Bug#926712: evolution-ews: CVE-2019-3890

Luca Boccassi bluca at debian.org
Wed Jul 3 11:38:14 BST 2019


On Mon, 17 Jun 2019 11:39:13 +0100 Luca Boccassi <bluca at debian.org> wrote:
> On Tue, 9 Apr 2019 15:52:52 +0200 Sylvain Beucler <beuc at beuc.net> wrote:
> > Package: evolution-ews
> > Version: 3.30.5-1
> > X-Debbugs-CC: team at security.debian.org
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for evolution-ews.
> > 
> > CVE-2019-3890[0]:
> > No description was found (try on a search engine)
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-3890
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890
> > https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
> > https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
> > https://bugzilla.redhat.com/show_bug.cgi?id=1678313
> > 
> > Note: depends on evolution-data-server patch
> > 
> > Cheers!
> > Sylvain Beucler / Debian LTS
> 
> Dear Maintainers,
> 
> I have backported the required patches and tested them on Buster, they
> seem to work fine.
> 
> I have opened PRs against the 2 repos on Salsa, but they both require a
> new debian/buster branch to be created as debian/master has moved on to
> new releases:
> 
> https://salsa.debian.org/gnome-team/evolution-data-server/merge_requests/1
> https://salsa.debian.org/gnome-team/evolution-ews/merge_requests/2
> 
> It would be great if we could have evolution-ews in Buster, as it's the
> only way to use exchange/o365 for Debian users.
> 
> Thanks!

Dear Maintainers,

As things stand, Buster users will have no way to use a GUI email
client with an Exchange/OWA/O365 email server. They will have to stay
on Stretch and completely skip Buster, or move to a different
distribution. If they were to upgrade from Stretch to Buster, their
email accounts would simply disappear from their evolution instances,
without any explanation nor warning.

I'd like to propose to upload the changes mentioned above to unstable,
let them migrate to Bullseye and then upload to buster-backports, so
that users on Buster have at least that path to avoid breaking this
functionality. This needs to be done before 3.32 moves from
experimental to unstable of course.

I'd be more than happy to do all of the above work via NMUs. The
evolution-data-server change is backward compatible and does not
require a rebuild of reverse dependencies. Are there any objections to
this idea?

Thank you!

-- 
Kind regards,
Luca Boccassi
More information about the pkg-gnome-maintainers mailing list