Bug#926712: evolution-ews: CVE-2019-3890

Luca Boccassi bluca at debian.org
Tue Jul 9 15:28:14 BST 2019


On Wed, 2019-07-03 at 11:38 +0100, Luca Boccassi wrote:
> On Mon, 17 Jun 2019 11:39:13 +0100 Luca Boccassi <bluca at debian.org> wrote:
> > On Tue, 9 Apr 2019 15:52:52 +0200 Sylvain Beucler <beuc at beuc.net> wrote:
> > > Package: evolution-ews
> > > Version: 3.30.5-1
> > > X-Debbugs-CC: team at security.debian.org
> > > Severity: grave
> > > Tags: security
> > > 
> > > Hi,
> > > 
> > > The following vulnerability was published for evolution-ews.
> > > 
> > > CVE-2019-3890[0]:
> > > No description was found (try on a search engine)
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2019-3890
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890
> > > 
> > > https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
> > > https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1678313
> > > 
> > > Note: depends on evolution-data-server patch
> > > 
> > > Cheers!
> > > Sylvain Beucler / Debian LTS
> > 
> > Dear Maintainers,
> > 
> > I have backported the required patches and tested them on Buster, they
> > seem to work fine.
> > 
> > I have opened PRs against the 2 repos on Salsa, but they both require a
> > new debian/buster branch to be created as debian/master has moved on to
> > new releases:
> > 
> > https://salsa.debian.org/gnome-team/evolution-data-server/merge_requests/1
> > https://salsa.debian.org/gnome-team/evolution-ews/merge_requests/2
> > 
> > It would be great if we could have evolution-ews in Buster, as it's the
> > only way to use exchange/o365 for Debian users.
> > 
> > Thanks!
> 
> Dear Maintainers,
> 
> As things stand, Buster users will have no way to use a GUI email
> client with an Exchange/OWA/O365 email server. They will have to stay
> on Stretch and completely skip Buster, or move to a different
> distribution. If they were to upgrade from Stretch to Buster, their
> email accounts would simply disappear from their evolution instances,
> without any explanation nor warning.
> 
> I'd like to propose to upload the changes mentioned above to unstable,
> let them migrate to Bullseye and then upload to buster-backports, so
> that users on Buster have at least that path to avoid breaking this
> functionality. This needs to be done before 3.32 moved from
> experimental to unstable of course.
> 
> I'd be more than happy to do all of the above work via NMUs. The
> evolution-data-server change is backward compatible and does not
> require a rebuild of reverse dependencies. Are there any objections to
> this idea?
> 
> Thank you!

Dear Maintainers, Uploaders and Gnome Team,

As mentioned in the previous mail, I intend to upload to DELAYED/7 NMUs
for evolution-data-server and evolution-ews on Friday afternoon
(GMT-ish). I am attaching the debdiffs for both.

Please let me know if there are any objections.

If there are no objections and the NMUs are not cancelled and make it
to unstable, and then migrate to bullseye, I then intend to upload the
equivalent ~bpo binary NMUs to buster-backports. This way, stretch
users that enabled buster-backports before the dist upgrade should have
an upgrade path that allows them not to lose their inboxes, calendars
and so on.

Thank you!

-- 
Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eds-3.30.5-1_3.30.5-1.1.debdiff
Type: text/x-patch
Size: 2899 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20190709/35f6e6b4/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ews-3.30.5-1_3.30.5-1.1.debdiff
Type: text/x-patch
Size: 33922 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20190709/35f6e6b4/attachment-0007.bin>