Bug#926712: evolution-ews: CVE-2019-3890


Bug#926712: evolution-ews: CVE-2019-3890

Luca Boccassi-3
On Tue, 2019-07-09 at 15:28 +0100, Luca Boccassi wrote:

> On Wed, 2019-07-03 at 11:38 +0100, Luca Boccassi wrote:
> > On Mon, 17 Jun 2019 11:39:13 +0100 Luca Boccassi <[hidden email]> wrote:
> > > On Tue, 9 Apr 2019 15:52:52 +0200 Sylvain Beucler <[hidden email]> wrote:
> > > > Package: evolution-ews
> > > > Version: 3.30.5-1
> > > > X-Debbugs-CC: [hidden email]
> > > > Severity: grave
> > > > Tags: security
> > > >
> > > > Hi,
> > > >
> > > > The following vulnerability was published for evolution-ews.
> > > >
> > > > CVE-2019-3890[0]:
> > > > No description was found (try on a search engine)
> > > >
> > > > If you fix the vulnerability please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > > For further information see:
> > > >
> > > > [0] https://security-tracker.debian.org/tracker/CVE-2019-3890
> > > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890
> > > >     https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
> > > >     https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
> > > >     https://bugzilla.redhat.com/show_bug.cgi?id=1678313
> > > >
> > > > Note: depends on evolution-data-server patch
> > > >
> > > > Cheers!
> > > > Sylvain Beucler / Debian LTS
> > >
> > > Dear Maintainers,
> > >
> > > I have backported the required patches and tested them on Buster,
> > > they seem to work fine.
> > >
> > > I have opened PRs against the 2 repos on Salsa, but they both
> > > require a new debian/buster branch to be created as debian/master
> > > has moved on to new releases:
> > >
> > > https://salsa.debian.org/gnome-team/evolution-data-server/merge_requests/1
> > > https://salsa.debian.org/gnome-team/evolution-ews/merge_requests/2
> > >
> > > It would be great if we could have evolution-ews in Buster, as it's
> > > the only way to use exchange/o365 for Debian users.
> > >
> > > Thanks!
> >
> > Dear Maintainers,
> >
> > As things stand, Buster users will have no way to use a GUI email
> > client with an Exchange/OWA/O365 email server. They will have to stay
> > on Stretch and completely skip Buster, or move to a different
> > distribution. If they were to upgrade from Stretch to Buster, their
> > email accounts would simply disappear from their evolution instances,
> > without any explanation nor warning.
> >
> > I'd like to propose to upload the changes mentioned above to unstable,
> > let them migrate to Bullseye and then upload to buster-backports, so
> > that users on Buster have at least that path to avoid breaking this
> > functionality. This needs to be done before 3.32 moved from
> > experimental to unstable of course.
> >
> > I'd be more than happy to do all of the above work via NMUs. The
> > evolution-data-server change is backward compatible and does not
> > require a rebuild of reverse dependencies. Are there any objections to
> > this idea?
> >
> > Thank you!
>
> Dear Maintainers, Uploaders and Gnome Team,
>
> As mentioned in the previous mail, I intend to upload to DELAYED/7 NMUs
> for evolution-data-server and evolution-ews on Friday afternoon
> (GMT-ish). I am attaching the debdiffs for both.
>
> Please let me know if there are any objections.
>
> If there are no objections and the NMUs are not cancelled and make it
> to unstable, and then migrate to bullseye, I then intend to upload the
> equivalent ~bpo binary NMUs to buster-backports. This way, stretch
> users that enabled buster-backports before the dist upgrade should have
> an upgrade path that allows them not to lose their inboxes, calendars
> and so on.
>
> Thank you!

Dear Maintainers, Uploaders and Gnome Team,

I have now uploaded the above mentioned NMUs to DELAYED/7 as previously
mentioned.

--
Kind regards,
Luca Boccassi


Bug#926712: evolution-ews: CVE-2019-3890

Luca Boccassi-3
On Fri, 2019-07-12 at 22:22 +0100, Luca Boccassi wrote:

> Dear Maintainers, Uploaders and Gnome Team,
>
> I have now uploaded the above mentioned NMUs to DELAYED/7 as previously
> mentioned.

Dear Maintainers, Uploaders and Gnome team,

The NMUs have migrated to testing a few days ago, so I have now
uploaded no-change rebuilds for buster-backports to DELAYED/2.

$ debdiff evolution-data-server_3.30.5-1.1.dsc evolution-data-server_3.30.5-1.1~bpo10+1.dsc
diff -Nru evolution-data-server-3.30.5/debian/changelog evolution-data-server-3.30.5/debian/changelog
--- evolution-data-server-3.30.5/debian/changelog 2019-07-09 14:52:09.000000000 +0100
+++ evolution-data-server-3.30.5/debian/changelog 2019-07-22 14:25:48.000000000 +0100
@@ -1,3 +1,10 @@
+evolution-data-server (3.30.5-1.1~bpo10+1) buster-backports; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for buster-backports.
+
+ -- Luca Boccassi <[hidden email]>  Mon, 22 Jul 2019 14:25:48 +0100
+
 evolution-data-server (3.30.5-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
$ debdiff evolution-ews_3.30.5-1.1.dsc evolution-ews_3.30.5-1.1~bpo10+1.dsc
diff -Nru evolution-ews-3.30.5/debian/changelog evolution-ews-3.30.5/debian/changelog
--- evolution-ews-3.30.5/debian/changelog 2019-04-02 17:56:27.000000000 +0100
+++ evolution-ews-3.30.5/debian/changelog 2019-07-22 15:47:54.000000000 +0100
@@ -1,3 +1,10 @@
+evolution-ews (3.30.5-1.1~bpo10+1) buster-backports; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for buster-backports.
+
+ -- Luca Boccassi <[hidden email]>  Mon, 22 Jul 2019 15:47:54 +0100
+
 evolution-ews (3.30.5-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
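
Review bot: Since this debdiff changes only debian/changelog, nothing here ties the evolution-ews backport to the patched evolution-data-server, although the report says the fix "depends on evolution-data-server patch". It is worth confirming that debian/control already carries a versioned dependency on evolution-data-server 3.30.5-1.1 or later, so that a buster-backports user cannot end up with the new evolution-ews on top of an unpatched evolution-data-server. The visible context of the 3.30.5-1.1 entry also stops at "* Non-maintainer upload.", so it cannot be checked from here that the entry names CVE-2019-3890 as the report asked.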

--
Kind regards,
Luca Boccassi
