Rapid7 Vulnerability & Exploit Database

RHSA-2009:0354: evolution-data-server security update

Back to Search

RHSA-2009:0354: evolution-data-server security update

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
03/14/2009
Created
07/25/2018
Added
09/12/2009
Modified
07/04/2017

Description

Evolution Data Server provides a unified back-end for applications whichinteract with contacts, task, and calendar information. Evolution DataServer was originally developed as a back-end for Evolution, but is nowused by multiple other applications.Evolution Data Server did not properly check the Secure/MultipurposeInternet Mail Extensions (S/MIME) signatures used for public key encryptionand signing of e-mail messages. An attacker could use this flaw to spoof asignature by modifying the text of the e-mail message displayed to theuser. (CVE-2009-0547)It was discovered that Evolution Data Server did not properly validate NTLM(NT LAN Manager) authentication challenge packets. A malicious server usingNTLM authentication could cause an application using Evolution Data Serverto disclose portions of its memory or crash during user authentication.(CVE-2009-0582)Multiple integer overflow flaws which could cause heap-based bufferoverflows were found in the Base64 encoding routines used by Evolution DataServer. This could cause an application using Evolution Data Server tocrash, or, possibly, execute an arbitrary code when large untrusted datablocks were Base64-encoded. (CVE-2009-0587)All users of evolution-data-server and evolution28-evolution-data-serverare advised to upgrade to these updated packages, which contain backportedpatches to correct these issues. All running instances of Evolution DataServer and applications using it (such as Evolution) must be restarted forthe update to take effect.

Solution(s)

  • redhat-upgrade-evolution-data-server
  • redhat-upgrade-evolution-data-server-devel
  • redhat-upgrade-evolution-data-server-doc
  • redhat-upgrade-evolution28-evolution-data-server
  • redhat-upgrade-evolution28-evolution-data-server-devel

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;