Product SiteDocumentation Site

1.53.  evolution-data-server

1.53.1.  RHSA-2009:0354: Moderate security update


This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:0354
Updated evolution-data-server and evolution28-evolution-data-server packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Evolution Data Server provides a unified back-end for applications which interact with contacts, task, and calendar information. Evolution Data Server was originally developed as a back-end for Evolution, but is now used by multiple other applications.
Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547)
It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582)
Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587)
All users of evolution-data-server and evolution28-evolution-data-server are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Evolution Data Server and applications using it (such as Evolution) must be restarted for the update to take effect.

1.53.2.  RHBA-2009:1259: bug fix update

Updated evolution-data-server packages that resolve several issues are now available.
The evolution-data-server package provides a unified back end for applications which interact with contacts, task and calendar information. Evolution Data Server was originally developed as a back end for Evolution, but is now used by multiple other applications.
These updated evolution-data-server packages provide fixes for the following bugs:
  • occasionally, a "?" appeared as the last result of the list obtained when viewing the "Select Contacts from Address Book" dialog. With these updated packages, this incorrect entry no longer occurs in the dialog window when selecting contacts. (BZ#220431)
  • The IMAP mail protocol distinguishes between messages which are "new" on the server and messages which are "new" for a mail client. This dichotomy led Evolution Data Server to only apply filters to one of the "new" groups and not to the other, which meant that email filters were not applied to certain messages. With these updated packages, filters now apply to all IMAP messages which are new for the client, with the result that all messages can now be successfully filtered. (BZ#247779)
  • when attempting to connect to an Exchange 2007 server, the server's response sometimes caused Evolution to segmentation fault. Although the possibility of an Exchange 2007 server's response causing Evolution to crash has been fixed with these updated packages, it is still not possible for Evolution to communicate successfully with an Exchange 2007 server. (BZ#433648)
  • when Evolution was configured with two IMAP accounts, deleting one of those accounts could have caused Evolution to segmentation fault. These updated packages fix a variable referencing error with the result that disabling a mail account no longer causes Evolution to crash. (BZ#437758)
  • Evolution Data Server could segmentation fault when provided a malformed CalDAV calendar URL. With these updated packages, Evolution performs better error-checking on calendar URLs, which prevents this issue from occurring. (BZ#440232)
  • the Exchange connector for Evolution Data Server contained several memory leaks which have been plugged in these updated packages. (BZ#460669)
  • when adding a new Exchange account, a Mailbox name separate from the user name can now be specified. (BZ#460671)
  • when reading a calendar via the CalDAV protocol, Evolution failed to correctly adjust the time of events based on timezone information. (BZ#462007)
  • improved support for CalDAV. (BZ#484232)
  • attempting to download Exchange messages for offline use caused Evolution to segmentation fault. Evolution no longer crashes, and downloading Exchange messages works as expected, allowing for offline use. (BZ#489869)
  • Evolution incorrectly switched to Daylight Saving Time (DST) one week later than the time when DST should have started. With these updated packages, DST now takes effect at the correct time. (BZ#490218)
  • Evolution did not provide notifications for events located on a foreign Exchange calendar. This update ensures that Evolution is able to notify based on foreign Exchange calendar events in the same way as for local calendars. (BZ#494847)
All users of evolution-data-server are advised to upgrade to these updated packages, which resolve these issues.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.