Bug#924616: RFT and RFC: Updates for evolution{,-data-server}

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Wed Apr 24 20:19:33 BST 2019


Hi Jonas,

On Wed 24 Apr 2019 12:56:18 CEST, Jonas Meurer wrote:

> Jonas Meurer:
>> With evolution-data-server, the situation is slightly more complicated.
>> I'm still debugging issues with the patches[5] that are supposed to fix
>> the "[GPG] Mails that are not encrypted look encrypted" issue.
>>
>> [5] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a29
>> and https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e24
>>
>> My question: do you agree that these fixes are within the scope of
>> CVE-2018-15587? If so, then I will continue working on the issue and
>> upload both of evolution and evolution-data-server in a batch once I got
>> the issues sorted out.
>>
>> Another option would be to upload evolution to jessie-security right now
>> and decide that evolution-data-server is not affected by CVE-2018-15587,
>> since it's only prone to "encrypted message spoofing", not to "signature
>> spoofing". But in my eyes, that would be a sham.
>
> Looking more into the core issue[1] of "[GPG] Mails that are not
> encrypted look encrypted", it became clear that a lot of applications
> (GnuPG[2], Enigmail[3], Mutt[4]) are affected and it's not tracked as
> security issue for any of them.

Is it required to coordinate a corresponding update of those CVEs in
data/CVE/list with the security team? Sounds like it.

> In fact it's tracked for evolution{,-data-server} in the debian security
> tracker only because the issue is mentioned in the CVE-2018-15587
> bugreport[5].
>
> Besides, I agree with the bug author that "this bug is certainly not in
> the same category as a serious security vulnerability, such as a
> plaintext leak or a signature spoof"[1].
>
> So I changed my mind and decided to ignore the "encryption spoofing" bug
> and only care about "signature spoofing". This means that
> evolution-data-server is unaffected and only evolution needs to be fixed.

Your choice of priority sounds good to me.

Mike


-- 

DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: Digital PGP signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20190424/6035cc8f/attachment.sig>
