evolution-data-server-3.40.4-1.4 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10744-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z evolution-data-server-3.40.4-1.4 on GA media These are all security issues fixed in the evolution-data-server-3.40.4-1.4 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10744 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2007-3257/ SUSE CVE CVE-2007-3257 page https://www.suse.com/security/cve/CVE-2020-14928/ SUSE CVE CVE-2020-14928 page https://www.suse.com/security/cve/CVE-2020-16117/ SUSE CVE CVE-2020-16117 page openSUSE Tumbleweed evolution-data-server-3.40.4-1.4 evolution-data-server-devel-3.40.4-1.4 evolution-data-server-lang-3.40.4-1.4 libcamel-1_2-62-3.40.4-1.4 libebackend-1_2-10-3.40.4-1.4 libebook-1_2-20-3.40.4-1.4 libebook-contacts-1_2-3-3.40.4-1.4 libecal-2_0-1-3.40.4-1.4 libedata-book-1_2-26-3.40.4-1.4 libedata-cal-2_0-1-3.40.4-1.4 libedataserver-1_2-26-3.40.4-1.4 libedataserverui-1_2-3-3.40.4-1.4 typelib-1_0-Camel-1_2-3.40.4-1.4 typelib-1_0-EBackend-1_2-3.40.4-1.4 typelib-1_0-EBook-1_2-3.40.4-1.4 typelib-1_0-EBookContacts-1_2-3.40.4-1.4 typelib-1_0-ECal-2_0-3.40.4-1.4 typelib-1_0-EDataBook-1_2-3.40.4-1.4 typelib-1_0-EDataCal-2_0-3.40.4-1.4 typelib-1_0-EDataServer-1_2-3.40.4-1.4 typelib-1_0-EDataServerUI-1_2-3.40.4-1.4 evolution-data-server-3.40.4-1.4 as a component of openSUSE Tumbleweed evolution-data-server-devel-3.40.4-1.4 as a component of openSUSE Tumbleweed evolution-data-server-lang-3.40.4-1.4 as a component of openSUSE Tumbleweed libcamel-1_2-62-3.40.4-1.4 as a component of openSUSE Tumbleweed libebackend-1_2-10-3.40.4-1.4 as a component of openSUSE Tumbleweed libebook-1_2-20-3.40.4-1.4 as a component of openSUSE Tumbleweed libebook-contacts-1_2-3-3.40.4-1.4 as a component of openSUSE Tumbleweed libecal-2_0-1-3.40.4-1.4 as a component of openSUSE Tumbleweed libedata-book-1_2-26-3.40.4-1.4 as a component of openSUSE Tumbleweed libedata-cal-2_0-1-3.40.4-1.4 as a component of openSUSE Tumbleweed libedataserver-1_2-26-3.40.4-1.4 as a component of openSUSE Tumbleweed libedataserverui-1_2-3-3.40.4-1.4 as a component of openSUSE Tumbleweed typelib-1_0-Camel-1_2-3.40.4-1.4 as a component of openSUSE Tumbleweed typelib-1_0-EBackend-1_2-3.40.4-1.4 as a component of openSUSE Tumbleweed typelib-1_0-EBook-1_2-3.40.4-1.4 as a component of openSUSE Tumbleweed typelib-1_0-EBookContacts-1_2-3.40.4-1.4 as a component of openSUSE Tumbleweed typelib-1_0-ECal-2_0-3.40.4-1.4 as a component of openSUSE Tumbleweed typelib-1_0-EDataBook-1_2-3.40.4-1.4 as a component of openSUSE Tumbleweed typelib-1_0-EDataCal-2_0-3.40.4-1.4 as a component of openSUSE Tumbleweed typelib-1_0-EDataServer-1_2-3.40.4-1.4 as a component of openSUSE Tumbleweed typelib-1_0-EDataServerUI-1_2-3.40.4-1.4 as a component of openSUSE Tumbleweed Camel (camel-imap-folder.c) in the mailer component for Evolution Data Server 1.11 allows remote IMAP servers to execute arbitrary code via a negative SEQUENCE value in GData, which is used as an array index. CVE-2007-3257 openSUSE Tumbleweed:evolution-data-server-3.40.4-1.4 openSUSE Tumbleweed:evolution-data-server-devel-3.40.4-1.4 openSUSE Tumbleweed:evolution-data-server-lang-3.40.4-1.4 openSUSE Tumbleweed:libcamel-1_2-62-3.40.4-1.4 openSUSE Tumbleweed:libebackend-1_2-10-3.40.4-1.4 openSUSE Tumbleweed:libebook-1_2-20-3.40.4-1.4 openSUSE Tumbleweed:libebook-contacts-1_2-3-3.40.4-1.4 openSUSE Tumbleweed:libecal-2_0-1-3.40.4-1.4 openSUSE Tumbleweed:libedata-book-1_2-26-3.40.4-1.4 openSUSE Tumbleweed:libedata-cal-2_0-1-3.40.4-1.4 openSUSE Tumbleweed:libedataserver-1_2-26-3.40.4-1.4 openSUSE Tumbleweed:libedataserverui-1_2-3-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-Camel-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EBackend-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EBook-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EBookContacts-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-ECal-2_0-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataBook-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataCal-2_0-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataServer-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataServerUI-1_2-3.40.4-1.4 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3257.html CVE-2007-3257 https://bugzilla.suse.com/284828 SUSE Bug 284828 https://bugzilla.suse.com/290827 SUSE Bug 290827 evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection." CVE-2020-14928 openSUSE Tumbleweed:evolution-data-server-3.40.4-1.4 openSUSE Tumbleweed:evolution-data-server-devel-3.40.4-1.4 openSUSE Tumbleweed:evolution-data-server-lang-3.40.4-1.4 openSUSE Tumbleweed:libcamel-1_2-62-3.40.4-1.4 openSUSE Tumbleweed:libebackend-1_2-10-3.40.4-1.4 openSUSE Tumbleweed:libebook-1_2-20-3.40.4-1.4 openSUSE Tumbleweed:libebook-contacts-1_2-3-3.40.4-1.4 openSUSE Tumbleweed:libecal-2_0-1-3.40.4-1.4 openSUSE Tumbleweed:libedata-book-1_2-26-3.40.4-1.4 openSUSE Tumbleweed:libedata-cal-2_0-1-3.40.4-1.4 openSUSE Tumbleweed:libedataserver-1_2-26-3.40.4-1.4 openSUSE Tumbleweed:libedataserverui-1_2-3-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-Camel-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EBackend-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EBook-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EBookContacts-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-ECal-2_0-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataBook-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataCal-2_0-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataServer-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataServerUI-1_2-3.40.4-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14928.html CVE-2020-14928 https://bugzilla.suse.com/1173910 SUSE Bug 1173910 In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. This is related to imapx_free_capability and imapx_connect_to_server. CVE-2020-16117 openSUSE Tumbleweed:evolution-data-server-3.40.4-1.4 openSUSE Tumbleweed:evolution-data-server-devel-3.40.4-1.4 openSUSE Tumbleweed:evolution-data-server-lang-3.40.4-1.4 openSUSE Tumbleweed:libcamel-1_2-62-3.40.4-1.4 openSUSE Tumbleweed:libebackend-1_2-10-3.40.4-1.4 openSUSE Tumbleweed:libebook-1_2-20-3.40.4-1.4 openSUSE Tumbleweed:libebook-contacts-1_2-3-3.40.4-1.4 openSUSE Tumbleweed:libecal-2_0-1-3.40.4-1.4 openSUSE Tumbleweed:libedata-book-1_2-26-3.40.4-1.4 openSUSE Tumbleweed:libedata-cal-2_0-1-3.40.4-1.4 openSUSE Tumbleweed:libedataserver-1_2-26-3.40.4-1.4 openSUSE Tumbleweed:libedataserverui-1_2-3-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-Camel-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EBackend-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EBook-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EBookContacts-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-ECal-2_0-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataBook-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataCal-2_0-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataServer-1_2-3.40.4-1.4 openSUSE Tumbleweed:typelib-1_0-EDataServerUI-1_2-3.40.4-1.4 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-16117.html CVE-2020-16117 https://bugzilla.suse.com/1174712 SUSE Bug 1174712