Bug#926712: evolution-ews: CVE-2019-3890

Bug#926712: evolution-ews: CVE-2019-3890

Sylvain Beucler
Package: evolution-ews
Version: 3.30.5-1
X-Debbugs-CC: [hidden email]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for evolution-ews.

CVE-2019-3890[0]:
No description was found (try on a search engine)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890
https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
https://bugzilla.redhat.com/show_bug.cgi?id=1678313
Note: depends on evolution-data-server patch

Cheers!
Sylvain Beucler / Debian LTS

Bug#926712: evolution-ews: CVE-2019-3890

Luca Boccassi
On Tue, 9 Apr 2019 15:52:52 +0200 Sylvain Beucler <[hidden email]> wrote:
> Package: evolution-ews
> Version: 3.30.5-1
> X-Debbugs-CC: [hidden email]
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerability was published for evolution-ews.
>
> CVE-2019-3890[0]:
> No description was found (try on a search engine)
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-3890
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890
> https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
> https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
> https://bugzilla.redhat.com/show_bug.cgi?id=1678313
> Note: depends on evolution-data-server patch
>
> Cheers!
> Sylvain Beucler / Debian LTS

Dear Maintainers,

I have backported the required patches and tested them on Buster, they
seem to work fine.

I have opened PRs against the 2 repos on Salsa, but they both require a
new debian/buster branch to be created as debian/master has moved on to
new releases:

https://salsa.debian.org/gnome-team/evolution-data-server/merge_requests/1
https://salsa.debian.org/gnome-team/evolution-ews/merge_requests/2

It would be great if we could have evolution-ews in Buster, as it's the
only way to use exchange/o365 for Debian users.

Thanks!

--
Kind regards,
Luca Boccassi


Bug#926712: evolution-ews: CVE-2019-3890

Luca Boccassi
On Mon, 17 Jun 2019 11:39:13 +0100 Luca Boccassi <[hidden email]> wrote:
> On Tue, 9 Apr 2019 15:52:52 +0200 Sylvain Beucler <[hidden email]> wrote:
> > Package: evolution-ews
> > Version: 3.30.5-1
> > X-Debbugs-CC: [hidden email]
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for evolution-ews.
> >
> > CVE-2019-3890[0]:
> > No description was found (try on a search engine)
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-3890
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890
> > https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
> > https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
> > https://bugzilla.redhat.com/show_bug.cgi?id=1678313
> > Note: depends on evolution-data-server patch
> >
> > Cheers!
> > Sylvain Beucler / Debian LTS
>
> Dear Maintainers,
>
> I have backported the required patches and tested them on Buster, they
> seem to work fine.
>
> I have opened PRs against the 2 repos on Salsa, but they both require a
> new debian/buster branch to be created as debian/master has moved on to
> new releases:
>
> https://salsa.debian.org/gnome-team/evolution-data-server/merge_requests/1
> https://salsa.debian.org/gnome-team/evolution-ews/merge_requests/2
>
> It would be great if we could have evolution-ews in Buster, as it's the
> only way to use exchange/o365 for Debian users.
>
> Thanks!

Dear Maintainers,

As things stand, Buster users will have no way to use a GUI email
client with an Exchange/OWA/O365 email server. They will have to stay
on Stretch and completely skip Buster, or move to a different
distribution. If they were to upgrade from Stretch to Buster, their
email accounts would simply disappear from their evolution instances,
without any explanation or warning.

I'd like to propose to upload the changes mentioned above to unstable,
let them migrate to Bullseye and then upload to buster-backports, so
that users on Buster have at least that path to avoid breaking this
functionality. This needs to be done before 3.32 moves from
experimental to unstable, of course.

I'd be more than happy to do all of the above work via NMUs. The
evolution-data-server change is backward compatible and does not
require a rebuild of reverse dependencies. Are there any objections to
this idea?

Thank you!

--
Kind regards,
Luca Boccassi


Bug#926712: evolution-ews: CVE-2019-3890

Luca Boccassi
On Wed, 2019-07-03 at 11:38 +0100, Luca Boccassi wrote:
> On Mon, 17 Jun 2019 11:39:13 +0100 Luca Boccassi <[hidden email]> wrote:
> > On Tue, 9 Apr 2019 15:52:52 +0200 Sylvain Beucler <[hidden email]> wrote:
> > > Package: evolution-ews
> > > Version: 3.30.5-1
> > > X-Debbugs-CC: [hidden email]
> > > Severity: grave
> > > Tags: security
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for evolution-ews.
> > >
> > > CVE-2019-3890[0]:
> > > No description was found (try on a search engine)
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2019-3890
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890
> > > https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
> > > https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1678313
> > > Note: depends on evolution-data-server patch
> > >
> > > Cheers!
> > > Sylvain Beucler / Debian LTS
> >
> > Dear Maintainers,
> >
> > I have backported the required patches and tested them on Buster, they
> > seem to work fine.
> >
> > I have opened PRs against the 2 repos on Salsa, but they both require a
> > new debian/buster branch to be created as debian/master has moved on to
> > new releases:
> >
> > https://salsa.debian.org/gnome-team/evolution-data-server/merge_requests/1
> > https://salsa.debian.org/gnome-team/evolution-ews/merge_requests/2
> >
> > It would be great if we could have evolution-ews in Buster, as it's the
> > only way to use exchange/o365 for Debian users.
> >
> > Thanks!
>
> Dear Maintainers,
>
> As things stand, Buster users will have no way to use a GUI email
> client with an Exchange/OWA/O365 email server. They will have to stay
> on Stretch and completely skip Buster, or move to a different
> distribution. If they were to upgrade from Stretch to Buster, their
> email accounts would simply disappear from their evolution instances,
> without any explanation or warning.
>
> I'd like to propose to upload the changes mentioned above to unstable,
> let them migrate to Bullseye and then upload to buster-backports, so
> that users on Buster have at least that path to avoid breaking this
> functionality. This needs to be done before 3.32 moves from
> experimental to unstable, of course.
>
> I'd be more than happy to do all of the above work via NMUs. The
> evolution-data-server change is backward compatible and does not
> require a rebuild of reverse dependencies. Are there any objections to
> this idea?
>
> Thank you!

Dear Maintainers, Uploaders and Gnome Team,

As mentioned in the previous mail, I intend to upload to DELAYED/7 NMUs
for evolution-data-server and evolution-ews on Friday afternoon (GMT-
ish). I am attaching the debdiffs for both.

Please let me know if there are any objections.

If there are no objections and the NMUs are not cancelled and make it
to unstable, and then migrate to bullseye, I then intend to upload the
equivalent ~bpo binary NMUs to buster-backports. This way, stretch
users that enabled buster-backports before the dist upgrade should have
an upgrade path that allows them not to lose their inboxes, calendars
and so on.

Thank you!

--
Kind regards,
Luca Boccassi

Attachments: eds-3.30.5-1_3.30.5-1.1.debdiff (3K), ews-3.30.5-1_3.30.5-1.1.debdiff (45K)