Hello,

Tobias Frost <[email protected]> wrote:
> On Thu, 14 Mar 2019 23:18:39 +0100 Moritz Muehlenhoff <[email protected]>
> wrote:
> > Source: evolution
> > Severity: grave
> > Tags: security
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15587:
> >
> > https://bugzilla.gnome.org/show_bug.cgi?id=796424
> > https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21
> > https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85
>
> I was triaging into it, but unfortunately cannot solve it...
>
> Summary:
> The second patch seems to be already applied, but the first one seems
> not to be... However, I'm not sure if it does the trick as the specimen
> attached to the forwarded bug shows still up as "verified"...

while working on this issue for Jessie LTS, I prepared a simple NMU patch to fix the issue in evolution 3.30.5-1 from testing/buster.

Tobias is right that only 9c55a311325f5905d8b8403b96607e46cf343f21 is missing for evolution, the other relevant commits are already in the testing/buster version of evolution (3.30.5-1).

It turned out that the upstream commit applies cleanly to 3.30.5-1. I did some smoke testing and the result was as expected: the security header with information about encryption/signature of the message moved above the headers section of the mail.

I opened a merge request[1] on salsa with a patch. I had to merge tag debian/3.30.5-1 into the debian/buster branch first as it was out of date.

Anybody from the Debian Gnome Team who wants to do the upload? Otherwise I could as well do the NMU.

Cheers
 jonas

PS: All related commits for evolution-data-server[2] are already in the Buster version of evolution-data-server.

[1] https://salsa.debian.org/gnome-team/evolution/merge_requests/1
[2] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a296c64b48d12c356804f131048643eaa0a
    https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e2415681565e4dac00cf1c4303c313ad29e
    https://gitlab.gnome.org/GNOME/evolution-data-server/commit/5cd59aee67450e8750eb3cb2d357d0947f199f61

