[USN-3724-1] Evolution Data Server vulnerability


From: Mike Salvatore
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-3724-1] Evolution Data Server vulnerability

==========================================================================
Ubuntu Security Notice USN-3724-1
July 26, 2018

evolution-data-server vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Evolution Data Server could be made to expose sensitive information over the
network.

Software Description:
- evolution-data-server: Evolution suite data server

Details:

Jon Kristensen discovered that Evolution Data Server would automatically
downgrade a connection to an IMAP server if the IMAP server did not support
SSL. This would result in the user's password being unexpectedly sent in clear
text, even though the user had requested to use SSL.
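
The downgrade described above, reduced to the client's decision before authentication, as an added example (not code from Evolution Data Server or from this notice). It assumes the upgrade is negotiated through the IMAP STARTTLS capability of RFC 3501, which the notice does not name; the class and function names are hypothetical.

```python
# Added example: a fail-closed "require TLS" decision for an IMAP client.
# All names are hypothetical; server lines passed in are the caller's samples.

class TLSUnavailable(Exception):
    """Raised instead of continuing on a cleartext connection."""


def parse_capabilities(line):
    """Return the capability atoms from '* CAPABILITY ...' or
    '* OK [CAPABILITY ...] text' (RFC 3501), upper-cased."""
    upper = line.upper()
    start = upper.find("CAPABILITY")
    if start < 0:
        return set()
    rest = upper[start + len("CAPABILITY"):]
    return set(rest.split("]", 1)[0].split())  # stop at ']' of a response code


def negotiate(cap_line, starttls_reply, require_tls, fail_closed=True):
    """List the commands the client sends up to authentication.

    cap_line        capability line seen on the cleartext connection
    starttls_reply  tagged reply to STARTTLS, e.g. "a1 OK Begin TLS", or None
    require_tls     the user's account setting
    fail_closed     False reproduces the silent downgrade in the advisory
    """
    sent = []
    if require_tls:
        reason = "STARTTLS not advertised"
        # Whole-token match: "X-NOSTARTTLS" must not count as STARTTLS.
        if "STARTTLS" in parse_capabilities(cap_line):
            sent.append("STARTTLS")
            if (starttls_reply or "").upper().split()[1:2] == ["OK"]:
                # Capabilities learned in cleartext are discarded and re-read.
                return sent + ["<TLS handshake>", "CAPABILITY", "LOGIN"]
            reason = "STARTTLS rejected by server"
        if fail_closed:
            raise TLSUnavailable(reason + "; refusing to send credentials")
    sent.append("LOGIN")  # reached without TLS: password goes out in clear text
    return sent
```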

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
evolution-data-server 3.18.5-1ubuntu1.1
evolution-data-server-common 3.18.5-1ubuntu1.1
libcamel-1.2-54 3.18.5-1ubuntu1.1
libebackend-1.2-10 3.18.5-1ubuntu1.1
libedataserver-1.2-21 3.18.5-1ubuntu1.1

Ubuntu 14.04 LTS:
evolution-data-server 3.10.4-0ubuntu1.6
evolution-data-server-common 3.10.4-0ubuntu1.6
libcamel-1.2-45 3.10.4-0ubuntu1.6
libebackend-1.2-7 3.10.4-0ubuntu1.6
libedataserver-1.2-18 3.10.4-0ubuntu1.6

After a standard system update you need to restart Evolution to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3724-1
CVE-2016-10727

Package Information:
https://launchpad.net/ubuntu/+source/evolution-data-server/3.18.5-1ubuntu1.1
https://launchpad.net/ubuntu/+source/evolution-data-server/3.10.4-0ubuntu1.6
