Security update for evolution-data-server SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0885-1 Final 1 1 2021-03-19T14:48:30Z current 2021-03-19T14:48:30Z 2021-03-19T14:48:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for evolution-data-server This update for evolution-data-server fixes the following issues: - Fix buffer overrun when parsing base64 data (bsc#1182882). - CVE-2020-16117: Fix crash on malformed server response with minimal capabilities (bsc#1174712). - CVE-2020-14928: Response injection via STARTTLS in SMTP and POP3 (bsc#1173910). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-885,SUSE-SLE-WE-12-SP5-2021-885 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210885-1/ Link for SUSE-SU-2021:0885-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008527.html E-Mail link for SUSE-SU-2021:0885-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1173910 SUSE Bug 1173910 https://bugzilla.suse.com/1174712 SUSE Bug 1174712 https://bugzilla.suse.com/1182882 SUSE Bug 1182882 https://www.suse.com/security/cve/CVE-2020-14928/ SUSE CVE CVE-2020-14928 page https://www.suse.com/security/cve/CVE-2020-16117/ SUSE CVE CVE-2020-16117 page SUSE Linux Enterprise Workstation Extension 12 SP5 evolution-data-server-3.20.6-17.3.1 evolution-data-server-32bit-3.20.6-17.3.1 evolution-data-server-64bit-3.20.6-17.3.1 evolution-data-server-devel-3.20.6-17.3.1 evolution-data-server-doc-3.20.6-17.3.1 evolution-data-server-lang-3.20.6-17.3.1 libcamel-1_2-57-3.20.6-17.3.1 libcamel-1_2-57-32bit-3.20.6-17.3.1 libcamel-1_2-57-64bit-3.20.6-17.3.1 libebackend-1_2-10-3.20.6-17.3.1 libebackend-1_2-10-32bit-3.20.6-17.3.1 libebackend-1_2-10-64bit-3.20.6-17.3.1 libebook-1_2-16-3.20.6-17.3.1 libebook-1_2-16-32bit-3.20.6-17.3.1 libebook-1_2-16-64bit-3.20.6-17.3.1 libebook-contacts-1_2-2-3.20.6-17.3.1 libebook-contacts-1_2-2-32bit-3.20.6-17.3.1 libebook-contacts-1_2-2-64bit-3.20.6-17.3.1 libecal-1_2-19-3.20.6-17.3.1 libecal-1_2-19-32bit-3.20.6-17.3.1 libecal-1_2-19-64bit-3.20.6-17.3.1 libedata-book-1_2-25-3.20.6-17.3.1 libedata-book-1_2-25-32bit-3.20.6-17.3.1 libedata-book-1_2-25-64bit-3.20.6-17.3.1 libedata-cal-1_2-28-3.20.6-17.3.1 libedata-cal-1_2-28-32bit-3.20.6-17.3.1 libedata-cal-1_2-28-64bit-3.20.6-17.3.1 libedataserver-1_2-21-3.20.6-17.3.1 libedataserver-1_2-21-32bit-3.20.6-17.3.1 libedataserver-1_2-21-64bit-3.20.6-17.3.1 libedataserverui-1_2-1-3.20.6-17.3.1 libedataserverui-1_2-1-32bit-3.20.6-17.3.1 libedataserverui-1_2-1-64bit-3.20.6-17.3.1 typelib-1_0-EBook-1_2-3.20.6-17.3.1 typelib-1_0-EBookContacts-1_2-3.20.6-17.3.1 typelib-1_0-EDataServer-1_2-3.20.6-17.3.1 libcamel-1_2-57-3.20.6-17.3.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP5 libedataserver-1_2-21-3.20.6-17.3.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP5 evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection." CVE-2020-14928 SUSE Linux Enterprise Workstation Extension 12 SP5:libcamel-1_2-57-3.20.6-17.3.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libedataserver-1_2-21-3.20.6-17.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210885-1/ https://www.suse.com/security/cve/CVE-2020-14928.html CVE-2020-14928 https://bugzilla.suse.com/1173910 SUSE Bug 1173910 In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. This is related to imapx_free_capability and imapx_connect_to_server. CVE-2020-16117 SUSE Linux Enterprise Workstation Extension 12 SP5:libcamel-1_2-57-3.20.6-17.3.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libedataserver-1_2-21-3.20.6-17.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210885-1/ https://www.suse.com/security/cve/CVE-2020-16117.html CVE-2020-16117 https://bugzilla.suse.com/1174712 SUSE Bug 1174712