is woody evolution still vulnerable to SSL Man-In-The-Middle Vulnerability?

Related Vulnerabilities: CVE-2002-1471  

Debian Bug report logs - #280883

Reported by: Djoume SALVETTI <djoume@taket.org>

Date: Fri, 12 Nov 2004 10:48:12 UTC

Severity: grave

Tags: security, woody

Found in version evolution/1.0.5-1woody2

Fixed in version evolution/2.0.2-3

Done: Margarita Manterola <debian@marga.com.ar>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, djoume@taket.org, Takuo KITAME <kitame@debian.org>:
Bug#280883; Package evolution.


Acknowledgement sent to Djoume SALVETTI <djoume@taket.org>:
New Bug report received and forwarded. Copy sent to djoume@taket.org, Takuo KITAME <kitame@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Djoume SALVETTI <djoume@taket.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: is woody evolution still vulnerable to SSL Man-In-The-Middle Vulnerability?
Date: Fri, 12 Nov 2004 11:32:51 +0100
Package: evolution
Version: 2.0.2-3
Severity: grave
Tags: security
Justification: user security hole


Good day,

I'm reviewing the list of 2002 CVEs to check if there are still
some known vulnerable packages in testing.

In CVE-2002-1471 it is written:

| The camel component for Ximian Evolution 1.0.x and earlier does not
| verify certificates when it establishes a new SSL connection after
| previously verifying a certificate, which could allow remote attackers
| to monitor or modify sessions via a man-in-the-middle attack.

According to http://www.securityfocus.com/bid/5875/info/
the woody version of evolution is still vulnerable.

Regards.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.9-rfb-swsusp
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages evolution depends on:
ii  evolution-data-server     1.0.2-3        evolution database backend server
ii  gconf2                    2.6.4-2        GNOME configuration database syste
ii  gnome-icon-theme          1.2.3-1.1      GNOME Desktop icon theme
ii  gtkhtml3.2                3.2.3-1        HTML rendering/editing library - b
ii  libart-2.0-2              2.3.16-6       Library of functions for 2D graphi
ii  libatk1.0-0               1.6.1-5        The ATK accessibility toolkit
ii  libaudiofile0             0.2.6-4        Open-source version of SGI's audio
ii  libbonobo2-0              2.6.2-7        Bonobo CORBA interfaces library
ii  libbonoboui2-0            2.6.1-1        The Bonobo UI library
ii  libc6                     2.3.2.ds1-18   GNU C Library: Shared libraries an
ii  libcompfaceg1             1989.11.11-24  Compress/decompress images for mai
ii  libebook8                 1.0.2-3        Client library for evolution addre
ii  libecal6                  1.0.2-3        Client library for evolution calen
ii  libedataserver3           1.0.2-3        Utily library for evolution data s
ii  libegroupwise6            1.0.2-3        Client library for accessing group
ii  libesd0                   0.2.35-2       Enlightened Sound Daemon - Shared 
ii  libfontconfig1            2.2.3-3        generic font configuration library
ii  libfreetype6              2.1.7-2.2      FreeType 2 font engine, shared lib
ii  libgail-common            1.6.6b-1       GNOME Accessibility Implementation
ii  libgail17                 1.6.6b-1       GNOME Accessibility Implementation
ii  libgal2.2-1               2.2.3-1        G App Libs (run time library)
ii  libgal2.2-common          2.2.3-1        G App Libs (common files)
ii  libgconf2-4               2.6.4-2        GNOME configuration database syste
ii  libgcrypt11               1.2.0-10       LGPL Crypto library - runtime libr
ii  libglade2-0               1:2.4.0-1      Library to load .glade files at ru
ii  libglib2.0-0              2.4.7-1        The GLib library of C routines
ii  libgnome-keyring0         0.2.1-3        GNOME keyring services library
ii  libgnome-pilot2           2.0.10-6.1     Support libraries for gnome-pilot
ii  libgnome2-0               2.6.1.2-2      The GNOME 2 library - runtime file
ii  libgnomecanvas2-0         2.6.1.1-2      A powerful object-oriented display
ii  libgnomeprint2.2-0        2.8.0.1-2      The GNOME 2.2 print architecture -
ii  libgnomeprintui2.2-0      2.6.2-1        The GNOME 2.2 print architecture U
ii  libgnomeui-0              2.6.1.1cvs-1   The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0            2.6.2-2        The GNOME virtual file-system libr
ii  libgnutls11               1.0.16-9       GNU TLS library - runtime library
ii  libgpg-error0             1.0-1          library for common error values an
ii  libgtk2.0-0               2.4.13-1       The GTK+ graphical user interface 
ii  libgtkhtml3.2-11          3.2.3-1        HTML rendering/editing library - r
ii  libice6                   4.3.0.dfsg.1-8 Inter-Client Exchange library
ii  libjpeg62                 6b-9           The Independent JPEG Group's JPEG 
ii  libldap2                  2.1.30-3       OpenLDAP libraries
ii  libnspr4                  2:1.7.3-5      Netscape Portable Runtime Library
ii  libnss3                   2:1.7.3-5      Network Security Service Libraries
ii  liborbit2                 1:2.10.2-1.1   libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0             1.4.1-4        Layout and rendering of internatio
ii  libpisock8                0.11.8-10      Library for communicating with a P
ii  libpisync0                0.11.8-10      Synchronization library for PalmOS
ii  libpopt0                  1.7-5          lib for parsing cmdline parameters
ii  libsm6                    4.3.0.dfsg.1-8 X Window System Session Management
ii  libsoup2.2-7              2.2.1-1        an HTTP library implementation in 
ii  libtasn1-2                0.2.10-4       Manage ASN.1 structures (runtime)
ii  libx11-6                  4.3.0.dfsg.1-8 X Window System protocol client li
ii  libxml2                   2.6.11-5       GNOME XML library
ii  xlibs                     4.3.0.dfsg.1-8 X Window System client libraries m
ii  zlib1g                    1:1.2.2-3      compression library - runtime

-- no debconf information
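The failure mode the CVE text describes, as an added model that is not Evolution's or camel's code: a session that records a host as verified after its first TLS connection and skips validation on every reconnect, beside a session that validates each connection and pins the certificate it accepted first. `Cert`, `validate`, both session classes, the host name and the certificate bodies are constructed stand-ins, not real X.509 handling.

```python
"""Constructed model of the CVE-2002-1471 bug class; not Evolution/camel code."""
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: subject CN plus a constructed body."""
    subject: str
    der: bytes
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def validate(cert: Cert, host: str, trusted_fps: set) -> bool:
    """Chain-validation stand-in: CN must match and the cert must be trusted."""
    return cert.subject == host and cert.fingerprint() in trusted_fps

@dataclass
class VulnerableSession:
    """Validates once per host, then trusts any cert presented on reconnect."""
    trusted_fps: set
    verified_hosts: set = field(default_factory=set)
    def connect(self, host: str, presented: Cert) -> bool:
        if host in self.verified_hosts:
            return True  # BUG: an earlier success short-circuits this connection
        if not validate(presented, host, self.trusted_fps):
            return False
        self.verified_hosts.add(host)
        return True

@dataclass
class FixedSession:
    """Validates every connection and pins the cert accepted the first time."""
    trusted_fps: set
    pinned: dict = field(default_factory=dict)
    def connect(self, host: str, presented: Cert) -> bool:
        if not validate(presented, host, self.trusted_fps):
            return False
        fp = presented.fingerprint()
        return self.pinned.setdefault(host, fp) == fp  # refuse a changed cert

def demo() -> tuple:
    """(vulnerable_accepts, fixed_accepts) for an untrusted cert on reconnect."""
    host = "imap.example.org"  # constructed sample host
    good = Cert(host, b"constructed-legitimate-cert")
    bad = Cert(host, b"constructed-untrusted-cert")  # same CN, untrusted
    trust = {good.fingerprint()}
    v, f = VulnerableSession(trust), FixedSession(trust)
    assert v.connect(host, good) and f.connect(host, good)  # first connection
    return v.connect(host, bad), f.connect(host, bad)  # reconnection -> (True, False)
```

The vulnerable session accepts the untrusted certificate on the second connection purely because the first one succeeded, which is the "does not verify certificates when it establishes a new SSL connection after previously verifying a certificate" condition quoted above.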



Tags added: woody. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Reply sent to Margarita Manterola <debian@marga.com.ar>:
You have taken responsibility.


Notification sent to Djoume SALVETTI <djoume@taket.org>:
Bug acknowledged by developer.


Message #12 received at 280883-done@bugs.debian.org:

From: Margarita Manterola <debian@marga.com.ar>
To: 231955-done@bugs.debian.org
Cc: 234863-done@bugs.debian.org, 280883-done@bugs.debian.org, 237257-done@bugs.debian.org, 295548-done@bugs.debian.org, 130666-done@bugs.debian.org, 132730-done@bugs.debian.org, 146835-done@bugs.debian.org, 147855-done@bugs.debian.org, 162802-done@bugs.debian.org, 181372-done@bugs.debian.org
Subject: Closing all woody Evolution bugs.
Date: Fri, 15 Jul 2005 18:04:01 -0300
On 06/06/05 Sarge was released as stable, and woody is now oldstable.  It
does not make sense to still keep the bugs that are in woody, so I'm
closing all of them.


-- 
 Besitos,   {o_
     Marga. (')_



Bug reopened, originator set to 295548. Request was from Margarita Manterola <marga@marga.com.ar> to control@bugs.debian.org.


Information stored:
Bug#280883; Package evolution.


Acknowledgement sent to Margarita Manterola <marga@marga.com.ar>:
Extra info received and filed, but not forwarded.


Message #19 received at 280883-quiet@bugs.debian.org:

From: Margarita Manterola <marga@marga.com.ar>
To: control@bugs.debian.org
Cc: 280883-quiet@bugs.debian.org, 295548-quiet@bugs.debian.org
Subject: Reopening security bugs
Date: Fri, 15 Jul 2005 18:56:00 -0300
reopen 280883 295548
thanks

Security bugs must be kept open, sorry for the noise.


-- 
 Bessos,    (o_
    Marga.  (\)_



Changed Bug submitter from 295548 to Djoume SALVETTI <djoume@taket.org>. Request was from Margarita Manterola <debian@marga.com.ar> to control@bugs.debian.org.


Bug marked as found in version 1.0.5-1woody2. Request was from Margarita Manterola <debian@marga.com.ar> to control@bugs.debian.org.


Bug marked as fixed in version 2.0.2-3, send any further explanations to Djoume SALVETTI <djoume@taket.org>. Request was from Margarita Manterola <debian@marga.com.ar> to control@bugs.debian.org.


Bug marked as not found in version 2.0.2-3. Request was from Margarita Manterola <debian@marga.com.ar> to control@bugs.debian.org.


Information stored:
Bug#280883; Package evolution.


Acknowledgement sent to Margarita Manterola <debian@marga.com.ar>:
Extra info received and filed, but not forwarded.


Message #32 received at 280883-quiet@bugs.debian.org:

From: Margarita Manterola <debian@marga.com.ar>
To: 280883-quiet@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Fixing the version of the package
Date: Fri, 29 Jul 2005 14:01:01 -0300
found 280883 1.0.5-1woody2
close 280883 2.0.2-3
thanks

The version was screwed due to the pseudo header used in the report. The
bug is only in woody's version of Evolution.



-- 
 Bessos,
     Maggie.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 19:59:42 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:01:55 2019; Machine Name: buxtehude
