (NT LAN
Manager) authentication challenge packets. A malicious server using NTLM
authentication could cause evolution to disclose portions of its memory or
crash during user authentication. (CVE-2009-0582)
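The NTLM flaw above is an input-validation problem: a challenge packet carries length and offset fields that the client uses to locate data inside the packet, and if the client trusts those fields it reads past the bytes it actually received. The following is an added example written for this page, not code from evolution or from the fix shipped in this advisory. It models only the fields needed to show the check, using the Type 2 message layout the example assumes (signature, type, target-name security buffer, flags, challenge), and builds its own constructed sample packets: one well-formed, one whose length field claims far more bytes than were received, and one whose offset lies beyond the packet end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout of an NTLM Type 2 (challenge) message for this example:
 *   offset  0: signature "NTLMSSP\0"
 *   offset  8: message type, u32 little-endian, must be 2
 *   offset 12: target name "security buffer": len u16, maxlen u16, offset u32
 *   offset 20: negotiate flags, u32
 *   offset 24: 8-byte server challenge
 * Only the fields used below are modelled. */
#define NTLM_TYPE2_MIN_LEN 32

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16);
}

/* Parses a challenge packet of pkt_len bytes.  Returns 1 and sets
 * *name/*name_len and challenge[8] on success, 0 if the packet is malformed.
 * The security-buffer check is the point: the target name's offset and
 * length are chosen by the server and must be confirmed to lie inside the
 * received bytes before anything reads through them; a parser that trusts
 * them reads past the packet (crash, or disclosure of adjacent memory). */
int ntlm_parse_challenge(const unsigned char *pkt, size_t pkt_len,
                         const unsigned char **name, size_t *name_len,
                         unsigned char challenge[8])
{
    if (pkt_len < NTLM_TYPE2_MIN_LEN)
        return 0;
    if (memcmp(pkt, "NTLMSSP", 8) != 0)      /* 8 bytes, includes the NUL */
        return 0;
    if (rd32(pkt + 8) != 2)
        return 0;
    uint16_t len = rd16(pkt + 12);
    uint32_t off = rd32(pkt + 16);
    /* Two comparisons so that off + len can never wrap around. */
    if (off > pkt_len || len > pkt_len - off)
        return 0;
    *name = pkt + off;
    *name_len = len;
    memcpy(challenge, pkt + 24, 8);
    return 1;
}

/* Builds a constructed sample packet into buf (at least 40 bytes): a header
 * whose target-name buffer carries the given len/offset, followed by the
 * bytes "SRV" at offset 32.  Returns the packet length, 35. */
static size_t build_packet(unsigned char *buf, uint16_t name_len, uint32_t name_off)
{
    memset(buf, 0, 40);
    memcpy(buf, "NTLMSSP", 8);
    buf[8] = 2;                                   /* type 2, little-endian */
    buf[12] = (unsigned char)(name_len & 0xff);
    buf[13] = (unsigned char)(name_len >> 8);
    buf[14] = buf[12];                            /* maxlen = len */
    buf[15] = buf[13];
    buf[16] = (unsigned char)(name_off & 0xff);
    buf[17] = (unsigned char)((name_off >> 8) & 0xff);
    buf[18] = (unsigned char)((name_off >> 16) & 0xff);
    buf[19] = (unsigned char)((name_off >> 24) & 0xff);
    memcpy(buf + 24, "\x01\x02\x03\x04\x05\x06\x07\x08", 8);  /* sample challenge */
    memcpy(buf + 32, "SRV", 3);
    return 35;
}

/* Well-formed packet: the name buffer points at "SRV" inside the packet. */
int sample_good_parses(void)
{
    unsigned char buf[40], chal[8];
    const unsigned char *name;
    size_t nlen;
    size_t n = build_packet(buf, 3, 32);
    return ntlm_parse_challenge(buf, n, &name, &nlen, chal) == 1
        && nlen == 3 && memcmp(name, "SRV", 3) == 0
        && chal[0] == 1 && chal[7] == 8;
}

/* Malformed: length claims 0xFFFF bytes at offset 32 while only 3 follow. */
int sample_oversized_rejected(void)
{
    unsigned char buf[40], chal[8];
    const unsigned char *name;
    size_t nlen;
    size_t n = build_packet(buf, 0xFFFF, 32);
    return ntlm_parse_challenge(buf, n, &name, &nlen, chal) == 0;
}

/* Malformed: offset lies past the end of the received packet. */
int sample_bad_offset_rejected(void)
{
    unsigned char buf[40], chal[8];
    const unsigned char *name;
    size_t nlen;
    size_t n = build_packet(buf, 3, 1000);
    return ntlm_parse_challenge(buf, n, &name, &nlen, chal) == 0;
}
```

The bounds test is deliberately written as `off > pkt_len || len > pkt_len - off` rather than `off + len > pkt_len`: the second form can wrap on 32-bit offsets and pass a check it should fail.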

Multiple integer overflow flaws that could cause heap-based buffer
overflows were found in the Base64 encoding routines used by evolution and
evolution-data-server. This could cause evolution, or an application using
evolution-data-server, to crash, or, possibly, execute arbitrary code
when large untrusted data blocks were Base64-encoded. (CVE-2009-0587)
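The Base64 flaw is an instance of a well-known bug class: the buffer for the encoded output is sized by an arithmetic formula on the input length, and when that arithmetic wraps, the allocation comes out smaller than what the encoder then writes. The following is an added illustration of that class written for this page; it is not evolution's or evolution-data-server's code, and the page gives no detail of where their routines overflowed. It places the common unchecked size formula beside a checked one and an encoder that only allocates through the checked path. All names and the test inputs are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Output length of Base64(n bytes) as it is commonly written, with no
 * overflow check.  size_t arithmetic wraps, so for n near SIZE_MAX the
 * "+ 2" or the "* 4" overflows and the function returns a length far
 * smaller than what an encoder will actually write into the buffer. */
size_t b64_len_unchecked(size_t n)
{
    return ((n + 2) / 3) * 4;
}

/* Overflow-safe variant: on success returns 1 and stores the required
 * buffer size (encoded text plus terminating NUL) in *out; returns 0 if
 * that size is not representable, so the caller refuses the input
 * instead of under-allocating. */
int b64_len_checked(size_t n, size_t *out)
{
    if (n > SIZE_MAX - 2)
        return 0;                        /* n + 2 would wrap */
    size_t blocks = (n + 2) / 3;
    if (blocks > (SIZE_MAX - 1) / 4)
        return 0;                        /* blocks * 4 + 1 would wrap */
    *out = blocks * 4 + 1;
    return 1;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encodes src[0..n) into a malloc'd NUL-terminated string whose size comes
 * from the checked formula.  Returns NULL on overflow or allocation failure. */
char *b64_encode(const unsigned char *src, size_t n)
{
    size_t len, i = 0, o = 0;
    if (!b64_len_checked(n, &len))
        return NULL;
    char *dst = malloc(len);
    if (!dst)
        return NULL;
    for (; i + 3 <= n; i += 3) {
        uint32_t v = ((uint32_t)src[i] << 16) | ((uint32_t)src[i + 1] << 8) | src[i + 2];
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = B64[(v >> 6) & 63];
        dst[o++] = B64[v & 63];
    }
    if (n - i == 1) {                    /* one trailing byte: "xx==" */
        uint32_t v = (uint32_t)src[i] << 16;
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = '=';
        dst[o++] = '=';
    } else if (n - i == 2) {             /* two trailing bytes: "xxx=" */
        uint32_t v = ((uint32_t)src[i] << 16) | ((uint32_t)src[i + 1] << 8);
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = B64[(v >> 6) & 63];
        dst[o++] = '=';
    }
    dst[o] = '\0';
    return dst;
}

/* Helper: encode a C string and compare with the expected Base64 text. */
int encodes_to(const char *in, const char *expected)
{
    char *enc = b64_encode((const unsigned char *)in, strlen(in));
    int ok = enc != NULL && strcmp(enc, expected) == 0;
    free(enc);
    return ok;
}

/* Helper: the checked buffer size for n input bytes, or 0 when rejected. */
size_t checked_size(size_t n)
{
    size_t out = 0;
    return b64_len_checked(n, &out) ? out : 0;
}
```

For an input of `SIZE_MAX - 1` bytes the unchecked formula returns 0 (the `+ 2` wraps to zero), which is exactly the under-sized allocation that turns a large untrusted input into a heap overflow; the checked formula refuses the same input. The same reasoning applies to any size formula of the form `a * f(n) + b`, whatever the encoding.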

All users of evolution and evolution-data-server are advised to upgrade to
these updated packages, which contain backported patches to correct these
issues. All running instances of evolution and evolution-data-server must
be restarted for the update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Desktop (v. 4)

IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     MD5: 49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     MD5: c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     MD5: c23f73e6b4affcc2d0953a807a16a817
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux AS (v. 4)

IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     MD5: 49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     MD5: c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     MD5: c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     MD5: f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     MD5: 42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     MD5: d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     MD5: 30eaf03f310795e84b30dc1f10bb25d1
 
PPC:
evolution-2.0.2-41.el4_7.2.ppc.rpm     MD5: 903de15997484c32ab556e85e5d87117
evolution-data-server-1.0.2-14.el4_7.1.ppc.rpm     MD5: 9609fc28b85879eeefa11926e10192e0
evolution-data-server-devel-1.0.2-14.el4_7.1.ppc.rpm     MD5: eaea6aaa397fff11e5cc3b022b5e4a43
evolution-devel-2.0.2-41.el4_7.2.ppc.rpm     MD5: 4bda3d299deabc6b52640b84c08eb799
 
s390:
evolution-2.0.2-41.el4_7.2.s390.rpm     MD5: 5fe26eb561a6813a48380207a4f3f8f9
evolution-data-server-1.0.2-14.el4_7.1.s390.rpm     MD5: 754715236e75f4f96a622d078e5bd1a7
evolution-data-server-devel-1.0.2-14.el4_7.1.s390.rpm     MD5: 324daae57e7251798bdbc8b597702468
evolution-devel-2.0.2-41.el4_7.2.s390.rpm     MD5: c22175635ecbbc1274cfeb6d699aff61
 
s390x:
evolution-2.0.2-41.el4_7.2.s390x.rpm     MD5: 2baad505ae4fef1dc148b8f93453a890
evolution-data-server-1.0.2-14.el4_7.1.s390x.rpm     MD5: fc82a6eed70286205d684dd7b35e0164
evolution-data-server-devel-1.0.2-14.el4_7.1.s390x.rpm     MD5: 4b67b87315035e012e469dd56c18d930
evolution-devel-2.0.2-41.el4_7.2.s390x.rpm     MD5: 69b6421ede5673e4f5f54e8e5e2a6f48
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux AS (v. 4.7.z)

IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     MD5: 49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     MD5: c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     MD5: c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     MD5: f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     MD5: 42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     MD5: d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     MD5: 30eaf03f310795e84b30dc1f10bb25d1
 
PPC:
evolution-2.0.2-41.el4_7.2.ppc.rpm     MD5: 903de15997484c32ab556e85e5d87117
evolution-data-server-1.0.2-14.el4_7.1.ppc.rpm     MD5: 9609fc28b85879eeefa11926e10192e0
evolution-data-server-devel-1.0.2-14.el4_7.1.ppc.rpm     MD5: eaea6aaa397fff11e5cc3b022b5e4a43
evolution-devel-2.0.2-41.el4_7.2.ppc.rpm     MD5: 4bda3d299deabc6b52640b84c08eb799
 
s390:
evolution-2.0.2-41.el4_7.2.s390.rpm     MD5: 5fe26eb561a6813a48380207a4f3f8f9
evolution-data-server-1.0.2-14.el4_7.1.s390.rpm     MD5: 754715236e75f4f96a622d078e5bd1a7
evolution-data-server-devel-1.0.2-14.el4_7.1.s390.rpm     MD5: 324daae57e7251798bdbc8b597702468
evolution-devel-2.0.2-41.el4_7.2.s390.rpm     MD5: c22175635ecbbc1274cfeb6d699aff61
 
s390x:
evolution-2.0.2-41.el4_7.2.s390x.rpm     MD5: 2baad505ae4fef1dc148b8f93453a890
evolution-data-server-1.0.2-14.el4_7.1.s390x.rpm     MD5: fc82a6eed70286205d684dd7b35e0164
evolution-data-server-devel-1.0.2-14.el4_7.1.s390x.rpm     MD5: 4b67b87315035e012e469dd56c18d930
evolution-devel-2.0.2-41.el4_7.2.s390x.rpm     MD5: 69b6421ede5673e4f5f54e8e5e2a6f48
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux ES (v. 4)

IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     MD5: 49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     MD5: c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     MD5: c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     MD5: f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     MD5: 42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     MD5: d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     MD5: 30eaf03f310795e84b30dc1f10bb25d1
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux ES (v. 4.7.z)

IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     MD5: 49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     MD5: c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     MD5: c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     MD5: f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     MD5: 42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     MD5: d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     MD5: 30eaf03f310795e84b30dc1f10bb25d1
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 154ff3339a8c83f289e3699e24ecb132
 
Red Hat Enterprise Linux WS (v. 4)

IA-32:
evolution-2.0.2-41.el4_7.2.i386.rpm     MD5: 49331fb4e97b0c1a69c3acc2b03a9c15
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-devel-1.0.2-14.el4_7.1.i386.rpm     MD5: c00f80c33b4968601918da4a1f8efdb6
evolution-devel-2.0.2-41.el4_7.2.i386.rpm     MD5: c23f73e6b4affcc2d0953a807a16a817
 
IA-64:
evolution-2.0.2-41.el4_7.2.ia64.rpm     MD5: f9a5c46d3e3a0d35852735c9b8f75829
evolution-data-server-1.0.2-14.el4_7.1.ia64.rpm     MD5: 42a172ec5d06fcef6b8a9a37b0943fe4
evolution-data-server-devel-1.0.2-14.el4_7.1.ia64.rpm     MD5: d54e2ca7ff76ef551995383d5468ef1f
evolution-devel-2.0.2-41.el4_7.2.ia64.rpm     MD5: 30eaf03f310795e84b30dc1f10bb25d1
 
x86_64:
evolution-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 59c0a49d79dd7c4311d459959e83d01d
evolution-data-server-1.0.2-14.el4_7.1.i386.rpm     MD5: 4e2f890550c66de5d45afbbddaed7fba
evolution-data-server-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 31236005484618069059d893c9d4eafa
evolution-data-server-devel-1.0.2-14.el4_7.1.x86_64.rpm     MD5: 73b590c385e57212778a6e12f369c47d
evolution-devel-2.0.2-41.el4_7.2.x86_64.rpm     MD5: 154ff3339a8c83f289e3699e24ecb132
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

484925 - CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM)
487685 - CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets
488226 - CVE-2009-0587 evolution-data-server: integer overflow in base64 encoding functions


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/