-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
                   CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE           : evolution
SUMMARY           : Several vulnerabilities
DATE              : 2003-05-14 16:09:00
ID                : CLA-2003:648
RELEVANT RELEASES : 7.0, 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
 Evolution is a Gnome-based personal information manager (PIM). It includes
 email, address book, calendar and other integrated features.

 Core Security Technologies found[1] several vulnerabilities in Evolution
 <= 1.2.2 and in the gtkhtml library (which is used by Evolution and other
 Gnome programs to render basic HTML). These vulnerabilities can be
 exploited by remote attackers (using specially crafted e-mails) to crash
 Evolution, to cause general system instability through resource
 starvation, or to bypass some security restrictions.

 The Common Vulnerabilities and Exposures (CVE) project has assigned the
 names CAN-2003-0128, CAN-2003-0129 and CAN-2003-0130 to the issues[2,3,4]
 discovered.

 In Conectiva Linux 7.0 and 8, Evolution is being upgraded to version 1.0.3
 with patches to fix the vulnerabilities. Note that in order to upgrade
 Evolution in Conectiva Linux 7.0, several packages had to be added (Gnome
 components necessary to run the 1.0.3 version of Evolution that were not
 distributed with Conectiva Linux 7.0). These packages are included in this
 update.

 The Evolution package distributed with Conectiva Linux 9
 (evolution-1.2.2-28320cl) already has the fixes for its
 vulnerabilities[2,3]. For this version of Conectiva Linux, only the fix
 for the gtkhtml vulnerability[4] is included.


SOLUTION
 All evolution users should upgrade.

 IMPORTANT: Conectiva Linux 7.0 users that want to perform this upgrade
 using apt must use the "dist-upgrade" command or explicitly list the
 packages in the "install" command. This is necessary because the
 "upgrade" command will not install the new dependencies.


 REFERENCES:
 1.http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10
 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0128
 3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0129
 4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0130


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/bonobo-1.0.3-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/bonobo-conf-0.12-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/bonobo-conf-devel-0.12-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/bonobo-conf-devel-static-0.12-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/bonobo-devel-1.0.3-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/bonobo-devel-static-1.0.3-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/evolution-1.0.3-2U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/evolution-devel-1.0.3-2U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/evolution-devel-static-1.0.3-2U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/gnome-print-0.29-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/gnome-print-devel-0.29-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/gnome-print-devel-static-0.29-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/gtkhtml-1.0.1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/gtkhtml-devel-1.0.1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/gtkhtml-devel-static-1.0.1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgal19-0.19-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgal19-devel-0.19-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libgal19-devel-static-0.19-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/bonobo-1.0.3-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/bonobo-conf-0.12-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/evolution-1.0.3-2U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/gal19-0.19-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/gnome-print-0.29-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/gtkhtml-1.0.1-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/evolution-1.0.3-6U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/evolution-devel-1.0.3-6U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/evolution-devel-static-1.0.3-6U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gtkhtml-1.0.1-4U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gtkhtml-devel-1.0.1-4U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gtkhtml-devel-static-1.0.1-4U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libgtkhtml20-1.0.1-4U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libgtkhtml-i18n-1.0.1-4U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/evolution-1.0.3-6U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/gtkhtml20-1.0.1-4U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/gtkhtml-1.1.7-20736U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/gtkhtml-devel-1.1.7-20736U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/gtkhtml-devel-static-1.1.7-20736U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libgtkhtml20-1.1.7-20736U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libgtkhtml-i18n-1.1.7-20736U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/gtkhtml20-1.1.7-20736U90_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:
 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples can be
 found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

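 As an added example (not part of this advisory or of Conectiva's tooling),
 the Python check below parses the RPM file names from the UPDATED PACKAGES
 list into name, version and release, and compares them against `rpm -qa`
 output with a simplified re-implementation of rpm's version comparison, so
 an administrator can see which installed packages are still below the fixed
 level. Only the Conectiva Linux 8 subset of the URLs is used, and the
 installed-package listing is constructed sample data.

```python
import re

# Updated-package URLs copied from advisory CLA-2003:648 (Conectiva Linux 8 subset).
ADVISORY_URLS = [
    "ftp://atualizacoes.conectiva.com.br/8/RPMS/evolution-1.0.3-6U80_2cl.i386.rpm",
    "ftp://atualizacoes.conectiva.com.br/8/RPMS/gtkhtml-1.0.1-4U80_1cl.i386.rpm",
    "ftp://atualizacoes.conectiva.com.br/8/RPMS/libgtkhtml20-1.0.1-4U80_1cl.i386.rpm",
]

# Constructed sample of `rpm -qa` output on a Conectiva Linux 8 host (not real data).
INSTALLED = """evolution-1.0.3-6U80_1cl
gtkhtml-1.0.1-3U80_1cl
libgtkhtml20-1.0.1-4U80_1cl
bash-2.05-1cl"""

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm segment compare: digit runs numeric, alpha runs lexical, digits > alphas (tilde omitted)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_advisory(urls):
    """Map package name -> (version, release) from the advisory's RPM filenames.
    Names may contain '-', so split name-version-release from the right."""
    fixed = {}
    for url in urls:
        nvr = url.rsplit("/", 1)[1][: -len(".rpm")].rsplit(".", 1)[0]  # drop arch
        name, ver, rel = nvr.rsplit("-", 2)
        fixed[name] = (ver, rel)
    return fixed

def needs_upgrade(installed_text, fixed):
    """Names of installed packages older than the advisory's fixed version."""
    out = []
    for line in installed_text.splitlines():
        name, ver, rel = line.strip().rsplit("-", 2)
        if name in fixed:
            fver, frel = fixed[name]
            # version decides first; equal versions fall through to the release tag
            if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
                out.append(name)
    return out
```

 On a real host, feed `needs_upgrade` the output of `rpm -qa` and the full
 URL list for the installed release; an empty result means every package
 named in the advisory is at or above the fixed version.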
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------

subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+wpTG42jd0JmAcZARAmXrAKDE/QJchncOYsb/hkeknfVmZaAbHwCgwauY
cin79gTAij/BhdL8QlbS17Q=
=VsSz
-----END PGP SIGNATURE-----