Your message dated Mon, 13 Aug 2018 11:58:51 -0400
with message-id
<caaajcmaeblsr40oq8ttuea6xhooi7rrve8yemuxo9_wnamb...@mail.gmail.com>
and subject line Re: Bug#898633: evolution-data-server: efail attack against
S/MIME
has caused the Debian Bug report #898633,
regarding evolution-data-server: efail attack against S/MIME
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
898633: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898633
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: evolution-data-server
Version: 3.28.2-1
Severity: grave
Tags: security
Justification: user security hole
Hi,
as you are certainly aware, a paper describing a vulnerability called
efail has been published today (https://efail.de). It describes an
attack scenario which can enable an attacker with read/write access to
the encrypted mails to retrieve plaintext via an external server if HTML
mail and loading of remote content is enabled.
The PGP/MIME part is apparently not vulnerable in Evolution, but the
S/MIME seems to be (according to the authors).
It's unclear if a fix needs to be done at the evolution(-data-server)
layer or below, so feel free to reassign to an underlying library if
needed (nss for example).
We'll likely have to issue a DSA at one point.
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8),
LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages evolution depends on:
ii dbus 1.12.8-2
ii evolution-common 3.28.2-1
ii evolution-data-server 3.28.2-1+b1
ii libc6 2.27-3
ii libcamel-1.2-61 3.28.2-1+b1
ii libclutter-gtk-1.0-0 1.8.4-3
ii libecal-1.2-19 3.28.2-1+b1
ii libedataserver-1.2-23 3.28.2-1+b1
ii libevolution 3.28.2-1
ii libglib2.0-0 2.56.1-2
ii libgtk-3-0 3.22.30-1
ii libical3 3.0.1-5+b1
ii libnotify4 0.7.7-3
ii libsoup2.4-1 2.62.2-1
ii libwebkit2gtk-4.0-37 2.20.2-1+b1
ii libxml2 2.9.4+dfsg1-6.1+b1
ii psmisc 23.1-1+b1
Versions of packages evolution recommends:
pn evolution-plugin-bogofilter | evolution-plugin-spamassassin <none>
pn evolution-plugin-pstimport <none>
ii evolution-plugins 3.28.2-1
ii yelp 3.28.1-1
Versions of packages evolution suggests:
pn evolution-ews <none>
pn evolution-plugins-experimental <none>
ii gnupg 2.2.5-1
ii network-manager 1.10.8-1
-- debconf information:
evolution/needs_shutdown:
evolution/kill_processes:
--- End Message ---
--- Begin Message ---
On Mon, Aug 13, 2018 at 11:53 AM Yves-Alexis Perez <[email protected]> wrote:
>
> On Sun, 2018-08-12 at 16:38 -0400, Jeremy Bicha wrote:
> > Yves, the Evolution bug was closed upstream. Should we close the bug
> > in Debian too?
> >
> > https://bugzilla.gnome.org/796135
>
> Yeah I guess so, it only adds noise. The status is not entirely clear but
> keeping this bug open doesn't help that.
>
> Regards,
> --
> Yves-Alexis
--- End Message ---