-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2009-2784 2009-03-18 18:32:33 --------------------------------------------------------------------------------
Name : evolution-data-server Product : Fedora 10 Version : 2.24.5 Release : 4.fc10 URL : http://www.gnome.org/projects/evolution/ Summary : Backend data server for Evolution Description : The evolution-data-server package provides a unified backend for programs that work with contacts, tasks, and calendar information. It was originally developed for Evolution (hence the name), but is now used by other packages. -------------------------------------------------------------------------------- Update Information: This update fixes two security issues: Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547) It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582) -------------------------------------------------------------------------------- ChangeLog: * Tue Mar 17 2009 Matthew Barnes <mbar...@redhat.com> - 2.25.5-4.fc10 - Add patch for RH bug #484925 (CVE-2009-0547, S/MIME signatures). - Add patch for RH bug #487685 (CVE-2009-0582, NTLM authentication). * Fri Mar 13 2009 Matthew Barnes <mbar...@redhat.com> - 2.25.5-3.fc10 - Revise patch for RH bug #568332 to match upstream commit. * Thu Mar 12 2009 Matthew Barnes <mbar...@redhat.com> - 2.25.5-2.fc10 - Add patch for RH bug #568332 (thread leak in fsync() rate limiting). * Wed Feb 25 2009 Matthew Barnes <mbar...@redhat.com> - 2.25.5-1.fc10 - Update to 2.24.5 * Tue Feb 3 2009 Matthew Barnes <mbar...@redhat.com> - 2.24.4.1-1.fc10 - Update to 2.24.4.1 - Remove gtkdocize hack. * Fri Jan 30 2009 Matthew Barnes <mbar...@redhat.com> - 2.24.4-1.fc10 - Update to 2.24.4 - Run gtkdocize to work around a gtk-doc version mismatch. * Mon Jan 12 2009 Matthew Barnes <mbar...@redhat.com> - 2.24.3-1.fc10 - Update to 2.24.3 * Mon Nov 24 2008 Matthew Barnes <mbar...@redhat.com> - 2.24.2-1.fc10 - Update to 2.24.2 * Fri Nov 7 2008 Matthew Barnes <mbar...@redhat.com> - 2.24.1.1-1.fc10 - Update to 2.24.1.1 - Remove patch for RH bug #467804 (fixed upstream). -------------------------------------------------------------------------------- References: [ 1 ] Bug #484925 - CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM) https://bugzilla.redhat.com/show_bug.cgi?id=484925 [ 2 ] Bug #487685 - CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets https://bugzilla.redhat.com/show_bug.cgi?id=487685 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update evolution-data-server' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list Fedora-package-announce@redhat.com http://www.redhat.com/mailman/listinfo/fedora-package-announce