Bug#926712: evolution-ews: CVE-2019-3890

Luca Boccassi bluca at debian.org
Fri Jul 12 22:22:47 BST 2019


On Tue, 2019-07-09 at 15:28 +0100, Luca Boccassi wrote:
> On Wed, 2019-07-03 at 11:38 +0100, Luca Boccassi wrote:
> > On Mon, 17 Jun 2019 11:39:13 +0100 Luca Boccassi <bluca at debian.org> wrote:
> > > On Tue, 9 Apr 2019 15:52:52 +0200 Sylvain Beucler <beuc at beuc.net> wrote:
> > > > Package: evolution-ews
> > > > Version: 3.30.5-1
> > > > X-Debbugs-CC: team at security.debian.org
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > Hi,
> > > > 
> > > > The following vulnerability was published for evolution-ews.
> > > > 
> > > > CVE-2019-3890[0]:
> > > > No description was found (try on a search engine)
> > > > 
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > > For further information see:
> > > > 
> > > > [0] https://security-tracker.debian.org/tracker/CVE-2019-3890
> > > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890
> > > > https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
> > > > https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1678313
> > > > Note: depends on evolution-data-server patch
> > > > 
> > > > Cheers!
> > > > Sylvain Beucler / Debian LTS
> > > 
> > > Dear Maintainers,
> > > 
> > > I have backported the required patches and tested them on Buster, they
> > > seem to work fine.
> > > 
> > > I have opened PRs against the 2 repos on Salsa, but they both require a
> > > new debian/buster branch to be created as debian/master has moved on to
> > > new releases:
> > > 
> > > https://salsa.debian.org/gnome-team/evolution-data-server/merge_requests/1
> > > https://salsa.debian.org/gnome-team/evolution-ews/merge_requests/2
> > > 
> > > It would be great if we could have evolution-ews in Buster, as it's the
> > > only way to use exchange/o365 for Debian users.
> > > 
> > > Thanks!
> > 
> > Dear Maintainers,
> > 
> > As things stand, Buster users will have no way to use a GUI email
> > client with an Exchange/OWA/O365 email server. They will have to stay
> > on Stretch and completely skip Buster, or move to a different
> > distribution. If they were to upgrade from Stretch to Buster, their
> > email accounts would simply disappear from their evolution instances,
> > without any explanation nor warning.
> > 
> > I'd like to propose to upload the changes mentioned above to unstable,
> > let them migrate to Bullseye and then upload to buster-backports, so
> > that users on Buster have at least that path to avoid breaking this
> > functionality. This needs to be done before 3.32 moved from
> > experimental to unstable of course.
> > 
> > I'd be more than happy to do all of the above work via NMUs. The
> > evolution-data-server change is backward compatible and does not
> > require a rebuild of reverse dependencies. Are there any objections to
> > this idea?
> > 
> > Thank you!
> 
> Dear Maintainers, Uploaders and Gnome Team,
> 
> As mentioned in the previous mail, I intend to upload to DELAYED/7 NMUs
> for evolution-data-server and evolution-ews on Friday afternoon
> (GMT-ish). I am attaching the debdiffs for both.
> 
> Please let me know if there are any objections.
> 
> If there are no objections and the NMUs are not cancelled and make it
> to unstable, and then migrate to bullseye, I then intend to upload the
> equivalent ~bpo binary NMUs to buster-backports. This way, stretch
> users that enabled buster-backports before the dist upgrade should have
> an upgrade path that allows them not to lose their inboxes, calendars
> and so on.
> 
> Thank you!

Dear Maintainers, Uploaders and Gnome Team,

I have now uploaded the above mentioned NMUs to DELAYED/7 as previously
mentioned.

-- 
Kind regards,
Luca Boccassi


More information about the pkg-gnome-maintainers mailing list